How To Secure RDP Sessions From MitM Attacks
Author: Gabriel Bujold
RDP- The Remote Desktop Protocol
This is a network communications protocol by Microsoft for remote access and management of remote server, virtual desktops, terminal servers, and applications.
RDP sessions run via an encrypted channel which is meant to prevent outsiders from viewing the encrypted sessions by eavesdropping on the network. Nevertheless, RDP attacks have repeatedly demonstrated the vulnerabilities in the encryption method. Man-in-the-middle (MitM) attack is a well-documented method of gaining an unauthorized access to any RDP session.
Apart from MitM, there are other attack methods that can be used to hijack an RDP session viz:
- Keylogging- Keylogger is a malware that tracks every key you press on your keyboard without your knowledge. It can be used to steal login credentials.
- Ransomware- Attackers can use it to encrypt all your data files and to get it back you’ll have to pay a ransom.
- EternalBlue- It affects the system software with maximum impact. It can affect Windows Vista, Windows 7, Windows 8.1, and Windows 10.
The Obligation To Secure RDP from MitM
The obligation to fix these vulnerabilities obviously lays with Microsoft and yes they are constantly patching up the vulnerabilities as they are being disclosed. However, it is compulsory that admins and security consultants take some proactive measures to protect and mitigate the risks posed by RDP on their systems. There are some proactive measures that can be implemented immediately not to stop an attack but to reduce an attacker’s likelihood of wreaking havoc on your network if they gain access to a machine anywhere along the chain. But before we get to the preventive measure, let’s talk a little about the most recent CredSSP vulnerability.
Most Recent RDP vulnerability
The most recent RDP vulnerability uncovered was as a result of a logical flaw in CredSSP ( Credential Security Support Provider protocol) used by Remote Desktop Protocol for secure transfer of credentials to a target server. It was discovered by Preempt researchers. Although, it’s been patched by Microsoft in the March Patch Tuesday (CVE-2018–0886) that tells you how vulnerable a network using the RDP can be if no preventive measures are put in place to secure the RDP sessions. This vulnerability could have been leveraged by attackers using man-in-the-middle method to take over machines on a network.
How to reduce the risk of being the next victim
To secure your RDP sessions, you can follow these protective measures:
- Ensure your workspaces and remote server are well patched.
- It has been established that blocking application ports helps in foiling the attack.
- Reduce the number of privileged account users remoting into the server.
- Use a strong password
- Don’t save your credentials in your RDP file
- Delete your RDP file
- Activate Network Level Authentication (NLA)
- Disable RDP if they are not being used
- Tunnel RDP connections through SSH or use (V2 Cloud client)
- Restrict access using firewalls
- Change the listening port for Remote Desktop
- Use Remote Desktop Protocol Gateways
- Use Two-factor authentication on highly sensitive systems
Following the recommendations in the checklist doesn’t guarantee that your system will be 100% protected from attacks. What it does is that it makes it less of an easy prey for attackers.
Note: V2 Cloud clients are protected from CredSSP kind of attack because the RDP sessions are tunneled into SSH protocol. This SSH tunnel protects all your data transfer and keystrokes that you use inside your Remote desktop. Also, there is no need to open the Port 3389 of your virtual machine.
Good news is that you don’t have to start the implementation of secure RDP measures from scratch because V2 Cloud’s forward-thinking cloud and RDP experts have developed a client application that tunnels your RDP sessions into SSH protocol that protects it from the prying eyes of attackers. It provides secure RDP connection and it is very easy to integrate into your already existing cloud infrastructure.