How to Ensure your RDP Security from MitM Attacks
Author: Frederik Veyrie
First of all, Remote Desktop Protocol (RDP) is a network communications protocol developed by Microsoft mainly for remote access. Remote servers, virtual desktops, terminal servers, and applications are also managed through RDP. RDP sessions run over an encrypted channel, which prevents outsiders from reading a session by secretly monitoring the network or tampering with the traffic between the two ends of the connection.
When a session is intercepted this way, we call it a Man-in-the-Middle (MitM) attack, which is a well-documented method of gaining unauthorized access to an RDP session. To emphasize, the attacker's goal is to steal your login credentials or personal information. They can also spy on you and steal your data. Ultimately, these attacks can be costly and complicated for a company. In 2019, in the USA alone, ransomware was estimated to have cost businesses 7.5 billion. This is why RDP security is very important, especially when all your workers are remote, using their personal devices and networks.
Types of Attacks
Unfortunately, MitM attacks are not the only attacks on the internet. Other types of attacks can target your browser, software, email, and so on. To demonstrate, here's a list of common attacks used to hijack an RDP session:
- Keylogging (or keystroke logging): It's malware that tracks every key you press on your keyboard without your knowledge. It's used to steal login credentials. Here's a complete article about keylogging and how to prevent it.
- Ransomware: Attackers can use it to encrypt all your data files; to get them back, you'll have to pay a ransom, which can be very pricey, usually in Bitcoin. Here's how we helped a company after a ransomware attack.
- EternalBlue: Known as the most damaging, it attacks the system software with maximum impact. It can affect Windows Vista, Windows 7, Windows 8.1, and Windows 10. Here's everything you need to know about EternalBlue.
Ensure RDP Security
To clarify, Microsoft has a huge role, and obligation, to constantly fix the vulnerabilities being disclosed. However, it’s fundamental that admins and security consultants take proactive measures to prevent and reduce the risks posed by the remote desktop protocol (RDP) on their system.
Some proactive measures can be implemented immediately, not to stop an attack outright, but to reduce an attacker's ability to wreak havoc on your network if they gain access to a machine anywhere along the chain.
Before we get to the preventive measures, let's talk a little about the most recent Credential Security Support Provider protocol (CredSSP) vulnerability. According to Microsoft, CredSSP is a protocol that enables an application to securely pass on a user's credentials from a client to a target server.
Remote Desktop Protocol Vulnerability
The most recently uncovered RDP vulnerability was the result of a logical flaw in the Credential Security Support Provider protocol (CredSSP), a Security Support Provider.
It is used by the Remote Desktop Protocol to secure the transfer of credentials to a target server. The flaw was discovered by Preempt researchers. Although it was patched by Microsoft in the March patch (CVE-2018-0886), this shows how vulnerable a network using RDP can be if no preventive measures are put in place to secure your remote sessions.
This vulnerability could have been leveraged by attackers using the man-in-the-middle method to take over machines on a network. At V2 Cloud, we specialize in Ransomware Data Recovery to prevent these types of attacks.
10 Steps to Secure your RDP
Here’s an effective list to ensure your RDP sessions are secure. We recommend following these 10 protective measures:
- Ensure your workspaces and remote servers are well patched.
- Use two-factor authentication on highly sensitive systems.
- Reduce the number of privileged remote account users on the server.
- Use a strong password.
- Don’t save your credentials in your RDP file.
- Delete your RDP file.
- Activate Network Level Authentication (NLA).
- Restrict access using firewalls.
- Use Remote Desktop Protocol Gateways.
- Change the listening port for Remote Desktop.
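As an added example that is not part of the original article, the following PowerShell script performs a read-only audit of several checklist items (NLA, transport security layer, listening port, firewall scope, remote-access group size, and saved credentials in .rdp files) on the local Windows host. The registry values and cmdlets are standard Windows ones; the member-count threshold and the profile search path are assumptions.

```powershell
# Added example (not from the original article): read-only audit of the
# RDP hardening items from the checklist on the local Windows host.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$findings = @()

# Is RDP enabled at all? (fDenyTSConnections = 1 means connections are refused)
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) { Write-Host 'RDP is disabled on this host; nothing to audit.'; return }

# Checklist item: Network Level Authentication (UserAuthentication = 1 means required)
$nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) { $findings += 'NLA is not required (UserAuthentication is not 1)' }

# Transport security layer: 2 = TLS only, 1 = negotiate, 0 = legacy RDP security
$layer = (Get-ItemProperty -Path $tcp -Name SecurityLayer).SecurityLayer
if ($layer -lt 2) { $findings += "SecurityLayer is $layer; TLS (2) is recommended" }

# Checklist item: listening port (default 3389)
$port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber
if ($port -eq 3389) { $findings += 'RDP still listens on the default port 3389' }

# Checklist item: inbound Remote Desktop firewall rules should be scoped, not open to Any
$open = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound |
        Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -contains 'Any' }
if ($open) { $findings += 'An enabled inbound Remote Desktop rule allows any remote address' }

# Checklist item: keep the number of remote users small (threshold of 5 is an assumption)
$members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)
if ($members.Count -gt 5) { $findings += "$($members.Count) members in Remote Desktop Users" }

# Checklist items: .rdp files under the profile that embed a saved password
# (a saved password is stored on a 'password 51:b:<hex>' line)
$rdpFiles = Get-ChildItem -Path $env:USERPROFILE -Filter *.rdp -Recurse -ErrorAction SilentlyContinue
foreach ($f in $rdpFiles) {
    if (Select-String -Path $f.FullName -Pattern '^password 51:b:' -Quiet) {
        $findings += "Saved credentials found in $($f.FullName)"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated PowerShell session so the registry and firewall queries succeed; it changes nothing and only reports what deviates from the checklist.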
With this in mind, following the recommendations on the checklist doesn't guarantee that your system will be 100% protected from attacks, although it does make it a lot harder for attackers to make you a victim. However, these protective measures can be challenging to implement for someone who isn't tech-savvy.
This is why V2 Cloud is an incredible resource. Every V2 Cloud customer is protected from the CredSSP kind of attack because Remote Desktop Protocol sessions are tunneled through SSH using the V2 Cloud Client. This SSH tunnel protects all the data transfers and keystrokes inside your remote desktop. Also, there is no need to open TCP port 3389 on your virtual machine.
On the positive side, you don't have to start the implementation of secure RDP measures from scratch. V2 Cloud's forward-thinking cloud and our team of experts have developed a secure RDP connection, and it is straightforward to integrate into your existing cloud infrastructure.
The best way to connect to V2 Cloud is with our desktop application: it's even more secure, and we can provide better features.
Use our expertise to your advantage!