10 Actions to Secure Your RDP from MitM Attacks
Author: Frederik Veyrie
First of all, Remote Desktop Protocol (RDP) is a network communications protocol developed by Microsoft mainly for remote access. Remote servers, virtual desktops, terminal servers, and applications are also managed through it. RDP sessions run over an encrypted channel, which is meant to stop an outsider from reading the session by quietly monitoring the network, or from altering the traffic passing between the client and the server.
When a session is intercepted this way, we call it a Man-in-the-Middle (MitM) attack, which is a well-documented method of gaining unauthorized access to an RDP session. To emphasize, the attacker’s goal is to steal your login credentials or personal information. They can also spy on you and steal your data. Ultimately, these attacks can be costly and complicated for a company: in 2021, ransomware cost businesses 20 billion. This is why securing RDP against attacks is very important, especially when all your workers are remote and using their personal devices and networks.
Types of RDP Attacks
Unfortunately, MitM is not the only attack on the internet. Other types of attacks can target your browser, software, email, and so on. To demonstrate, here’s a list of common attacks used to hijack an RDP session:
- Keylogging (or keystroke logging): It’s malware that tracks every key you press on your keyboard without your knowledge. It’s used to steal login credentials. Here’s a complete article about keylogging, how to prevent it, and how to secure your RDP.
- Ransomware: Attackers can use it to encrypt all your data files; to get them back, you’ll have to pay a ransom, which can be very pricey and is usually demanded in Bitcoin. Here’s how we helped a company after a ransomware attack.
- EternalBlue: Known as the most damaging, it attacks the system software with maximum impact. It can affect Windows Vista, Windows 7, Windows 8.1, and Windows 10. Here’s everything you need to know about EternalBlue.
How secure is RDP?
RDP enables you to connect to a remote desktop, but how secure is it? There are two big weaknesses to know about:
- The sign-in credentials are weak: The password used to log in to the desktop computer is often the same one used for RDP remote logins. This makes these connections vulnerable to cyberattacks such as credential stuffing and brute force.
- The port access is unrestricted: RDP connections use port 3389 by default. Attackers assume that this is the port in use, so they target it.
By itself, RDP is not a secure setup and might leave your organization vulnerable to cyberattacks. However, if you combine it with password management, SSO, and firewall rules, you can address those weaknesses easily. If you’re using RDP alone, make sure you’re protected against them.
An alternative is to use a solution built around RDP to minimize risks by adding layers of security on top of it. This is how we built V2 Cloud and you will find more information about our product at the end of this article.
Ensure RDP Security from Attacks
To clarify, Microsoft has a huge role, and an obligation, to constantly fix the vulnerabilities being disclosed. However, it’s fundamental that admins and security consultants take proactive measures to prevent and reduce the security risks the Remote Desktop Protocol (RDP) poses on their systems.
Some proactive measures can be implemented immediately: not to stop an attack outright, but to limit how much havoc an attacker can wreak on your network if they gain access to a machine anywhere along the chain.
Before we get to the preventive measures, let’s talk a little about the most recent Credential Security Support Provider protocol (CredSSP) vulnerability. According to Microsoft, CredSSP is a protocol that enables an application to securely pass a user’s credentials from a client to a target server.
Remote Desktop Protocol Vulnerability
The most recent RDP security vulnerability to be uncovered was the result of a logical flaw in the Credential Security Support Provider protocol (CredSSP), a Security Support Provider.
CredSSP is used by the Remote Desktop Protocol to secure the transfer of credentials to a target server. The flaw was discovered by Preempt researchers. Although Microsoft patched it in the March patch release (CVE-2018-0886), it shows how exposed a network using RDP can be if no preventive measures are put in place to secure your remote desktop sessions.
This vulnerability could have been leveraged by attackers using the man-in-the-middle method to take over machines on a network. At V2 Cloud, we specialize in Ransomware Data Recovery to help prevent these types of attacks.
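To check where a Windows host stands on the CredSSP fix discussed above, here is an added PowerShell example, written for this page rather than taken from the original article or from V2 Cloud. It reads and sets the Encryption Oracle Remediation policy value that Microsoft introduced alongside the CVE-2018-0886 patch; the registry path and the meaning of the values 0, 1 and 2 are Microsoft’s, while the function names are this example’s own.

```powershell
# Added example: audit and enforce the CredSSP "Encryption Oracle Remediation" policy
# that accompanies the CVE-2018-0886 fix. Function names are this example's own;
# the registry path and value meanings are Microsoft's.
$CredSspPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

function Get-CredSspOracleState {
    # Reads AllowEncryptionOracle; $null means the value (or the whole key) is absent.
    $value = $null
    try {
        $value = (Get-ItemProperty -Path $CredSspPolicy -Name 'AllowEncryptionOracle' -ErrorAction Stop).AllowEncryptionOracle
    } catch { }

    # Meanings as documented by Microsoft for the policy's three levels.
    $meaning = if ($null -eq $value) {
        'Not configured: the operating-system default applies'
    } elseif ($value -eq 0) {
        'Force Updated Clients: no insecure fallback, and unpatched peers are refused'
    } elseif ($value -eq 1) {
        'Mitigated: this host will not fall back to the insecure exchange, but still accepts unpatched clients'
    } elseif ($value -eq 2) {
        'Vulnerable: insecure fallback is allowed on both sides'
    } else {
        "Unexpected value $value"
    }

    [PSCustomObject]@{
        Path     = $CredSspPolicy
        Value    = $value
        Meaning  = $meaning
        Hardened = ($value -eq 0)
    }
}

function Set-CredSspForceUpdatedClients {
    # Sets the policy to 0. Roll this out only once every client and server that talks
    # CredSSP to this host is patched, because level 0 refuses unpatched peers.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($CredSspPolicy, 'Set AllowEncryptionOracle = 0')) {
        New-Item -Path $CredSspPolicy -Force | Out-Null    # -Force creates missing parent keys
        Set-ItemProperty -Path $CredSspPolicy -Name 'AllowEncryptionOracle' -Value 0 -Type DWord
    }
}

# Usage (an elevated prompt is needed to change the value):
Get-CredSspOracleState | Format-List
Set-CredSspForceUpdatedClients -WhatIf    # drop -WhatIf to apply
```

The audit function is the useful part for a fleet: run it across your hosts and treat anything other than 0 as a finding. Setting the value to 0 is the end state, but it belongs after patch levels are confirmed, since a server at level 0 will refuse connections from clients that have not received the fix.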
10 Steps to Secure your RDP
Here’s an effective list to ensure your RDP sessions are secure. We recommend following these 10 protective measures:
- Ensure your workspaces and remote servers are well patched: If you’re using digital workspaces and remote servers, it’s really important that patch management is done correctly; otherwise, you’re left with vulnerabilities that keep RDP from being secure.
- Use two-factor authentication (2FA): By using 2FA, you’re adding another layer of security on top of your RDP sessions. You don’t need to run a highly sensitive system to justify multi-factor authentication; malware threats are everywhere.
- Reduce the number of privileged remote account users on the server: If fewer users have access to important files, you’re reducing the risks of data theft and malware.
- Use a strong password: Secure your RDP connections by using a password manager that generates an alphanumeric combination. You don’t want the desktop session password and the RDP password to be the same.
- Don’t save your credentials in your RDP file: If your credentials are saved in your RDP file, you will be vulnerable to cyberattacks. This is done by default, but there are ways to disable it.
- Delete your RDP connection history: To secure RDP sessions, you should always delete your RDP connection history after usage. There are ways to clear your RDP connections manually or in bulk, and you can also prevent Windows from saving them.
- Activate Network Level Authentication (NLA): Doing so makes RDP more secure by adding an extra layer of security. This can be done via group policy as well.
- Restrict access using firewalls: You can restrict RDP access by IP address with firewalls. This is a great way to secure RDP because you can select the IPs and ranges that are allowed to reach the server.
- Use Remote Desktop Gateways: RD Gateway provides you with an encrypted RDP connection. That way, you allow remote users to connect to internal networks without a VPN.
- Change the listening port for Remote Desktop: As stated earlier, the default RDP port is not secure. The standard port is 3389, so attackers assume that’s the one in use. By changing it, you make your RDP connections a less obvious target.
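Several of the ten steps above (NLA, saved credentials, connection history, firewall scoping, the listening port) come down to registry values and Windows Firewall rules, so here is one added PowerShell example that audits and applies them on a Windows host. It is written for this page and is not code from the original article or from V2 Cloud. The registry paths, value names and cmdlets are Microsoft’s; the function names, the 203.0.113.0/24 management network and port 3390 are constructed placeholders for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and apply the registry- and firewall-based items of the RDP
# checklist. Function names, the 203.0.113.0/24 network and port 3390 are constructed
# placeholders; the paths, value names and cmdlets are Microsoft's.
$RdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-RdpSecurityPosture {
    # One boolean per checklist item; $true means the item is in place.
    $nla   = Get-RegDword $RdpTcp   'UserAuthentication'    # 1 = NLA required (step 7)
    $layer = Get-RegDword $RdpTcp   'SecurityLayer'         # 2 = TLS only, legacy RDP security disabled
    $port  = Get-RegDword $RdpTcp   'PortNumber'            # 3389 = well-known default (step 10)
    $save  = Get-RegDword $TsPolicy 'DisablePasswordSaving' # 1 = clients may not save passwords (step 5)
    # Step 8: enabled inbound rules of the built-in group that still accept 'Any' remote address.
    $open = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    [PSCustomObject]@{
        NlaRequired           = ($nla -eq 1)
        TlsSecurityLayer      = ($layer -eq 2)
        NonDefaultPort        = ($null -ne $port -and $port -ne 3389)
        PasswordSavingBlocked = ($save -eq 1)
        FirewallScoped        = (@($open).Count -eq 0)
    }
}

function Set-RdpHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$AllowedRemoteAddress,   # addresses or CIDR blocks allowed to reach RDP
        [ValidateRange(1024, 65535)][int]$ListenPort = 3389
    )
    if ($PSCmdlet.ShouldProcess($RdpTcp, 'Require NLA and TLS')) {
        Set-ItemProperty -Path $RdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord   # step 7
        Set-ItemProperty -Path $RdpTcp -Name 'SecurityLayer'      -Value 2 -Type DWord   # TLS, not legacy RDP encryption
        Set-ItemProperty -Path $RdpTcp -Name 'MinEncryptionLevel' -Value 3 -Type DWord   # 'High' encryption level
    }
    if ($PSCmdlet.ShouldProcess($TsPolicy, 'Forbid saved credentials')) {
        New-Item -Path $TsPolicy -Force | Out-Null
        Set-ItemProperty -Path $TsPolicy -Name 'DisablePasswordSaving' -Value 1 -Type DWord   # step 5, client policy
        Set-ItemProperty -Path $TsPolicy -Name 'fPromptForPassword'    -Value 1 -Type DWord   # server always prompts
    }
    if ($PSCmdlet.ShouldProcess("TCP/$ListenPort", 'Scope firewall and set listening port')) {
        # Step 8: narrow every built-in Remote Desktop rule to the allowed sources.
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
            Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddress
        # Step 10: move the listener and open the new port only for the allowed sources.
        Set-ItemProperty -Path $RdpTcp -Name 'PortNumber' -Value $ListenPort -Type DWord
        if ($ListenPort -ne 3389) {
            New-NetFirewallRule -DisplayName "RDP custom port $ListenPort" -Direction Inbound -Protocol TCP `
                -LocalPort $ListenPort -RemoteAddress $AllowedRemoteAddress -Action Allow | Out-Null
            Write-Warning 'Restart the Remote Desktop Services (TermService) service or reboot for the port change to apply.'
        }
    }
}

function Clear-RdpClientHistory {
    # Step 6, run on the machine you connect from: remove the mstsc MRU list, the
    # per-server entries and the hidden Default.rdp for the current user.
    $client  = 'HKCU:\Software\Microsoft\Terminal Server Client'
    $default = "$client\Default"
    Remove-Item -Path "$client\Servers" -Recurse -Force -ErrorAction SilentlyContinue
    if (Test-Path $default) {
        (Get-Item $default).GetValueNames() | Where-Object { $_ -like 'MRU*' } |
            ForEach-Object { Remove-ItemProperty -Path $default -Name $_ }
    }
    $rdpFile = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'
    Remove-Item -Path $rdpFile -Force -ErrorAction SilentlyContinue
}

# Usage: audit first, then apply with the constructed placeholder network and port.
Get-RdpSecurityPosture | Format-List
Set-RdpHardening -AllowedRemoteAddress '203.0.113.0/24' -ListenPort 3390 -WhatIf   # drop -WhatIf to apply
Clear-RdpClientHistory
```

Run the audit before and after the change so the posture object shows each item flipping to true. The firewall scoping is the part that actually reduces exposure; the port change only makes the listener less obvious, which is why the example scopes the new port to the same allowed sources instead of opening it to everyone. Items that are not registry settings (patching, 2FA, fewer privileged accounts, RD Gateway) still need to be handled by their own tooling.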
With this in mind, following the recommendations on this checklist doesn’t guarantee that your system will be 100% protected from attacks, although it does make it a lot harder to fall victim to attackers. However, these protective measures can be challenging to implement for someone who isn’t tech-savvy.
This is why V2 Cloud is an incredible resource. Every V2 Cloud customer is protected from the CredSSP kind of attack because the Remote Desktop Protocol sessions are tunneled over SSH using the V2 Cloud Client. This SSH tunnel protects all the data transfers and keystrokes inside your remote desktop. Also, there is no need to open TCP port 3389 on your virtual machine.
On the positive side, you don’t have to start the implementation of secure RDP measures from scratch. V2 Cloud’s forward-thinking cloud and our team of experts have developed a secure RDP connection, and it is straightforward to integrate into your existing cloud infrastructure.
The best way to connect to V2 Cloud is with our desktop application; it’s even more secure, and we can provide better features.
Use our expertise to your advantage!