Plugging Remote Desktop Security Holes

By Oleg Zlotnik. June 4, 2020

These days, almost everyone who can work remotely is doing so. Many remote workers use their corporate laptops from home. Others use their personal devices to connect to a corporate VDI (Virtual Desktop Infrastructure). And some leave their corporate devices at work and connect to them remotely from their personal devices, including phones and tablets. One popular way of doing so is Microsoft Remote Desktop Services (RDS), formerly Microsoft Terminal Services, which is usually referred to simply by the name of its protocol, Remote Desktop Protocol (RDP).

Why RDP is So Popular

RDP makes it easy for workers to connect their devices to a remote server host in order to access corporate resources. RDP is part of the Windows operating system, which means it’s ubiquitous. It’s also free and easy to set up and maintain – all great selling points.  

With RDP, multiple users can be hosted on a single physical or virtual device and share the same Windows Server OS. Processing takes place on the server rather than on the user's device. As long as workers have an RDP client on their devices, they can use it to access the server-hosted applications and data their credentials entitle them to. The Microsoft Terminal Services Client, mstsc.exe, is built into Windows, and clients also exist for macOS, iOS, Linux, and Android.

RDP Vulnerabilities  

As beneficial as RDP is, it has security risks, particularly when used over the Internet. A remote user's RDP password is the key to your corporate resources, and because RDP has no multi-factor authentication by default, a password is often all cybercriminals need. More and more, they are running brute force attacks against user passwords over RDP with the intention of launching ransomware in those environments.
Some cybercriminals sell stolen credentials for Windows RDP servers on underground markets for as little as $20. Others attack sessions that were negotiated with weak encryption or the legacy RDP security layer, which an attacker positioned on the network path can downgrade or decrypt, in order to steal and sell sensitive information.
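To see what that brute forcing looks like from the defender's side, here is an added example that is not part of the original article and not Hysolate's code: a PowerShell function that groups failed-logon events by source address and flags bursts. The events are constructed sample data in the shape of Windows Security event 4625 (an account failed to log on); the threshold and time window are assumptions, and the commented lines at the end show how to feed in real events with Get-WinEvent instead.

```powershell
# Added example (not from the original article): flag source addresses that
# are brute forcing RDP logons. Sample events are constructed; threshold and
# window are assumptions to tune for your environment.

$Threshold     = 10   # assumption: failed logons from one source within the window
$WindowMinutes = 5    # assumption: size of the window

# Constructed sample events in the shape of Security event 4625.
# LogonType 10 is an RDP logon without NLA; with NLA enforced the failed
# attempt is recorded as LogonType 3 (network), so both are considered.
$t0 = Get-Date '2020-06-04T09:00:00'
$sampleEvents = @(
    # one IP, one account, 25 attempts in 72 seconds: classic password guessing
    foreach ($i in 0..24) { [pscustomobject]@{ Time = $t0.AddSeconds(3 * $i); User = 'administrator'; Source = '203.0.113.7';  LogonType = 3 } }
    # one IP, 25 different accounts: password spraying
    foreach ($i in 0..24) { [pscustomobject]@{ Time = $t0.AddSeconds(3 * $i); User = "user$i";        Source = '198.51.100.9'; LogonType = 10 } }
    # a legitimate user mistyping twice: must not be flagged
    [pscustomobject]@{ Time = $t0.AddMinutes(1); User = 'jsmith'; Source = '10.0.5.21'; LogonType = 3 }
    [pscustomobject]@{ Time = $t0.AddMinutes(2); User = 'jsmith'; Source = '10.0.5.21'; LogonType = 3 }
)

function Find-RdpBruteForce {
    param([object[]]$Events, [int]$Threshold, [int]$WindowMinutes)
    $Events |
        Where-Object { $_.LogonType -in @(3, 10) } |
        Group-Object Source |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            $span   = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
            if ($_.Count -ge $Threshold -and $span -le $WindowMinutes) {
                [pscustomobject]@{
                    Source        = $_.Name
                    Failures      = $_.Count
                    # many distinct accounts from one source indicates spraying
                    DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
                    SpanMinutes   = [math]::Round($span, 2)
                }
            }
        }
}

# Expected: 203.0.113.7 (25 failures, 1 user) and 198.51.100.9 (25 failures,
# 25 users) are reported; 10.0.5.21 is not.
Find-RdpBruteForce -Events $sampleEvents -Threshold $Threshold -WindowMinutes $WindowMinutes | Format-Table

# To run against the live Security log instead (elevated session on the RDP host):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } |
#     ForEach-Object {
#         $d = ([xml]$_.ToXml()).Event.EventData.Data
#         [pscustomobject]@{
#             Time      = $_.TimeCreated
#             User      = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#             Source    = ($d | Where-Object Name -eq 'IpAddress').'#text'
#             LogonType = [int]($d | Where-Object Name -eq 'LogonType').'#text'
#         }
#     }
# Find-RdpBruteForce -Events $live -Threshold $Threshold -WindowMinutes $WindowMinutes
```

The DistinctUsers column is what separates plain password guessing from password spraying: the same number of failures from one address, but spread over many accounts, evades per-account lockout policies and is only visible when you group by source.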

Closing RDP Security Loopholes

The good news is that there are a number of ways to mitigate RDP security risks.

First, you should make sure that RDP access is restricted to internal IP addresses only. This alone will decrease the attack surface dramatically and make RDP servers less exposed to automated scanners.

Users who want to connect remotely should do so over a VPN. This adds another layer of encryption to the session, lowering the risk of a cryptographic attack, and it means the RDP listener itself is never reachable from the internet.

Another option is Remote Desktop Gateway, which is part of Windows Server. Remote Desktop Gateway tunnels RDP over HTTPS (TLS on port 443), so users get a secure connection without the RDP server being exposed directly to the internet.

You can also implement an RDP-compatible multi-factor authentication mechanism to augment traditional password authentication. For example, you could require Virtual Smart Cards as an additional form of authentication (supported by the RDP protocol) or add an external MFA services integration, such as Duo.

Other good practices include forcing Network Level Authentication (NLA), forcing the TLS security layer and the highest RDP session encryption level (the default level is "Client Compatible", which negotiates down to whatever the client supports), restricting which users are allowed to connect to each device, and of course keeping the RDP servers updated and patched against recent vulnerabilities.
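Putting the settings above into practice on a single Windows host, as an added example that is not part of the original article and not Hysolate's code: a PowerShell script for an elevated session on the RDP server that scopes the built-in Remote Desktop firewall rules to internal ranges, requires NLA and the TLS security layer, raises the minimum encryption level, restricts the Remote Desktop Users group, and reads the result back. The subnet ranges and the group name CORP\RDP-Allowed are assumptions.

```powershell
# Added example (not from the original article): lock down this host's RDP
# listener. Run in an elevated PowerShell session on the RDP server.
# Assumptions: the internal ranges and the group name 'CORP\RDP-Allowed' below.
#Requires -RunAsAdministrator

$InternalSubnets = @('10.0.0.0/8', '192.168.0.0/16')   # assumption: your internal ranges
$AllowedGroup    = 'CORP\RDP-Allowed'                  # assumption: group allowed to connect
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Scope the built-in "Remote Desktop" firewall rules to internal addresses.
#    -RemoteAddress replaces the rule's scope (default: Any), so make sure the
#    address you are administering from is inside it or you will lock yourself out.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $InternalSubnets -Enabled True

# 2. Require Network Level Authentication, use the TLS security layer instead of
#    legacy RDP security, and raise the minimum encryption level. These are the
#    same registry values the corresponding Group Policy settings write.
Set-ItemProperty -Path $RdpTcp -Name 'UserAuthentication' -Value 1   # 1 = NLA required
Set-ItemProperty -Path $RdpTcp -Name 'SecurityLayer'      -Value 2   # 0 = RDP, 1 = Negotiate, 2 = TLS
Set-ItemProperty -Path $RdpTcp -Name 'MinEncryptionLevel' -Value 3   # 2 = Client Compatible, 3 = High, 4 = FIPS

# 3. Restrict who may connect: only local Administrators and members of the
#    'Remote Desktop Users' group hold the Remote Desktop logon right.
$members = Get-LocalGroupMember -Group 'Remote Desktop Users'
if (-not ($members | Where-Object Name -eq $AllowedGroup)) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $AllowedGroup
}

# 4. Read the settings back so the change can be verified here and audited elsewhere.
$cfg = Get-ItemProperty -Path $RdpTcp
[pscustomobject]@{
    NLARequired        = ($cfg.UserAuthentication -eq 1)
    SecurityLayer      = $cfg.SecurityLayer
    MinEncryptionLevel = $cfg.MinEncryptionLevel
    FirewallScope      = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                          Get-NetFirewallAddressFilter).RemoteAddress | Sort-Object -Unique
    RdpUsers           = (Get-LocalGroupMember -Group 'Remote Desktop Users').Name
}
```

For a fleet, the same settings belong in Group Policy rather than a per-host script; the read-back object at the end is still useful as a compliance check, since a host reporting SecurityLayer 0 or NLARequired False is one that a network attacker can still downgrade or probe without credentials.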

The big question is, what happens when the laptop that a remote worker uses for RDP gets infected? If they’re using the same device for RDP and for everything else, including browsing the web and emailing, there’s a good chance that the laptop will eventually get infected. And an infected user device can grant a hacker access to a corporate network and open the door to malware infestations. 

OS Isolation Enhances Remote Desktop Security

Organizations that want to use remote desktop access securely are turning to endpoint OS isolation solutions like the Hysolate platform. OS isolation works by splitting a single physical device into multiple virtual operating systems. The endpoint OSs run side by side but are completely separated by a virtual air gap.

To boost security, OS isolation lets you dedicate one OS just for corporate access – nothing else. You can fully lock down this OS – with no internet access, other than through the corporate VPN. Users can use the other “open” OS for everything else. The other OS can be open to the internet and used for email and handling non-sensitive corporate information.
Advanced OS isolation platforms, such as Hysolate, make the end-user’s life easier. If the user unintentionally tries to use the “open” OS to access a corporate resource, such as an RDP server, the user will automatically be blocked and redirected to the correct “locked-down” OS.

And here’s where OS isolation really shines: Cybercriminals who breach the open OS are completely contained within it. They cannot reach the locked-down OS that is used to access corporate resources. Hence, they cannot access the corporate network itself, and cannot steal sensitive information or infect other resources and devices. 

Learn why security leaders are using Hysolate to secure remote desktop access. Request a demo to see for yourself.

About the Author

Oleg is a Software Engineer and Cyber Security veteran, with over 15 years of experience. At Hysolate, Oleg led an engineering team for several years, after which he joined as an architect to the CTO's office and has pioneered the next-gen products. Prior to Hysolate, Oleg worked at companies such as Google and Cellebrite, where he did both software engineering and security research. He began his career in the intelligence unit 8200 of the IDF and holds a B.Sc in Computer Science, Cum Laude, from the Technion.
