In an ideal world, RDP’s functionality would only be used on an internal network, safe from the dangers of the internet. For many, practicality outweighs security in this debate. What we would like to encourage is that if it is going to be used it should be used safely. First the question of ‘is it absolutely necessary?’ should be asked and if the answer is yes, ‘how can we use it safely?’
Attacks on internet-exposed RDP servers
Internet-exposed services are an easy target for attackers. We have a critical control specifically around securing internet-exposed services.
Two of the most common attack vectors against internet-exposed RDP servers are:
- attackers using credentials they have obtained, or
- attackers exploiting an unpatched vulnerability in RDP itself, such as Bluekeep.
Regardless of how an attacker gains initial access, once they have access to the server via RDP the attacker has a foothold on your network which can lead to more damaging attacks, such as stealing or encrypting your business’ data.
Do you need to access the server itself?
In some cases, the RDP server is not even needed. For example, if you’re using an RDP server to access applications remotely, you may choose to make the applications available directly over a VPN connection. Alternatively, you may choose to use modern virtual desktop products. These both serve as more secure alternatives to internet-exposed RDP.
Accessing Windows servers remotely, but more securely
If you need to access a Windows server from another network (for example staff working from home, or an IT service provider), we recommend using a VPN to create a tunnel between those networks.
For staff working from home, using a VPN to create a tunnel between their device (eg laptop) and your network will allow the staff member to access the RDP server like they were in the office. This is often referred to as a point-to-site VPN. This VPN should be configured to require multi-factor authentication (MFA) for an extra layer of security.
IT service providers may use a point-to-site VPN like the previous example, but may also consider a site-to-site VPN, such as IPsec tunnels. If you’re using a site-to-site VPN, you’ll need to enforce MFA on each application and system that is accessible over the VPN, as individual users will not need to authenticate to the VPN endpoint.
No matter which VPN technology you use, you need to ensure that it has strong authentication and you should keep a log of what happens over that link. You also need to ensure the VPN endpoint is kept up to date with patches, and has network controls. This ensures someone with access to the VPN can only access the systems that they should be able to, and no more.
If you do need to use RDP, whether exposed to the internet or internally, we have some more information about how to secure the RDP server and clients.