Your Guide to RDP Security

As workforces return in whole or in part to the office, cybersecurity remains top of mind for many IT departments. And rightfully so. Malware and cyberattacks surged during the pandemic, and the explosive growth in the number of remote users opened up new vulnerabilities and attack vectors for cybercriminals as organizations struggled to find the tricky balance between ease of access and strict security measures.

When the spotlight fell on those vulnerabilities, two common culprits emerged. One was phishing, which tends to exploit human trust and ignorance to turn an unsuspecting employee into an attack vector. The other was the Remote Desktop Protocol, or RDP, which is the technology on which so many forms of remote access rely. In mid-2020, ZDNET went so far as to say that RDP “reigns supreme” when it comes to ransomware exploits.

The identification of RDP as a potential security risk wasn’t news to a lot of people in the IT industry. During the pandemic, however, its threat as an attack vector magnified because of how widespread its use became in debilitating ransomware attacks. According to Palo Alto Networks’ Unit 42 Cloud Threat Report, 1H 2021, RDP exposures increased by 59% across all cloud providers in the short span between Q1 2020 and Q2 2020. The 2020 Incident Response and Data Breach Report from the same group found that RDP was the initial attack vector in 50% of the 1,000+ ransomware deployment cases it studied.

What is the Remote Desktop Protocol (RDP) and why does it pose security risks?

The Remote Desktop Protocol is part of a suite of technologies found on Microsoft Windows systems that are designed to allow users to remotely connect to and control a separate system. RDP works in conjunction with Remote Desktop Services (RDS) to provide a graphical representation of the host’s desktop interface on any remote client machine that supports it. It was traditionally used by IT to diagnose and fix issues on a remote user’s computer via the GUI, but these days it’s far more common to find RDP being used to provide users with virtual desktops or to perform remote management.

(As a brief aside for the sake of clarity, Microsoft’s official name for its RDP client software is Remote Desktop Connection. It was previously known as the Terminal Services Client because of its roots in Windows Server’s Terminal Services.)

RDP connections pose a security risk for three simple reasons:

  1. RDP is the de facto industry standard for providing remote desktop sessions and other services to remote users.
  2. The increase in remote work has likewise increased the use of virtual desktop and other remote access solutions that rely on remote desktop services.
  3. Because of how RDP works by default, simple RDP vulnerabilities have the potential to grant hackers access to entire networks.

Through the use of man-in-the-middle attacks or phishing campaigns that allow for unauthorized access to a remote client, a malicious actor can use that client as an attack vector to (or through) the remote desktop gateway. Virtual private networks (VPNs) exacerbate this situation because they assume legitimacy and offer network-level authentication to remote clients. Even strong passwords and IP address whitelists don’t offer sufficient protection when VPNs are at play.

Yet it’s important to note here that infected endpoints aren’t the only potential RDP vulnerability. Ransomware.org details what’s known as a reverse RDP attack, whereby the threat actor plants malware on the RDP server. Any client that connects to that infected server becomes infected itself. Entire organizations could therefore potentially find themselves on the wrong side of a system-wide lockout.

How does the server become infected in the first place? Typically through brute-force attacks that cycle through username and password combinations until one succeeds and grants the attacker RDP access. Many organizations face challenges in preventing this because they have to open their firewall to common RDP ports in order to provide seamless access to authorized remote users.
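Brute-force attempts against an exposed RDP listener leave a trail of failed logons in the Windows Security log, which is where defenders usually catch them. As an added example (not from the original post or from Cameyo), the following Python runs simple detection logic over a constructed set of simplified 4625/4624 events: it flags any source that exceeds a failure threshold inside a sliding window and records whether a successful logon from that source followed the burst. The whitespace-separated line format is an assumption made for the example; real events arrive as EVTX/XML with the same fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not a real log): one simplified Windows Security event per
# line as "<timestamp> <EventID> <LogonType> <SourceIP> <TargetUser>".
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2021-03-04T09:00:01 4625 10 203.0.113.7 administrator
2021-03-04T09:00:02 4625 10 203.0.113.7 admin
2021-03-04T09:00:04 4625 10 203.0.113.7 backup
2021-03-04T09:00:05 4625 10 203.0.113.7 helpdesk
2021-03-04T09:00:07 4625 10 203.0.113.7 jsmith
2021-03-04T09:00:09 4624 10 203.0.113.7 jsmith
2021-03-04T09:01:00 4625 10 198.51.100.20 jdoe
2021-03-04T09:03:30 4624 10 198.51.100.20 jdoe
2021-03-04T09:05:00 4625 3 192.0.2.9 svc_share
"""

def parse_events(text):
    """Parse the simplified lines into (timestamp, event_id, logon_type, src_ip, user)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event_id, logon_type, src_ip, user = line.split()
            events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), src_ip, user))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside a sliding window, and
    record the account if a successful logon from that source follows the burst."""
    recent_failures = defaultdict(deque)  # src_ip -> timestamps of recent 4625 events
    alerts = {}
    for ts, event_id, logon_type, src_ip, user in sorted(events):
        if logon_type != 10:              # only RemoteInteractive (RDP) logons matter here
            continue
        q = recent_failures[src_ip]
        while q and ts - q[0] > window:   # forget failures that fell out of the window
            q.popleft()
        if event_id == 4625:
            q.append(ts)
            if len(q) >= threshold:
                a = alerts.setdefault(src_ip, {"failed_logons": 0, "success_after_burst": None})
                a["failed_logons"] = max(a["failed_logons"], len(q))
        elif event_id == 4624 and src_ip in alerts:
            # a success right after a burst is the signal worth paging on: likely a guessed password
            alerts[src_ip]["success_after_burst"] = user
    return alerts

if __name__ == "__main__":
    print(detect_rdp_bruteforce(parse_events(SAMPLE_LOG)))
```

The single legitimate user who mistypes once (198.51.100.20) and the non-RDP share logon (logon type 3) produce no alert, while the source that guesses five accounts and then gets in is reported with the account it landed on.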

Older, unpatched versions of RDP also have innate security vulnerabilities such as BlueKeep (CVE-2019-0708), a “wormable” flaw that malware can use to infect a server and then spread on its own to other reachable, unpatched machines.

Does that mean RDP security is a lost cause?

With so many actual and potential RDP vulnerabilities, it might seem like secure remote access is an impossible task. And if that’s true, it presents IT departments with a terrible choice: Either forbid hybrid and remote work altogether or allow hybrid/remote work and accept malware and other security concerns as a necessary consequence.

Fortunately, that isn’t the case.

Zero Trust Network Architecture (ZTNA) is a best practice that approaches network security from a different angle — and in doing so aims to provide better balance to the “trust versus threat” dilemma. Instead of assuming that authentication should equate to full network access, Zero Trust treats every device as a possible security risk. It operates on a model of least privilege, so both remote users and those at in-network workstations are only granted permissions to access the apps and data they need and nothing more. You can think of ZTNA as compartmentalizing and containing users rather than just opening a single door to the organization’s entire network.

Any Zero Trust model will both require and strengthen a secure remote desktop policy. To put that another way, organizations can leverage ZTNA to empower their hybrid/remote workforce even as they mitigate the security risks associated with remote-enablement technologies like RDP. But much of that depends on sourcing and implementing the solutions that also prioritize that balance.

Cameyo is a building block of a Zero Trust Network Architecture

For organizations that are as serious about Zero Trust as they are about hybrid and remote work, Cameyo’s Virtual App Delivery (VAD) offers a way to mitigate RDP vulnerabilities while simultaneously giving their workforce secure access to their critical apps.

Cameyo is able to do this in part because it’s OS-independent. It doesn’t require a special client; all apps are delivered to the user via a dedicated encrypted HTTPS (TLS/SSL) HTML5 browser session. This means that clients running operating systems like Windows, ChromeOS, iOS, Android, and Linux can all work with software that retains its full desktop functionality, yet the software is never running on the remote device itself. This likewise means that all user interaction with the app is abstracted from the host machine — so the attack vector is obfuscated for malware payloads.

And while Cameyo does use industry-standard RDP for secure remote access, it makes use of several custom technologies like Secure Cloud Tunneling, NoVPN and Port Shield to safeguard networks against brute force attacks, ransomware and other cyberattacks. As a result, Cameyo provides IT with the ability to deliver all of their apps to users on any device without having to expose firewall and server ports to the open Internet or the need for VPNs. These technologies complement an entire platform designed around the Zero Trust philosophy:

  • Single Architecture – Cameyo does not rely on acquired/bolt-on technologies or third-party products that significantly increase the attack surface available to hackers.
  • Cameyo Secure Cloud Tunneling – a proxy server is set up between the end user device and the Cameyo server, eliminating the need to open firewall ports to direct inbound traffic. It also eliminates the need for VPNs because the end user device is completely isolated from the corporate network. Both are major attack vectors for hackers. Our Secure Cloud Tunneling KB article includes additional info and a diagram.
  • Cameyo Port Shield – closes HTTP, HTTPS, and RDP ports at the Windows firewall and dynamically opens them to authorized users only when they need access. Server ports are another favorite for hackers. Additional info on Cameyo Port Shield can be found here.
  • Least Privilege Principle – users do not have admin privileges. In the unlikely event a hacker gains access to a Cameyo user session, they are locked into the session and unable to move to other areas of the corporate network.
  • Non-persistent Servers – when a user closes a Cameyo session, their data and entire user profile are deleted. Our patented Temporary User Profile technology stores the updated user profile separately and seamlessly syncs it upon session relaunch (see below for additional information on Temp User Profiles).
  • HTTPS security and encryption – all Cameyo servers are automatically created with HTTPS to ensure all data/sessions are encrypted.

Through this combination of secure RDP technologies and ZTNA, Cameyo provides your hybrid/remote work users with seamless, secure access to all their apps from any device while simultaneously solving RDP security issues and reducing your overall attack surface.

If you thought Zero Trust and remote work were mutually exclusive, we offer a free trial so you can see Cameyo unite the two in your own environment. Sign up for your own free trial and start delivering apps securely to your remote users today. We also offer you the option to schedule a demo should you have questions about the basics of Virtual App Delivery and how Cameyo fits into a holistic Zero Trust security approach.