When the spotlight fell on those vulnerabilities, two common culprits emerged. One was phishing, which tends to exploit human trust and ignorance to turn an unsuspecting employee into an attack vector. The other was the Remote Desktop Protocol, or RDP, which is the technology on which so many forms of remote access rely. In mid-2020, ZDNET went so far as to say that RDP “reigns supreme” when it comes to ransomware exploits.

The identification of RDP as a potential security risk wasn’t news to a lot of people in the IT industry. During the pandemic, however, its threat as an attack vector magnified because of how widespread its use became in debilitating ransomware attacks. According to Palo Alto Networks’ Unit 42 Cloud Threat Report, 1H 2021, RDP exposures increased by 59% across all cloud providers in the short span between Q1 2020 and to Q2 2020. The 2020 Incident Response and Data Breach Report from the same group found that RDP was the initial attack vector in 50% of the 1,000+ ransomware deployment cases it studied.

What is the Remote Desktop Protocol (RDP) and why does it pose security risks?

The Remote Desktop Protocol is a part of a suite of technologies found on Microsoft Windows systems that are designed to allow users to remotely connect to and control a separate system. RDP works in conjunction with Remote Desktop Services (RDS) to provide a graphical representation of the host’s desktop interface on any remote client machine that supports it. This was traditionally used for IT to diagnose and fix issues on a remote user’s computer via the GUI, but these days it’s far more common to find RDP being used to provide users with virtual desktops or perform remote management.

(As a brief aside for the sake of clarity, Microsoft’s official name for their RDP client software is the Remote Desktop Connection. This was previously known as the Terminal Services Client because of its roots in Windows Server’s Terminal Services.)

RDP connections pose a security risk for three simple reasons:

1. RDP is the de facto industry standard for providing remote desktop sessions and other services to remote users.
2. The increase in remote work has likewise increased the use of virtual desktop and other remote access solutions that rely on remote desktop services.
3. Because of how RDP works by default, simple RDP vulnerabilities have the potential to grant hackers access to entire networks.

Through the use of man-in-the-middle attacks or phishing campaigns that allow for unauthorized access to a remote client, a malicious actor can use that client as an attack vector to (or through) the remote desktop gateway. Virtual private networks (VPNs) exacerbate this situation because they assume legitimacy and offer network-level authentication to remote clients. Even strong passwords and IP address whitelists don’t offer sufficient protection when VPNs are at play.

Yet it’s important to note here that infected endpoints aren’t the only potential RDP vulnerability. Ransomware.org details what’s known as a reverse RDP attack, whereby the threat actor plants malware on the RDP server. Any client that connects to that infected server becomes infected itself. Entire organizations could therefore potentially find themselves on the wrong side of a system-wide lockout.

How does the server become infected in the first place? This is done through brute force attacks that run through authentication permutations until they hit the right combo that gives the hacker RDP access. Many organizations face challenges in preventing this because they have to open their firewall to common RDP ports in order to provide seamless access to authorized remote users.

Older, unpatched versions of RDP also have innate security vulnerabilities that make them susceptible to malware like BlueKeep (CVE-2019-0708), which is a “worm” that can infect a server and spread to connected devices.

Does that mean RDP security is a lost cause?

With so many actual and potential RDP vulnerabilities, it might seem like secure remote access is an impossible task. And if that’s true, it presents IT departments with a terrible choice: Either forbid hybrid and remote work altogether or allow hybrid/remote work and accept malware and other security concerns as a necessary consequence.

Fortunately, that isn’t the case.

Zero Trust Network Architecture (ZTNA) is a best practice that approaches network security from a different angle — and in doing so aims to provide better balance to the “trust versus threat” dilemma. Instead of assuming that authentication should equate to full network access, Zero Trust treats every device as a possible security risk. It operates on a model of least privilege, so both remote users and those at in-network workstations are only granted permissions to access the apps and data they need and nothing more. You can think of ZTNA as compartmentalizing and containing users rather than just opening a single door to the organization’s entire network.

Any Zero Trust model will both require and strengthen a secure remote desktop policy. To put that another way, organizations can leverage ZTNA to empower their hybrid/remote workforce even as they mitigate the security risks associated with remote-enablement technologies like RDP. But much of that depends on sourcing and implementing the solutions that also prioritize that balance.

Cameyo is a building block of a Zero Trust Network Architecture

For organizations that are as serious about Zero Trust as they are about hybrid and remote work, Cameyo’s Virtual App Delivery (VAD) offers a way to secure RDP vulnerabilities while simultaneously giving their workforce secure access to their critical apps.

Cameyo is able to do this in part because it’s OS-independent. It doesn’t require a special client; all apps are delivered to the user via a dedicated encrypted HTTPS (TLS/SSL) HTML5 browser session. This means that clients running operating systems like Windows, ChromeOS, iOS, Android, and Linux can all work with software that retains its full desktop functionality, yet the software is never running on the remote device itself. This likewise means that all user interaction with the app is abstracted from the host machine — so the attack vector is obfuscated for malware payloads.

And while Cameyo does use industry-standard RDP for secure remote access, it makes use of several custom technologies like Secure Cloud Tunneling, NoVPN and Port Shield to safeguard networks against brute force attacks, ransomware and other cyberattacks. As a result, Cameyo provides IT with the ability to deliver all of their apps to users on any device without having to expose firewall and server ports to the open Internet or the need for VPNs. These technologies complement an entire platform designed around the Zero Trust philosophy:

• Single Architecture – Cameyo does not rely on acquired/bolt-on technologies or third party products that significantly increase the surface of attack for hackers.
• Cameyo Secure Cloud Tunneling – a proxy server is set up between the end user device and the Cameyo server, eliminating the need to open firewall ports to direct inbound traffic. It also eliminates the need for VPNs because the end user device is completely isolated from the corporate network. Both are a major attack vector for hackers. Our Secure Cloud Tunneling KB article includes additional info and a diagram.
• Cameyo Port Shield – closes HTTP, HTTPS, and RDP ports at the Windows firewall and dynamically opens them to authorized users only when they need access. Server ports are another favorite for hackers. Additional info on Cameyo Port Shield can be found here.
• Least Privilege Principle – users do not have admin privileges. In the unlikely event a hacker gains access to a Cameyo user session, they are locked into the session and unable to move to other areas of the corporate network.
• Non-persistent Servers – when a user closes a Cameyo session, their data and entire user profile is deleted. Our patented Temporary User Profile technology stores the updated user profile separately and seamlessly syncs the user profile upon session relaunch (see below for additional information on Temp User Profiles).
• HTTPS security and encryption – all Cameyo servers are automatically created with HTTPS to ensure all data/sessions are encrypted.

Through this combination of secure RDP technologies and ZTNA, Cameyo provides your hybrid/remote work users with seamless, secure access to all their apps from any device while simultaneously solving RDP security issues and reducing your overall attack surface.

If you thought Zero Trust and remote work were mutually exclusive, we offer a free trial so you can see Cameyo unite the two in your own environment. Sign up for your own free trial and start delivering apps securely to your remote users today. We also offer you the option to schedule a demo should you have questions about the basics of Virtual App Delivery and how Cameyo fits into a holistic Zero Trust security approach.

The post Your Guide to RDP Security appeared first on Cameyo.

RDP was developed by Microsoft as a proprietary technology and has been built into every version of Windows since Windows XP in 2001. And, yes, that does include more recent versions of the operating system like Windows 10 and 11. As its name indicates, the Remote Desktop Protocol was intended to make remote desktops more user friendly by facilitating communication between Microsoft’s Terminal Server and the Terminal Server Client.

Part of that ease of use derived from the standardization that RDP provides. Windows servers and clients know that RDP port number 3389 is the default listening port for computers to establish a remote desktop connection, so they keep this port open automatically. That way, users are less likely to encounter the kinds of connection errors or Windows Firewall issues that will send them to IT in search of help.

Unfortunately, the use of 3389 as a standard port didn’t escape the attention of malicious actors. They quickly realized that they could exploit RDP’s open port as a way to deliver a ransomware payload or a DDOS attack. A popular method is simple brute force attacks: Hackers will try a relentless series of authentications in the hope of gaining illicit access to the remote desktop server on that port.

This has turned the default RDP port into a major liability. Cybercrime experts currently estimate that RDP is the initial attack vector for half of all ransomware attacks. Naturally, the number of ransomware attacks rose during the pandemic, when the world shifted quickly to providing remote desktop access to users who were now working outside of the office.

But with a 2021 PWC survey revealing that 83% of companies anticipate continuing remote or hybrid work going forward, remote desktop services and the software that leverages them will remain in demand. Consequently, RDP will remain a point of vulnerability for IT and organizations as a whole.

The not-so-quick (or effective) fix: Manually configure your RDP port

There’s a widespread assumption that simply changing the default port for RDP to something other than 3389 will thwart hackers. And if you have no other options, it’s true that assigning a new RDP port is a better defensive maneuver than not changing it at all.

Here’s a quick tutorial on how to do it:

1. Double-click on the Windows Start button. Type regedit and then press Enter. This will launch the Registry Editor. In newer versions of Windows, you can do this directly from the Windows Search feature.
2. In the Registry Editor, look for HKEY_LOCAL_MACHINE in the sidebar. Extend the drop-down list and navigate to HKEY_LOCAL_MACHINE\SYSTEM. Keep extending the drop-downs next to CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp.
3. Click on RDP-Tcp. That will open up a list of items in the main window.
4. Locate the dword file named “PortNumber”. Right-click on the PortNumber dword file and select “Modify…”
5. This results in a dialog with three fields: Value name, Value data and Base. Change the base to Decimal. In the Value data field, enter a new port number between 1025 and 65535. Make sure that the new remote desktop port number you choose is not already in use by another application or service.
6. Click OK, then reboot the computer.

This general procedure should change the default RDP port on your Windows machine. But bear in mind that the Windows Registry contains sensitive, system-level data that is not supposed to be altered in most circumstances. Any changes you make could cause instability.

Another important thing to remember is that this only changes the local ports on the current machine. If you have multiple clients using Windows Remote Desktop or other RDP-based software, you will need to make the exact same changes to the default RDP port on those machines as well.

On top of this, you’ll also need to update your Windows firewall rules. This is done by creating a new rule or set of inbound rules that account for the new RDP port. If you’re using Windows Server to provide remote desktop services, these changes to the Windows Registry and Windows Firewall will likely need to be replicated there too. Double check with your software solution provider to determine whether it’s okay to do this without breaking functionality.

The next time the user connects to these RDP-based services using a Remote Desktop client, they will have to manually update the local port. They can do this by adding a colon and the new RDP port number after the machine’s hostname or IP address (e.g., “hostname:1234”) in the connection field.

However, just changing the RDP port number doesn’t mean that the security problem is solved. It isn’t hard for someone with basic technical knowledge to determine the new port number, especially if they gain access to a remote computer.

This method is also insufficient if your organization practices or plans to implement a zero trust policy. Zero trust assumes that every device is potentially compromised, so any open port—even if it’s not the default—is treated like an attack vector. In a zero trust environment, the only acceptable course of action is to lock down vulnerabilities, restrict user access to essential functionality and minimize all exposure of the internal network to remote entities.

Practice zero trust with Cameyo cloud desktops 

Cameyo’s Virtual App Delivery (VAD) platform enables organizations to maintain strict zero trust IT policies while providing their work-from-home (WFH) and hybrid users with effortless cloud desktop access. We’re able to achieve this mix of uncompromising security and incredible ease of use thanks to a suite of innovative technologies and practices. These include:

• Non-persistent servers: Every time the user logs out, all of their user data is fully wiped from the Cameyo server.
• Cameyo NoVPN: As a rule, virtual private networks (VPNs) grant users access to the corporate network. Cameyo keeps clients off the corporate network, yet it’s also far easier for users to connect than with a VPN.
• Secure Cloud Tunneling: With Cameyo, IT can deliver applications to remote & hybrid users outside of the VPN and without opening any ports in their firewall. It’s the best of both worlds: flexibility and security.
• User segmentation: Cameyo’s virtual app delivery (VAD) isolates sessions and ensures constant separation of resources, so users and their devices never come into contact with networks or data beyond that.
• No lateral movement: In the event that a user’s device is infected with malware, by design Cameyo prevents that malware from ever reaching your internal network and data. Nor can it reach the Cameyo system.
• Least privilege: Cameyo delivers all apps via a secure HTML5 browser and encrypts all traffic with HTTPS. Cameyo also leverages Windows Terminal Services and temporary user profiles, so admin privileges, settings and files remain off-limits
• Identity and access control: Cameyo integrates with your single sign-on (SSO) provider of choice. Any multi-factor authentication (MFA) you have set up with your SSO carries over to Cameyo.
• Port Shield: Rather than leaving the RDP port open, Cameyo opens and closes both the HTTP and the RDP ports dynamically in response to authenticated user activity and whitelisted IP addresses.

This is how Cameyo delivers an ultra-secure, user-friendly cloud desktop even as it eliminates the need to tinker with Windows Registry settings and firewall rules.

Better still, Cameyo’s VAD solution is Windows-independent. What this means is that Cameyo doesn’t force users to interact with an entire Windows-based desktop environment or use a Windows-based client to stay productive. They can selectively access the apps they want, and they can do so on any device, regardless of its operating system. That stands in stark contrast to Windows Remote Desktop and other legacy remote desktop access solutions, which are often built around providing a full Windows desktop experience.

If zero-trust security coupled with industry-leading ease of use for your remote workforce sounds like an ideal combo, simply sign up for your free trial of Cameyo’s VAD platform to experience it for yourself. And if you’ve got technical questions about how Cameyo is able to provide greater flexibility while hardening security, all you have to do is request a demo. Our engineers will gladly talk you through the features and practices described above in more detail.

The post How to Secure Your Remote Desktop Ports appeared first on Cameyo.

The basics of the Remote Desktop Protocol (RDP)

A possible fix: Changing the RDP port in Windows

Lock down your RDP ports with Cameyo

Given the exponential rise in ransomware attacks in recent years, organizations are taking security more seriously than ever. At the top of their to-do list is mitigating some of the inherent risk in the Remote Desktop Protocol (RDP). Since 2018, RDP has been the primary vector in half of all ransomware attacks, according to the cybersecurity research firm Palo Alto Networks.

The basics of the Remote Desktop Protocol (RDP)

Before we dive into a potential fix for Remote Desktop Protocol vulnerabilities, it’s important to understand what it is and why it’s used. Otherwise you could risk breaking essential functionality.

RDP is the set of network rules used for communication between Microsoft’s Terminal Server and the Terminal Server Client, which is a widely used means of providing remote desktop functionality to end users.

Whenever you have Remote Desktop Services enabled on any Windows server, it has RDP port number 3389 open by default. That standardization is helpful from a networking perspective, but it also makes that port number very attractive to malicious actors. They know there’s a good chance that 3389 is going to be perpetually open as a listening port, especially among enterprise or distributed organizations, and they’ll try to use it as a way to deliver a ransomware payload or DDOS attack.

So, to eliminate the problem, should you just disable RDP? Well, not exactly. The Remote Desktop Protocol is used by any number of applications that tap into Windows Server, and disabling it would mean losing essential services. It would make about as much sense as removing the engine of your car to make it less attractive to thieves.

A possible fix: Changing the RDP port in Windows

One way to thwart some of the less ambitious hackers and bots is to change the default RDP port number to something other than 3389. This is a good idea for both Windows clients and Windows Server, given that both use the same listening port for Remote Desktop Connection traffic.

Please note that this involves making fundamental system tweaks in the Windows Registry Editor. As a result, it could have knock-on effects for your device- and network-level firewall settings, which means that features related to remote desktop could break. Before starting, be absolutely sure you have a Windows registry backup and enough technical skill to reverse the steps below if that happens.

Bearing that caveat in mind, here are the basic steps to take to change RDP port on a Windows machine.

1. Double-click on the Windows Start button. Type in “regedit” (don’t worry if there’s not a dedicated text entry field) and then press Enter. This will launch the Registry Editor.
2. In the Registry Editor, look for HKEY_LOCAL_MACHINE in the navigation sidebar. Navigate to HKEY_LOCAL_MACHINE\SYSTEM by extending the drop-down list. From there, keep extending the drop-downs next to CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp.
3. Click on RDP-Tcp. That will open up a list of items in the main window.
4. Find the dword file named “PortNumber”. Right-click on the PortNumber dword file and select “Modify…”
5. You’ll see a dialog with three fields: Value name, Value data and Base. Change the base to Decimal. In the Value data field, enter a new port number between 1025 and 65535. Make sure that the new remote desktop port number you choose is not already in use by another application or service.
6. Click OK, then reboot the computer.

All being well, you will have now successfully changed the default RDP port on your Windows machine. An important thing to remember is that, with Windows Server, you’ll need to update your Windows firewall rules and also mimic this change across any clients that are still using the default RDP port. If you’ve only made the change on a Windows client machine, you’ll have to manually update the Remote Desktop client the next time you connect. This is done by adding a colon and the new RDP port number after the machine’s hostname or IP address (e.g., “hostname:1234”).

Lock down your RDP port with Cameyo

Rather than trying to dodge RDP security risks with Registry Editor workarounds, why not choose a digital workspace solution that enhances security while facilitating hybrid and remote work?

Cameyo’s virtual app delivery platform is built around a hardened Zero Trust security model, now considered a best practice among enterprise IT departments and cybersecurity experts alike. To that end, Cameyo makes use of multiple innovative technologies that mitigate risk and avoid common attack vectors like RDP port vulnerabilities. Some of these core technologies include:

• Secure Cloud Tunneling: Enables secure, user-friendly virtual app delivery independent of a VPN (which carries its own risks) and without needing to open any ports in the Windows firewall. You can read a detailed explanation of Cameyo’s Secure Cloud Tunneling here.
• Port Shield: Provides built-in security that dynamically opens or closes HTTP(S) and RDP ports in response to authenticated users. Even though the RDP listening port remains active, it’s inaccessible to non-authorized traffic—no Windows Registry Editor hacks needed. More info on Cameyo’s Port Shield is available here.
• NoVPN: Ensures that all data traffic is encrypted and that apps are delivered from a secure HTML5 browser via an HTTPS session. This effectively separates the client device from the corporate network. This Cameyo help center article has more details on NoVPN and how it works.

Technologies like these—not to mention additional ones like non-persistent servers and single sign-on (SSO) support—are what set Cameyo apart from other app virtualization solutions and remote work strategies. In a survey conducted by the research firm TechValidate, 98% of respondents reported that Cameyo’s security beats the competition (TVID: 8A7-240-702) while also being  simpler to deploy and manage (TVID: FD6-B62-2F3).

Take advantage of your free trial of Cameyo today and start experiencing the benefits of virtual app delivery. Not only will it free you from having to wrestle with RDP port vulnerabilities, it will also give your remote workforce seamless, anywhere access to business-critical Windows apps, even legacy software (regardless of OS like Windows 7, Windows 10, etc.). You can also schedule a demo to have one of our engineers give you a guided tour of Cameyo and its features.

The post Should You Change Your RDP Port? Here’s Why and How to Do It appeared first on Cameyo.

The post Mitigating RDP and VPN Vulnerabilities to Reduce Ransomware Attacks appeared first on Cameyo.

Microsoft Remote Desktop Services is an established Microsoft technology that has existed since the late 1990s, back when it was known as Terminal Services (terminal server). RDS is a thin-client architecture, which, in a nutshell, means that the end user’s computer functions as an input device and the actual computing session is hosted by a remote desktop license server to which that computer is connected. At the risk of oversimplification, you can think of it like a monitor and keyboard attached to a PC located miles and miles away.

The great thing about RDS is that all the heavy lifting is done by the Microsoft Windows server. Because the remote client is more or less an interactive window onto that server-hosted computing session, it doesn’t have to be an expensive, cutting-edge powerhouse. Lower-spec’d machines can save IT departments a lot of money on procurement. Plus, they minimize some of the financial toll of user-caused damage.

Remote Desktop Services also gives organizations more curation and control over the computing session itself, as nothing is stored on the user’s computer. That allows for more consistency and ease of configuration. And, finally, RDS can deliver a Windows desktop environment to any machine that supports the Remote Desktop Protocol (RDP) regardless of operating system, including iOS, Chromebook, and Android devices. In this day and age, when device agnosticism is more important than ever, that can be a huge advantage.

What are RDS CALs?

To provide your people with access to  Microsoft products via RDS, you’ll first need to purchase client access licenses (CALs)/device cals through a Microsoft license program. The Remote Desktop Session Host (RDSH) server hosts the resources—such as Windows apps or files—and then clients connect to the RDSH to access the resources.

It’s important to note that the RDSH that hosts the resources must have a Windows Server 2016 (or above) CAL that matches the OS version, and remote clients that access the server must have a User CAL. Newer RDS Client Access Licenses are capable of working with older RDSH servers, but older RDS CALs cannot work with new RDSH servers – which means you’d need a new license agreement.

To install and keep track of all your concurrent RDS CAL licenses in your RDS environment requires a RD Licensing Server, which is a component of the RD Session Host Server. When users connect to an RDSH server, the server checks to see if each user has an active User CAL by contacting the RD licensing server. If the RDS CAL is available, the RDSH server accepts the connection from the user and starts a session.

When it comes to determining the right number of licenses, it’s worth noting that you need a Windows Server CAL and an RDS CAL for each user or device.

What are the downsides to Remote Desktop Services?

Organizations typically encounter two important hurdles when it comes to Remote Desktop Services 

• Security: As RDS relies on RDP, that protocol has to be exposed to the Internet (via ports 3389, 3387 and 3392) whenever remote users need access—which is 24-7 in most cases. This leaves servers with RDP enabled vulnerable to brute-force attacks. Malicious actors will make repeated RDS login attempts using passwords that are weak or based on known dictionary values.
• Complexity: Remote Desktop Services require infrastructure and administration. That involves tasks like setting up RD gateway servers, creating special RD roles, fine-tuning the deployment types and properties, and then configuring the provisioning for each user who needs to be supported with RDS. And, of course, all of these will need to be monitored and updated on an ongoing basis.

Faced with these considerations, many organizations pause and ask themselves if every remote user really needs a complete desktop environment as part of their digital workspace.

That’s where application virtualization comes in. Virtual apps offer a more streamlined supplement or alternative to the traditional RDS implementation, enabling organizations to provide their remote users with Windows applications that don’t necessarily require a Windows desktop too.

Cameyo simplifies and secures remote productivity

Cameyo is ideal for organizations that want to strike this balance and provide their off-network workforce with a more tailored digital workspace experience, with some users supported by remote desktop applications while others are able to access full Remote Desktop Services. This is because our Virtual App Delivery (VAD) platform is built on the robust, proven functionality of RDS, yet it eliminates the sticking points of security and complexity in two important ways.

To begin with, Cameyo’s Virtual App Delivery includes our proprietary Port Shield technology. Instead of keeping a known list of RDP-specific ports open all the time, Cameyo Port Shield opens and closes them dynamically to establish SSL-encrypted connections between clients and the server. It performs this whitelisting and blocking of RDP traffic at the Windows firewall level and in real time based on authenticated users. This minimizes the attack surface without resorting to VPNs or asking users or admins to jump through additional hoops.

Similarly, Cameyo’s ease of use makes provisioning and productivity much more straightforward. On the backend, admins can quickly restrict or allow access to individual Windows applications on a per-group or per-user basis. And users don’t need to fire up an entire RDS session to use that remote desktop application. With Cameyo, they can simply click on a link that enables them to start working with their standard Windows application in a browser window—no matter where they are or what device they’re on. 

Right-sizing your digital workspace

At one time, Remote Desktop Services was the go-to method to get Windows applications in the hands of off-network users. The advent and maturity of application virtualization has changed that. Cameyo makes it possible for organizations to equip their remote users with the apps they need—including legacy Windows software—without also having to provision a full Remote Desktop Services session and all that entails. 

Best of all, it doesn’t take weeks to see if Cameyo’s Virtual App Delivery platform will round out your RDS implementation and help you create secure, user-optimized digital workspaces. Sign up for your free trial of Cameyo today and you can be publishing Windows applications to your remote workers within a matter of minutes.

The post What are RDS CALs, and Do You Need Them? appeared first on Cameyo.