Internet facing RDP is like an open door

[RDP] Open remote desktop services are an open door

RDP might as well stand for Remove Doorbell Protocol when you leave this service exposed to the internet. Open RDP has been the leading cause of successful ransomware attacks. Anyone scanning the internet can find your open RDP port, and start guessing access credentials from anywhere. It is still the most successful way into a network today!

BLUF: A VPN and MFA are imperative to prevent anyone from breaking and entering your network. There is a LOT you can do to secure remote access! Don't wait until it's too late. Here's our quick take on RDP weaknesses, and how you can fix them today.

  • Restrict RDP access behind a VPN
  • Blacklist IP addresses at the firewall
  • Enable MFA for every RDP account especially third-party contractors

Use caution with third-party RDP accounts

Did you know that sharing your RDP credentials with a third party is like giving a complete stranger the keys to the front door of your house? No doorbell needed. Without detailed logging of every RDP access attempt, successful or not, you are leaving the main entryway unattended and unprotected.

RDP is the leading cause of remote access abuse.

This shocking fact can be seen as early as the infamous Target breach back in 2013, where 40 million credit and debit card records and 70 million customer records were lost to cyber criminals. Fast forward to today and read our analysis of recent breaches at supply chain manufacturers in Japan. Without proper credential management, you might be leaving copies of your keys out for anyone to use.


Logging

Proper log settings can help you detect suspicious RDP activity. Logs are also crucial to establishing accountability and investigating an incident. These live in a number of places, most commonly:

"Applications and Services Logs -> Windows -> TerminalServices-*"
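As an added example that is not part of the original article, here is the kind of detection logic a defender can run over RDP logon records exported from the Windows Security log (Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP). It flags a burst of failed RDP logons from one source, a success that follows such a burst, and any RDP logon whose source is outside the VPN client range. The sample records, the VPN range 10.8.0.0/24 and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (not real telemetry), shaped like fields exported from
# the Security log: (timestamp, event_id, logon_type, account, source_ip).
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:00", 4624, 10, "jsmith", "10.8.0.12"),          # normal logon via VPN
    ("2024-05-01T02:10:01", 4625, 10, "administrator", "203.0.113.45"),
    ("2024-05-01T02:10:03", 4625, 10, "admin", "203.0.113.45"),
    ("2024-05-01T02:10:05", 4625, 10, "administrator", "203.0.113.45"),
    ("2024-05-01T02:10:07", 4625, 10, "vendor", "203.0.113.45"),
    ("2024-05-01T02:10:09", 4625, 10, "vendor-svc", "203.0.113.45"),
    ("2024-05-01T02:10:11", 4625, 10, "vendor-svc", "203.0.113.45"),
    ("2024-05-01T02:12:30", 4624, 10, "vendor-svc", "203.0.113.45"),   # success after guessing
    ("2024-05-01T02:30:00", 4625, 10, "jsmith", "198.51.100.7"),       # a single typo, no alert
    ("2024-05-01T03:00:00", 4624, 3, "svc-backup", "203.0.113.9"),     # network logon, not RDP
]

VPN_NETWORKS = [ip_network("10.8.0.0/24")]   # assumed VPN client address pool
FAIL_THRESHOLD = 5                           # failures per source before alerting
WINDOW = timedelta(minutes=10)               # sliding window for counting failures


def find_rdp_anomalies(events, vpn_networks=VPN_NETWORKS,
                       fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return findings as (kind, source_ip, account, timestamp) tuples, in time order."""
    findings = []
    failures = defaultdict(list)  # source_ip -> timestamps of recent 4625 events
    for ts_str, event_id, logon_type, account, src in sorted(events):
        if logon_type != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        ts = datetime.fromisoformat(ts_str)
        # Keep only failures from this source that fall inside the window.
        failures[src] = [t for t in failures[src] if ts - t <= window]
        if event_id == 4625:
            failures[src].append(ts)
            if len(failures[src]) == fail_threshold:  # alert once when the burst starts
                findings.append(("password_guessing", src, account, ts_str))
        elif event_id == 4624:
            if not any(ip_address(src) in net for net in vpn_networks):
                findings.append(("rdp_logon_outside_vpn", src, account, ts_str))
            if len(failures[src]) >= fail_threshold:
                findings.append(("success_after_guessing", src, account, ts_str))
    return findings


if __name__ == "__main__":
    for finding in find_rdp_anomalies(SAMPLE_EVENTS):
        print(finding)
```

A logon outside the VPN range is a finding on its own because, per the checklist below, RDP should only be reachable through the VPN; the same logic works on the TerminalServices operational logs once their fields are mapped to the same tuple.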


Auditing

Manufacturers often require remote access for a number of third parties who need to access, integrate, or update systems remotely. Leaving this access unprotected can cost several million dollars in fines, data breach costs, remediation, and IT rebuilding.

Ensure you audit third-party access on a regular basis and only provision the minimum access level required to conduct the remote business. Deprovision accounts as soon as the contract or period of service is over. Also, make sure the same strong authentication you require of your own company applies to your third-party providers.

Checklist to harden your RDP Settings

  • Restrict RDP access behind a VPN
  • Blacklist IP addresses at the firewall
  • Enable MFA for every RDP account especially third-party contractors
  • Log every activity involving remote access using RDP across servers and endpoints
  • Limit third-party remote access to time-sensitive or as-needed credentials, not permanent accounts
  • Rotate usernames and passwords