What Protocol Would You Use for Remote Access, to Get a Console With an Encrypted Connection?
What is RDP?
RDP (remote desktop protocol) is a technology that provides a complete desktop experience for a remote user, including remote sound, clipboard, printers, and file transfers, with high-resolution graphics (which can be scaled down based on bandwidth).
In 1998, Microsoft introduced Windows Terminal Server as an add-on to the Windows NT Server 4.0 operating system. This add-on capability enabled remote desktop access over a network using TCP/IP. Every Windows OS release to follow has also included this capability, which became mainstream with the release of Windows XP (circa October 2001). Since the release of XP, RDP has been the de facto standard for remote session access for Windows desktop and server operating systems.
At 20 years old, RDP has seen multiple versions, with new capabilities added to mature it as a reliable remote access protocol. Over this time, RDP has also had its share of security issues.
However, with the emergence of a "new normal" that entails more remote working, increased reliance on cloud computing, and ever more distributed environments, RDP is now commonly being stretched to use cases far beyond what it was intended for. Numerous threat and breach research reports over the last 18+ months have indicated that this misuse of RDP is helping fuel the success and onslaught of ransomware and other cyberattacks.
Read on for an overview of RDP, including how it works, common use cases, RDP security risks, best practices for securing RDP, and alternatives to RDP to protect your organization.
How RDP Works
Remote desktop protocol uses a single TCP/IP port to initiate a connection (default 3389) and is a derivative of the T.128 application sharing protocol. Without going into the technicalities of how each packet and frame is constructed, the important takeaway is that all traffic is mostly point-to-point, encrypted, and contains all the data needed to efficiently transmit and process an entire user experience remotely, with various mechanisms for fault tolerance, authentication, and even multiple-monitor support. This is all done without the need for HDMI, USB, and other types of cables. In fact, it works just fine over WiFi, and even cellular, as long as TCP/IP is available.
The diagram above helps illustrate typical scenarios for connectivity. A client can use a browser or remote desktop client through the Internet to connect to remote desktop gateways on premise. While these are based on running RDP over HTTPS (blue and black connectivity lines), the risk is only moderately mitigated compared to running the RDP protocol directly (orange line). The mitigation would entail additional authentication and abstraction controls in the RD Gateway or RD Web Access Server, defined as policy rules.
However, the highest risk is exposing RDP on the Internet, port 3389, and allowing it to traverse directly through the firewalls to a target on the internal network. This practice is common and should absolutely be avoided. To that end, if you are familiar with using a Citrix Server or Microsoft Windows Terminal Services, you are probably using RDP all the time (and may not even be aware of it) via a Remote Desktop (RD) Gateway or RD Web Access approach, which shares similar risks.
Common RDP Use Cases
Enterprises of all sizes may use RDP to access servers, collaborate with other employees, and remotely access desktops to perform tasks much as they would with a physical office presence.
The most common RDP use cases include:
- Provide a bastion host with applications into an environment that mimics local resources.
- Allow a virtual desktop interface (VDI) for (or into) cloud environments using a common office environment (COE) for employees or contractors.
- Provide a graphical user experience on remote servers, regardless of their location, for maintenance, setup, and troubleshooting.
- Provide access for help desks, call centers, and service desks into remote users' systems to deliver technical support.
- Permit employees, contractors, vendors, or auditors access to a desktop to provide a user experience similar to being in an office.
These are all valid use cases, and extremely important in a work-from-anywhere world. However, some of these use cases pose far more dangerous risks than others.
Best Practices for Addressing RDP Security Risks
In ideal and environmentally-controlled situations, the remote desktop protocol works great. However, securing RDP to prevent rogue sessions, hijacking, inappropriate access, exploits, privilege escalation, etc. requires a level of IT security maturity that goes far beyond default RDP settings.
RDP's default settings only provide a baseline for encryption and basic security. If these settings are solely relied on for security and used as is, they create a situation that presents an unacceptable risk to most organizations. With that said, how do you secure RDP for both internal and external operations?
First security rule of RDP: it is absolutely unacceptable to leave RDP exposed on the Internet for access, no matter how much endpoint and systems hardening is performed. The risks of such exposure are far too high. RDP is meant to be used only across a local area network (LAN).
Since RDP hosts keep a listening port open pending inbound connections, even the most secure installations can be profiled as a Windows operating system and its version. Once this is known, social engineering, missing security patches, zero-day exploits, credentials on the dark web, insecure password management, etc. all could allow inappropriate access via RDP.
So, let's take securing RDP on external hosts off the table. It is just a bad idea. This even encompasses mobile devices like laptops used by employees at home or to support a mobile workforce. No device that can have, or does have, a public TCP/IP address should have RDP enabled. This is why many organizations require VPN or modern remote access solutions to connect to external resources, even if they are in the DMZ or cloud, to mitigate these potential risks.
But what's involved in adequately securing RDP for internal use? We can start with what we know about the default configuration:
- Access lists: Enabling RDP on Windows hosts, by default, only allows access by the local or domain administrators (depending on its current configuration). While this prevents access by a standard user, it represents an unacceptable risk, since only administrators can authenticate via RDP into the asset. This does not follow the security best practice of least privilege. Therefore, access for administrators should be eliminated. Only the appropriate standard user accounts should be granted RDP access, and this should adhere to a just-in-time model, meaning access is granted for the briefest duration needed to complete a task. Moreover, session activity should be fully monitored to ensure it is appropriate. The necessary least privilege, just-in-time access, and session monitoring controls can be most thoroughly enforced via a privileged access management (PAM) solution.
- Default accounts: If the access lists recommendation above is not strictly followed, a threat actor can easily guess the administrator account for access into the resource. And, if the administrator's default username is "administrator", a breach, at least on some level, is almost foregone. So, my recommendation is that the administrator account for the local machine or domain be renamed to something different, unique, and not guessable. In addition, RDP'ing (yes, it is commonly used as a verb too) as an administrator should only be performed in use cases where it is unavoidable, not for daily remote access needs.
- Authentication: Network Level Authentication offers the strongest available method for authenticating RDP communications. If this is not turned on, credentials are sent in clear text to a remote host or domain controller.
- Encryption: The 'High' encryption level offers the strongest available encryption for RDP network communication. If this is not set, the maximum key strength supported by the target is negotiated (instead of the maximum key strength set by group policy options) through a domain controller.
- Clipboard redirection: RDP servers offer clipboard redirection, so remote sessions can easily cut/copy and paste content from remote systems to the connecting device, and vice versa. This feature is ripe for abuse, such as information extraction, or pasting of system information, like passwords.
- Network and LPT printer redirection: RDP servers offer printer redirection for remote access sessions. This feature allows the connection of network and LPT (line print terminal) printers from local devices and domain controllers to the remote asset. This can allow the printing of critical information and the introduction of malicious printer drivers into an environment. RDP should be configured without redirection for network and LPT printers.
- Session management: Windows servers allow multiple RDP sessions per user account. If a user is unintentionally disconnected, the result could be a loss of productivity or information, because a new session does not reconnect to the previous session; the old one is orphaned. By restricting access, especially by limiting administrators to one session, this situation can be mitigated. This setting also acts as a rudimentary session management control for malicious RDP use, since only one session can occur at a time, which makes tracking easy.
To implement these settings, organizations should configure them all in Group Policy Options and apply them via Active Directory. Resources that are not domain-joined must be set individually. Regardless, for both configuration scenarios, if one host is misconfigured, it could represent an enormous risk. Unfortunately, this happens all the time.
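The configuration points above map to well-known registry locations on a Windows host, so a quick read-only audit can show whether a given machine actually matches the hardening guidance. The script below is an added example for this article, not BeyondTrust code; it assumes an elevated PowerShell 5.1+ session on the host being checked, and the PASS/FAIL thresholds simply reflect the recommendations in the list above.

```powershell
# Read-only audit of a Windows host's RDP hardening state. Group Policy values
# (the Policies key) take precedence over the per-listener WinStations values,
# so each setting is read from the policy path first, then the local path.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$local\WinStations\RDP-Tcp"

function Get-RdpSetting {
    param([string]$Name, [string]$LocalPath = $rdpTcp)
    foreach ($path in @($policy, $LocalPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # not configured anywhere: the Windows default applies
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Check  = $Check
        Status = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail = $Detail
    })
}

# Is RDP listening at all? fDenyTSConnections=1 means remote desktop is off.
$deny = Get-RdpSetting -Name 'fDenyTSConnections' -LocalPath $local
Add-Finding 'RDP disabled on this host' ($deny -eq 1) "fDenyTSConnections=$deny (FAIL here only means RDP is on; review the rest)"

# Authentication: Network Level Authentication must be required (1).
$nla = Get-RdpSetting -Name 'UserAuthentication'
Add-Finding 'NLA required' ($nla -eq 1) "UserAuthentication=$nla"

# Encryption: 3 = High, 4 = FIPS. Lower values negotiate down to the client.
$enc = Get-RdpSetting -Name 'MinEncryptionLevel'
Add-Finding 'Encryption level High or FIPS' ($enc -ge 3) "MinEncryptionLevel=$enc"

# Security layer: 2 = TLS, 1 = negotiate, 0 = legacy RDP security.
$layer = Get-RdpSetting -Name 'SecurityLayer'
Add-Finding 'TLS security layer' ($layer -eq 2) "SecurityLayer=$layer"

# Device redirection: clipboard, client printers and LPT ports should be off (1 = disabled).
foreach ($r in @(
        @{ Name = 'fDisableClip'; Label = 'Clipboard redirection disabled' },
        @{ Name = 'fDisableCpm';  Label = 'Printer redirection disabled' },
        @{ Name = 'fDisableLPT';  Label = 'LPT port redirection disabled' })) {
    $v = Get-RdpSetting -Name $r.Name
    Add-Finding $r.Label ($v -eq 1) "$($r.Name)=$v"
}

# Session management: restrict each user to a single session (1 = restricted).
$single = Get-RdpSetting -Name 'fSingleSessionPerUser' -LocalPath $local
Add-Finding 'Single session per user' ($single -eq 1) "fSingleSessionPerUser=$single"

# Access list: who is explicitly granted RDP? Administrators can connect regardless
# unless the logon right is removed, so the membership is reported for review.
$rdpUsers = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Name) -join ', '
Add-Finding 'Remote Desktop Users membership (review)' ($rdpUsers -ne '') "Members: $rdpUsers"

# Network scope: enabled built-in Remote Desktop firewall rules that accept any
# remote address expose port 3389 to every network the host is attached to.
$wideOpen = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
            Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -eq 'Any' }
Add-Finding 'Inbound RDP rules scoped to known addresses' (-not $wideOpen) "Unscoped enabled rules: $(@($wideOpen).Count)"

$findings | Format-Table -AutoSize
```

A $null in any Detail column means the value is not configured and the Windows default is in effect, which for most of these settings is the weaker choice.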
While we keep security best practices for the configuration of RDP in mind, there are other risks that must be regularly monitored and managed:
- Vulnerabilities: Since the inception of RDP, various versions have had myriad vulnerabilities, including a few, such as BlueKeep and DejaBlue, that have allowed remote code execution and privilege escalation. For any environment using RDP, IT administrators need to stay apprised of security updates and apply them in a timely manner. Without these security patches, few mitigating controls can prevent exploitation.
- Clients: The RDP protocol is well-documented. Many third-party products can act as an RDP client. In addition, other operating systems, such as macOS and Linux, also contain native RDP clients based on open source and proprietary code. If a vulnerability is discovered in any of these clients, the risk can be propagated back to an RDP host server. Therefore, controlling, limiting, and managing the RDP clients allowed in your environment (such as via application control) is critical to ensure the end user's access does not become the attack vector.
- Licensing: Microsoft requires licensing of the RDP protocol for its use in an environment. Deploying a third-party solution or open source versions may violate your licensing agreements with Microsoft. As silly as this sounds, ensure any third-party solutions using RDP that you deploy have a proper license with Microsoft in order to instrument their technology.
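The access-list, default-account and session-monitoring points above are only useful if someone actually looks at who is connecting over RDP. The script below, an added example for this article and not BeyondTrust code, reviews a host's recent successful logons (Security event 4624, logon type 10 = RemoteInteractive) and flags RDP sessions that came from outside an expected source range or used an administrator-style account. It assumes successful-logon auditing is enabled and that the allow-list prefix and account pattern, both constructed samples, are adjusted to the environment.

```powershell
# Review recent RDP logons on this host against the hardening guidance:
# RDP should arrive only from known internal sources, and built-in
# administrator accounts should not be used for routine RDP access.
$allowedSources = @('10.20.30.')                 # constructed sample: expected source subnet prefix(es)
$adminPattern   = '^(administrator|admin)$'      # constructed sample: account names to flag
$lookback       = (Get-Date).AddDays(-7)

function Test-KnownSource([string]$ip) {
    foreach ($prefix in $allowedSources) {
        if ($ip.StartsWith($prefix)) { return $true }
    }
    return $false
}

# Event 4624 property order: 5 = TargetUserName, 6 = TargetDomainName,
# 8 = LogonType, 18 = IpAddress. Logon type 10 is Remote Desktop.
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $lookback } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        $user = [string]$_.Properties[5].Value
        $ip   = [string]$_.Properties[18].Value
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($_.Properties[6].Value)\$user"
            Source      = $ip
            IsAdmin     = $user -match $adminPattern
            KnownSource = Test-KnownSource $ip
        }
    }

# Anything from an unexpected source, or any admin-account RDP logon, is worth a look.
$suspect = $rdpLogons | Where-Object { -not $_.KnownSource -or $_.IsAdmin }
$suspect | Sort-Object Time | Format-Table Time, User, Source, IsAdmin, KnownSource -AutoSize
"RDP logons in window: $(@($rdpLogons).Count); flagged: $(@($suspect).Count)"
```

On a domain-joined host the same query against a central log collector covers every RDP host at once; loopback (::1 or 127.0.0.1) sources usually indicate a local console reconnect rather than a remote session.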
Secure Alternatives to RDP for Remote Access
RDP security risks are unjustifiable for many organizations. For them, even the slightest non-compliance when using RDP, whether internally or externally, is unacceptable. Such organizations require a strategic solution for remote access that is not dependent on native operating system functionality. This leaves a few choices for modern Microsoft Windows devices and other operating systems that support RDP as a client or server:
1. VNC (Virtual Network Computing): VNC is an alternative remote access protocol that competes with RDP. It is a graphical desktop sharing solution that uses the remote frame buffer protocol to control the screen, keyboard, and mouse of another computer by relaying screen updates. The chief advantage of VNC over RDP is that it is platform-independent and has multiple server and client implementations from various sources on the same platform. With VNC, you can basically pick your vendor, open source project, or style and implement it.
Unfortunately, VNC suffers many of the same security and hardening shortcomings as RDP, including potentially weak encryption, clear text transmissions, and limitations for hardening authentication. While some proprietary solutions have been built upon VNC to solve these problems, they are paid solutions just like any other proprietary implementation. And like RDP, assets using VNC should never be exposed directly to the Internet, and internal assets should be managed appropriately.
2. SSH (Secure Shell): Modern versions of Microsoft Windows allow almost every function to be executed via the command line. In 2018, Microsoft formally added native Secure Shell (SSH) to the operating system to facilitate this functionality remotely.
While not graphically-based, SSH provides a secure method to log in remotely to a Windows host and execute commands and scripts. Hardening SSH entails similar steps to RDP. SSH needs to be properly configured for account access, encryption, and access control lists. To that end, it should only be used internally and, if at all possible, never exposed directly on the Internet.
3. Third-Party Solutions: Proprietary implementations of remote access technology are typically architected in a vastly different manner than RDP, VNC, and SSH. Instead of opening a listening TCP/IP port on a host, these technologies tend to use an agent to call out to a manager or gateway and await an inbound connection request. Such implementations are suited for placing on the Internet, since the exposure has been mitigated and authentication is performed at the remote access manager rather than at the target itself. In addition, traffic is routed through the manager and gateway to secure the network path, as opposed to point-to-point communication that may be blocked by firewalls.
Some vendors that supply proprietary implementations for remote access have solved all the challenges and deficiencies associated with RDP. However, these are enterprise solutions and not free. The underlying protocols used for these solutions are proprietary to the vendors.
The most advanced of these third-party secure remote access solutions may offer features like screen recording, multiscreen sharing, safe mode booting, and even remote registry access, without the need for a full session. However, account management can remain a challenge, since every solution needs to grant authentication privileges based on a directory service or through a local role-based access model to each potential target. This needs to be set up regardless of whether the users and assets are grouped in Active Directory, LDAP, or Azure AD. Administrators need to define who has access to what, and when, instead of wide-open access that poses a huge risk to the business.
Bolstering RDP Security with BeyondTrust
BeyondTrust's Secure Remote Access solution, which is part of our best-in-class privileged access management (PAM) portfolio, helps organizations drastically improve remote access security and eliminate dangerous threat vectors. BeyondTrust can be leveraged to better protect RDP sessions, or to replace RDP and other technologies, such as VPNs, for higher-security use cases, such as any remote session involving privileged access.
BeyondTrust has the only remote access solution that meets the rigorous requirements of FIPS 140-2 Level 1. Our solution controls privileges and sessions across all remote access points, with the ability to proxy access to RDP, SSH, and Windows/Unix/Linux applications.
BeyondTrust's Secure Remote Access solution consists of the following two products:
- BeyondTrust Privileged Remote Access: Empowers IT teams to control, manage, and audit remote privileged access by authorized employees, contractors, and vendors, without compromising on security. Enforces least privilege and exerts granular control and visibility over remote access for insiders and third parties, while enabling user productivity.
- BeyondTrust Remote Support: Empowers help desk teams to quickly and securely access and fix any remote device, on any platform, with a single solution. Organizations of all sizes can boost service desk productivity, efficiency, and security by consolidating and standardizing help desk support via a single, powerful solution.
Let's take a closer look at how BeyondTrust Secure Remote Access helps solve for the security shortfalls of native RDP.
Eliminates use of risky open ports and closes remote access backdoors: Typically, establishing remote desktop connections to computers on remote networks entails VPN tunneling, port forwarding, and firewall configurations that create security holes (i.e. opening the default listening port, TCP 3389).
BeyondTrust Secure Remote Access enables organizations to eliminate these RDP security issues.
When you route remote desktop through our solution, you can still use native RDP to support systems on remote networks, but since BeyondTrust works through firewalls, you avoid exposing listening ports to the Internet. With our solution, every remote connection is outbound through port 443.
1. Centralized, identity-based controls: BeyondTrust integrates with LDAP, Active Directory, RADIUS and Kerberos. When you use RDP through BeyondTrust, your user access privileges and authentication methods flow down to remote desktop sessions. This makes it easier both to require secure authentication before enabling remote access and to manage remote access on an ongoing basis. For instance, if an employee departs the company, their RDP privileges are automatically removed from BeyondTrust once they are deleted from AD or another identity directory, helping prevent backdoor access via an orphaned account.
2. Enforcement of least privilege: Unlike RDP, VPNs, and other remote access technologies, BeyondTrust Secure Remote Access can enforce granular privilege controls, ensuring users can only perform those specific activities for which they are authorized, and within the proper context.
With BeyondTrust, organizations can establish policies to control when accounts are accessible (time of day, location, and other contextual parameters), and alert when specific access policies are invoked. Moreover, enterprises can extend these adaptive access controls to lock down access to resources (i.e. cloud control planes, web application consoles, etc.).
Additionally, the solution enables a just-in-time access model, which helps minimize threat windows by ensuring the duration of access is finite.
3. Password security for remote access sessions, no matter the location: With BeyondTrust, you can ensure enterprise-class password security for remote sessions, whether initiated by an employee or a vendor. A built-in vault manages credentials and injects them directly into sessions, never exposing passwords to the end users. The vault can regularly rotate passwords, or even expire them after each use for the most sensitive accounts.
The solution also integrates easily with other privileged password management solutions, such as BeyondTrust Password Safe. Layering on enterprise password management controls immensely bolsters security and helps ensure RDP sessions are not hijacked or leveraged for lateral movement.
4. Total visibility and pinpoint control over sessions: BeyondTrust enables organizations to overcome RDP's auditing and oversight shortcomings by providing centralized and tamper-proof logging and reporting features. Secure Remote Access pinpoints what took place, and by whom, during any remote access session. The solution logs everything and also includes searchable video recordings of RDP sessions.
5. More robust encryption for remote sessions: BeyondTrust Secure Remote Access safeguards every remote desktop connection with 256-bit AES SSL encryption. This is much more robust than the 128-bit encryption RDP natively provides, and older versions of RDP may have even weaker encryption in place.
How BeyondTrust Secure Remote Access Technology Works with RDP
BeyondTrust's Remote Desktop integration leverages our Jumpoint technology, which can serve as the RDP broker. A Jumpoint is a connection to a remote host, which, in turn, can then connect to other hosts.
Once a Jumpoint has been installed on a remote network, an authorized user can leverage the Jumpoint to initiate sessions with computers on that same network, even if those computers are unattended.
Enterprises commonly leverage BeyondTrust Jumpoint technology to securely initiate the following types of sessions:
- Standard support
- Remote Desktop Protocol
- VNC
- Shell Jump to an SSH-enabled network device
- Shell Jump to a Telnet-enabled network device
- Intel® vPro Windows system
Support sessions, RDP sessions, and VNC sessions can also be started with systems on the same network segment.
The Jumpoint will only allow RDP access to the authorized users and teams, as established by your permissioning. Organizations can restrict installation and use of RDP clients in their environment, while configuring their RDP hosts to only accept connections from the Jumpoint. Once those settings are implemented, the solution's Windows, Mac, iOS, Android, or Linux Technician Consoles are the only applications that can be used for RDP access.
The BeyondTrust technology can also be used to address any other remote access use cases involving privileged access, ensuring every session is finely controlled, monitored, and audited.
Replace RDP or Better Secure It?
While Remote Desktop Protocol is a valid solution for some remote access use cases, there are manifold risks with regards to enforcing proper configuration, limiting Internet exposure, and maintaining security updates.
Today, cyber criminals wield automation and scanning tools to continuously seek out RDP exposed to the Internet and other remote access weaknesses that can be leveraged to gain a foothold into the environment. A single out-of-compliance asset, whether internal or external, could jeopardize an entire organization. And, even if you use a VPN to restrict access externally, the risks of VPN may actually amplify the problem.
Therefore, many organizations are choosing to discontinue use of RDP and replace it with a solution that provides more robust remote access security capabilities for the desired use cases. In those instances, the vast majority of risks can be mitigated.
Some modern solutions, such as BeyondTrust Secure Remote Access, even help enable zero trust security to better solve for the remote access problem.
Secure Remote Access can also be integrated with BeyondTrust's other PAM solutions, such as Endpoint Privilege Management and Privileged Password Management, to enforce least privilege and application control, and to manage the entire enterprise universe of privileges. Combining these technologies will provide powerful, composite protection against remote access risks and all types of internal and external threats.
In parting, my advice is to identify where you have RDP exposed, assess that risk, and make your own judgements. If you identify unsafe exposures, but an alternative solution is not immediately feasible to implement, at minimum follow the hardening and security guidelines covered in this blog. It could help prevent, or at least minimize, the fallout from an attack on your enterprise.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
Source: https://www.beyondtrust.com/blog/entry/what-is-rdp-how-do-you-secure-or-replace-it