Remote Desktop Security for the SMB

Petri Webinar Brief October 5th, 2018

Petri IT Knowledgebase Resource A BWW Media Group Brand


There’s no doubt that Remote Desktop is the SMB administrator’s go-to remote administration tool. Remote Desktop is incredibly useful for remote administration as it enables you to have an interactive session with your remote systems – where the SMB administrator can work with them exactly as if they were local. There’s no need to learn other remote management tools that can be difficult to setup and use or complicated scripting technologies.

Remote Desktop enables the SMB administrators to diagnose and resolve problems remotely. However, Remote Desktop is a powerful tool that often uses highly privileged access to the remote systems in your network. As such security for Remote Desktop is critically important. The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) recommend that businesses review and understand their Remote Desktop usage and take steps to reduce the likelihood of compromise. They point out that failure to implement the proper security precautions can open the door to both malware and ransomware attacks and that Remote Desktop exploits can be difficult to spot because they have no user input. Let’s take a closer look at understanding RDP and some of the main security concerns that the SMB administrator needs to be aware of with Remote Desktop.

Understanding RDP

To properly secure Remote Desktop it’s important to understand how it works. Remote Desktop uses the Microsoft’s proprietary protocol Remote Desktop Protocol (RDP) to connect to remote systems.

By default, RDP uses TCP port 3389 and UDP port 3389. RDP is designed to support different types of network topologies and multiple LAN protocols. On the target server, RDP uses its own video driver to render display output into network packets and then uses the RDP network protocol to send them to the Remote Desktop client. The RDP client receives rendered display data and converts it into Microsoft Windows graphics device interface (GDI) API calls that are displayed by the Remote Desktop client.

Mouse and keyboard events are redirected from the client to the server. The RDP server uses its own keyboard and mouse driver to process these events. In addition, RDP has the ability to redirect other local client resources to the remote RDP target including the clipboard, printers, and local drives.

RDP Security Risks

Remote Desktop is a powerful tool and there are a number of possible RDP security risks – especially if your Remote Desktop servers are accessible from the Internet.

An Internet-wide scan carried out by security researchers from Rapid7 showed that there were over 11 million devices with 3389/TCP ports left open online. The number is up early 2016 when a previous scan found 9 million devices with port 3389 open. Many businesses – especially SMBs -- are unaware of the risks that come with potentially exposing RDP over the Internet.

RDP can be an attractive hacking target as the security is typically bound to an Active Directory (AD) domain for authentication. If AD or it’s domain trusts are improperly configured hackers can obtain credentials for your organization’s private internal resources.

For instance, even if you use a DMZ domain for Remote Desktops, improperly configured trusts within your corporate domains can lead to security breaches. RDP is an important security vector and if hackers find a way into RDP they can validate user accounts, expose passwords, and infect your internal systems with malware and ransomware.

Brute force

One of the most common attacks to exposed RDP systems is brute force password hacking. With a brute force attack the attacker typically has a small list of user ids and then automated hacking software is used to quickly generate a large number of password guesses.

This past July 2018, LabCorp, one of the largest clinical labs in the U.S was hacked by the Samsam group using a brute force attack against RDP. They gained access through RDP and were able to further deploy ransomware on the LabCorp network. While the ransomware attack didn’t result in a data breech it was able to encrypt thousands of systems and hundreds of production servers were forced offline while their systems were restored.

This was basically the same ransomware that was used to attack the city of Atlanta in 2017. Protecting against brute force RDP attacks is vital for any exposed RDP systems.

Password spraying

Another common RDP attack method is known as password spraying. With this type of attack there is typically a long list of users and a small list of strategically-chosen passwords that are used to attempt to login to the different accounts.

Password spraying allows hackers to attempt many logins usually without locking out users as it avoids repeated login attempts with the same user id so there is little notification. This technique can be effective because many employees use weak passwords. The list of potential attack accounts are often built by hackers by mining publicly available sources of information like Google, LinkedIn, and Facebook.

Man-in-the-Middle attacks

Older versions of RDP and misconfigured implementations can also be susceptible to man-in the middle attacks. Essentially, a man-in-the middle attack can cause RDP traffic to flow through a different host than the one the user intends. This man-in-the-middle host is then able to view the RDP network traffic and, in some cases, manipulate it and even possibly alter the security level negotiated between the server and client. This could possibly result in the user’s name and password being captured or other security exposures.

Securing RDP

There are a number of different options that SMBs can incorporate to lock down the security of their Remote Desktop connections. Taking advantage of some or all of these options can go a long way toward ensuring the safety and protection of the IT infrastructure.

Security starts with strong passwords

Security starts by making sure that all of your users are using strong passwords. Strong passwords that can’t be easily guessed provide a core protection for your organization’s sensitive data and can provide a strong layer of protection from brute force and password spraying attacks. Tools like Devolution Remote Desktop Manager (RDM) can ensure that your Remote Desktop passwords are strong by supporting password policies requiring, length, levels of complexity and enforcing password reuse history.