Remote Desktop is the SMB (small and medium business) administrator’s go-to remote administration tool. It is so useful because it gives you an interactive session on a remote system: the administrator can work with the machine exactly as if sitting at its console.
Remote Desktop lets SMB administrators diagnose and resolve problems without travelling to the machine. It is also a powerful tool that typically carries highly privileged access to the systems in your network, so securing it is critical. Failing to take the proper precautions opens the door to malware and ransomware, and attacks that arrive over Remote Desktop can be hard to spot because they need no action from a user: nobody has to click a link or open an attachment.
Understanding RDP
To secure Remote Desktop properly it helps to understand how it works. Remote Desktop uses Microsoft’s proprietary Remote Desktop Protocol (RDP) to connect to remote systems.
By default, RDP listens on TCP port 3389 and UDP port 3389. RDP is designed to support different network topologies and multiple LAN protocols. On the target server, RDP uses its own video driver to render display output into network packets and sends them to the Remote Desktop client over the RDP connection. The client receives the rendered display data and converts it into Microsoft Windows graphics device interface (GDI) API calls, which draw the remote desktop in the client window.
Mouse and keyboard events travel the other way, from the client to the server, where RDP’s own keyboard and mouse driver processes them. RDP can also redirect other local client resources to the remote target, including the clipboard, printers, and local drives. Each redirected resource is a path for data to move between the two machines in either direction, which matters as soon as either end is compromised.
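As an added example (not from the original article), the following PowerShell script reads what this host’s RDP-Tcp listener actually exposes: whether Remote Desktop is enabled, which port it listens on, which of the client-resource redirections described above are still allowed, and which firewall profiles the built-in Remote Desktop rules are enabled on. It takes into account that a value written by Group Policy overrides the listener’s own. It assumes Windows PowerShell 5.1 or later, run elevated on the target server; the registry paths are the standard Terminal Server locations.

```powershell
# Added example, not from the original article. Audits what this host's
# RDP-Tcp listener exposes. Assumes Windows PowerShell 5.1+, run elevated.
# Registry locations are the standard Terminal Server paths; a value under the
# Policies key (written by Group Policy) overrides the listener's own value.

$serverKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Redirection switches: a value of 1 disables that redirection; 0 or absent allows it.
$redirections = [ordered]@{
    fDisableClip     = 'Clipboard'
    fDisableCdm      = 'Drives'
    fDisableCpm      = 'Printers'
    fDisableCcm      = 'COM ports'
    fDisableLPT      = 'LPT ports'
    fDisablePNPRedir = 'Plug and Play devices'
}

function Get-EffectiveValue {
    # Returns the Group Policy value if set, else the listener's value, else $null.
    param([string]$Name)
    $p = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { return [int]$p.$Name }
    $l = Get-ItemProperty -Path $listenerKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $l) { return [int]$l.$Name }
    return $null
}

# fDenyTSConnections = 1 means Remote Desktop is switched off on this host.
$denyTs = (Get-ItemProperty -Path $serverKey -Name fDenyTSConnections).fDenyTSConnections
$port   = (Get-ItemProperty -Path $listenerKey -Name PortNumber).PortNumber

$rdpEnabled = if ($denyTs -eq 0) { 'yes' } else { 'no' }
$report = @(
    [pscustomobject]@{ Setting = 'Remote Desktop enabled';      State = $rdpEnabled }
    [pscustomobject]@{ Setting = 'Listener port (TCP and UDP)'; State = $port }
)

foreach ($name in $redirections.Keys) {
    $v = Get-EffectiveValue -Name $name
    $state = if ($null -eq $v -or $v -eq 0) { 'allowed (default)' } else { 'disabled' }
    $report += [pscustomobject]@{ Setting = "$($redirections[$name]) redirection"; State = $state }
}
$report | Format-Table -AutoSize

# Which network profiles the built-in firewall rules admit RDP on. A rule that is
# enabled for the Public profile (or Any) deserves a second look.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Profile, Direction
```

Run it on each Remote Desktop host before deciding what to expose; the redirections it lists as allowed are the ones an attacker who lands a session (or who controls the client) can use to move files, and the matching Group Policy settings live under Remote Desktop Session Host, Device and Resource Redirection.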
RDP Security Risks
Remote Desktop is a powerful tool, and it carries a number of security risks, especially if your Remote Desktop servers are reachable from the Internet.
An Internet-wide scan by security researchers found over 11 million devices with TCP port 3389 open to the Internet. Many businesses, especially SMBs, are unaware of the risks of exposing RDP this way.
RDP is an attractive target because its authentication is typically bound to an Active Directory (AD) domain. If AD or its domain trusts are improperly configured, attackers who get in through RDP can obtain credentials for your organization’s private internal resources.
For instance, even if you put your Remote Desktop servers in a separate DMZ domain, improperly configured trusts with your corporate domains can turn a breach of the DMZ into a breach of the internal network. RDP is an important attack vector: an attacker who finds a way in can enumerate valid user accounts, expose passwords, and infect your internal systems with malware and ransomware.
By default, RDP connections use the highest encryption level supported by both client and server. Network Level Authentication (NLA), which makes the client authenticate before a session is created on the server, is also enabled by default. Some administrators disable it because they have a client that does not support it; doing so exposes the Windows logon screen to anyone who can reach the port and lets unauthenticated clients consume a full session on the server.
To verify the encryption of a particular session, capture its traffic with Microsoft Message Analyzer (a tool Microsoft has since retired) and examine the decrypted data to see the negotiation and the cipher in use.
You can also check the encryption level on the server you are connected to: open Terminal Services Manager (tsadmin.msc, available on older Windows Server versions), view the status of the RDP connection, and the encryption level is shown there.
Always set the encryption level to High, the security layer to SSL (TLS), and require NLA. Set all three through Group Policy, under Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Security: "Set client connection encryption level", "Require use of specific security layer for remote (RDP) connections", and "Require user authentication for remote connections by using Network Level Authentication". With those settings enforced, unencrypted or weakly encrypted connections are refused.
It is also critical that the client can authenticate the server, to prevent man-in-the-middle (MitM) attacks. When the client is domain-joined and on the same network as the server, Kerberos can usually do this. The default self-signed listener certificate cannot: clients see a warning and users learn to click through it, which is exactly what an attacker in the path relies on. Depending on your needs, obtain certificates (or a single wildcard certificate) from a trusted public provider, or from your own enterprise CA if every client trusts it, and assign one to the RDP-Tcp listener on each server.
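The checks and settings above, as an added PowerShell example that is not part of the original article: it reads the effective security layer, encryption level and NLA requirement (Group Policy wins over the listener’s local value), enforces the recommended values on the listener where they fall short, and binds a certificate from the machine store to the RDP-Tcp listener so clients can authenticate the server. It assumes Windows PowerShell 5.1 or later run elevated on the Remote Desktop host; the name rdp.example.com is a placeholder for the name clients actually use to connect.

```powershell
# Added example, not from the original article. Checks and enforces the RDP-Tcp
# listener's security settings and binds a server certificate. Assumes Windows
# PowerShell 5.1+, run elevated on the Remote Desktop host. 'rdp.example.com' is
# a placeholder for the name clients use to connect.

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Numeric values as stored by the listener and by the matching Group Policy settings.
$securityLayerNames   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$encryptionLevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpEffectiveSetting {
    # Group Policy, when it sets the value, overrides the listener's local setting.
    param([string]$Name)
    $p = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { return [pscustomobject]@{ Value = [int]$p.$Name; Source = 'Group Policy' } }
    $l = Get-ItemProperty -Path $listenerKey -Name $Name -ErrorAction SilentlyContinue
    return [pscustomobject]@{ Value = [int]$l.$Name; Source = 'Listener' }
}

$layer = Get-RdpEffectiveSetting -Name SecurityLayer
$level = Get-RdpEffectiveSetting -Name MinEncryptionLevel
$nla   = Get-RdpEffectiveSetting -Name UserAuthentication

# Report against the recommended minimums: SSL/TLS layer, High encryption, NLA on.
@(
    [pscustomobject]@{ Setting = 'Security Layer';   Current = $securityLayerNames[$layer.Value];   Source = $layer.Source; Compliant = ($layer.Value -eq 2) }
    [pscustomobject]@{ Setting = 'Encryption Level'; Current = $encryptionLevelNames[$level.Value]; Source = $level.Source; Compliant = ($level.Value -ge 3) }
    [pscustomobject]@{ Setting = 'Require NLA';      Current = [bool]$nla.Value;                    Source = $nla.Source;   Compliant = ($nla.Value -eq 1) }
) | Format-Table -AutoSize

# Enforce on the listener through the Terminal Services WMI provider. A Group
# Policy value, if present, still takes precedence over what is set here.
$ts = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($layer.Value -ne 2) { Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer -Arguments @{ SecurityLayer = [uint32]2 } | Out-Null }
if ($level.Value -lt 3) { Invoke-CimMethod -InputObject $ts -MethodName SetEncryptionLevel -Arguments @{ MinEncryptionLevel = [uint32]3 } | Out-Null }
if ($nla.Value -ne 1)   { Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null }

# Bind a certificate clients can verify. It must be in the machine store with its
# private key and be valid for the name clients connect to; it should come from a
# public or enterprise CA the clients trust, since the default self-signed
# certificate is what produces the warning users learn to click through.
$serverName = 'rdp.example.com'   # placeholder
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   ($_.Subject -like "*CN=$serverName*" -or $_.DnsNameList.Unicode -contains $serverName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($null -ne $cert) {
    Set-CimInstance -InputObject $ts -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }
} else {
    Write-Warning "No valid certificate for $serverName with a private key in Cert:\LocalMachine\My; the listener keeps its current certificate."
}

# Read back what the listener now holds; changes apply to new connections.
Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" |
    Select-Object SecurityLayer, MinEncryptionLevel, UserAuthenticationRequired, SSLCertificateSHA1Hash
```

Two caveats when you run this: a client that cannot do NLA will be refused once UserAuthenticationRequired is 1, so test with every client type you support first, and the certificate you bind must match the name users type into the client, or they get the same warning the self-signed certificate produced.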