The Remote Desktop Protocol (RDP), used by many organizations for Windows management, is an incredibly powerful, widely used tool. Developed by Microsoft, the complex protocol provides users with a graphical interface to connect to another computer over a network connection. It’s a helpful tool for businesses, since the user experience is the same as using a Windows workspace: You can run all applications and interact with the whole system.
So, what’s the catch? RDP has had several reported vulnerabilities in the past few years, with the most recent one – CVE-2019-0708 – reported in May 2019. This vulnerability, known as BlueKeep, could allow wormable malware, such as ransomware, to propagate from one vulnerable system to the next. BlueKeep allows attackers to connect to RDP services. From there, they can issue commands to steal or modify data, install malware, and conduct other malicious activities.
It’s a notable vulnerability for several reasons, including the unsettling fact that exploiting it doesn’t require authentication by the user. In other words, bad actors wanting to exploit this vulnerability have free rein, since it doesn’t require victims to click anything to activate. If you’re running one of the implicated Windows operating systems and you haven’t applied the patch, you could be under attack at any time. In fact, security researchers have recently discovered BlueKeep being exploited in the wild as part of a hacking campaign.
In the wake of the discovery and weaponization of this vulnerability, it’s clear that RDP can be a high-risk area when it comes to security. It’s a risk that organizations aren’t focusing enough attention on. Beyond patching for specific vulnerabilities, how can organizations continue to use the all-important RDP protocol, while still ensuring the security of their IT systems?
Limit Internet-facing protocols
Eliminating RDP and replacing it with other tools may be difficult, if not nearly impossible, for many organizations. The tool is simply too valuable. But there are smarter, safer ways to use it. Right now, too many organizations are leaving RDP exposed to the Internet, making it more susceptible to exploitation by bad actors. When services directly connected to your back office face the public Internet, critical business processes are put at risk.
Organizations should focus on exposing as few applications to the public Internet as possible. Where exposure is unavoidable, they should rely on well-known, standardized protocols such as HTTPS, which encrypts the communication between two systems.
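The first step in limiting Internet-facing RDP is knowing where it is exposed. The following audit script is an added example, not code from the original article: it runs over a constructed inventory of inbound firewall rules (hostnames, ranges and the management subnet are all made up), flags any rule that allows TCP 3389 from an address range outside the RFC 1918 private space, and shows how the same rules look once rescoped to a management subnet. It is intentionally strict: a rule that allows RDP from a single public address is still reported as Internet-reachable.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List

RDP_PORT = 3389

# Only these ranges count as "internal"; anything else is treated as Internet-reachable.
PRIVATE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class FirewallRule:
    host: str        # system the rule applies to
    direction: str   # "in" or "out"
    protocol: str    # "tcp" or "udp"
    port: int
    remote: str      # remote address scope: a CIDR, a single address, or "any"
    action: str      # "allow" or "block"


def parse_scope(remote: str) -> ipaddress.IPv4Network:
    """Turn a rule's remote-address field into a network; "any" means the whole Internet."""
    if remote.strip().lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(remote, strict=False)


def is_internal_scope(scope: ipaddress.IPv4Network) -> bool:
    """True only if the whole scope sits inside one RFC 1918 range."""
    return any(
        p.version == scope.version and scope.subnet_of(p) for p in PRIVATE_RANGES
    )


def find_exposed_rdp(rules: List[FirewallRule]) -> List[FirewallRule]:
    """Return every inbound allow rule for TCP/3389 whose remote scope is not internal."""
    exposed = []
    for r in rules:
        if (r.direction == "in" and r.protocol == "tcp"
                and r.port == RDP_PORT and r.action == "allow"):
            if not is_internal_scope(parse_scope(r.remote)):
                exposed.append(r)
    return exposed


def rescope_rdp(rules: List[FirewallRule], mgmt_cidr: str) -> List[FirewallRule]:
    """Hardened copy of the rule set: exposed RDP rules now allow only the management subnet."""
    exposed = set(find_exposed_rdp(rules))
    return [replace(r, remote=mgmt_cidr) if r in exposed else r for r in rules]


# Constructed sample inventory (hostnames and ranges are made up for the example).
SAMPLE_RULES = [
    FirewallRule("jump-01", "in", "tcp", 3389, "10.20.0.0/16", "allow"),    # internal only: fine
    FirewallRule("file-02", "in", "tcp", 3389, "any", "allow"),             # open to the world
    FirewallRule("web-03", "in", "tcp", 443, "any", "allow"),               # HTTPS, not RDP
    FirewallRule("db-04", "in", "tcp", 3389, "203.0.113.0/24", "allow"),    # public range
    FirewallRule("app-05", "in", "tcp", 3389, "any", "block"),              # explicit block
]

if __name__ == "__main__":
    for r in find_exposed_rdp(SAMPLE_RULES):
        print(f"EXPOSED RDP: {r.host} allows TCP/{r.port} from {r.remote}")
    hardened = rescope_rdp(SAMPLE_RULES, "10.20.1.0/24")
    print("exposed after rescoping:", len(find_exposed_rdp(hardened)))
```

The audit only judges address scope; a rule that is internal-only can still be reached by an attacker who is already inside the network, which is exactly the case the Zero Trust section below addresses.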
Use a Zero Trust approach
The Zero Trust framework also provides guidance on how organizations can better secure their processes around using RDP. Zero Trust is a strict approach to cybersecurity in which every individual or device requesting access to a private network is required to be identified and authorized. Zero Trust is often described by the axiom “don’t trust, always verify.” Even if individuals and devices are already within the corporate network, there’s still a possibility they’ve been compromised, as is possible with RDP vulnerabilities like BlueKeep.
Segregation of duties
There are a few Zero Trust strategies that organizations can apply to improve the way they use RDP. The first is segregation of duties. The basic idea is that it’s dangerous for any one individual or device to have access to all of an organization’s critical IT resources, since if that individual or device were compromised, the attacker would gain unfettered access to everything in the corporate network. Segregation of duties ensures that employees only have access to the IT resources they absolutely need in order to do their jobs.
Least privileged access
Segregation of duties is often achieved by giving each user least privileged access. According to the Zero Trust model, you should limit access to applications and services to the narrowest possible group, based on users’ roles within the organization. Additionally, users are validated and authenticated for each individual access request.
Essentially, it’s a way of ensuring that users only interact with the applications and services that are relevant to them, limiting exposure and security risk. With a Zero Trust approach, organizations wouldn’t have to hand out access to everything when using RDP.
Access management solutions that deliver remote access through the browser, using HTML5 standards, provide a security benefit: they can control which applications and services are open to each user, based on role. In this way, you can apply those controls to RDP.
By using an access management solution as a gateway, you can apply Zero Trust principles to part of the process. Once users are authenticated at the gateway, the RDP protocol is used only internally. Only validated users can continue on to internal services with service-specific protocols, like RDP, making it more secure all around.
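The gateway model described in the last few paragraphs (segregation of duties, least privileged access, per-request validation) comes down to a small policy decision made on every access request. The following is an added example of such a decision function, not code from the original article or from any particular access management product. Everything in it is constructed: the role-to-host mapping, the user list, the gateway subnet, and the token scheme (a short-lived HMAC-SHA256 token standing in for whatever the real gateway issues after authentication). It defaults to deny, re-checks the token on every request, refuses RDP sessions that do not originate from the gateway subnet, and lets each role reach only the hosts its job requires.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed least-privilege policy: each role may reach only the hosts it needs.
# A user with no role entry matches nothing, so the default is deny.
ROLE_TARGETS = {
    "helpdesk": {"ws-101", "ws-102"},
    "dba": {"db-04"},
    "winadmin": {"ws-101", "ws-102", "db-04", "file-02"},
}
USER_ROLES = {"alice": "helpdesk", "bob": "dba", "carol": "winadmin"}

# Constructed: RDP sessions may only be originated from the access gateway's subnet,
# never directly from the Internet or from an arbitrary internal workstation.
GATEWAY_NET = ipaddress.ip_network("10.20.1.0/24")
TOKEN_TTL_SECONDS = 300  # a token proves a recent authentication, not a permanent one


@dataclass(frozen=True)
class AccessRequest:
    user: str
    token: str        # hypothetical gateway token issued after the user authenticated
    issued_at: int    # epoch seconds the token was minted
    service: str      # e.g. "rdp"
    target: str       # hostname the user wants to reach
    source_ip: str    # where the connection to the target originates


def mint_token(user: str, issued_at: int, secret: bytes) -> str:
    """Hypothetical token format: HMAC-SHA256 over the user name and issue time."""
    msg = f"{user}:{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def token_is_valid(req: AccessRequest, secret: bytes, now: int) -> bool:
    """Authenticate the request itself: correct MAC and not older than the TTL."""
    expected = mint_token(req.user, req.issued_at, secret)
    fresh = 0 <= now - req.issued_at <= TOKEN_TTL_SECONDS
    return fresh and hmac.compare_digest(expected, req.token)


def evaluate(req: AccessRequest, secret: bytes, now: int) -> Tuple[bool, str]:
    """Return (allowed, reason). Nothing is trusted because of where it sits on the network."""
    if not token_is_valid(req, secret, now):
        return False, "authentication failed or token expired"
    if req.service == "rdp" and ipaddress.ip_address(req.source_ip) not in GATEWAY_NET:
        return False, "rdp must be brokered through the gateway"
    role = USER_ROLES.get(req.user)
    allowed_targets = ROLE_TARGETS.get(role, set())
    if req.target not in allowed_targets:
        return False, f"role {role!r} is not permitted to reach {req.target}"
    return True, f"{req.user} ({role}) -> {req.service}://{req.target}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # never hard-code a real secret like this
    now = 1_700_000_000
    requests = [
        AccessRequest("alice", mint_token("alice", now - 30, secret), now - 30, "rdp", "ws-101", "10.20.1.5"),
        AccessRequest("alice", mint_token("alice", now - 30, secret), now - 30, "rdp", "db-04", "10.20.1.5"),
        AccessRequest("carol", mint_token("carol", now - 30, secret), now - 30, "rdp", "db-04", "198.51.100.7"),
        AccessRequest("bob", mint_token("bob", now - 900, secret), now - 900, "rdp", "db-04", "10.20.1.5"),
    ]
    for r in requests:
        allowed, reason = evaluate(r, secret, now)
        print("ALLOW" if allowed else "DENY ", reason)
```

The order of checks matters: identity is verified before any policy lookup, so an unauthenticated request never learns which targets exist, and the gateway-origin check runs before the role check, so even an administrator with broad rights cannot open RDP directly from outside the brokered path.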
The RDP protocol is commonly used and difficult to replace, but it’s also a high-risk area. By minimizing what’s exposed to the Internet and applying Zero Trust principles to RDP, organizations can be smarter about how they use it and make sure they’re not risking the security of their IT systems in the process.