Block public facing Remote Desktop Protocol (RDP)

Remote Desktop Protocol (also known as Terminal Services or Remote Desktop Services) allows someone to connect to another computer remotely and get the same interactive session they would have if they were physically sitting at it.

According to our 2021 Active Adversary Playbook, Microsoft’s built-in Remote Desktop Protocol (RDP) was used to access organizations from the Internet in 32% of attacks, rating it the number one method used for initial access. 

Unlike some other remote access tools, RDP does not usually require anything more than a username and password and often the username is left exposed (you know, to make it easier to log in the next time). RDP has even suffered from vulnerabilities over time that allow access with no credentials at all. 

Misuse of RDP falls into a few different MITRE ATT&CK techniques, but the main one would be T1133 (External Remote Services).  Other MITRE ATT&CK techniques involving RDP include: 

  • T1563 – RDP Hijacking 
  • T1021 – Lateral Movement using RDP 
  • T1572 – Tunneling over RDP 
  • T1573 – Command and Control over RDP 
  • T1078 – Using Valid Accounts with RDP 
  • T1049 – System Network Connections Discovery 
  • T1071 – Application Layer Protocol 

Once a threat actor has successfully logged on to an RDP session, it is about as close as they can get to literally sitting in front of the keyboard and mouse, and not even the most physically secure data center in the world can help. 

Externally exposed RDP has a simple fix – just don’t expose it. Don’t forward port TCP:3389 on your firewall to anything.  And don’t think that using a different port helps… I see you – twelve thousand RDPs on port 3388! 

While the cure sounds simple, Shodan.IO (a search engine for the Internet of Things) shows over 3.3 million hosts with RDP port 3389 exposed globally and easily found. Why is it so popular? Exposing RDP is a quick and easy way to let someone perform remote system administration, such as a Managed Services Provider managing a customer’s server, or a dentist reaching the office system from home.

If remote access to RDP or terminal services is required, it should only be made accessible through a secure Virtual Private Network (VPN) connection (with Multi-Factor Authentication) to the corporate network or through a zero-trust remote access gateway. 
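As an added example (not part of the article), here is detection logic for what the article describes: it walks Windows Security events flattened to JSON lines and flags RemoteInteractive (LogonType 10, i.e. RDP) logons that succeeded from an address outside the organization's own ranges, along with sources that repeatedly failed RDP logons. The 4624/4625 field names follow the Windows event schema; the sample events and the internal address ranges are constructed for the example.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample: Windows Security events flattened to JSON lines.
# EventID 4624 = successful logon, 4625 = failed logon; LogonType 10 =
# RemoteInteractive (RDP). Addresses are from documentation ranges.
SAMPLE_EVENTS = """
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "10.20.30.40"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.77"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.9"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "198.51.100.9"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.9"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_sql", "IpAddress": "203.0.113.77"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "rcollins", "IpAddress": "192.168.1.15"}
"""

# Assumed internal ranges: RFC1918 plus loopback and link-local. An
# organisation would list its own (including VPN pools) here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip: str) -> bool:
    """True if the source address is outside every internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # Windows logs "-" when no address is known
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def find_external_rdp(lines: str, failure_threshold: int = 3):
    """Return (successful external RDP logons, sources at/above the failure threshold)."""
    successes, failures = [], Counter()
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        if ev.get("LogonType") != 10 or not is_external(ev.get("IpAddress", "")):
            continue                      # not RDP, or from inside the network
        if ev["EventID"] == 4624:
            successes.append((ev["TargetUserName"], ev["IpAddress"]))
        elif ev["EventID"] == 4625:
            failures[ev["IpAddress"]] += 1
    brute_force = {ip: n for ip, n in failures.items() if n >= failure_threshold}
    return successes, brute_force

if __name__ == "__main__":
    ok, bf = find_external_rdp(SAMPLE_EVENTS)
    for user, ip in ok:
        print(f"ALERT external RDP logon: {user} from {ip}")
    for ip, n in bf.items():
        print(f"ALERT {n} failed RDP logons from {ip}")
```

Any hit from the first list means RDP is reachable from outside without the VPN or gateway the article calls for; the second list is the password-guessing that follows exposure.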

 By Rob Collins

Rob is a Specialist Systems Engineer for Sophos Managed Threat Response and Rapid Response. He is part of the global Systems Engineering team helping organizations recover from cyber attacks and improve their security posture by uplifting to Managed Threat Response. Rob has over 20 years’ experience in the cybersecurity industry. Prior to joining Sophos, he worked with several Tier 1 security vendors in a pre-sales capacity and has worked on the front line in several high-profile Incident Response engagements. Early in his career he also worked in the end-user market, heading up APAC infrastructure and information security for a large pharmaceutical company in Singapore.
