Establishing a Baseline for Remote Desktop Protocol
For most IT teams, Remote Desktop Protocol (RDP), part of Microsoft Terminal Services, is a useful tool: it gives Windows users interactive remote access to, and administration of, a Windows system. Remote Desktop Services (RDS) is the Windows component that lets a user take control of a remote computer or virtual machine over a network connection using RDP.
Remote access, however, creates an attack surface of its own: alongside its many benefits, an RDP listener exposes the system to anyone who can reach it. If you can use a computer without being physically present, so can an attacker. The risk became more concrete after a series of RDP vulnerabilities, starting with the clipboard-redirection flaw in Microsoft's RDP client found by Check Point (a malicious server could write files onto the connecting client), followed by the wormable BlueKeep bug in the RDP service (CVE-2019-0708) and then DejaBlue (CVE-2019-1181 and CVE-2019-1182), which, like BlueKeep, carried a CVSS base score of 9.8 and was reported to affect over 1 million machines.
What was once regarded as a secure service and protocol has clearly shown its vulnerable side, and security teams and IT operators need to put more effort into RDP configuration hardening. The first and simplest decision is which machines should have the service enabled at all: disable it on any machine whose role does not require it. For systems that must run RDP, work out the most secure way to configure it. Establishing a baseline for RDP is now more important than ever; the following tips serve as that baseline and help secure RDP access at both the client and the server.
Basic Security Tips for Remote Desktop
1. Strong Passwords
Any account or system with access to Remote Desktop must have a strong password; follow your organization's password complexity guidelines. Exposed RDP listeners are among the most routinely brute-forced services on the Internet, so do this before enabling Remote Desktop, not afterwards.
2. Two-factor Authentication
Every department should consider two-factor authentication. Although 2FA (also called two-step verification) is beyond the scope of this article, requiring it is far more secure than relying on passwords alone. It can be added to Windows Remote Desktop either through third-party MFA providers (commonly integrated at the RD Gateway or at logon) or through Active Directory's own certificate-based option, smart-card logon.
3. Software Update
RDP client and server components receive security fixes in the standard Microsoft patch cycle, which is one advantage Remote Desktop has over third-party remote-administration tools. Enabling automatic Microsoft Updates keeps both the client and the server software current. Because older versions may not support strong encryption or NLA and carry known flaws such as the ones above, make sure every machine used as a Remote Desktop client or server runs the latest version.
4. Restrict Access Using Firewalls
Use firewalls, host-based (software) or network (hardware) depending on what is available, to restrict access to the Remote Desktop listening port, TCP 3389 by default, to the networks and hosts that actually need it. It is highly recommended to place an RD Gateway in front of desktops and servers: clients then connect to the gateway over HTTPS (TCP 443) and port 3389 is never exposed beyond the internal network.
5. Enable Network Level Authentication
Network Level Authentication (NLA) is available on Windows 10 and Windows Server 2012 R2/2016/2019 (and on earlier versions back to Windows 7 / Server 2008 R2) and is enabled by default on current versions, but verify it. With NLA the client must authenticate (via CredSSP) before a session is created on the server, so an unauthenticated client never reaches the session-handling code; this is why Microsoft listed NLA as a partial mitigation for BlueKeep. The Group Policy setting is "Require user authentication for remote connections by using Network Level Authentication" under Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security. Check that it is enabled on every server running the Remote Desktop Session Host.
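The following PowerShell script is an added example, not code from the original article, that applies tips 4 and 5 to a single host: it scopes the built-in "Remote Desktop" firewall rule group to a management subnet, flags any other inbound rule that still opens TCP 3389 to everyone, requires NLA and TLS on the RDP-Tcp listener, and reads the effective values back. The subnet 10.0.10.0/24 and the function name Test-RdpListenerBaseline are assumptions for the example; the cmdlets and the Win32_TSGeneralSetting methods are standard on Windows 8.1 / Server 2012 R2 and later.

```powershell
# Added example (not from the original article): harden the RDP listener on one host.
# Assumptions (adjust to your environment):
#   - $ManagementSubnet is the only range that should reach TCP 3389 directly;
#     everyone else goes through the RD Gateway over 443.
#   - Windows 8.1 / Server 2012 R2 or later (NetSecurity module and the
#     root/cimv2/TerminalServices CIM namespace are present).
#   - Run from an elevated PowerShell session on the host being hardened. If you
#     are connected over RDP from outside $ManagementSubnet, you will cut yourself off.
#Requires -RunAsAdministrator

$ManagementSubnet = '10.0.10.0/24'   # assumption: your jump host / admin VLAN

# ---- Tip 4: host firewall - scope the listener to the management subnet ----
# The built-in "Remote Desktop" rule group (English display name) allows
# 3389 from Any by default; restrict its inbound rules to the subnet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $ManagementSubnet -Enabled True

# Catch any other enabled inbound rule that still opens 3389 to everyone,
# e.g. one added by hand or by a third-party installer.
Get-NetFirewallPortFilter -Protocol TCP -LocalPort 3389 |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            Write-Warning "Rule '$($_.DisplayName)' still allows TCP 3389 from Any"
        }
    }

# ---- Tip 5: require NLA and TLS on the RDP-Tcp listener ----
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# UserAuthenticationRequired: 1 = client must authenticate (CredSSP) before a
# session is created, so unauthenticated traffic never reaches the session code.
if ($ts.UserAuthenticationRequired -ne 1) {
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
}
# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required.
if ($ts.SecurityLayer -ne 2) {
    Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer `
        -Arguments @{ SecurityLayer = [uint32]2 } | Out-Null
}
# MinEncryptionLevel: 3 = High (128-bit). Older clients that cannot do this will fail.
if ($ts.MinEncryptionLevel -lt 3) {
    Invoke-CimMethod -InputObject $ts -MethodName SetEncryptionLevel `
        -Arguments @{ MinEncryptionLevel = [uint32]3 } | Out-Null
}

function Test-RdpListenerBaseline {
    # Read the effective values back. When a domain GPO sets NLA, the Policies
    # key overrides the WinStations key, so report both.
    $local  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
                  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        NlaRequired       = ($local.UserAuthentication -eq 1)
        NlaForcedByPolicy = ($policy.UserAuthentication -eq 1)
        TlsRequired       = ($local.SecurityLayer -eq 2)
        FirewallScope     = ((Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
                               Get-NetFirewallAddressFilter).RemoteAddress -join ',')
    }
}

Test-RdpListenerBaseline
```

Run the verification function on its own across a fleet (for example through Invoke-Command) to find hosts where NlaRequired is false or FirewallScope still contains Any; the warning about extra 3389 rules is the check most often missed, since a product installer can quietly add its own allow rule.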
6. Limit Remote Desktop Users
By default every member of the Administrators group can log on through Remote Desktop. Restrict this to the accounts that actually need it. If a machine has several administrator accounts and some of them never use RDP for administration, remove their RDP access and keep only the accounts that require it. Departments that manage many machines remotely can add a technical group for their staff and remove the local Administrators group from RDP access with the following steps:
- Start-->Programs-->Administrative Tools-->Local Security Policy (or run secpol.msc)
- Local Policies-->User Rights Assignment-->"Allow log on through Remote Desktop Services" (named "Allow logon through Terminal Services" on older systems)
- Remove the Administrators group and leave the Remote Desktop Users group.
- Add the users who need RDP to the Remote Desktop Users group (System control panel-->Remote settings, or the Local Users and Groups snap-in).
By default a Windows installation grants this right to Administrators, and the built-in local Administrator account is a member of that group. Identical local administrator passwords across machines can be avoided by a naming and password convention with tightly controlled access, or better by randomizing the password per machine (for example with Microsoft LAPS). Even so, a shared local admin account used for remote work leaves no useful audit trail: the logs cannot tell you which person was at the keyboard. The best option is therefore to set this user right in Group Policy, which overrides the local security policy, and to add the local Administrator account to "Deny log on through Remote Desktop Services" at the same time.
Furthermore, "Restricted Groups" in Group Policy gives even tighter control over group membership (who is in Remote Desktop Users and Administrators) on every machine. Combined with the steps above, which removed the problematic RDP access of the local administrator account, the settings are applied automatically whenever a new machine joins the organizational unit the Group Policy is linked to.
7. Account Lockout Policy
Attackers using automated password-guessing tools (brute-force attacks) cannot simply keep trying if the machine locks an account after a set number of incorrect logon attempts. To set an account lockout policy, follow these steps:
- Start-->Programs--> Administrative Tools--> Local Security Policy
- Under Account Policies--> Account Lockout Policies
Here you can set each value as you see fit. A common recommendation is 3 invalid attempts with a 3-minute lockout duration, together with a matching "Reset account lockout counter after" value. Keep in mind that a lockout threshold cuts both ways: an attacker who can reach the listener can deliberately lock accounts out, so pair it with the firewall and NLA measures above and watch for Event ID 4740 (account locked out) to spot such attempts.
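The script below is an added example, not code from the original article, that audits one host against the user-rights part of tip 6 and the lockout part of tip 7. It exports the effective local security policy with secedit, resolves the SIDs in "Allow/Deny log on through Remote Desktop Services", lists Remote Desktop Users, and compares the lockout settings with the article's 3-attempt / 3-minute values. It goes slightly beyond the text by also checking that the built-in local Administrator (RID 500) sits in the deny right. The function names, the temporary file name and the thresholds are assumptions for the example; secedit's INF layout and the privilege names are standard.

```powershell
# Added example (not from the original article): audit one host against the
# RDP user-rights (tip 6) and account-lockout (tip 7) baseline. Assumptions:
# run elevated on the host; Get-LocalUser/Get-LocalGroupMember are available
# (Windows 10 / Server 2016 and later); thresholds default to the article's values.
#Requires -RunAsAdministrator

function ConvertTo-AccountName {
    # secedit lists user rights as comma-separated SIDs prefixed with '*'.
    # Resolve each to DOMAIN\name; keep the raw SID if it no longer resolves.
    param([string]$SidList)
    foreach ($entry in ($SidList -split ',' | Where-Object { $_.Trim() })) {
        $entry = $entry.Trim()
        if (-not $entry.StartsWith('*')) { $entry; continue }
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }
    }
}

function Test-RdpAccessBaseline {
    param([int]$MaxBadLogons = 3, [int]$MinLockoutMinutes = 3)

    # Export the effective local policy (GPO-applied settings included) to an INF.
    $cfg = Join-Path $env:TEMP 'rdp-audit.inf'   # assumption: temp file name
    secedit /export /cfg "$cfg" /quiet | Out-Null
    $policy = @{}
    foreach ($line in (Get-Content $cfg -Encoding Unicode)) {
        # Lines look like:  SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
        if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
    }
    Remove-Item $cfg -Force

    $allow = @(ConvertTo-AccountName $policy['SeRemoteInteractiveLogonRight'])
    $deny  = @(ConvertTo-AccountName $policy['SeDenyRemoteInteractiveLogonRight'])
    $findings = @()

    # Tip 6: Administrators should no longer hold "Allow log on through Remote
    # Desktop Services", and the built-in local admin (RID 500) should be denied.
    if ($allow -contains 'BUILTIN\Administrators') {
        $findings += 'BUILTIN\Administrators still holds SeRemoteInteractiveLogonRight'
    }
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtinAdmin -and ($deny -notcontains "$env:COMPUTERNAME\$($builtinAdmin.Name)")) {
        $findings += "Local '$($builtinAdmin.Name)' is not in SeDenyRemoteInteractiveLogonRight"
    }
    # Who can actually get in via the Remote Desktop Users group? Nested domain
    # groups are listed by name, so review them separately.
    $rdu = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
             ForEach-Object Name)

    # Tip 7: lockout. LockoutBadCount = 0 means lockout is off; LockoutDuration
    # = -1 means locked until an administrator unlocks the account.
    $badCount = [int]$policy['LockoutBadCount']
    $duration = if ($policy.ContainsKey('LockoutDuration')) { [int]$policy['LockoutDuration'] } else { 0 }
    if ($badCount -eq 0 -or $badCount -gt $MaxBadLogons) {
        $findings += "Lockout threshold is $badCount invalid attempts (baseline: $MaxBadLogons)"
    }
    if ($badCount -gt 0 -and $duration -ne -1 -and $duration -lt $MinLockoutMinutes) {
        $findings += "Lockout duration is $duration min (baseline: at least $MinLockoutMinutes)"
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        AllowRdpLogon      = ($allow -join '; ')
        DenyRdpLogon       = ($deny  -join '; ')
        RemoteDesktopUsers = ($rdu   -join '; ')
        LockoutThreshold   = $badCount
        LockoutMinutes     = $duration
        Findings           = $(if ($findings) { $findings -join '; ' } else { 'OK' })
    }
}

Test-RdpAccessBaseline | Format-List
```

Reading the policy through secedit rather than the registry matters here: user-rights assignments are not stored as plain registry values, and the exported INF reflects whatever Group Policy has applied on top of the local settings, which is exactly the effective state you want to compare against the baseline.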
You can certainly improve RDP security further, and if you manage a sensitive network you will need more advanced protections. This was a short guide to establishing a baseline for Remote Desktop Protocol; with these points in place, the basic security concerns are covered.