How to Secure Remote Desktop on Windows?
With the use of remote desktop software on the rise worldwide, many people are worried about security issues, which come with the territory, and wonder how they can have a secure remote desktop experience. In this article, we explain how to secure remote desktop on Windows and discuss using a more secure RDP alternative.
Remote Desktop Connection security issues
Microsoft Remote Desktop Services (RDS), formerly known as Terminal Services, enables users to access and control remote computers over the Internet or their local network. Remote Desktop Protocol (RDP) is a proprietary protocol used by RDS client, Remote Desktop Connection, to access remote systems.
Interest in teleworking, remote support, and online troubleshooting has been on the rise for several years, but the Covid-19 outbreak has left many more companies and individuals in need of a remote desktop solution they can rely on for work, education, etc.
Like many other remote desktop tools, Remote Desktop Service and its associated port are not immune to cyberattacks. Even NSA and FBI have warned about increasing exploitation of vulnerable RDP sessions by cybercriminals to steal or ransom sensitive information, such as credentials.
One of the most common ways malicious actors use to infiltrate systems via RDP is brute-force attacks , in which hackers automate many login attempts using password guessing tools, until they find the target’s password. Another effective strategy is exploiting a software vulnerability to take control of an RDP server. For example, BlueKeep which was a wormable remote code execution vulnerability, was discovered in RDP in 2019. Using BlueKeep which allows for the possibility of remote code execution, hackers can gain complete control of RDP servers.
Another remote access security issue that often arises in companies and organizations using RDP, is managing users’ access to RDP, especially if RDP is used by system administrators to manage cloud and on-premises systems and software. Allowing administrative access of server and cloud systems directly through RDP could be of high risk, because the accounts used for these purposes usually have higher levels of access to systems, including system administrator access.
How to secure remote desktop connection?
Now that we have discussed some of the security risks facing RDP users, let’s discuss some simple steps to secure remote desktop services.
- The first step is to use strong passwords and two-factor authentication to make sure your system is not too weak against common cyberattacks such as Brute Force.
- Another defense tactic against Brute Force attacks is setting an account lockout policy that automatically locks an account after a defined number of failed login attempts.
- A vital precaution you should take is updating your system to make sure your computer is at least protected against known vulnerabilities. As of mid-2019, about 800 million users were deemed at risk of vulnerabilities like BlueKeep, due to failing to install new security patches.
- You definitely need a trustworthy firewall with carefully defined rules to secure Remote Desktop Services. For example, you can use Windows Firewall to allow or restrict RDP access for certain IPs or groups of users.
- Enable Network Level Authentication. Windows 10, Windows Server 2012 R2/2016/2019 all have Network Level Authentication (NLA) enabled by default, but in the older versions, it is not the default choice. NLA equips the system with an extra level of authentication before a connection is established. However, if you need to use Remote Desktop clients on other platforms that don't support NLA, you should allow connections without NLA.
- If possible, do not allow direct RDP access to clients or servers from any external network. But if it is necessary, you should use extra percussions to secure remote desktop connection. For example, using an RDP Gateway is strongly encouraged. This way, access to Remote Desktop ports is tightly restricted, while remote connections are still possible through a single Gateway server. The Gateway server listens for Remote Desktop requests over HTTPS (port 443) and connects the client to the Remote Desktop service through an encrypted and more secure connection.
- Another solution for reducing the risk of external networks is tunneling Remote Desktop access through IPSec or SSH to encrypt your traffic. IPSec is built-in to all Windows operating systems since Windows 2000. As for the SSH, having an SSH server is required.
- Since RDP default listening port (TCP 3389) is a favorite target for many hackers, changing it could help you hide to some extent, and protect your system against some RDP worms such as Morto. You can change your RDP port through the Windows Registry.
- And last, but not least, you should always limit RDP access to specific groups of users and monitor RDP connections. An easy way to do so is to use an existing management tool for RDP connections, such as Windows in-box remote desktop client (MSTSC), or universal Remote Desktop client. Another popular tool for that purpose is Remote Desktop Connection Manager (RDCMan).
How secure is remote desktop connection manager?
Remote Desktop Connection Manager (RDCMan) is a free standalone application that helps IT administrators to better organize and supervise remote desktop connections. It was created by a developer on the Windows Live Experience team in the late 2000s.
System administrators can use RDCMan to monitor and control multiple RDP connections in a single window. It also enables them to use different RDP settings for separate servers or groups. These features make Remote Desktop Connection Manager a very helpful tool for admins of systems with several different groups or large server farms.
Although RDCMan was never included in the Windows operating system, it was available for free download on the Microsoft website for years, and it soon became very popular among system administrators. RDCMan was last updated by Microsoft in 2014, but the application still has many users and fans. Microsoft is not one of those fans, though. In the past couple of years, Microsoft has urged its customers to move on from RDCMan and instead, use a more secure remote desktop manager, namely Microsoft Terminal Services Client (MSTSC) which is a built-in remote management tool in the Windows OS or Universal Client for Windows 10. According to Microsoft, both these tools will receive security updates regularly.
Finally, in March 2020, Microsoft officially discontinued RDCMan. Microsoft also announced that it received a new bug report in RDCMan that enables hackers to retrieve data from systems using RDCMan. "To exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file," Microsoft said in an advisory for CVE-2020-0765.
Long story short, RDCMan users should bear in mind that this bug has not been fixed (nor it ever will be), so users should be careful not to open any RDCMan connection configuration (RDG) files they receive from untrusted sources.
But this is not the only security concern, which RDCMan users have to deal with, as RDCMan lacks many security options such as 2FA, managing privileged accounts, securing sensitive data, generating strong passwords, and creating audit logs.
Alternative remote desktop software
There are many remote desktop tools out there and some people may prefer using a more secure tool, instead of trying to secure Remote Desktop Connection. For example, AnyDesk is a very popular tool with a free version for private use. It uses banking-standard TLS 1.2 technology, RSA 2048 asymmetric key exchange encryption, RSA public/private key exchange and AES (256 bit) session encryption. TeamViewer which also has a free edition for personal use, enjoys 2048 RSA private/public key exchange and AES (256-bit) session encryption, as well as 2FA. Zoho Assist is another remote desktop tool and is equipped with 2FA, SSL and 256-bit AES encryption.
Of course, many Windows users find using Windows built-in remote desktop software more economical and may not be able to afford another piece of software, even if they would like to do so. These people always ask, “What is the best free secure remote desktop software?” As mention earlier, several great remote desktop tools exist that are free for personal use. But unfortunately, nowadays, most secure remote desktop tools require you to purchase a license for business use.
Besides, regardless of the remote desktop tool you choose, there are always extra measures you need to take to secure your remote desktop sessions.
No remote desktop software is completely secure without some extra efforts. Necessary steps like setting up your firewall with proper security rules or limiting remote desktop access to specific user groups or IP addresses could always secure your remote desktop connections, no matter what remote desktop tool you are using. So, in a way, the best way to secure remote desktop experience is staying alert and not forgetting the potential risks. Especially, for environments with more sensitive data, it is good practice to use a powerful firewall such as Comodo firewall or ZoneAlarm, or you can use a firewall like SunFirewall that is specially designed for advanced, comprehensive remote desktop protection. SunFirewall can dynamically change Remote Desktop Port, find suspected RDP users and detect and block Brute-Force attacks. It also provides RDP users with an advanced two-step authentication method and lets you thoroughly monitor your network traffic by offering detailed report logs.