RDP can be a challenge to implement — here are a few steps that you can take to secure its use

The often-exploited Remote Desktop Protocol (RDP) is once again in the news. This time it is a new attack vector, discovered by researchers and patched earlier this month by Microsoft. Every Windows version from the past 10 years, desktop and server alike, needs the patch, so prioritize it: the new vulnerability is easy to exploit.

The Dark Side of RDP

RDP has a valuable function in today's connected workplace. It provides remote access, allowing users to work without being physically present at their computers or servers. That same reachability has given the protocol a troubled history and made it a favourite target. One of the more infamous bugs, BlueKeep (CVE-2019-0708), surfaced in 2019 and was covered in our previous reports. It was an unauthenticated remote code execution vulnerability serious enough that the US National Security Agency issued its own advisory urging quick patching.

As a side note, the response to BlueKeep included help from Marcus Hutchins, who found the kill switch that stopped the WannaCry outbreak back in 2017. We have also written about RDP as one of the most common initial-access vectors for ransomware and as a launch point for denial-of-service attacks.

The Latest RDP Exploit: Named Pipes

In the latest RDP exploit, an attacker who can sit between the two ends of a Windows named pipe, a man-in-the-middle position, can read the data that the RDP session passes over it. Windows introduced named pipes over 30 years ago for application-to-application communication, connecting processes on the same computer or across a network.

RDP needs to be implemented with care. Unlike DNS or email, where the secure variants (DNSSEC, STARTTLS) are distinct protocols you can opt into, RDP's protections (TLS transport and Network Level Authentication) are configuration settings that older defaults leave off, and the protocol has some inherent weak points:

  • A well-known TCP port (3389): trivially discovered by internet-wide scanners.
  • Weak sign-in credentials: if a user's Windows password is weak or reused, credential stuffing or brute force will find it, and an RDP logon is the first place an attacker will try it.
  • Many ways to abuse a remote connection: the Named Pipes issue is only the latest. Attackers also use the "Show Options" and Help menus of a remote session gateway to browse directories or bypass application block lists.

Steps to Secure RDP Use

All of this makes for challenging implementations of RDP. Here are a few steps that you can take to secure its use:

1. Disable RDP wherever it isn't needed. Do this at the same time as you apply the patches Microsoft recommends.

2. Use stronger passwords, especially on local Windows accounts. Employ password managers and single sign-on tools, and pair them with an account lockout policy so guessing is expensive. You have heard this advice before, no doubt, but it remains key.

3. Lock down port 3389 at your network firewalls or other perimeter controls so only known management addresses can reach it. This can be tricky because many users require remote access, but remember that compromising a single reachable desktop is all an RDP exploit needs.

4. Invest in better antivirus. Remote Access Shield is one of the features available in Avast Premium Security that can block RDP exploits.

5. Create more effective Active Directory group policies that allow only approved applications and block the rest. Manage remote help options so they can only be run as intended. And audit who holds administrative privileges so that the absolute minimum number of people have access.
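As an added example (this is not code from the original Avast article), the following PowerShell script applies steps 1 through 5 on a single Windows host and adds the checks a practitioner would pair with them: it enforces Network Level Authentication and TLS for the RDP-Tcp listener, sets an account lockout policy, scopes the built-in Remote Desktop firewall rules to a management subnet, lists the members of the privileged local groups, and flags source addresses with a high count of failed RDP logons (Security event 4625, logon types 3 and 10) in the last 24 hours. The management subnet, lockout values and alert threshold are assumptions; run it elevated on the host being hardened.

```powershell
#Requires -RunAsAdministrator
# Added example, not Avast's code. Hardens and audits RDP on one Windows host.
param(
    # Step 1: set to $true on hosts that never need inbound RDP.
    [bool]$DisableRdp = $false,
    # Step 3: networks allowed to reach TCP/3389 (assumed management subnet).
    [string[]]$AllowedSources = @('10.10.0.0/24'),
    # Step 2: failed-logon count per source IP that triggers a warning (assumed).
    [int]$FailedLogonThreshold = 20
)

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# --- Step 1: turn RDP off entirely where it is not needed ----------------------
if ($DisableRdp) {
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'RDP disabled on this host; nothing further to configure.'
    return
}

# --- Listener hardening: verify credentials before a session exists (NLA),
#     use TLS rather than legacy RDP security, and require high encryption ------
Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 -Type DWord  # NLA on
Set-ItemProperty -Path $tcp -Name SecurityLayer      -Value 2 -Type DWord  # TLS only
Set-ItemProperty -Path $tcp -Name MinEncryptionLevel -Value 3 -Type DWord  # High

# --- Step 2: make password guessing expensive (assumed lockout values) --------
# 5 bad passwords within 15 minutes locks the account for 15 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# --- Step 3: keep TCP/3389 reachable only from the management subnet ----------
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
    -RemoteAddress $AllowedSources

# --- Step 5: show who holds remote and administrative access on this host ------
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    Write-Host ("{0}: {1}" -f $group, ($members -join ', '))
}

# --- Step 2 audit: failed RDP logons in the last 24h, grouped by source IP.
#     Type 10 = RemoteInteractive; type 3 = network logon, which is how an NLA
#     failure is recorded before any session is created. ---------------------
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
            -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        [pscustomobject]@{
            Ip   = $data['IpAddress']
            User = $data['TargetUserName']
            Type = $data['LogonType']
        }
    } |
    Where-Object { $_.Type -in @('3', '10') }

$failed | Group-Object -Property Ip |
    Where-Object { $_.Count -ge $FailedLogonThreshold } |
    ForEach-Object {
        $users = ($_.Group | Select-Object -ExpandProperty User -Unique) -join ', '
        Write-Warning ("{0} failed RDP logons from {1} in 24h (accounts: {2})" -f
            $_.Count, $_.Name, $users)
    }
```

The listener settings take effect for new connections without a reboot. On a domain controller `Get-LocalGroupMember` has no local groups to read, so the Step 5 audit there should query the domain groups instead, and the lockout policy should come from Group Policy rather than `net accounts` on each host. The failed-logon scan is a point-in-time check; forward event 4625 to your SIEM if you want the same alert continuously.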

Used with Permission from Avast