Anitian Enterprise Security
888.ANITIAN
info@anitian.com

Is Windows Remote Desktop Safe for Internet Use?

By Andrew Plato, CISSP, CISM, QSA
President / Principal Consultant
Anitian Enterprise Security

At least once a week a client asks me this very question. "Is Remote Desktop (RDP) safe for use over the Internet?"

The short answer: no.

The long answer is complicated. There are numerous, compounding reasons for discouraging RDP usage over the Internet. This article outlines some of the reasons why RDP is not an ideal remote access solution. If, however, you must use RDP over the Internet, then consider the suggestions at the end of this article.

Although this article centers on Microsoft’s Remote Desktop or Terminal Services, many of the issues discussed also apply to Citrix XenApp or WinFrame and their remote access technologies. While Citrix has evolved into a different kind of remote solution, many of its underlying technologies are similar to Windows RDP.

RDP Is Not a Secure Access Technology

RDP was designed for remote administration of systems. The original RDP protocol is a derivative of the ITU-T T.128 application sharing protocol (which is also the basis for Citrix XenApp or WinFrame). It was never designed or architected to be a solution for secure remote access. In the past few years, Microsoft has added security features, and the latest version supports Network Level Authentication and TLS, which is good and offers reasonable security. These are, however, add-ons, and not integral to the technology.

Open RDP Presents a Tempting Target

Providing direct access from the Internet to any system creates a target. The larger your "attack surface area" is, the more likely it will attract attention. An open RDP port presents a tempting target to attackers.

RDP is susceptible to brute-force attacks. A hacker uses automated tools in a brute-force attack to try millions of password combinations. Although brute-force attacks are not particularly elegant, they can cause serious trouble. If account lockouts are enabled, then the attacker can purposefully lock accounts, thus causing a Denial of Service (DoS) condition.

Furthermore, if an attacker is able to steal credentials in another manner, an open RDP port provides them easy access to the environment. Unfortunately, obtaining login credentials is easier than ever. “Spear-phishing” attacks, where a hacker sends targeted emails with embedded code or infected URL links, can harvest credentials from end users when a user opens the email or clicks the malicious link. The most recent RSA SecurID breach was the result of a targeted "spear-phishing" attack.

Lastly, if the system does not use the Network Level Authentication (NLA) features, then each connection will reload the logon GUI. This can gobble up resources and lead to a DoS condition. Even with NLA enabled, connections still consume resources. An attacker could easily make thousands of connections and overwhelm the system.
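As an added example (not from the original article), the detection logic a defender could run over Windows Security log records to catch the two patterns described above: one source guessing passwords against a single account, and one source spreading failures across many accounts, which is what locks them out. The event records and the thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event id, logon type, account, source IP).
# 4625 = failed logon, 4624 = successful logon. Logon type 10 is RemoteInteractive
# (classic RDP logon screen); type 3 (network) is what a failure looks like when
# NLA authenticates before the session is created.
T0 = datetime(2011, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # One source hammering a single account every 15 seconds: password guessing.
    [(T0 + timedelta(seconds=15 * i), 4625, 10, "administrator", "203.0.113.7")
     for i in range(12)]
    # One source trying many accounts once each: spraying, which also locks accounts out.
    + [(T0 + timedelta(seconds=20 * i), 4625, 3, f"user{i:02d}", "198.51.100.9")
       for i in range(6)]
    # A legitimate administrator who mistyped twice, then got in.
    + [(T0 + timedelta(minutes=1), 4625, 10, "jsmith", "192.0.2.20"),
       (T0 + timedelta(minutes=1, seconds=30), 4625, 10, "jsmith", "192.0.2.20"),
       (T0 + timedelta(minutes=2), 4624, 10, "jsmith", "192.0.2.20")]
)


def detect_rdp_abuse(events, window=timedelta(minutes=5),
                     fail_threshold=10, account_threshold=5):
    """Return {source_ip: set(reasons)} for sources whose RDP logon failures
    inside a sliding time window exceed the (assumed) thresholds."""
    recent = defaultdict(deque)   # source -> deque of (time, account) failures in window
    alerts = defaultdict(set)
    for ts, event_id, logon_type, account, src in sorted(events):
        if logon_type not in (3, 10):      # only RDP-relevant logon types
            continue
        q = recent[src]
        while q and ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        if event_id == 4625:
            q.append((ts, account))
            if len(q) >= fail_threshold:
                alerts[src].add("password guessing")
            if len({a for _, a in q}) >= account_threshold:
                alerts[src].add("many accounts: spraying / lockout DoS")
        elif event_id == 4624 and src in alerts:
            alerts[src].add("success after guessing: treat as compromised")
    return dict(alerts)


if __name__ == "__main__":
    for src, reasons in detect_rdp_abuse(SAMPLE_EVENTS).items():
        print(src, sorted(reasons))
```

In a real deployment the same logic would be fed from the Security event log (or a SIEM), and the source IP field is only meaningful for direct connections, since an SSL-VPN or NAT gateway presents its own address.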

RDP has Vulnerabilities, Some May be Unknown

Windows RDP has vulnerabilities. The Common Vulnerabilities and Exposures (CVE) database lists hundreds of vulnerabilities that reference Windows Remote Desktop. Microsoft has fixed all of these with updated and patched versions, but it’s highly likely there are more. It’s also possible that further vulnerabilities are known, but only to the hacking community. It can take months or years for serious vulnerabilities to become publicized and then fixed. During that period, hacking groups may protect their knowledge of those vulnerabilities as a tactical advantage when attacking a target.

RDP is Susceptible to Man-in-the-Middle Attacks

A Man-in-the-Middle (MITM) attack is when an attacker intercepts data between the end user’s system and the target system and "proxies" the communications. This allows the attacker to record the session and harvest information, such as authentication credentials. MITM attacks are easy to conduct inside an organization. Anitian routinely tests for vulnerability to MITM attacks by executing ARP poisoning attacks, attempting to redirect network traffic from switches or routers to another host.

MITM attacks using wireless connections are also easy to execute. There are ample freely available tools that automate the process of detecting, cracking, and "sniffing" wireless traffic. If a user is using RDP over a wireless connection, and that connection becomes compromised, it would be very easy for the attacker to harvest authentication credentials from the RDP session.

MITM attacks are more difficult to execute over the Internet, because the attacker must have access to the interconnections between the two sites. However, if an attacker gained access to a wiring closet they could easily execute such an attack. Also, a rogue employee at an Internet Service Provider (ISP) could execute a MITM attack.

Ultimately, if an attacker can successfully execute a MITM attack, it is fairly trivial to crack password hashes and authentication data. Once cracked, the attacker would have legitimate account credentials and unfettered access to the environment.

SSL-VPNs are Better and Inexpensive

One of the strongest arguments against using RDP via the Internet is the prevalence of inexpensive remote access technologies such as SSL-VPNs. SSL-VPNs provide a robust, flexible, and secure manner to gain access to protected hosts. More importantly, an SSL-VPN is specifically designed and built to provide secure remote access. An SSL-VPN can also be integrated with numerous authentication methods and end-point verification capabilities, increasing the security of each connection.

With an SSL-VPN, users must first authenticate to the SSL-VPN. Once authenticated and a secure, SSL encrypted session is established, users may launch RDP sessions which "tunnel" through the SSL session. Furthermore, because most commercial SSL-VPN appliances use their own RDP client software, there is a lower likelihood of the client software being compromised.

There are Better Remote Assistance Technologies

One of the more common usages for RDP was allowing third-party vendors to provide assistance to systems they support. Now, however, there are better ways to conduct remote access. There are dozens of third-party companies offering easy-to-use remote assistance technologies, such as WebEx, Fuze Meeting, LogMeIn, and GoToMeeting. These products support remote desktop sharing for support and administrative purposes, and permit much greater control over access. In many cases, you can watch, in real-time, what the vendor is doing.

Minimizing Internet RDP Risks

While there are plenty of good reasons to avoid direct RDP connections into your environment, there are some situations where using RDP across the Internet makes sense and can be done in a secure manner. If you must allow RDP connections from the Internet, then consider these best practices:

Figure 1 – Use NLA for Remote Desktop.

  • Restrict Source IP Addresses: If you are going to open up RDP, then at least restrict connections to specific source IP addresses. On your perimeter firewall, create rules that permit only approved source IP addresses to connect. Do not rely on the host-based Windows firewall for this restriction. If you are allowing RDP for vendors to remotely access systems for support, work with those vendors to obtain their source IP addresses.
  • Use Network Level Authentication (NLA): Microsoft’s NLA forces RDP to use a TLS encrypted tunnel for communications. This not only prevents eavesdropping, it also reduces the likelihood of a brute force attack.
  • Use RDP Version 6.0 (or better): Do not use older, deprecated versions of Remote Desktop or, as it used to be called, Terminal Services. Upgrade older XP clients to use the latest RDP client (6.1). This can be downloaded from Microsoft: Remote Desktop Connection (Terminal Services Client 6.1) for Windows XP. You should also make sure that all patches have been applied to close any known and remediated vulnerabilities.
  • Lock Down Permissions: Restrict access to only those users that are allowed to remotely connect. This can be done through Group Policies: go to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and configure the option for Logon to a session on the Terminal Server. For systems that are in Remote Administration mode, you can use the Remote Desktop box (shown above) to select the specific users allowed to log on.
  • Use Intrusion Prevention: IPS technologies are included in most commercial firewalls. While IPS cannot prevent every attack, it can give you warning that somebody is trying to hack your RDP connections.
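The source-restriction practice above is easy to state and easy to get wrong over time, so here is an added example (not from the article or any firewall vendor) of auditing a perimeter rule set for RDP exposure: every rule that allows TCP/3389 must come from an approved source and must not be broader than a /24. The rule format, the approved list and the /24 limit are constructed assumptions.

```python
import ipaddress

# Constructed perimeter rules in an assumed generic shape (action, protocol,
# destination port, source prefix); dport None means "any port".
SAMPLE_RULES = [
    {"name": "vendor-support-rdp", "action": "allow", "proto": "tcp", "dport": 3389, "src": "198.51.100.24/32"},
    {"name": "branch-rdp",         "action": "allow", "proto": "tcp", "dport": 3389, "src": "203.0.113.0/24"},
    {"name": "legacy-rdp-any",     "action": "allow", "proto": "tcp", "dport": 3389, "src": "0.0.0.0/0"},
    {"name": "rdp-wide-net",       "action": "allow", "proto": "tcp", "dport": 3389, "src": "198.51.0.0/16"},
    {"name": "old-contractor-rdp", "action": "allow", "proto": "tcp", "dport": 3389, "src": "192.0.2.77/32"},
    {"name": "web",                "action": "allow", "proto": "tcp", "dport": 443,  "src": "0.0.0.0/0"},
    {"name": "deny-all",           "action": "deny",  "proto": "any", "dport": None, "src": "0.0.0.0/0"},
]

# Assumed approved RDP sources: the support vendor's host and one branch office.
APPROVED_RDP_SOURCES = [ipaddress.ip_network("198.51.100.24/32"),
                        ipaddress.ip_network("203.0.113.0/24")]
MAX_RDP_PREFIX = 24   # assumption: nothing broader than a /24 may reach RDP


def audit_rdp_exposure(rules, approved, max_prefix=MAX_RDP_PREFIX):
    """Return [(rule name, problem)] for allow rules that expose TCP/3389 to
    sources that are too broad or not on the approved list."""
    findings = []
    for rule in rules:
        reaches_rdp = (rule["action"] == "allow"
                       and rule["proto"] in ("tcp", "any")
                       and rule["dport"] in (3389, None))
        if not reaches_rdp:
            continue
        src = ipaddress.ip_network(rule["src"], strict=False)
        if src.prefixlen < max_prefix:
            findings.append((rule["name"], f"source {src} is broader than /{max_prefix}"))
        elif not any(a.version == src.version and src.subnet_of(a) for a in approved):
            findings.append((rule["name"], f"source {src} is not in the approved list"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_rdp_exposure(SAMPLE_RULES, APPROVED_RDP_SOURCES):
        print(f"{name}: {problem}")
```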

Conclusion

Remote Desktop is a good tool for remote administration. It is easy to use, offers good performance, and has some reasonable security controls. As a general rule, however, it is not best practice to allow direct access from the Internet to systems using RDP.

For more information, please call 888.ANITIAN, or email Anitian Enterprise Security.