How to Ensure Your RDP Is Secure From MitM Attacks

Remote Desktop Protocol is a network communications protocol developed by Microsoft mainly for remote access. This guide will help you keep it safe from MitM attacks.

By frederik veyrie · Mar. 24, 21 · Tutorial

Remote Desktop Protocol (RDP) is a network communications protocol developed by Microsoft mainly for remote access. It is also used to manage remote servers, virtual desktops, terminal servers, and applications. RDP sessions run over an encrypted channel, which is meant to prevent outsiders from viewing a session by secretly monitoring the network, or from changing the traffic between the client and the server.

When an attacker does manage to monitor these sessions, it is called a man-in-the-middle (MitM) attack, a well-documented method of gaining unauthorized access to an RDP session. The attacker's goal is to steal your login credentials or personal information. They can also spy on you and steal your data. These attacks can be costly and complicated for a company. In 2019, in the USA alone, it was estimated that ransomware cost businesses 7.5 billion. This is why RDP security is very important, especially when all your workers are remote and using their personal devices and networks.

Types of Attacks

Unfortunately, MitM is not the only attack on the internet. Other types of attacks can target your browser, software, email, and so on. Here's a list of common attacks used to hijack an RDP session:

  • Keylogging (or keystroke logging): Malware that tracks every key you press on your keyboard without your knowledge. It's used to steal login credentials. Linked is a complete article about keylogging and how to prevent it.
  • Ransomware: Attackers can use it to encrypt all your data files; to get them back, you'll have to pay a ransom, which can be very pricey, usually in Bitcoin. Here's a linked article on how we helped a company after a ransomware attack.
  • EternalBlue: Known as the most damaging, it attacks the system software with maximum impact. It can affect Windows Vista, Windows 7, Windows 8.1, and Windows 10. Here's everything you need to know about EternalBlue.

Ensure RDP Security

To clarify, Microsoft has a huge role, and obligation, to constantly fix the vulnerabilities being disclosed. However, it’s fundamental that admins and security consultants take proactive measures to prevent and reduce the risks posed by the remote desktop protocol (RDP) on their system.

Some proactive measures can be implemented immediately, not to stop an attack, but to reduce an attacker's likelihood of wreaking havoc on your network if they gain access to a machine anywhere along the chain.

Before we get to the preventive measures, let's talk a little about the most recent Credential Security Support Provider protocol (CredSSP) vulnerability. According to Microsoft, CredSSP is a protocol that enables an application to securely pass on a user's credentials from a client to a target server.

Remote Desktop Protocol Vulnerability

The most recently uncovered RDP vulnerability was the result of a logical flaw in the Credential Security Support Provider protocol (CredSSP), a Security Support Provider.

CredSSP is used by Remote Desktop Protocol to secure the transfer of credentials to a target server. The flaw was discovered by Preempt researchers. Although Microsoft patched it in the March Patch (CVE-2018-0886), it shows how vulnerable a network using RDP can be if no preventive measures are put in place to secure your remote sessions.

Attackers could have leveraged this vulnerability, using the man-in-the-middle method, to take over machines on a network. At V2 Cloud, we specialize in Ransomware Data Recovery to prevent these types of attacks.

10 Steps to Secure Your RDP

Here’s an effective list to ensure your RDP sessions are secure. We recommend following these 10 protective measures:

  1. Ensure your workspaces and remote servers are well patched.
  2. Use two-factor authentication on highly sensitive systems.
  3. Reduce the number of privileged remote account users on the server.
  4. Use a strong password.
  5. Don’t save your credentials in your RDP file.
  6. Delete your RDP file.
  7. Activate Network Level Authentication (NLA).
  8. Restrict access using firewalls.
  9. Use Remote Desktop Protocol Gateways.
  10. Change the listening port for Remote Desktop.

With this in mind, following the recommendations on the checklist doesn't guarantee that your system will be 100% protected from attacks, although it does make it a lot harder to become a victim of attackers. Keep in mind, too, that these protective measures can be challenging to implement for someone who isn't tech-savvy.
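Several checklist items (steps 5, 7 and 9) can be checked directly in the `.rdp` connection files users keep. The sketch below is an added example, not code from the original article: it parses an `.rdp` file and flags a saved password, disabled server authentication, disabled CredSSP, and a missing RD Gateway. The finding names, host names and sample files are constructed for illustration.

```python
import codecs

def parse_rdp(raw: bytes) -> dict:
    """Parse .rdp content (one 'name:type:value' per line) into {name: value}."""
    # Files saved by mstsc are typically UTF-16 with a BOM; hand-edited ones are often UTF-8.
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value may contain ':' (host:port)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # malformed integer setting: ignore the line
        settings[name.strip().lower()] = value
    return settings

def audit_rdp(raw: bytes) -> list:
    """Return finding codes (hypothetical names) for settings that weaken the checklist."""
    s = parse_rdp(raw)
    findings = []
    if s.get("password 51"):                 # step 5: saved credential blob in the file
        findings.append("saved-password")
    if s.get("authentication level") == 0:   # connects even if server authentication fails
        findings.append("no-server-auth")
    if s.get("enablecredsspsupport") == 0:   # step 7: CredSSP off, so NLA cannot be used
        findings.append("credssp-disabled")
    if not s.get("gatewayhostname"):         # step 9: no RD Gateway configured
        findings.append("no-gateway")
    return findings

# Constructed sample files (hosts and the password blob are placeholders).
WEAK = ("full address:s:rdp.example.test:3389\r\n"
        "authentication level:i:0\r\n"
        "enablecredsspsupport:i:0\r\n"
        "password 51:b:0100PLACEHOLDER\r\n").encode("utf-16")
HARDENED = (b"full address:s:rdp.example.test\n"
            b"authentication level:i:1\n"
            b"enablecredsspsupport:i:1\n"
            b"gatewayhostname:s:gw.example.test\n")

if __name__ == "__main__":
    print(audit_rdp(WEAK))
    print(audit_rdp(HARDENED))
```

A file with `authentication level:i:0` is the one most directly tied to MitM exposure, because the client will connect without warning when it cannot verify the server's identity.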


Published at DZone with permission of frederik veyrie. See the original article here.
