What are the security risks of RDP? | RDP vulnerabilities

Weak user authentication and exposure of the service on a well-known port (TCP 3389) are two of the main weaknesses present in the Remote Desktop Protocol (RDP).

Learning Objectives

After reading this article you will be able to:

  • Understand the risks of the Remote Desktop Protocol (RDP)
  • Learn how to protect against these vulnerabilities
  • Learn about Cloudflare's solution for RDP security


What is RDP?

RDP, or the Remote Desktop Protocol, is one of the main protocols used for remote desktop sessions, in which employees access their office desktop computers from another device. The RDP client is included with every Windows release, the server side (Remote Desktop Services) ships with the Pro, Enterprise and Server editions of Windows, and Microsoft and third-party clients are available for macOS and other platforms. Many companies rely on RDP to allow their employees to work from home.

What are the main RDP security vulnerabilities?

A vulnerability is a gap or an error in the way a piece of software is constructed that allows attackers to gain unauthorized access. Think of an improperly installed deadbolt on the front door of a house that allows criminals to break in.

These are the most important vulnerabilities in RDP:

  1. Weak user sign-in credentials. RDP authenticates users with the same Windows account password they type at the desktop, and users can typically make that password whatever they want. Whatever password policy (or lack of one) applies to the desktop therefore applies to the remote login as well. Companies often do not enforce length, uniqueness or lockout on these passwords, which leaves remote connections open to brute force attacks (guessing many passwords against one account) and credential stuffing (replaying username/password pairs leaked from other breaches).
  2. Unrestricted port access. RDP connections almost always take place on port 3389*. Attackers do not need to know anything about a target in advance: Internet-wide scanners look for hosts that answer on port 3389 and then attack them with password guessing and with exploits for unpatched RDP services. The port number itself is not the flaw; the flaw is that the service is reachable from any address on the Internet.

*In networking, a port is a logical, software-based location that is designated for certain types of connections. Assigning different processes to different ports helps computers keep track of those processes. As an example, HTTP traffic goes to port 80 by default, while HTTPS traffic goes to port 443. RDP listens on TCP 3389 and, for its optional faster transport, on UDP 3389 as well.
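The credential weakness above shows up on the RDP host as a stream of failed-logon events. The following PowerShell script is an added example, not code from the original article or from Cloudflare: it reads Windows Security event ID 4625 ("An account failed to log on") for the last 24 hours, keeps the entries that relate to RDP, and flags a source address as brute force (many failures) or as credential stuffing / password spraying (many distinct usernames). It assumes it is run as Administrator on the RDP host with logon auditing enabled; the thresholds are illustrative.

```powershell
# Added example (not from the original article): flag RDP brute-force and
# credential-stuffing sources from Windows Security log failed-logon events.
# Assumptions: run as Administrator on the RDP host; audit of logon events is
# enabled so that event ID 4625 is recorded; thresholds are illustrative.
param(
    [int]$Hours    = 24,   # look-back window
    [int]$MaxFails = 10,   # failures from one source before we call it brute force
    [int]$MaxUsers = 5     # distinct usernames from one source before we call it stuffing
)

$since = (Get-Date).AddHours(-$Hours)

# 4625 = "An account failed to log on". LogonType 10 is RemoteInteractive (an
# RDP session); LogonType 3 (Network) is what NLA logs when it rejects the
# credentials before a session exists, so both are relevant for RDP.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # The interesting fields live in the XML EventData block, not in Message.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($d.LogonType -in '3', '10') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            SourceIp  = $d.IpAddress
            User      = $d.TargetUserName
            LogonType = $d.LogonType
        }
    }
}

$report = $failures |
    Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |   # drop local/console failures
    Group-Object SourceIp |
    ForEach-Object {
        $users = @($_.Group.User | Sort-Object -Unique)
        $verdict = ''
        if ($users.Count -ge $MaxUsers)   { $verdict = 'credential stuffing / spraying' }
        elseif ($_.Count -ge $MaxFails)   { $verdict = 'brute force' }
        [pscustomobject]@{
            SourceIp      = $_.Name
            Failures      = $_.Count
            DistinctUsers = $users.Count
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Verdict       = $verdict
        }
    } |
    Where-Object Verdict |
    Sort-Object Failures -Descending

$report | Format-Table -AutoSize
```

A host that is exposed on the Internet will typically show dozens of sources in this report within a day, which is the practical argument for the port-side controls described later in the article; the same logic can be run centrally against forwarded events rather than on each host.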

What are a few ways to address these RDP vulnerabilities?

To reduce the prevalence of weak sign-in credentials:

Single sign-on (SSO): Many companies already use SSO services to manage user logins for various applications. SSO gives companies an easier way to enforce strong password usage, as well as implementing even more secure measures like two-factor authentication (2FA). It is possible to move RDP remote access behind SSO in order to shore up the user login vulnerability described above. (Cloudflare Zero Trust, for instance, allows companies to do this.)

Password management and enforcement: For some companies, moving RDP behind SSO may not be an option. At the bare minimum, they should enforce a password policy (length and no reuse) with an account lockout threshold so that online guessing is rate-limited, and require Network Level Authentication (NLA) so that an RDP client has to authenticate before the server allocates a session.

To protect against port-based attacks:

Lock down port 3389: Secure tunneling software can stop attackers' requests from ever reaching port 3389. With a secure tunnel (e.g. Cloudflare Tunnel) in place, the RDP host makes an outbound connection to the tunnel provider and accepts no inbound connections at all, so port 3389 can be closed at the firewall entirely; any request that does not arrive through the tunnel (and pass its access policy) never reaches the host.
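As an added example of the tunnel approach (not configuration from the original article, and not an official Cloudflare sample), the PowerShell below publishes an RDP host through Cloudflare Tunnel and connects to it from an admin workstation. It assumes cloudflared is installed on both machines, `cloudflared tunnel login` has already been run, rdp.example.com is a placeholder hostname in a zone on the account, the tunnel UUID is a placeholder to be replaced with the one `tunnel create` prints, and the command-line flags are as documented for cloudflared at the time of writing (verify against `cloudflared --help` for your version).

```powershell
# Added example (not from the original article): expose RDP only through a
# Cloudflare Tunnel so TCP 3389 is never reachable from the Internet.
# Assumptions: cloudflared installed and logged in on both hosts; rdp.example.com,
# the tunnel name and the UUID below are placeholders.

# ---------- on the RDP host ----------
cloudflared tunnel create rdp-host                  # prints the tunnel UUID; paste it below
$tunnelId = '00000000-0000-0000-0000-000000000000'  # placeholder UUID
$cfgDir   = "$env:USERPROFILE\.cloudflared"
$cfg      = "$cfgDir\config.yml"

# Ingress rule: requests for rdp.example.com are forwarded to the local RDP
# listener; anything else gets a 404. The connection to Cloudflare is outbound,
# so no inbound firewall opening is needed.
@"
tunnel: $tunnelId
credentials-file: $cfgDir\$tunnelId.json
ingress:
  - hostname: rdp.example.com
    service: rdp://localhost:3389
  - service: http_status:404
"@ | Set-Content -Path $cfg -Encoding ASCII

cloudflared tunnel route dns rdp-host rdp.example.com   # create the DNS record

# Close the door that the tunnel makes unnecessary: disable the built-in
# inbound Remote Desktop firewall rules (cloudflared reaches 3389 over loopback,
# which Windows Firewall does not filter).
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

cloudflared tunnel --config $cfg run rdp-host   # foreground for illustration; install as a service in production

# ---------- on the admin workstation ----------
# Open a local listener that forwards to the tunnel; 3390 avoids clashing with
# a local RDP server on 3389. Then point the RDP client at it.
cloudflared access rdp --hostname rdp.example.com --url rdp://localhost:3390
mstsc /v:localhost:3390
```

The tunnel alone only hides the origin: anyone who can resolve rdp.example.com and run cloudflared could still reach the listener, so pair the hostname with a Cloudflare Access application whose policy requires the identity provider (and MFA) described under SSO above. That is what turns "the port is closed" into "only authenticated users can connect".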

Firewall rules: It may be possible to manually configure a corporate or host firewall so that no traffic to port 3389 can come through, except traffic from allowlisted IP address ranges (e.g. the corporate VPN or office egress addresses, or devices known to belong to employees). However, this method takes a lot of manual effort, and is still vulnerable to attack if attackers hijack an allowlisted IP address or employee devices are compromised. In addition, it is typically very difficult to identify and allowlist all employee devices in advance, since home connections usually have dynamic addresses, resulting in continual IT requests from blocked employees.
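The password-enforcement and firewall-rule controls above can be applied to a single Windows host in one script. The following is an added example, not a script from the original article: it turns on NLA and TLS for the RDP listener, sets a local account-lockout policy, and replaces the built-in "accept from anywhere" Remote Desktop firewall rules with one that admits TCP 3389 only from an allowlist. It assumes it is run as Administrator on Windows 10/11 or Server 2016 or later, and the allowlisted ranges are placeholders for your VPN or office egress addresses; on a domain, the lockout policy would normally come from Group Policy instead of `net accounts`.

```powershell
# Added example (not from the original article): harden a single RDP host
# against weak credentials and unrestricted access to port 3389.
# Assumptions: run as Administrator on Windows 10/11 or Server 2016+; the
# addresses in $Allowed are placeholders for your VPN / office egress ranges.

$Allowed = @('203.0.113.0/24', '198.51.100.7')   # placeholder allowlist

# 1. Require Network Level Authentication: the client must authenticate (CredSSP)
#    before a desktop session is created, so unauthenticated requests never reach
#    the session-hosting code. SecurityLayer 2 = TLS for the transport.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord

# 2. Lock accounts after repeated failures so online guessing is rate-limited:
#    5 failures within 15 minutes locks the account for 15 minutes.
net accounts /lockoutthreshold:5 /lockoutwindow:15 /lockoutduration:15

# 3. Replace the built-in inbound Remote Desktop rules (any source) with a rule
#    that only accepts TCP 3389 from the allowlist. RDP works over TCP alone;
#    the optional UDP 3389 transport simply stays closed.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
$ruleName = 'RDP (allowlisted sources only)'
Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $Allowed -Action Allow -Profile Any | Out-Null

# 4. Verify what was applied.
Get-ItemProperty -Path $rdpTcp | Select-Object UserAuthentication, SecurityLayer
net accounts
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Run the verification step from an allowlisted address before you disconnect: a mistake in `$Allowed` locks you out of the host along with the attackers, which is the operational cost of this approach that the paragraph above describes.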

What other vulnerabilities does RDP have?

RDP has other vulnerabilities that have been patched, but which remain severe on any system where the patch has not been applied.

One of the most severe vulnerabilities in RDP is called "BlueKeep." BlueKeep (officially classified as CVE-2019-0708) allows an attacker to execute arbitrary code on an unpatched computer, without any credentials, by sending a specially crafted request to the RDP port (usually 3389). It affects Windows 7, Windows Server 2008 and 2008 R2, and the out-of-support Windows XP and Server 2003; Windows 8 and later are not affected. BlueKeep is wormable, which means malware exploiting it can spread from one unpatched computer to the next across a network without any action from users.

The best defense against this vulnerability is to disable RDP unless it is needed. Blocking port 3389 using a firewall also helps, and enabling Network Level Authentication is a partial mitigation because exploitation then requires valid credentials first. Finally, Microsoft issued a patch that corrects this vulnerability in May 2019 (including, unusually, for the out-of-support versions), and it is essential that system administrators install this patch.
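The three defenses just listed can be checked on a host with the PowerShell below. It is an added example, not a script from the original article: it reports whether the Windows version is one BlueKeep affected, whether RDP is disabled, whether NLA is required, whether anything is listening on 3389, and when the most recent update was installed, and it can optionally disable RDP outright. It assumes it is run as Administrator; it uses `netstat` and `netsh` rather than the NetTCPIP and NetSecurity cmdlets so that it also works on the Windows 7 / Server 2008 R2 systems that are actually in scope.

```powershell
# Added example (not from the original article): audit a host for the BlueKeep
# defenses the article lists (RDP off unless needed, 3389 not reachable, patch
# installed) and optionally disable RDP. Assumptions: run as Administrator;
# the OS version test reflects the affected set (NT 6.1 = Windows 7 / 2008 R2
# and earlier); the patch check is a heuristic on the last install date, so a
# reported "patched" state must still be confirmed against Microsoft's advisory.
param([switch]$DisableRdp)

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ver = [version]$os.Version

# Only Windows 7 / Server 2008 R2 (6.1) and older are in scope for CVE-2019-0708.
$inScope = ($ver.Major -lt 6) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

$rdpDisabled = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 1
$nlaRequired = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1

# netstat works on every affected version; Get-NetTCPConnection does not exist on Win7.
$listening = [bool](netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

# The BlueKeep fix shipped in the May 2019 updates; a host whose newest update
# predates that cannot have it.
$lastUpdate = (Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

[pscustomobject]@{
    OS                 = $os.Caption
    Version            = $os.Version
    BlueKeepInScope    = $inScope
    RdpDisabled        = $rdpDisabled
    NlaRequired        = $nlaRequired       # partial mitigation: exploit needs valid creds
    ListeningOn3389    = $listening
    LastUpdateInstall  = $lastUpdate
    UpdatedSinceMay19  = ($lastUpdate -ge [datetime]'2019-05-14')
} | Format-List

if ($DisableRdp) {
    # Turn RDP off and close the built-in firewall rules with it.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
    netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
    Write-Output 'RDP disabled; re-run without -DisableRdp to confirm.'
}
```

Usage: `.\Check-BlueKeep.ps1` to audit, `.\Check-BlueKeep.ps1 -DisableRdp` on hosts that do not need remote desktop at all. Run it across the fleet from a management host rather than by hand; the in-scope systems are, by definition, the oldest and least likely to be inventoried.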

Like any other program or protocol, RDP has had several other vulnerabilities as well, and most of these are closed by keeping Windows, which carries both the RDP server and client, fully patched. Vendors fix vulnerabilities in the updates and new versions of software they release, so an unpatched RDP host is exposed to every flaw published since its last update.

How does Cloudflare help secure remote access?

Cloudflare Zero Trust and Cloudflare Tunnel enhance remote access security by jointly closing off the two main vulnerabilities in RDP described above: identity-based access policies (with SSO and MFA) address weak credentials, and the tunnel removes the need to expose port 3389 at all. One advantage of using Cloudflare is that, unlike typical corporate firewalls, it is not hardware-based and does not require manual configuration. Protecting RDP connections with Cloudflare Tunnel (formerly known as Argo Tunnel) is often as simple as a few clicks from the Cloudflare dashboard. To learn more about Cloudflare and RDP, read our blog post or watch this demo.