Weak user authentication and port targeting are two of the main vulnerabilities present in the Remote Desktop Protocol (RDP).
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
RDP, or the Remote Desktop Protocol, is one of the main protocols used for remote desktop sessions, which is when employees access their office desktop computers from another device. RDP is included with most Windows operating systems and can be used with Macs as well. Many companies rely on RDP to allow their employees to work from home.
A vulnerability is a gap or an error in the way a piece of software is constructed that allows attackers to gain unauthorized access. Think of an improperly installed deadbolt on the front door of a house that allows criminals to break in.
These are the most important vulnerabilities in RDP:
*In networking, a port is a logical, software-based location that is designated for certain types of connections. Assigning different processes to different ports helps computers keep track of those processes. As an example, HTTP traffic always goes to port 80, while HTTPS traffic goes to port 443.
To reduce the prevalence of weak sign-in credentials:
Single sign-on (SSO): Many companies already use SSO services to manage user logins for various applications. SSO gives companies an easier way to enforce strong password usage, as well as implementing even more secure measures like two-factor authentication (2FA). It is possible to move RDP remote access behind SSO in order to shore up the user login vulnerability described above. (Cloudflare Zero Trust, for instance, allows companies to do this.)
Password management and enforcement: For some companies, moving RDP behind SSO may not be an option. At the bare minimum, they should require employees to reset their desktop passwords to something stronger.
To protect against port-based attacks:
Lock down port 3389: Secure tunneling software can help stop attackers from sending requests that reach port 3389. With a secure tunnel (e.g. Cloudflare Tunnel) in place, any requests that do not pass through the tunnel will be blocked.
Firewall rules: It may be possible to manually configure a corporate firewall so that no traffic to port 3389 can come through, except traffic from allowlisted IP address ranges (e.g. the devices known to belong to employees). However, this method takes a lot of manual effort, and is still vulnerable to attack if attackers hijack an allowlisted IP address or employee devices are compromised. In addition, it is typically very difficult to identify and allowlist all employee devices in advance, resulting in continual IT requests from blocked employees.
RDP has other vulnerabilities that have technically been patched, but which are still severe if left unchecked.
One of the most severe vulnerabilities in RDP is called "BlueKeep." BlueKeep (officially classified as CVE-2019-0708) is a vulnerability that allows attackers to execute any code they want on a computer if they send a specially crafted request to the right port (usually 3389). BlueKeep is wormable, which means it can spread to all computers within a network without any actions from users.
The best defense against this vulnerability is to disable RDP unless it is needed. Blocking port 3389 using a firewall can also help. Finally, Microsoft issued a patch that corrects this vulnerability in 2019, and it is essential that system administrators install this patch.
Like any other program or protocol, RDP has several other vulnerabilities as well, and most of these can be eliminated by always using the very latest version of the protocol. Vendors typically patch vulnerabilities in each new version of software they release.
Cloudflare Zero Trust and Cloudflare Tunnel enhance remote access security by jointly closing off the two main vulnerabilities in RDP described above. One advantage of using Cloudflare is that, unlike typical corporate firewalls, it is not hardware-based and does not require manual configuration. Protecting RDP connections with Argo Tunnel is often as simple as a few clicks from the Cloudflare dashboard. To learn more about Cloudflare and RDP, read our blog post or watch this demo.