Original Post from Microsoft Security
Author: Todd VanderArk
As the volume of remote workers quickly increased over the past two to three months, the IT teams in many companies were scrambling to figure out how their infrastructures and technologies would be able to handle the increase in remote connections. Many companies were forced to enhance their capabilities to allow remote workers access to systems and applications from their homes and other locations outside the network perimeter. Companies that couldn’t make changes rapidly enough to increase capacity for remote workers might be relying on remote access using the remote desktop protocol, which allows employees to access workstations and systems directly.
Recently, John Matherly (founder of Shodan, the world’s first search engine for internet-connected devices) conducted some research on ports that are accessible on the internet, surfacing some important findings. Notably, there has been an increase in the number of systems accessible via the traditional Remote Desktop Protocol (RDP) port and a well-known “alternative” port used for RDP. A surprising finding from John’s research is the ongoing prevalent usage of RDP and its exposure to the internet.
Although Remote Desktop Services (RDS) can be a fast way to enable remote access for employees, there are a number of security challenges that need to be considered before using this as a remote access strategy. One of these challenges is that attackers continue to target the RDP and service, putting corporate networks, systems, and data at risk (e.g., cybercriminals could exploit the protocol to establish a foothold on the network, install ransomware on systems, or take other malicious actions). The second is that there are challenges with being able to configure security for RDP sufficiently, to restrict a cybercriminal from moving laterally and compromising data.
Security considerations for remote desktop include:
- Direct accessibility of systems on the public internet.
- Vulnerability and patch management of exposed systems.
- Internal lateral movement after initial compromise.
- Multi-factor authentication (MFA).
- Session security.
- Controlling, auditing, and logging remote access.
Some of these considerations can be addressed using Microsoft Remote Desktop Services to act as a gateway to grant access to remote desktop systems. The Microsoft Remote Desktop Services gateway uses Secure Sockets Layer (SSL) to encrypt communications and prevents the system hosting the remote desktop protocol services from being directly exposed to the public internet.
Identify RDP use
To identify if your company is using the Remote Desktop Protocol, you should perform an audit and review of firewall policies and scan internet-exposed address ranges and cloud services you use, to uncover any exposed systems. Firewall rules may be labeled as “Remote Desktop” or “Terminal Services.” The default port for Remote Desktop Services is TCP 3389, but sometimes an alternate port of TCP 3388 might be used if someone has changed the default configuration.
Use this guidance to secure remote desktop services
Further guidance on establishing Microsoft Remote Desktop Services can be found at https://aka.ms/rds. Remote Desktop Services can be used for session-based virtualization, virtual desktop infrastructure (VDI), or a combination of these two services. Microsoft RDS can be used to secure on-premises deployments, cloud deployments, and remote services from various Microsoft partners (e.g., Citrix). Leveraging RDS to connect to on-premises systems enhances security by reducing the exposure of systems directly to the internet.
On-premises deployments may still have to consider performance and service accessibility depending on internet connectivity provided through the corporate internet connection, as well as the management and maintenance of systems that remain within the physical network.
Leverage Windows Virtual Desktop
Virtual desktop experiences can be enhanced using Windows Virtual Desktop, delivered on Azure. Establishing an environment in Azure simplifies management and offers the ability to scale the virtual desktop and application virtualization services through cloud computing. Leveraging Windows Virtual Desktop foregoes the performance issues associated with on-premises network connections and takes advantage of built-in security and compliance capabilities provided by Azure.
More information about setting up Windows Virtual Desktop can be found here: aka.ms.wvd
Microsoft documentation on Windows Virtual Desktop offers a tutorial and how-to guide on enabling your Azure tenant for Windows Virtual Desktop and connecting to the virtual desktop environment securely, once it is established: aka.ms/wvdgetstarted
Secure remote administrator access
Remote desktop services are being used not only by employees for remote access, but also by many system developers and administrators to manage cloud and on-premises systems and applications. Allowing administrative access of server and cloud systems directly through remote desktop protocol elevates the risk because the accounts used for these purposes usually have higher levels of access across systems and environments, including system administrator access. Microsoft Azure allows system administrators to securely access systems using Network Security Groups and Azure Policies. Azure Security Center further enhances secure remote administration of cloud services by allowing “just in time” (JIT) access for administrators.
Attackers target management ports such as SSH and RDP. JIT access helps reduce attack exposure by locking down inbound traffic to Microsoft Azure VMs (Source: Microsoft).
Azure Security Center JIT access enhances security through the following measures:
- Approval workflow.
- Automatic removal of access.
- Restriction on permitted internet IP address.
More information about Azure Security Center JIT can be found in this documentation.
Evaluate the risk to your organization
Considerations for selection and implementation of a remote access solution should always consider the security posture and risk appetite of your organization. Leveraging remote desktop services offers great flexibility by enabling remote workers to have an experience like that of working in the office, while offering some separation from threats on the endpoints (i.e., user devices, both managed and unmanaged by the organization). At the same time, those benefits should be weighed against the potential threats to the corporate infrastructure (network, systems, and thereby data). Regardless of the remote access implementation your organization uses, it is imperative that you implement best practices around protecting identities and minimizing attack surface to ensure new risks are not introduced.
Go to Source
Author: Todd VanderArk