Preventing attacks on Remote Desktop Services

Understanding Remote Desktop Vulnerabilities

Allowing users to remotely use a computer or use a virtual machine, Remote Desktop Services (RDS) can be a major advantage for businesses, letting staff work on projects no matter where they are (as long as Internet connectivity is available).

While RDS can be incredibly helpful, if not properly secured, the service can open up some major vulnerabilities. CERT-UK, the official UK Computer Emergency Response Team, has indicated that in recent months, there’s been a significant increase in attacks on businesses using RDS, with cybercriminals managing to access private servers in order to steal valuable data, spread ransomware and generally inconvenience companies.

Using port-scanning software SHODAN, CERT-UK estimated that roughly 72,000 devices are running RDS in a way which may be insecure - a major potential issue, particularly given the value of the data that can be stolen or ransomed in the event of a successful attack.

Typically, attacks on RDS involve cybercriminals brute forcing their way into an unsecured RDS, trying a vast number of potential passwords until one ends up actually being correct, then using their access to copy files or spread ransomware, preventing data from being accessed until a ransom is paid.

Responding to the increased rate on RDS-using businesses, CERT-UK issued a range of best practice points - we’ve gone through them below, and would highly recommend reading and taking them into account if you use Remote Desktop Services of any kind.

Best Practices to reduce RDS vulnerabilities

RDS Public Availability: In many cases, the vulnerabilities associated with RDS can be heavily mitigated if the service is not publicly reachable at all, with access to login only granted to trusted users. It’s recommended that RDS users consider whether their service needs to be publicly available and prevent access if not.

Password Policies: Brute-force/dictionary attacks are the most common kind of attack on RDS servers, and can be partially be mitigated by introducing genuinely strong passwords (only used in one location, with numbers and characters placed at random intervals,etc) and potentially introducing account lockouts if the user gets their password wrong too many times.

Proactive Monitoring: Keeping an eye on how your RDS is used can let you spot and react to any abnormal traffic or usage (which can indicate an attack).

Account Permissions: Users shouldn’t be given levels of access permission above what they actually require - having an established policy for this can be effective.

Configuration: By configuring RDS to cut off non-essential features in the case of a successful attack, you can lower the level of access that an intruder has to your systems and services.

Whitelisting: By ensuring that only approved applications can be run on RDS, you can prevent a number of security issues if an attacker is able to get access.

Two-Factor Authentication: If RDS services need to be visible to the public, adding an additional level of security can help ensure that only authorised users can access the RDS.

Authentication Controls: A potential point for consideration - making Internet-enabled RDS-running devices standalone rather than attached to a domain can cut down on access for hackers, though may increase your workload somewhat.

Security Controls: CERT-UK recommends that companies using RDS adopt a stronger set of security controls in general, such as cutting out services where not required.

Interested in finding out more about cybersecurity? We recommend taking a look around the CERT-UK Archive and staying up to date on the latest news via any CyberSecurity Cluster meetings.