By Zach DeMeyer Posted January 24, 2020
Windows® Remote Desktop Protocol (RDP) enables IT organizations to remotely connect to Windows-based servers, desktops, and virtual machines (VMs). Although generally protected by VPN, sometimes an organization may leave their RDP ports exposed to the Wild West of the internet. If not properly secured, the remote Windows host may be susceptible to brute force attacks, exposing these crucial Windows resources to bad actors. That’s why organizations need to safeguard their Windows RDP ports with multi-factor authentication (MFA) to protect against malicious attempts to access the workstation or server.
The Problem of Open RDP Ports
It’s important to start by saying that any organization that willingly chooses to expose RDP ports to the internet is making a serious error with regard to security. But why is this a problem?
Well, when an RDP port is left open to the internet, anyone can find the open port and attempt to access it, including those with nefarious intent. If such a person manages to gain access, they can lay waste to an organization’s network.
Brute Force Attacks
Bad actors can use bots or other methods to flood a login prompt with different password combinations until one is accepted. These attacks are known as brute force attacks, as the perpetrators are generally trying to crash through the authentication process with an onslaught of login attempts in order to guess valid credentials.
In a study of brute force-style attacks, Kaspersky found that passwords can take anywhere from seconds to years to crack. Often, these brute force attacks rely on a collection of widely reused or weak passwords to stuff credentials through an authentication prompt. With the aid of bots, the time required to brute force through authentication drops significantly.
Publicly exposed RDP ports are especially vulnerable to brute force attacks, and even more so when a bot is involved. For example:
GoldBrute is a botnet recently uncovered by security analysts. GoldBrute swarms the web, searching for exposed RDP ports. Once one is found, GoldBrute stuffs credentials into the RDP login prompt until the correct credentials are used to crack authentication. Then, once inside the VM, GoldBrute seeks out additional hosts and spreads to other IP addresses that may expose public RDP ports, cataloguing successful credential combinations to later resell on the dark web.
Spanish MSP Everis and their client, Cadena SER, were recently hit with ransomware, compromising many of their systems. The source? Although still somewhat unclear, the leading theory points to thousands of exposed RDP instances. It is unclear whether the attacks on these ports can be attributed to brute force attempts or some other vulnerability like BlueKeep, but the bottom line is that unsecured public RDP ports are a major source of ingress for bad actors.
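As an added illustration of the defensive side (example code, not from the original post or from any vendor named here), the following script flags the pattern a GoldBrute-style bot leaves behind: many failed RDP logons from one source address in a short window. The record format and addresses are constructed for the example, modeled on the fields of Windows Security Event 4625 (failed logon), where Logon Type 10 marks an RDP session; the threshold and window size are assumptions to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs), modeled on the fields of Windows
# Security Event 4625 (failed logon). Logon Type 10 is RemoteInteractive, the
# type an RDP session produces; 4624 is a successful logon and is ignored here.
SAMPLE_EVENTS = [
    "2020-01-24T10:00:01 4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2020-01-24T10:00:03 4625 LogonType=10 User=admin Src=203.0.113.7",
    "2020-01-24T10:00:05 4625 LogonType=10 User=Administrator Src=203.0.113.7",
    "2020-01-24T10:00:06 4625 LogonType=3 User=svc Src=203.0.113.7",  # SMB, not RDP
    "2020-01-24T10:00:08 4625 LogonType=10 User=root Src=203.0.113.7",
    "2020-01-24T10:00:09 4624 LogonType=10 User=jsmith Src=198.51.100.9",  # success
    "2020-01-24T10:00:11 4625 LogonType=10 User=guest Src=203.0.113.7",
    "2020-01-24T10:00:30 4625 LogonType=10 User=jsmith Src=198.51.100.9",  # one failure
    "2020-01-24T10:10:00 4625 LogonType=10 User=a Src=192.0.2.50",  # slow and low:
    "2020-01-24T10:20:00 4625 LogonType=10 User=b Src=192.0.2.50",  # 5 failures,
    "2020-01-24T10:30:00 4625 LogonType=10 User=c Src=192.0.2.50",  # 10 min apart
    "2020-01-24T10:40:00 4625 LogonType=10 User=d Src=192.0.2.50",
    "2020-01-24T10:50:00 4625 LogonType=10 User=e Src=192.0.2.50",
]

def parse_event(line):
    """Split one constructed record into a dict of its fields."""
    ts, event_id, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec.update(ts=datetime.fromisoformat(ts), id=int(event_id))
    return rec

def detect_rdp_bruteforce(lines, threshold=5, window_minutes=5):
    """Map each source with >= threshold failed RDP logons inside a sliding window to the time it was first flagged."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # per-source timestamps of failed RDP logons
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev["id"] != 4625 or ev["LogonType"] != "10":
            continue  # not a failed RDP logon
        q = recent[ev["Src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["Src"] not in alerts:
            alerts[ev["Src"]] = ev["ts"]
    return alerts

if __name__ == "__main__":
    for src, first_seen in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"possible RDP brute force from {src}, first flagged at {first_seen}")
```

With the defaults only the fast source (203.0.113.7) is flagged; widening the window to an hour also catches the slow source (192.0.2.50), which is the trade-off to keep in mind when tuning.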
Clearly, exposing RDP access to the internet is a dangerous security practice. That’s why organizations need to safeguard their Windows RDP ports with MFA.
Multi-factor authentication is the practice of requiring an additional authentication factor beyond credentials to gate access to resources such as systems. Although organizations should always ensure that their users have strong passwords on all accounts, MFA adds an additional layer of protection to cover for weaker credentials or those stolen from other sources.
In a study of basic forms of MFA, the Google Security Blog found that device-based MFA is 100% effective at preventing account takeover by automated bot attacks. Device-based MFA is among the most popular forms of MFA, so for organizations interested in enforcing MFA to guard VMs and other resources, there’s a solution for you.
Enforcing MFA on Windows VMs
Organizations can use a cloud directory service to implement and enforce device-based multi-factor authentication across their Mac®, Linux®, and Windows system fleets, including those that leverage RDP.
With this cloud directory service, or Directory-as-a-Service® (DaaS), IT admins can enforce MFA not only on systems but on VPNs as well, which should be used in addition to system MFA to provide even more protection for RDP ports. Additionally, DaaS enables admins to enforce password complexity policies, further safeguarding against brute force attacks.