RDP: Red Flag or Red Herring?

Exposed RDP is interesting to an attacker if they have credentials — focus instead on, MFA, strengthening passwords and minimizing attackers’ ability to move laterally

Exposed RDP is the new favorite scapegoat of the security industry. RDP (Remote Desktop Protocol) allows users or IT departments to access computers remotely. The problem is that having this interface exposed to the internet allows attackers to brute-force logins or use stolen credentials to access the system.

In fact, 32% of ransomware attacks now involve external-facing RDP, per Sophos. Because of this, the industry now considers exposed RDP to be a primary attack vector for ransomware. This has shifted industry focus to removing RDP portals in an effort to reduce ransomware risk. Leading cyber insurance firms, such as Coalition, are now even refusing to insure organizations with exposed RDP.

It is true that a company’s attack surface should never contain any features that do not actively serve a business function; this is what we call reducing the attack surface. However, RDP can be a highly valuable tool to a business, and being afraid of exposed RDP is a bit like calling cars unsafe to drive because people might not use their seatbelts. Yes, our own research found that

25% of organizations have RDP exposed to the internet, but exposed RDP does not have to be a problem if you’re aware of it, monitoring it, you have good password hygiene and MFA.

The industry has determined that having an RDP portal on the internet is dangerous because of what ultimately boils down to poor credential policies. They’re fixating on the tool, but not solving the problem. But if security teams focus on fixing their credential problems, they will inadvertently be solving their RDP problem by extension. Insurance providers are not as concerned with the RDP itself as they are with the correlation between RDP and poor security hygiene.

As an attacker, an exposed RDP portal is interesting to me if a lot of other things have also gone right for me. If it’s unpatched it might have a weakness I could exploit and bypass all sorts of protections, but RDP has had relatively few exploitable vulnerabilities. Being real: most attacks on RDP are probably just a hacker stuffing creds into the service (just like any portal, filling in the username and password), and therefore RDP is only as dangerous to the network as the credentials an attacker has and is able to use.

How I Might “Exploit” RDP

If I manage to get a user’s credentials from the “dark web” or just from phishing, MFA can still prevent me from accessing the system. If I were to somehow get my hands on the user’s phone, too (or their fob or token, or…) I would need the passcode (or pin, or an exploit) in order to proceed. The odds of an attacker accumulating all of favorable circumstances can be made astronomically low. Still, it’s been all too common for Randori’s attack team to successfully conduct an attack with previously disclosed credentials because even basic MFA wasn’t deployed.

And supposing I did bypass the MFA and login via RDP, I still only have access at the level of that employee. If the security team maintains least privilege and has adequately segmented the system, I would be out of luck. Sure, I can drop malware on that computer and send them a ransom request, but the IT department can simply wipe the computer, since my access and damage would have been contained.

When we talk about RDP (or any service-du-jour) being “exposed directly” to the internet, we should remember context. Yes, hiding RDP behind a VPN would certainly get RDP “off of the internet.” But that VPN can be logged into using the same stolen username and password as those for RDP. It’s turtles all the way down. If the root problem you’re really fighting is creds and hygiene, your best bet is to focus there. It’s not that RDP software is actually exploited. Yes, Bluekeep was an issue in 2019, but at this point Bluekeep shouldn’t be an issue if you follow any patching protocols.

So What Should You Do?

Is RDP okay to have on the internet? Sure — if it is necessary to your business functionality and you’ve done the hardening you should do for any service. Here are steps you can take to use it safely:

• Monitor for exposed RDP
• Implement multi-factor authentication
• Segment remotely accessible systems from the rest of your network
• Limit which users allowed to login remotely
• Limit the permissions of users, systems, and services
• Monitor dark web resources for password leaks (credential monitoring)
• Monitor location of logins and only allow those where your employees are located
• Monitor for failed login attempts
• Monitor admin behavior
• Be aggressive about patching your perimeter systems

For more information about what hackers consider tempting targets check out Randori’s latest report. Or if you want to understand how they really see your organization, check out my book Where Attackers Infiltrate Your Network and How to Beat Them, available on the Amazon Kindle Store.