While enterprises have experimented with work from home policies for years, the experiment suddenly shifted to be the only option as COVID-19 forced millions of employees into remote work in an attempt to slow the transmission of the deadly disease. While WFH is not a new concept, it had never been attempted at this large of a scale, nor had it been embraced by all companies.
As a result, many IT teams found themselves suddenly in a position where they needed to equip office workers to continue to do their jobs, from home. For companies where employees did not have issued laptops, this proved to be a particularly hairy problem.
While some employees have opted to bring their company-issued desktops home with them (yes, you read that right), that is not possible for everyone. In order to keep business running, many IT teams have enabled Remote Desktop Protocol (RDP) as a portal into office workstations. Multiple sources have reported an increase in RDP use and exposure. During an April panel discussion put on by ISC2, Glenn Leifheit, Senior Security Program Manager of Customer Security and Trust at Microsoft, indicated that use of RDP had grown substantially. Similarly, Shodan reported significant growth in RDP endpoints exposed to the Internet in March.
RDP buys agility when it is absolutely necessary. But after the BlueKeep (CVE-2019-0708) and later DejaBlue (CVE-2019-1181 and CVE-2019-1182) vulnerabilities had IT teams around the world scrambling last year, the risks of RDP are well understood.
IT teams enabling RDP access should do so with eyes wide open to the risk it introduces to the business should it be used as an attack vector. For more information on the security risks of RDP, I'd recommend that you check out ExtraHop's Security Advisory on RDP, which dives into the specifics of what is possible in an RDP-enabled attack.
If you must enable RDP for remote access, ExtraHop recommends that IT teams follow these best practices:
- Run the RDP connection through a VPN or Remote Desktop Gateway, so that port 3389 is never reachable directly from the Internet and login attempts receive more scrutiny.
- Enforce strong passphrase rules. Passphrases should be at least 14 characters and mix upper- and lowercase letters, digits, and special characters.
- Enable two-factor authentication on all RDP and VPN logins. In addition to strong passphrases, two-factor authentication is a critical step to ensuring that access is granted only to those who have permission. If you had been meaning to set up two-factor authentication but had not gotten around to it, now is a great time to do so.
- Enable access only temporarily. Opening RDP should not be considered a long-term fix for remote access. Experts are unsure how long social distancing recommendations could remain in place, so it is prudent to explore alternatives such as purchasing company-issued laptops or Desktop-as-a-Service (DaaS) solutions.
- Make sure to close access as soon as it is no longer necessary. It is very common for people to forget to disable RDP access. Be sure to set a reminder for your team to do so.
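The steps above, carried out on a single Windows 10 workstation, as an added example (this script is not ExtraHop's, and not from the security advisory). It assumes a VPN that hands remote users addresses in 10.8.0.0/24 and a 14-day access window; both values are placeholders and can be overridden with the parameters. Two-factor authentication is not something a local script can enforce and must be configured on the VPN or Remote Desktop Gateway in front of this host. Run as Administrator.

```powershell
# Added example: enable RDP on one workstation with the least exposure, and schedule its removal.
# Placeholder assumptions: VPN client range 10.8.0.0/24, access needed for 14 days.
param(
    [string]$VpnSubnet   = '10.8.0.0/24',   # only this range may reach TCP/3389 (assumed)
    [int]   $DaysAllowed = 14               # when the scheduled task disables RDP again (assumed)
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Enable RDP but require Network Level Authentication, so the client must
#    authenticate before a session is created. NLA is also what kept BlueKeep
#    from being exploitable pre-authentication.
Set-ItemProperty -Path $tsKey  -Name 'fDenyTSConnections' -Value 0
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1

# 2. Scope the built-in Remote Desktop firewall rules to the VPN range and drop the
#    Public profile. Even if the host ends up with a public address, 3389 stays closed
#    to everything except VPN clients.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Set-NetFirewallRule    -DisplayGroup 'Remote Desktop' -RemoteAddress $VpnSubnet -Profile Domain,Private

# 3. Only explicit members of "Remote Desktop Users" (plus local Administrators) may log on.
#    Add the one person who needs this box, e.g.:
#    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'CORP\jdoe'   # CORP\jdoe is a placeholder

# 4. Local floor for password length; domain policy normally overrides this on joined machines.
net accounts /minpwlen:14

# 5. Schedule the rollback so nobody has to remember to close access: on the expiry date,
#    deny RDP connections again and disable the firewall rules.
$rollback = "Set-ItemProperty -Path '$tsKey' -Name fDenyTSConnections -Value 1; " +
            "Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'"
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$rollback`""
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddDays($DaysAllowed)
Register-ScheduledTask -TaskName 'Disable-TemporaryRDP' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest -Force

# 6. Audit what was just done: where RDP is listening and from which addresses it is reachable.
Get-NetTCPConnection -LocalPort 3389 -State Listen | Select-Object LocalAddress, LocalPort
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Step 6 is the check to re-run periodically across the fleet: a RemoteAddress of "Any" on an enabled Remote Desktop rule, or a 3389 listener on a host that was supposed to have been rolled back, is exactly the forgotten exposure the last bullet warns about.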
While we have presented some best practices, the risk of public-facing RDP is hard to overstate, and it should only be used in extenuating circumstances. Under many cybersecurity insurance policies, RDP exposed to the Internet could hand the insurer a "get out of jail free" clause should it be found to be a vector in an attack, because it indicates that the policy holder did not take adequate precautions.
Get the security advisory for real-world examples of malicious RDP activity we've detected using ExtraHop Reveal(x), as well as mitigation strategies.