How to Make RDP Invisible to Hackers
The purpose of this post is to explore the most secure and cost-effective way to permanently protect RDP from over-the-internet vulnerabilities. Protecting RDP is a must, given wide-spread attacks against exposed RDP ports. Exposed RDP is now a leading source of ransomware attacks.
What is Microsoft RDP and why do people use it?
Microsoft RDP (or RDS) is Microsoft’s Remote Desktop Protocol. It is built into all recent versions of the Windows operating system. It is one of the fastest ways to remotely connect to Windows for remote work.
Why should RDP / RDS be Protected?
RDP, when used over the internet, must be protected in order to avoid attackers from logging into exposed computers and compromising them. Exposing RDP over the internet is like inviting strangers to login to your computer. It is a big security risk and should not be done.
Why do people have difficulties securing RDP?
While there are many ways to secure RDP, nearly all of the methods are complicated, inconvenient, or costly. As a result, many forego the security, with the expectation that they would not be a target. This approach is worse than leaving the door to your house open with the hope that intruders will not come in – this is exposing your PC to the entire world to be attacked.
How to permanently prevent RDP Vulnerabilities
Due to the cost, complexity, and inconvenience of securing RDP, some have suggested that people stop using RDP altogether. This is quite unrealistic because people often need to use RDP for remote work, and it happens to be the fastest protocol for connecting to remote PCs. As explained later in this blog, the best method for securing RDP from attacks is to make it invisible to hackers without any complexity or complications.
First, let’s review common methods for security RDP and their drawbacks so that we can have an appreciation for the simplest and most secure method.
- Place RDP host behind firewall with default port 3389 changed to another port over the internet
- This approach is dangerous because RDP attackers can scan and connect to RDP over any port
- Place RDP host behind firewall and restrict external access to trusted remote IP addresses
- This approach is inconvenient because it means one cannot connect to RDP while traveling, using hotel or airport WiFi
- Place RDP host behind firewall and secure with Microsoft RD Web and RDS Gateway
- This approach exposes the Microsoft RD Web to being compromised with stolen Dark Web passwords
- Integrate third-party Multi-Factor Authentication (MFA) with Microsoft RD Web and RD Gateway
- This approach introduces complexity and additional cost via multiple add-ons
- Integrate VPN with third-party Multi-Factor Authentication (MFA)
- This is an effective but complex and costly solution to implement. It requires integration of products from possibly three vendors (VPN vendor, MFA vendor, and Microsoft)
With the various complicated and costly methods summarized above, the easiest way to secure RDP over the internet is to make it invisible to hackers, so that they don’t even know that it exists. While there are very few technologies that can accomplish this in a cost-effective manner, many of them are limited in their capabilities.
TruGrid SecureRDP makes RDP invisible to the Internet. It is simple and cost-effective, and it is a reliable way to secure RDP without sacrificing features. TruGrid does this with integrated MFA, no firewall changes, and no VPN. TruGrid does this in a matter of minutes. TruGrid can also secure RDP from multiple locations for a user. TruGrid is useful for individual users and organizations that connect to multiple RDP hosts in different datacenters or cloud.