How To Secure Microsoft RDP and RDS
The purpose of this post is to explore common methods for securing internet-accessible Microsoft remote desktop systems (RDP & RDS); explain associated drawbacks or vulnerabilities; and present a simpler and more secure method for remote computer access.
What is Microsoft RDS?
Microsoft RDS is a feature of the Microsoft Windows Operating System that allows the remote use of a Windows computer over a network or internet connection. Microsoft RDS is built into most client (Windows XP and later) and server (Windows 2000 and later) versions of the Windows Operating System. Microsoft RDS uses the Remote Desktop Protocol (RDP).
Why do People use RDS?
As a secure remote desktop system, RDS is a widely used feature of Windows that allows people to connect from anywhere over the internet to Windows systems running in their homes, offices, or data centers. People typically connect to remote Windows RDS systems to use applications running on those systems. For this reason, Microsoft RDS is a very effective productivity tool for accessing remote Windows applications over the RDP protocol, and it can be a very effective method for securing applications and data.
People connect to remote Windows RDS systems by using Windows, Macintosh, iPad, or Android devices running the Microsoft Remote Desktop Protocol (RDP) client software. Windows remote desktop tools support stronger productivity no matter where the users are.
Why should RDS be Protected?
To start with, it is strongly recommended that any Windows computer system accessible over the internet be protected and run a secured RDP configuration. Failing to fully protect internet-accessible computers running RDP / RDS will certainly expose them to compromise, data theft, and/or data destruction.
Methods for Securing RDS and their Drawbacks
When RDP / RDS is enabled on a Windows system for remote computer access, it opens the default RDP protocol port, TCP port 3389, which is required to accept incoming logins from remote users. Although this port can be changed, it is never recommended to directly expose a computer running RDP / RDS to the internet. Since there are a variety of ways to attempt to secure RDS (or secure RDP), the table below shows common methods of securing Microsoft Remote Desktop systems, together with their drawbacks.
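One practical check a defender can run on an RDS host before deciding how to protect it is to see who is already trying to log in through that listener. The following PowerShell script is an added example, not part of the original post or any product it describes: it reads failed-logon events (Event ID 4625) from the Security log, keeps the ones whose logon type is RemoteInteractive (10, a classic RDP logon) or Network (3, which is how a failure at the Network Level Authentication stage is recorded), and groups them by source address. It assumes an elevated session on the host, that logon-failure auditing is enabled, and the `$Threshold` value is an assumed alerting cutoff, not a recommendation from the post.

```powershell
# Added example (not from the original post): summarize failed RDP logon
# attempts recorded in the Windows Security log on this host.
# Assumes: elevated PowerShell on the RDS host; "Audit Logon" failure
# auditing enabled so Event ID 4625 is written.
param(
    [int]$Hours = 24,
    [int]$Threshold = 20    # assumed alerting cutoff; tune for your environment
)

# Logon type 10 = RemoteInteractive (RDP). When Network Level Authentication
# is on, a failure at the CredSSP stage is logged as type 3 (Network) instead,
# and the IpAddress field may be "-" rather than a real source address.
$rdpLogonTypes = @('10', '3')

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML payload.
$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($rdpLogonTypes -contains $data['LogonType']) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            SourceIp  = $data['IpAddress']
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']
            Status    = $data['Status']     # NTSTATUS code, e.g. bad password vs. unknown user
        }
    }
}

# One line per source address, busiest first. Many distinct accounts from one
# source is the password-spraying shape; one account many times is brute force.
$bySource = $failures | Group-Object SourceIp | Sort-Object Count -Descending
foreach ($g in $bySource) {
    $accounts = ($g.Group | Select-Object -ExpandProperty Account -Unique).Count
    $flag = if ($g.Count -ge $Threshold) { 'ALERT' } else { 'ok' }
    '{0,-6} {1,-40} failures={2,-5} distinct-accounts={3}' -f $flag, $g.Name, $g.Count, $accounts
}
```

Run it as `.\Rdp-FailedLogons.ps1 -Hours 24 -Threshold 20` on the host. On a system whose RDP port is reachable from the internet the output typically shows addresses you have never heard of, which is the concrete form of the "anyone can attempt to log in" drawback listed in the first row of the table.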
| Method to Secure Windows RDS | Drawback / Vulnerability |
|---|---|
| Place behind a firewall with the default RDP port, TCP 3389, or a changed TCP port allowed from the internet | a. Placing a Windows system with the RDS port open to the internet is the equivalent of placing a Windows computer in a public place so that anyone can try to log in to it. In fact, it is worse, since anyone on the internet can attempt to log in.<br>b. Exposing a Windows system running RDS to the internet in this manner exposes it to the possibility of a denial-of-service attack, data theft, and data compromise. |
| Place behind a firewall and restrict external access to trusted IP addresses | a. It is not a good solution for supporting people working from locations that do not have fixed IP addresses.<br>b. It limits the ability to work from public locations with untrusted, even if fixed, IP addresses.<br>c. There is a need to constantly verify that trusted IP addresses can continue to be trusted.<br>d. It is not an effective way to support remote access to several Windows RDS systems in a centralized location, due to the need to secure one IP address for each Windows system. |
| Place behind a firewall and secure with Microsoft RD Web and RD Gateway. RD Web and RD Gateway are features of RDS for enterprise use | a. Microsoft RD Web and RD Gateway grant access to Windows systems running RDP / RDS via a web login page. This login page is not much more secure than exposing each Windows RDS system directly to the internet for random login attempts or attempts with stolen credentials.<br>b. RD Web and RD Gateway can be subjected to denial-of-service attacks. |
| Integrate third-party Multi-Factor Authentication (MFA) with Microsoft RD Web and RD Gateway | a. Since there are several third-party MFA solutions for Windows RDS, integration can be difficult and multifaceted. Moreover, with malicious intent and adequate preparation and resources, MFA that relies on SMS messages can be compromised.<br>b. Despite MFA integration, RD Web and RD Gateway can still be subjected to denial-of-service attacks. |
| Integrate a corporate VPN with third-party Multi-Factor Authentication (MFA) and Microsoft RD Web and RD Gateway | a. This is an effective but complex solution to implement. It requires integration of products from possibly three vendors (VPN vendor, MFA vendor, and Microsoft).<br>b. A VPN gateway can be subjected to denial-of-service attacks. |
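The first two rows of the table come down to three questions an administrator can answer directly on the host: is Remote Desktop enabled, which port is it listening on, and which remote addresses do the inbound firewall rules allow to reach that port. The script below is an added example written for this article, not code from the original post or from any vendor; it audits those settings, reports whether Network Level Authentication is required, and, only when run with `-Apply`, narrows the matching inbound rules to a trusted address list (the second method in the table, with all of that method's drawbacks). It assumes an elevated PowerShell session on the RDS host, and the `203.0.113.0/24` default is a documentation placeholder range that must be replaced with your own trusted addresses.

```powershell
# Added example (not from the original post): audit RDP exposure on this host
# and optionally restrict inbound RDP firewall rules to a trusted address list.
# Assumes: elevated PowerShell on the RDS host. The default address below is a
# placeholder (TEST-NET-3 documentation range), not a real trusted network.
param(
    [string[]]$TrustedAddresses = @('203.0.113.0/24'),
    [switch]$Apply
)

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled at all? (fDenyTSConnections = 0 means enabled)
$denyTs = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
'Remote Desktop enabled:        {0}' -f ($denyTs -eq 0)

# 2. Which port does the listener use? A non-default port is still found by a
#    port scan, so this is obscurity, not protection.
$port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber
'RDP listener port:             {0}' -f $port

# 3. Is Network Level Authentication required? (UserAuthentication = 1)
#    NLA makes the client authenticate before a session is created, which
#    removes the unauthenticated login screen from the attack surface.
$nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
'Network Level Authentication:  {0}' -f ($nla -eq 1)

# 4. Is anything actually listening on that port right now?
$listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
'Listener present on port {0}:  {1}' -f $port, [bool]$listening

# 5. Which enabled inbound allow rules cover the RDP port, and from where?
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" }

foreach ($r in $rules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    $scope  = if ($remote -contains 'Any') {
        'ANY (internet-exposed if the edge device forwards this port)'
    } else {
        $remote -join ', '
    }
    "Rule '{0}' remote scope: {1}" -f $r.DisplayName, $scope

    if ($Apply) {
        # Restrict this rule to the trusted list. This is the fixed-IP allowlist
        # method from the table and inherits its drawbacks: roaming users,
        # address churn, and one entry to maintain per trusted location.
        Set-NetFirewallRule -Name $r.Name -RemoteAddress $TrustedAddresses
        "  -> restricted '{0}' to {1}" -f $r.DisplayName, ($TrustedAddresses -join ', ')
    }
}
```

Running it without `-Apply` is read-only and is a reasonable first step on any host whose RDP port is reachable from outside: a rule whose remote scope prints as ANY, combined with an edge device that forwards the port, is exactly the first row of the table. Note that the host firewall scope only matters if the edge firewall actually forwards the port to this machine; check both.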
The Simplest and Most Secure Way to Secure RDS (Secure RDP)
TruGrid is the simplest and most effective way to secure a Windows RDS environment for the following reasons:
- TruGrid does not require firewall ports to be opened on networks with Windows RDS systems. This way, nothing is directly exposed to the internet and nobody knows that your Windows RDS systems exist.
- TruGrid does not need Microsoft RD Web or RD Gateway. It does not require any third-party VPN or MFA solutions.
- TruGrid is automatically integrated into your on-premises Active Directory without the need to replicate your Active Directory to the cloud or require users to remember additional separate credentials.
- TruGrid creates a cloud protective layer with integrated MFA and Push Authentication, to protect against denial-of-service attacks. The TruGrid MFA does not send passwords until MFA is validated – thereby reducing the ability for passwords to be compromised.
- TruGrid can be added to any Windows RDS network in under 15 minutes.
- TruGrid can link Windows RDS systems in multiple data centers for effortless business continuity.
- TruGrid includes integrated Dark Web scanning to alert if corporate user credentials are found compromised on the Dark Web.
Click here to set up your free trial of TruGrid today and secure your own Microsoft RDS environment.
Reference: How To Secure Microsoft Remote Desktop Protocol (RDP) and Remote Desktop Services (RDS)