
How To Secure Microsoft Remote Desktop Protocol (RDP) and Remote Desktop Services (RDS)


The purpose of this post is to explore common methods for securing internet-accessible Microsoft remote desktop systems (RDP & RDS); explain associated drawbacks or vulnerabilities; and present a simpler and more secure method for remote computer access.

What is Microsoft RDS?

Microsoft RDS is a feature of the Microsoft Windows Operating System that allows the remote use of a Windows computer over a network or internet connection. Microsoft RDS is built into most client (Windows XP and later) and server (Windows 2000 and later) versions of the Windows Operating System. Microsoft RDS uses the Remote Desktop Protocol (RDP).

Why do People use RDS?

As a secure remote desktop system, RDS is a widely-used feature of Windows that allows people to connect from anywhere over the internet, to Windows systems running in their homes, offices, or data centers. People typically connect to remote Windows RDS systems to use applications running on these systems. For this reason, Microsoft RDS is a very effective productivity tool for accessing remote Windows applications over the RDP protocol, and can be a very effective method for securing applications and data.

People connect to remote Windows RDS systems by using Windows, Macintosh, iPad, or Android devices running the Microsoft Remote Desktop Protocol (RDP) client software. Windows remote desktop tools support productivity no matter where the users are.

Why should RDS be Protected?

To start with, it is strongly recommended that any Windows computer system that is accessible over the internet be protected and running a secure RDP. Failing to fully protect internet-accessible computers running RDP / RDS will certainly expose them to compromise, data theft, and / or data destruction.

Methods for Securing RDS and their Drawbacks

When RDP / RDS is enabled on a Windows system for remote computer access, it opens the default RDP protocol port, TCP port 3389, which is required to accept incoming logins from remote users. Although this port can be changed, it is never recommended to directly expose a computer running RDP / RDS to the internet. Since there are a variety of ways to attempt to secure RDS (or secure RDP), the common methods of securing Microsoft Remote Desktop systems are listed below, each followed by its drawbacks.

Method to Secure Windows RDS (numbered), with Drawback / Vulnerability (lettered)

  1. Place behind firewall with default RDP port, TCP 3389, or changed TCP port allowed from the Internet
     a. Placing a Windows system with the RDS port open to the Internet is the equivalent of placing a Windows computer in a public place so that anyone can try to log in to it. In fact, it is worse, since anyone on the internet can attempt to log in
     b. Exposing a Windows system running RDS to the internet in this manner exposes it to the possibility of a denial-of-service attack; data theft; and data compromise

  2. Place behind firewall and restrict external access to trusted IP addresses
     a. It is not a good solution for supporting people working from locations that do not have fixed IP addresses
     b. It limits the ability to work from public locations with untrusted IP addresses, even if they are fixed
     c. There is a need to constantly verify that trusted IP addresses can continue to be trusted
     d. It is not an effective way to support remote access to several Windows RDS systems in a centralized location, due to the need to secure one IP address for each Windows system

  3. Place behind firewall and secure with Microsoft RD Web and RDS Gateway. RD Web and RD Gateway are features of RDS for enterprise use
     a. Microsoft RD Web and RD Gateway grant access to Windows systems running RDP / RDS via a web login page. This login page is not much more secure than exposing each Windows RDS system directly to the internet for random login attempts or with stolen credentials
     b. RD Web and RD Gateway can be subjected to denial-of-service attacks

  4. Integrate third-party Multi-Factor Authentication (MFA) with Microsoft RD Web and RD Gateway
     a. Since there are several third-party MFA solutions for Windows RDS, integration can be difficult and multifaceted. Moreover, with malicious intent and adequate preparation and resources, MFAs that rely on SMS messages can be compromised
     b. Despite MFA integration, RD Web and RD Gateway can still be subjected to denial-of-service attacks

  5. Integrate corporate VPN with third-party Multi-Factor Authentication (MFA) and Microsoft RD Web and RD Gateway
     a. This is an effective but complex solution to implement. It requires integration of products from possibly three vendors (VPN vendor, MFA vendor, and Microsoft)
     b. A VPN gateway can be subjected to denial-of-service attacks

The Simplest and Most Secure Way to Secure RDS (Secure RDP)

TruGrid is the simplest and most effective way to secure a Windows RDS environment for the following reasons:

  • TruGrid does not require firewall ports to be opened on networks with Windows RDS systems. This way, nothing is directly exposed to the internet and nobody knows that your Windows RDS systems exist.
  • TruGrid does not need Microsoft RD Web or RD Gateway. It does not require any third-party VPN or MFA solutions.
  • TruGrid is automatically integrated into your on-premises Active Directory without the need to replicate your Active Directory to the cloud or require users to remember additional separate credentials.
  • TruGrid creates a cloud protective layer with integrated MFA and Push Authentication, to protect against denial-of-service attacks. The TruGrid MFA does not send passwords until MFA is validated – thereby reducing the ability for passwords to be compromised.
  • TruGrid can be added to any Windows RDS network in under 15 minutes.
  • TruGrid can link Windows RDS systems in multiple data centers for effortless business continuity.
  • TruGrid includes integrated Dark Web scanning to alert if corporate user credentials are found compromised on the Dark Web.


RDP versus RDS

To effectively secure your remote desktop or virtual machine environment, it’s crucial to understand the distinctions and interplay between RDP and RDS.

  • Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows a user to connect to another computer over a network connection with a graphical interface. RDP is primarily used for remote access and management of systems.
  • Remote Desktop Services (RDS), formerly known as Terminal Services, is a broader infrastructure that provides a suite of capabilities for deploying and managing remote desktops and applications. RDP is a key component of RDS, facilitating the connection process between clients and servers.

In practice, RDP might be used independently for one-to-one remote access scenarios, such as remote PC or server management or remote working arrangements. RDS, on the other hand, becomes necessary when scaling up to provide remote access to applications and virtual desktops to multiple users simultaneously, often in enterprise environments.

Common Threats to RDP and RDS Security

RDP and RDS environments face several security threats that can lead to serious consequences, including data loss and system compromise.

  • Brute-force attacks involve attempting multiple username and password combinations to gain unauthorized access.
  • Credential stuffing uses previously breached credentials, banking on the reuse of passwords across services.
  • Exposing RDP to the internet can make your system a target for attackers who exploit vulnerabilities to gain access.

Understanding these threats is the first step in formulating a robust security strategy.
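The first two threats above leave different traces in failed-logon records, which is what makes them separable in monitoring. The following is an added example, not part of the original post: it classifies source addresses from records shaped like Windows Security event 4625 fields. The sample events, account names, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Failed RDP logons appear in event 4625 as logon type 3 (network, when NLA
# is on) or 10 (RemoteInteractive). Type 3 also covers other network logons.
RDP_LOGON_TYPES = {3, 10}
T0 = datetime(2024, 1, 15, 9, 0, 0)  # constructed start time

def _evt(sec, ip, user, logon_type=3):
    return {"time": T0 + timedelta(seconds=sec), "ip": ip,
            "user": user, "logon_type": logon_type}

# Constructed sample records (documentation IP ranges, made-up accounts).
SAMPLE_EVENTS = (
    [_evt(i * 5, "203.0.113.7", "administrator") for i in range(12)]
    + [_evt(i * 20, "198.51.100.23", f"user{i:02d}", 10) for i in range(10)]
    + [_evt(30, "192.0.2.50", "alice"), _evt(400, "192.0.2.50", "alice")]
    + [_evt(i, "203.0.113.99", "svc_backup", 5) for i in range(15)]
)

def classify_sources(events, window=timedelta(minutes=10),
                     brute_fails=10, stuffing_users=8):
    """Map source IP -> 'brute-force' or 'credential-stuffing'.

    Thresholds are illustrative assumptions; tune them to your baseline.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] in RDP_LOGON_TYPES:
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evts in by_ip.items():
        evts.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evts)):
            # Advance the left edge so the span never exceeds `window`.
            while evts[end]["time"] - evts[start]["time"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in evts[start:end + 1]:
                per_user[e["user"].lower()] += 1
            if len(per_user) >= stuffing_users:        # many accounts, few tries each
                findings[ip] = "credential-stuffing"
                break
            if max(per_user.values()) >= brute_fails:  # one account hammered
                findings[ip] = "brute-force"
                break
    return findings
```

Many distinct accounts from one address is a heuristic for credential stuffing; it also matches password spraying, so treat the label as a triage hint rather than a verdict.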

Importance of Multi-Factor Authentication (MFA) in RDS Security

One of the most effective measures to enhance RDS security is the implementation of Multi-Factor Authentication (MFA).

  • MFA requires users to provide two or more verification factors to gain access to a resource, significantly reducing the risk of unauthorized access due to compromised credentials.
  • Despite some misconceptions, MFA does not add significant complexity or inconvenience in most scenarios, and its benefits in securing access far outweigh any perceived drawbacks.

Comparative Analysis: RDP vs RDS Security

When comparing RDP vs RDS from a security perspective, several factors come into play.

  • RDP alone, while useful for individual remote access, lacks the comprehensive management and security controls that come with RDS.
  • RDS offers a more scalable and manageable solution, with built-in features for securing and monitoring access on a broader scale.

Choosing between a simple RDP connection and the complete suite of RDS depends on specific security requirements, the scale of remote access needed, and the infrastructure in place.

Best Practices for RDS Security

Securing your RDS environment is an ongoing process that involves several best practices:

  1. Regularly Update Software: Keep your RDS infrastructure, including the operating system and applications, up to date with the latest patches to protect against vulnerabilities.
  2. Implement Strong Password Policies: Enforce complex passwords and regular changes to reduce the risk of brute-force attacks and credential stuffing.
  3. Conduct Security Audits: Regular audits can help identify potential vulnerabilities within your RDS environment and guide the implementation of corrective measures.
  4. User Education and Awareness: Train users on security best practices, phishing awareness, and the importance of reporting suspicious activities. Educated users are your first line of defense.
  5. Utilize Network Level Authentication (NLA): NLA adds an additional layer of authentication before establishing an RDP session, offering better protection against unauthorized access.
  6. Configure Account Lockout Policies: To counteract brute-force attempts, set account lockout policies that temporarily disable accounts after a certain number of failed login attempts.
  7. Use RD Gateway with RD Web: RD Gateway with RD Web acts as a proxy between external users and the internal network, providing a secure path for RDP traffic.
  8. Use MFA with RD Web: The use of MFA with RD Web provides an additional layer of security against password compromise.
  9. Enable Encryption: Ensure that RDP traffic is encrypted to protect data in transit from eavesdropping and interception.
  10. Monitor and Log Activity: Keep detailed logs of RDP sessions and regularly monitor them for any unusual activity that could indicate a security breach.

By implementing these practices, organizations can significantly enhance the security of their RDS environments, ensuring that remote access is both efficient and secure. The key to robust security lies in a layered approach, combining technical measures with user education and regular reviews of security policies and practices.
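Practices 5 and 9 above (NLA and encryption) correspond to registry values on the RDP listener, so they can be checked from an exported `.reg` file. The following is an added example, not part of the original post: it parses a constructed export and reports weak settings. The sample export and the finding codes are assumptions made for illustration.

```python
import re

TS_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP = TS_ROOT + r"\WinStations\RDP-Tcp"

# Constructed .reg export of a weakly configured host (not from the page).
# Real regedit exports are UTF-16; decode the file before passing it in.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000
"SecurityLayer"=dword:00000001
"MinEncryptionLevel"=dword:00000002
"PortNumber"=dword:0000d3e1
"""

def parse_reg_dwords(text):
    """Return {key_path: {value_name: int}} for DWORD values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (
                m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)):
            current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit_rdp(text):
    """Return a list of finding codes for the RDP listener settings."""
    keys = parse_reg_dwords(text)
    root, tcp = keys.get(TS_ROOT, {}), keys.get(RDP_TCP, {})
    if root.get("fDenyTSConnections", 1) == 1:
        return ["rdp-disabled"]            # listener off: nothing else applies
    findings = []
    if tcp.get("UserAuthentication", 0) != 1:   # 1 = NLA required
        findings.append("nla-not-required")
    if tcp.get("SecurityLayer", 0) != 2:        # 0 = RDP layer, 1 = negotiate, 2 = TLS
        findings.append("tls-not-enforced")
    if tcp.get("MinEncryptionLevel", 1) < 3:    # 3 = High, 4 = FIPS
        findings.append("encryption-below-high")
    if tcp.get("PortNumber", 3389) != 3389:
        findings.append("nonstandard-port")     # a changed port is not a control
    return findings
```

Group Policy can override these values under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`, so a clean result here should be confirmed against the effective policy.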