The 4 Most Effective Ways to Secure Microsoft Remote Desktop Services (RDS)
The COVID-19 pandemic has forced many companies to switch to remote work models, which has led to a significant increase in cloud computing usage. Cloud computing offers several benefits, such as cost savings, scalability, and remote accessibility. However, this convenience comes with its own set of risks, particularly when it comes to remote desktop services.
Remote desktop services (RDS) allow users to remotely access a desktop or application hosted on a server in the cloud or datacenter. However, these services can be vulnerable to cyberattacks, which can result in data breaches, system compromises, and other cybersecurity incidents. In this article, we will explore the best practices and solutions for securing remote desktop services in the cloud.
Did you know that remote desktop protocol (RDP) is one of the top attack vectors for cybercriminals? Read on to learn how you can secure your RDS in the cloud and prevent cyberattacks.
These are the 4 Most Effective Ways to Secure Microsoft RDS
1. Use Zero Trust. Close All Inbound Ports & Avoid VPN
The first rule for securing Microsoft RDS (and RDP) is to close all internet-facing inbound ports. This is because it is practically impossible for hackers to externally breach a network that is closed to the outside world. Naturally, the next question is, how does one access Microsoft RDS or RDP over the internet? We don’t recommend VPN because all VPN connections become extension of the network that one is trying to protect. Therefore, a breach of a remote VPN user can traverse the VPN connection to infect the RDS system and the network.
A Zero Trust solution is what we recommend for securing Microsoft RDS. The research firm Gartner predicts that Zero Trust solutions will replace VPN by 2025.
A Zero Trust solution for Microsoft RDS / RDP works by allowing organizations to completely close all firewall ports, yet requiring end users to authenticate in the cloud before access is ever granted to the protected RDS systems. All of this is done with no firewall exposure. Please see the video referenced at the end of this article to learn more about Zero Trust solution for RDP.
2. Use Multi-Factor Authentication (MFA)
One of the most effective ways to secure remote desktop services is by using multi-factor authentication (MFA). MFA requires users to provide two or more forms of authentication to gain access to a system or application. This could be a combination of something the user knows (such as a password), something the user has (such as a smart card), or something the user is (such as biometric data). According to Microsoft, MFA can block over 99.9 percent of account compromise attacks.
MFA can significantly reduce the risk of unauthorized access to RDS, even if a cybercriminal has managed to obtain a user’s password. Many cloud providers offer MFA as a built-in feature, so it’s essential to enable it when setting up RDS.
3. Limit User Access
Another best practice for securing remote desktop services is to limit user access. Not all users require access to all applications or data, so it’s essential to restrict access to only those who need it. This can be done by creating security groups and assigning users to specific groups based on their roles and responsibilities.
Additionally, it’s important to regularly review user access permissions and remove access for users who no longer require it. This can help prevent insider threats and minimize the risk of data breaches.
4. Keep Software and Application Updated
Outdated software and applications can be a significant security risk, as they may contain vulnerabilities that cybercriminals can exploit. Therefore, it’s crucial to keep all software and applications used in RDS up to date with the latest security patches and updates.
Many cloud providers offer automatic updates for their services, which can help ensure that RDS remains secure. However, it’s important to check that automatic updates are enabled and to regularly review the update settings to ensure they are working correctly.
What about Remote Desktop Gateway and VDI?
A Remote Desktop Gateway (RD Gateway) is a Microsoft solution that enables secure remote access to RDS over the internet over secure HTTPS protocol. RD Gateway uses Remote Desktop Protocol (RDP) over HTTPS, which provides a secure encrypted connection between the user’s device and the RDS server. The problem with RD Gateway and RD Web is that there are documented vulnerabilities and exploits against them. Search the internet for “RD Gateway CVE” and “RD Web VCE” to reveal these known vulnerabilities.
Virtual Desktop Infrastructure (VDI), offered by various companies, is another solution for securing remote desktop services in the cloud. VDI allows users to access a virtual desktop hosted on a server in the cloud, providing a more secure and controlled environment for remote access. VDI can be configured to limit user access to specific applications and data, and all user activity can be logged and monitored. Additionally, VDI provides a centralized management console that allows administrators to configure policies and settings for all virtual desktops. The challenge with many VDI solutions is that remote access to them over the internet is often via a gateway behind the company firewall. There have been several documented instances of successful breaches against the most popular VDI gateways. Please search for “Citrix NetScaler CVE” to reveal the known vulnerabilities.
Remote desktop services (RDS) is a convenient way to enable remote access to applications and data hosted in the cloud. However, it can be vulnerable to cyberattacks, which can result in data breaches and system compromises. By following the best practices outlined in this article and implementing the solutions discussed, organizations can significantly reduce the risk of security incidents and ensure that their remote desktop services are secure and protected.
To learn more, please watch this video for a Zero Trust solution for Microsoft RDS/RDP.