Last updated at Thu, 03 Dec 2020 19:24:34 GMT

What is RDP? (Remote Desktop Protocol)

RDP is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. It has been a native OS feature since Windows XP.

Most of the time, RDP is used for legitimate remote administration—when companies outsource IT, or remote admins have to access a server or a network user's machine, they most commonly use RDP to connect to it.

Risks associated with RDP

One of the main risks associated with RDP comes when you allow external clients access to your network. RDP typically uses TCP port 3389. Attackers routinely find this port open by scanning internet-exposed infrastructure and then brute-force login credentials against the exposed service.

Once on a system, attackers can disable endpoint protection, establish a foothold in the organization, and more. Once this happens, it’s difficult for an endpoint security solution to save you. For example, they might download and install low-level system tweaking software and use it to disable or reconfigure anti-malware software on the machine. RDP connections can also be used to transfer data out of a network.

Recently, I spoke to a network manager whose business need was around getting visibility inside their network and not for RDP specifically. Shortly after they started to monitor network traffic, they noticed a lot of inbound RDP connections from many different countries.

When their firewall was checked, they found what they described as a legacy rule to allow third-party vendor access. Nobody checked this, and because they had no visibility inside their network, they had no idea systems running RDP were exposed to external clients. They implemented a quick fix, which was to block inbound RDP connection attempts.

How to detect RDP activity

One quick check for RDP exposure is to see whether TCP port 3389 is open on your firewall. An open port is not itself evidence of activity, but you should consider closing it to all external clients. RDP can also be run over a different port number, so focusing on TCP port 3389 alone is not enough.

A better approach is to use a tool that monitors network traffic going to and from the internet using a SPAN, mirror port, or network TAP. Once a traffic source is established, you can use a solution like InsightIDR to detect whether RDP is in use on your network. You will need a system that is application-aware, since RDP can run over any network port, so looking for activity on TCP port 3389 alone is not sufficient.
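The point above is that a port-based check misses RDP on a non-standard port, while an application-aware monitor recognises the protocol from its first bytes. The following is an added example, not Rapid7's or InsightIDR's code: it parses the TPKT/X.224 Connection Request that every RDP session begins with (including the optional "mstshash" cookie and RDP negotiation request) and reports flows that carry it on any destination port. The `Flow` records and the sample payloads are constructed for the example.

```python
"""Application-aware RDP detection over the first client-to-server bytes of TCP flows."""
import struct
from dataclasses import dataclass
from typing import Optional

COOKIE_PREFIX = b"Cookie: mstshash="


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client->server bytes of the stream (constructed for this example)


def parse_rdp_connection_request(payload: bytes) -> Optional[dict]:
    """Return cookie/negotiation details if payload is an X.224 Connection Request in TPKT, else None."""
    # TPKT header (RFC 1006): version 3, reserved 0, 16-bit big-endian total length
    if len(payload) < 11 or payload[0] != 0x03 or payload[1] != 0x00:
        return None
    tpkt_len = struct.unpack("!H", payload[2:4])[0]
    if tpkt_len < 11 or tpkt_len > len(payload):
        return None
    payload = payload[:tpkt_len]
    # X.224: length indicator (bytes after itself), then TPDU code; 0xE0 = Connection Request
    li = payload[4]
    if (payload[5] & 0xF0) != 0xE0 or 5 + li != tpkt_len:
        return None
    body = payload[11:]  # after DST-REF (2), SRC-REF (2) and class option (1)
    info = {"cookie": None, "negotiation": None}
    # Optional routing cookie "Cookie: mstshash=<user>\r\n" sent by mstsc-style clients
    if body.startswith(COOKIE_PREFIX):
        end = body.find(b"\r\n")
        if end == -1:
            return None
        info["cookie"] = body[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        body = body[end + 2:]
    # Optional RDP_NEG_REQ: type 1, flags, length 8 (LE), requestedProtocols (LE bitmask)
    if len(body) >= 8 and body[0] == 0x01:
        _type, _flags, length, protocols = struct.unpack("<BBHI", body[:8])
        if length != 8:
            return None
        info["negotiation"] = {"tls": bool(protocols & 1), "credssp": bool(protocols & 2)}
        body = body[8:]
    return info if not body else None


def find_rdp_flows(flows):
    """Classify each flow by its payload, not its port, and flag sessions on non-standard ports."""
    hits = []
    for f in flows:
        cr = parse_rdp_connection_request(f.payload)
        if cr is not None:
            hits.append({"src": f.src, "dst": f.dst, "dport": f.dport,
                         "nonstandard_port": f.dport != 3389, **cr})
    return hits


def build_connection_request(user: Optional[str] = None, protocols: Optional[int] = None) -> bytes:
    """Construct a valid RDP Connection Request (used only to build sample input here)."""
    body = b""
    if user is not None:
        body += COOKIE_PREFIX + user.encode("ascii") + b"\r\n"
    if protocols is not None:
        body += struct.pack("<BBHI", 1, 0, 8, protocols)
    x224 = bytes([0xE0]) + b"\x00\x00" + b"\x00\x00" + b"\x00" + body
    return struct.pack("!BBH", 3, 0, 5 + len(x224)) + bytes([len(x224)]) + x224


# Constructed sample flows: two RDP handshakes (one on 3389, one hidden on 8443),
# an HTTP request, and a TLS ClientHello fragment that must not match.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.0.0.12", 3389, build_connection_request("admin", 3)),
    Flow("198.51.100.7", "10.0.0.40", 8443, build_connection_request(None, 1)),
    Flow("192.0.2.9", "10.0.0.50", 3389, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    Flow("192.0.2.10", "10.0.0.51", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
]

if __name__ == "__main__":
    for hit in find_rdp_flows(SAMPLE_FLOWS):
        print(hit)
```

The HTTP and TLS flows are rejected on the very first byte, and the handshake on port 8443 is still reported, which is the behaviour the passage asks for from an application-aware monitor. A real sensor would feed `parse_rdp_connection_request` the first segment of each reassembled TCP stream from the SPAN or TAP.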

We host everything in the cloud. Should we worry about RDP?

Absolutely. It does not matter where you host your servers. If RDP is left open on a server, it increases your attack surface. Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep them open. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.

What should you do about RDP?

  1. Audit your network for systems that use RDP for remote communication. Disable the service if unneeded, or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  2. Limit access. Consider changing the default port from TCP 3389 and using virtual networking (VLANs and similar segmentation) to limit access to critical systems via RDP. Block inbound RDP access from the internet, as it is far too risky to leave open.
  3. Make sure systems that have RDP enabled use Network Level Authentication (NLA) with complex passwords, and that all activity is monitored closely.
  4. Monitor endpoints. Make sure you have visibility on your network and you know who is connected to what. This is especially true for inbound connections from hosts on the internet.
  5. If you have a requirement for remote desktop access from outside your network, consider using a commercial product with encryption and more advanced user account options.
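Steps 3 and 4 above ask for close monitoring and for knowing who is connected from where, and the "Risks" section describes credential brute force against exposed RDP. The following is an added example, not Rapid7's or InsightIDR's code, that works through both on a constructed export of Windows Security-log logon events (4624 = successful logon, 4625 = failed logon, LogonType 10 = RemoteInteractive, i.e. an RDP session). It flags RDP logons whose source address is outside the organisation's own ranges and source addresses with repeated failures. The `INTERNAL_NETWORKS` list, the key=value line format, the threshold and every address are assumptions for the example.

```python
"""Flag RDP logons from outside the organisation and brute-force patterns in logon events."""
import ipaddress
from collections import Counter

# Assumed set of ranges the organisation treats as internal (adjust to your own addressing).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample export (key=value per event). 203.0.113.5 hammers the host with
# failed logons; 198.51.100.7 succeeds from outside the internal ranges; the rest is normal.
SAMPLE_EVENTS = """\
EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.5
EventID=4625 LogonType=3 TargetUserName=admin IpAddress=203.0.113.5
EventID=4625 LogonType=10 TargetUserName=root IpAddress=203.0.113.5
EventID=4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.5
EventID=4625 LogonType=3 TargetUserName=test IpAddress=203.0.113.5
EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.21
EventID=4624 LogonType=10 TargetUserName=vendor_svc IpAddress=198.51.100.7
EventID=4624 LogonType=2 TargetUserName=jsmith IpAddress=-
EventID=4625 LogonType=10 TargetUserName=bob IpAddress=10.0.0.33
"""


def parse_event(line: str) -> dict:
    """Turn one 'key=value key=value' line into the fields the checks need."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "event_id": int(fields["EventID"]),
        "logon_type": int(fields.get("LogonType", -1)),
        "user": fields.get("TargetUserName", ""),
        "ip": fields.get("IpAddress", "-"),
    }


def is_external(ip: str) -> bool:
    """True when the address parses and lies outside every INTERNAL_NETWORKS range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # "-" (local/console logon) or malformed value
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def analyze(lines, threshold: int = 5) -> dict:
    """Return external RDP logons and source IPs with at least `threshold` remote logon failures."""
    events = [parse_event(line) for line in lines if line.strip()]
    external_logons = []
    failures = Counter()
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 10 and is_external(e["ip"]):
            external_logons.append((e["user"], e["ip"]))
        # With NLA enabled, a failed RDP attempt is rejected at CredSSP and logged as
        # LogonType 3 rather than 10, so both types are counted as remote failures here.
        elif e["event_id"] == 4625 and e["logon_type"] in (3, 10) and e["ip"] != "-":
            failures[e["ip"]] += 1
    brute_force = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"external_rdp_logons": external_logons, "brute_force_sources": brute_force}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS.splitlines()).items():
        print(key, value)
```

The threshold is a simple count over the whole input; a production rule would count failures per source within a time window and join LogonType 3 failures with the service that received them, since that type also covers SMB and other network logons. Either finding (an external RDP session, or a source with many failures) is exactly the visibility the network manager in the story above was missing.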
