Remote Desktop Applications` Security

Remote Desktop Applications (RDA) usage is growing and with that the importance of keeping them secure. Learn about the most commond RDA vulnerabilities and what you can do to secure your RDA environment.

Remote Desktop Applications (RDA) are software solutions that have been successfully used for decades but gained their importance during the Covid pandemic. An ever-growing number of companies and organizations enable their employees the possibility of remote or hybrid work which results in an increased usage of RDA. That is good news, since people don’t spend that much time on commuting to and from work. It also minimizes the risk of spreading the disease. On the other hand, the risk of becoming a victim of a cyber-attack increases, especially in terms of device and network security. The security of remote desktop applications is usually assessed by so-called penetration tests. Such tests reveal the actual security of RDA. Remote working solutions include Virtual Private Network (VPN), Remote Desktop Protocol (RDP), and a Virtual Desktop. The tests comprise of automated scans and manual assessments that reveal all the vulnerabilities and enable avoiding them in the future by, for example:

  • Enabling Two-factor Authentication and Session management controls
  • Identifying the attack method
  • Detecting insecure configurations to avoid data loss or a security breach
  • Improving access controls

This results in a more secure remote work environment which prevents reputational and financial damage in case of a cyber attack. But let’s check which vulnerabilities are the most frequently detected due to security flaws and misconfigurations.

Most common RDA vulnerabilities

RDA Exposed to the Internet

RDA management is usually performed by the users with Administrator access rights, or at least that is the default setting of Windows OS. However, there is no need to expose RDA to the Internet and thus enable unauthorized access attempts. The first account that an attacker would try is the »Administrator«. If the password is figured out successfully, the consequences might be devastating.

Man-in-the Middle Attacks (MiTM)

Even though RDA has data between the client and the server encrypted, it does not provide the identity check on the Terminal Server. That enables attackers to exploit the vulnerability and intercept the traffic between the Client and Terminal Server. That is usually performed by Address Resolution Protocol (ARP) spoofing or Domain Name System (DNS) spoofing, which redirects the traffic to the attacker. There are easy-to-use free tools available to protect such types of intrusions, such as Cain and Abel software. Similar attacks can also be performed on the encrypted RDA traffic, but usually even a medium level encryption chases away most of the attackers.

Cybercriminals usually perform a man-in-the-middle attack in two steps — interception and decryption. In traditional MITM attacks, hackers gain access to unsecured/poorly secured Wi-Fi routers that are often available in public spaces (such as free Wi-Fi hotspots) or even at home if people don’t protect their networks. Hackers can then scan a router for vulnerabilities – such as weak passwords. Cybercriminals use special software to intercept and read the transferred data when a vulnerability is discovered. Attackers can also implement special software tools between the attacked computer and the important websites that the user visits and capture the credentials, bank information, and other sensitive personal data.

Unfortunately, a MiDM attack does not stop at the interception. The data stolen is then decrypted by using other unique tools and techniques.

Decryption Attacks

RDA uses the strongest possible encryption for the Server-Client traffic supported by the Client. But the network frequently consists of earlier-version clients. This results in some weaker connections having lower levels of encryption that might be decrypted in reasonable time.

Service Denial (Network Level Authentication)

Network Layer Authentication (NLA) on a Terminal Server is another defense mechanism that can present a risk unless properly configured. NLA protects against Denial-of-Service Attacks where malicious users make continuous connection attempts that prevent legitimate users’ connection.

After presenting a few possibilities of an intrusion, the following key questions arise: “Are there even more vulnerabilities than the already discovered ones?”, and “Can we use the RDP software safely and reliably?

Basically, RDP Security can be divided into two major types:

  • Standard Security and
  • Enhanced Security

Standard Security uses RDA RC4 Encryption Algorithm to protect the data being transferred. The encryption is based on the exchange of random values between the Client and Server which protects the data from an unauthorized use.

Enhanced Security on the other hand is based on outsourcing of one or several phases of security, such as encryption, decryption, and integrity checks. Security outsourcing can be done by using the following external protocols:

  • Transport Layer Security Protocol (TLS 1.0/1.1/1.2);
  • Credential Security Support Provider (CredSSP);
  • Network Level Authentication (NLA) that forces the Client sessions to authenticate with the RDP server.

The Enhanced Protocol uses direct or negotiating methods. A Direct method is focused on the security, whereas a Negotiation method uses connection initialization established outside of the security protocol where the Client and Server select the security protocol only after the initialization. The main advantage of the Enhanced Security RDP is the implementation of the Network Level Authentication (NLA) which uses CredSSP for user’s authentication before they can even access the RDP servers.

How can you protect RDA?

Despite the already mentioned vulnerabilities, users are not helpless. There are still some relatively simple measures that make it more difficult for attackers to intrude into a system. Two strong recommendations are to enable Network Level Authentication (NLA) and to keep RDA servers behind the firewalls, and therefore not directly exposed to the Internet. These preventive measures significantly reduce the Attack Surface.

But there is more than you can do:

  • Disable any local administration accounts with RDP access.
  • Allow Administrative Access only for the System Administration on a Remote Desktop.
  • Limit the number of System Administrators that can perform the RDA configuration.
  • Enforce multi-factor authentication (MFA) to access RDP servers by configuring remote desktop gateways properly. The gateways should be the only access points to your company’s computers.
  • Enforce the least privilege with PAM (privileged access management) solution that can enable effective Windows administration without domain admin or other superuser privileges.
  • Ensure that all the RDA Clients are updated with the latest patches.
  • Establish strong password policies that lock users from their computers after a few unsuccessful logins.
  • Limit Domain Admin account access.
  • Lock out users and block or timeout IPs that have many failed login attempts.
  • If using a corporate VPN don’t use outdated encryption methods.

Note that there are over 4.5 Mio. RDA servers on the Internet and numerous machines connected to company or private networks, therefore it is impossible to ensure a complete safety. But if you still have doubts and want to increase the security of your network even more, you can always contact a Cyber Security Operation Centers (so-called SOCs), such as Conscia/NIL Security Operations Center (SOC) to perform a Penetration Test on the network for vulnerabilities and ensure almost a hundred percent protection. Stay secure!

CyberSec Bites Podcast