3.4.20

Work from home: securing RDP and remote access



As work from home is the new norm in the coronavirus era, you’re probably thinking of enabling remote desktop connections for your off-site-staff. Here ‘s how to do it securely.

By Aryeh Goretsky & Cameron Camp

Accessing your servers’ or workstations’ desktops remotely is a great way to manage them. It’s also a huge target for hackers.

For example, if hackers can gain access to the administrator login to your Domain Controller, they effectively own your Windows infrastructure and can quickly wreak havoc on your organization. From sending corporate emails to accounting departments and books, to siphoning off your company’s intellectual property, to encrypting all your company’s files and holding them for ransom, hacks on Remote Desktop Protocol (RDP) can be very bad.

In this context, although we will mainly say “RDP”, we mean all kinds of remote desktop and remote access software, including VNC, PC Anywhere, TeamViewer and so forth, not just Microsoft’s RDP. The good news is there are many defenses against RDP attacks, starting with turning it off. If you don’t really need remote access, the ‘off’ switch is the simplest.
If you do need to allow such access, there are a variety of ways to restrict it to the good guys:

First off, allow access only from internal IP addresses coming from your company’s VPN server. This has the added benefit of not exposing RDP connection ports to the public internet.

Speaking of exposing ports, if that’s your only choice, you may want to serve up RDP on a non-standard port number to avoid simplistic worms from attacking your network through its RDP ports. Keep in mind, though, that most network scanners check all ports for RDP activity, so this should be viewed as “security through obscurity”, since it provides practically no additional security against modestly sophisticated attackers. You will have to be extremely vigilant about reviewing network access and login activities in your RDP server logs, as it may be more a matter of when and not if an attacker accesses your network.

Second, make sure to enable Multi-Factor Authentication (MFA) for remote users as another authentication layer, which we discussed in Work from home: Improve your security with MFA.

Third, whenever possible, only allow incoming RDP connections from your users’ public IP addresses. The easiest way for remote employees to look up their public IP address is to search Google for What is my IP address and the first result will be their IP address. Then your remote workers can provide that information to your IT/Security staff so that your company or organization can build a whitelist of allowed IP addresses. It is also possible to build a whitelist of allowable IPs by allowing their subnet, since dynamic home IP addresses would normally still fall within a subnet after a router reboot or other network maintenance on the client end.

Even if you secure your RDP access, there has recently been a flurry of exploits against it, so make sure it’s patched to the current secure level to avoid issues. More information on securing RDP can be found in It’s time to disconnect RDP from the internet.

ESET has been here for you for over 30 years. We want to assure you that we will be here in order to protect your online activities during these uncertain times, too.
Protect yourself from threats to your security online with an extended trial of our award-winning software.
Try our extended 90-day trial for free.