As work from home is the
new norm in the coronavirus era, you’re probably thinking of enabling remote
desktop connections for your off-site-staff. Here ‘s how to do it securely.
By Aryeh Goretsky &
Cameron Camp
Accessing your servers’ or
workstations’ desktops remotely is a great way to manage them. It’s also a huge
target for hackers.
For example, if hackers can
gain access to the administrator login to your Domain Controller, they
effectively own your Windows infrastructure and can quickly wreak havoc on your
organization. From sending corporate emails to accounting departments and
books, to siphoning off your company’s intellectual property, to encrypting all
your company’s files and holding them for ransom, hacks on Remote Desktop
Protocol (RDP) can be very bad.
In this context, although
we will mainly say “RDP”, we mean all kinds of remote desktop and remote access
software, including VNC, PC Anywhere, TeamViewer and so forth, not just
Microsoft’s RDP. The good news is there are many defenses against RDP attacks,
starting with turning it off. If you don’t really need remote access, the ‘off’
switch is the simplest.
If you do need to allow
such access, there are a variety of ways to restrict it to the good guys:
First off, allow access
only from internal IP addresses coming from your company’s VPN server. This has
the added benefit of not exposing RDP connection ports to the public internet.
Speaking of exposing ports,
if that’s your only choice, you may want to serve up RDP on a non-standard port
number to avoid simplistic worms from attacking your network through its RDP
ports. Keep in mind, though, that most network scanners check all ports
for RDP activity, so this should be viewed as “security through obscurity”,
since it provides practically no additional security against modestly
sophisticated attackers. You will have to be extremely vigilant about reviewing
network access and login activities in your RDP server logs, as it may be more
a matter of when and not if an
attacker accesses your network.
Second, make sure to enable
Multi-Factor Authentication (MFA) for remote users as another authentication
layer, which we discussed in Work from home: Improve your security
with MFA.
Third, whenever possible,
only allow incoming RDP connections from your users’ public IP addresses. The
easiest way for remote employees to look up their public IP address is to
search Google for What is my IP address and the first result will be their IP
address. Then your remote workers can provide that information to your
IT/Security staff so that your company or organization can build a whitelist of
allowed IP addresses. It is also possible to build a whitelist of allowable IPs
by allowing their subnet, since dynamic home IP addresses would normally still
fall within a subnet after a router reboot or other network maintenance on the
client end.
Even if you secure your RDP
access, there has recently been a flurry of exploits against it, so make sure
it’s patched to the current secure level to avoid issues. More information on
securing RDP can be found in It’s time to disconnect RDP from the
internet.
ESET has been here for you
for over 30 years. We want to assure you that we will be here in order to
protect your online activities during these uncertain times, too.
Protect yourself from threats to your security online with an extended trial of our award-winning software.
Try our extended 90-day trial for free.
Protect yourself from threats to your security online with an extended trial of our award-winning software.
Try our extended 90-day trial for free.