RDP Vulnerability: How Exploits Expose Remote Desktop Vulnerabilities
Understanding RDP Vulnerabilities to Keep Your Data Secure
Since the release of Windows XP, every version of Windows has shipped with the Remote Desktop Protocol, or RDP. This proprietary protocol lets the operating system display the screen of another computer across a shared network. In layman's terms, it allows you to use a computer that is on the same network but in a different location.
Microsoft's official name for this protocol has changed a few times. It was previously known as Terminal Services Client, but now it's officially designated Remote Desktop Connection. Although Microsoft's RDP was the first, it isn't the only one available these days. There are similar options for other operating systems like Linux and Apple computers. Despite how common this type of software is, it's not as safe as you would expect. The FBI has recommended that corporate clients and small businesses use RDP alternatives in order to avoid unauthenticated attackers accessing vulnerable systems.
What Makes RDP Vulnerable?
Since the Remote Desktop Protocol was originally developed for communication between computers on the same network, it lets unauthorized attackers reach your computer through channels that already carry permissions. This means an attack can happen without any additional authentication: you won't get a dialog box warning you of the attack, and the lack of a warning leads you to assume all is well.
Disconcertingly, some of these RDP exploits have even traveled over the internet into computers, reaching specific domains and websites. Since RDP works through the user's screen, attackers who take control through this vulnerability can use your computer as though they were sitting directly in front of it, giving them the opportunity to go through your private data and cause catastrophic failures in your operating system.
There are no limits to what attackers can do to your computer or server once they gain access. They're capable of installing programs, creating new user accounts, and both accessing and deleting data.
To make things worse, many of the methods used to exploit RDP vulnerability are "wormable." That means they can travel from computer to computer once there's a single infection, creating magnified dangers for businesses that use a single Wi-Fi network.
What Kinds of Remote Desktop Vulnerabilities Should You Worry About?
There have been a variety of exploits designed to attack computers through RDP vulnerabilities. These range from sophisticated, targeted attacks against specific systems to brute-force attacks that scan the default RDP ports for vulnerable systems, commonly known as the port 3389 exploit.
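The brute-force attacks described above leave a trail on the target: every failed RDP logon is recorded in the Windows Security log as event 4625 with logon type 10. As an added example that is not part of the original article, the PowerShell below groups those failures by source address so that a single host guessing many accounts stands out; the threshold, time window and sample addresses are assumptions, and the sample events are constructed, not real log data.

```powershell
# Added example (not part of the original article): flag RDP password guessing by counting
# failed logons (Security event 4625 with logon type 10, i.e. RemoteInteractive/RDP) per source IP.
# The threshold, time window and sample addresses are assumptions for this example.

function Get-RdpLogonFailures {
    # Read 4625 events from the local Security log and keep only the fields the analysis needs.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            LogonType   = [int]($data | Where-Object Name -eq 'LogonType').'#text'
            SourceIp    = ($data | Where-Object Name -eq 'IpAddress').'#text'
            Account     = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        }
    }
}

function Find-RdpBruteForce {
    # Group RDP failures by source IP and report every source at or above the threshold.
    param([Parameter(Mandatory)][object[]]$Failures, [int]$Threshold = 10)
    $Failures | Where-Object { $_.LogonType -eq 10 } | Group-Object SourceIp |
        Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
            [pscustomobject]@{
                SourceIp = $_.Name
                Attempts = $_.Count
                Accounts = ($_.Group.Account | Sort-Object -Unique) -join ','
                LastSeen = ($_.Group.TimeCreated | Sort-Object)[-1]
            }
        }
}

# Constructed sample (not real log data): one address cycling through twelve accounts in twelve
# minutes, one legitimate user mistyping a password, and one non-RDP (network) logon failure.
$now = Get-Date
$sample = @(
    1..12 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $now.AddMinutes(-$_); LogonType = 10; SourceIp = '203.0.113.7'; Account = "user$_" }
    }
    [pscustomobject]@{ TimeCreated = $now; LogonType = 10; SourceIp = '192.0.2.25'; Account = 'alice' }
    [pscustomobject]@{ TimeCreated = $now; LogonType = 3;  SourceIp = '192.0.2.30'; Account = 'svc-backup' }
)
# Swap (Get-RdpLogonFailures -Hours 24) in for $sample to run the same check against the live log.
Find-RdpBruteForce -Failures $sample -Threshold 10 | Format-Table -AutoSize
```

Only the address that spread its attempts across many accounts is reported; a single user's typo and failures on non-RDP logon types are ignored.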
BlueKeep, designated CVE-2019-0708, is the most recent and concerning RDP vulnerability. This exploit was first reported in May 2019 and is a major threat to unprotected RDP servers on Windows XP, Windows 7, and Windows Server 2003 and 2008. This wormable method of attack is one of the most insidious seen to date; even the NSA has warned against putting off Microsoft's patch. It's important to note that BlueKeep isn't common yet, but that means now is the time to secure your system.
CVE-2019-0863, another known security issue, exploits another Windows-patched RDP vulnerability. It uses an unrestricted execution on a system linked through the Remote Desktop function to run code that allows downloads, deletions and the creation of new administrator accounts for further system attacks. This exploit uses the Windows Error Reporting (WER) system, a protocol that identifies the very kinds of problems that CVE-2019-0863 seeks to cause.
Exploits in RDP vulnerability have also infected mobile devices, such as the Android operating system. Specifically, CVE-2019-0932 allowed attackers to access the Skype application on Android phones, both listening to and recording voice calls without the user's knowledge. Business professionals use Skype on a regular basis, which makes this an RDP vulnerability of note.
Only officially recognized exploits receive CVE designations, but there are plenty of RDP vulnerabilities that Microsoft has never noted or released patches for. A CVE designation stands for "Common Vulnerabilities and Exposures." It means that it is a possible entry point for an attack, but no known attacks have occurred there to date. These are less critical in that they require users to make mistakes before they're dangerous, but they still present threats in specific situations.
One of these vulnerabilities, noted in 2018 but officially deemed noncritical, allows an unauthorized attacker to exploit a vulnerable system and alter text on the clipboard. The clipboard is a hidden interface that stores copied and cut chunks of text, and it's purposely designed to be the same between computers sharing a single RDP network. While this lends additional function to a healthy connection, it can be catastrophic if you're under attack.
Let's say that you need to use an administrator password but it's a long string of letters and numbers. You either can't remember it or you don't want to type it out, so you highlight and copy it. It's a simple and common process, but if you're under attack by this exploit, you've just given the attacker unmitigated access to files behind admin firewalls.
How Can You Prevent RDP Vulnerability Attacks?
Luckily for individual Windows users and businesses that use RDP in their offices, several fixes and patches exist. Some of these, like the patch for BlueKeep, are easy enough to find and download. For others, you'll need to change system settings manually.
The most efficient way to do this is to use Group Policy settings to change the settings on every computer on the network at the same time. You can also switch to remote desktop software that is specifically designed to limit these attacks.
Set Up Network-Level Authentication
You can try using Network Level Authentication (NLA). It adds an additional level of security to your overall network by requiring possible attackers to sign in using a password before they can tap into an RDP vulnerability. Unfortunately, hackers using Remote Code Execution (RCE) software can override NLA, and someone who has managed to get valid credentials will breeze through with no problems.
Implement a Firewall
You can use firewalls to restrict access further, although you should remember that firewalls become functional as a result of machine learning. They offer minimal defense against active attackers who can use abstract thinking to get around the defenses.
This is a common problem for firewalls, which are more effective at stopping malicious programs like Trojan viruses or ransomware. A firewall will, however, restrict the damage that malicious downloads inflict until you lock the attacker out of the system.
Use Better Passwords
Obviously, updating your software is the most basic step you can take, but it isn't especially difficult to set better passwords. The days when a child's name or a favorite pet offered unmatched security ended when password generation software became a hacker's best friend.
Password encryption systems across the server can go a long way toward reducing remote desktop vulnerability and attacks against your network. Make all your employees aware of the encrypted passwords and remember that sending an email to the whole department defeats the purpose.
Choose Two-Factor Authentication
Two-factor authentication adds an additional step of security for your network. The best-known form is the CAPTCHA, a small interface that gives the user a word written in a distorted font to unscramble and send back. Automated brute-force attacks will fail these tests, but computer criminals who are actively attacking your system may be able to bypass them.
Less common versions of two-factor authentication use third-party communications, like text messages or email, to force unauthorized attackers into sharing an additional channel for the purposes of tracking.
Create an Account Lockout Policy
Even a complex and unique password doesn't ensure a perfect defense. To avoid attacks, you can implement an account lockout policy to close the remaining vulnerabilities. This prevents a self-spreading attack within your computer system.
These settings lock down an account trying to enter the network after a specific number of tries, limiting password generation software that hackers often use to force their way through passwords. You may experience some hiccups with employees forgetting their passwords, causing an administrator to have to let them back in, but network security should be a priority for your business.
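The settings discussed in the Network-Level Authentication, firewall and account lockout sections above can all be checked from one place on a Windows host. As an added example that is not part of the original article, the PowerShell below reports whether each of them is in the recommended state; the registry keys and values are the standard Terminal Server settings, while the pass criteria (for instance a lockout threshold between 1 and 10 attempts) are assumptions for this example.

```powershell
# Added example (not part of the original article): a read-only audit of the RDP hardening
# settings described above (NLA, firewall scope, account lockout) on a Windows host.
# Run in an elevated PowerShell session. The registry paths and values are the standard
# Terminal Server settings; the pass criteria are assumptions for this example.

function New-Finding { param($Check, $Value, $Pass) [pscustomobject]@{ Check = $Check; Value = $Value; Pass = [bool]$Pass } }

function Get-RdpHardeningReport {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'
    $findings = @()

    # fDenyTSConnections = 1 means the host refuses RDP entirely, the safest state for machines that do not need it.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $findings += New-Finding 'RDP disabled (fDenyTSConnections)' $deny ($deny -eq 1)

    # UserAuthentication = 1 requires Network Level Authentication before a session is created.
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $findings += New-Finding 'NLA required (UserAuthentication)' $nla ($nla -eq 1)

    # SecurityLayer = 2 forces TLS for the transport instead of legacy RDP security.
    $layer = (Get-ItemProperty -Path $tcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
    $findings += New-Finding 'TLS enforced (SecurityLayer)' $layer ($layer -eq 2)

    # Every enabled inbound Remote Desktop firewall rule should be scoped to a management range, never 'Any'.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $findings += New-Finding "Firewall scope: $($rule.DisplayName)" ($remote -join ',') ($remote -notcontains 'Any')
    }

    # Lockout threshold from the effective account policy; 'Never' means password guessing is unlimited.
    $line = net accounts | Where-Object { $_ -match 'Lockout threshold' } | Select-Object -First 1
    $threshold = if ($line -match '(\d+)') { [int]$Matches[1] } else { 0 }
    $findings += New-Finding 'Lockout threshold (attempts)' $threshold ($threshold -ge 1 -and $threshold -le 10)

    return $findings
}

Get-RdpHardeningReport | Format-Table -AutoSize
```

The same values can be pushed to every machine at once through the Group Policy settings mentioned earlier; this script only reports what is currently in effect on the host it runs on.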
If you're trying to secure your RDP system and prevent attacks using an RDP vulnerability, any of these tips will work to improve overall network security. The best option you can take to protect your critical servers is to seek an alternative to the Windows Remote Desktop Protocol through secure remote support software.
Netop Remote Control provides your business with advanced logins, multifactor authentication and stringent passwords. These combine to create a top-notch security solution for your needs. Netop Remote Control meets the highest security standards and is widely used in many industries for safeguarding proprietary and sensitive information.
Sam Heiney is the Product Manager for Netop Remote Control.