How to mitigate RDP attacks?

Since the start of the COVID-19 pandemic, the number of brute-force attacks targeting RDP endpoints has risen significantly, according to Kaspersky Lab. ESET registers more than 100,000 new RDP attacks every day.

It has become really important to protect your business against RDP attacks. This article will help you to identify potential RDP threats and decide on the best solutions for keeping your business safe. 

To learn more about what RDP attacks are exactly, read our article What are RDP attacks.

How to spot an RDP attack?

  1. The overall performance of the system decreases and the response time becomes longer. What’s tricky here is that sometimes there are no spikes or dips in your traffic, or anomalies in your CPU load.

  2. Remote services can no longer connect to the servers, and users cannot reach their desktops.

  3. Multiple failed logon events appear in the event logs, each recording a guessed username or password (on Windows, Event ID 4625, "An account failed to log on", in the Security log), provided that failure auditing for logons is enabled.

Reliable protection methods for RDP attacks

There are multiple ways to protect your business against RDP attacks, starting with more reliable ones: 

A strong password system

According to Verizon's research, 80% of breaches that involve hacking are brute-force attacks or use stolen credentials. Organisations must therefore enforce a strong password policy and mandatory two-factor authentication across their infrastructure. Users should keep their passwords in a well-protected password manager. Security products themselves should be protected with a separate password, so that an attacker who does get a foothold cannot simply disable them.

Monitor all requests

The most effective first step against RDP attacks is to monitor all incoming connections, failed authentication attempts and requests. Additional monitoring systems can be layered on top of standard event logging to get a complete picture of the traffic. For example, Variti's Active Bot Protection monitors requests on all system layers and detects malicious activity in real time. 

If there is no centralised logging or access-control system in place, a PowerShell script can pull every authentication attempt out of the Windows event logs and report them by source address and account, and the audit policy or Event Viewer can be configured to record more detail.
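The following PowerShell script is an added example of such a report; it is not code from the original article or from Variti. It reads failed logons (Event ID 4625) from the Security log and, because a failed attempt against an NLA-enabled host often records the client address as "-", also reads Event ID 140 from the RdpCoreTS operational log, which does carry the client IP. The 24-hour window and the threshold of 20 failures per source are assumptions to tune for your environment.

```powershell
# Added example, not code from the original article. Summarises failed logons from
# the Windows event logs to spot an RDP brute-force attempt. Run in an elevated
# PowerShell on the RDP host. Requires failure auditing for logons to be enabled:
#   auditpol /set /subcategory:"Logon" /failure:enable
# The $Hours window and $Threshold (failures per source address) are assumptions.
function Get-RdpBruteForceSummary {
    param(
        [int]$Hours = 24,
        [int]$Threshold = 20
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Source 1: Security log, Event ID 4625 "An account failed to log on".
    # Logon type 3 (network) is what a failed NLA/CredSSP attempt produces;
    # type 10 (RemoteInteractive) appears when NLA is disabled.
    $secFilter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
    $sec  = Get-WinEvent -FilterHashtable $secFilter -ErrorAction SilentlyContinue
    $rows = @(foreach ($e in $sec) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -in '3', '10') {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                User     = $data['TargetUserName']
                SourceIp = $data['IpAddress']   # often '-' for NLA failures, hence source 2
                Status   = $data['Status']      # 0xC000006D = STATUS_LOGON_FAILURE
            }
        }
    })

    # Source 2: RdpCoreTS operational log, Event ID 140 "A connection from the client
    # computer with an IP address of X failed because the user name or password is
    # not correct". The address lives in the IPString field.
    $rdpFilter = @{
        LogName   = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
        Id        = 140
        StartTime = $since
    }
    $rdp   = Get-WinEvent -FilterHashtable $rdpFilter -ErrorAction SilentlyContinue
    $rows += @(foreach ($e in $rdp) {
        $xml = [xml]$e.ToXml()
        $ip  = ($xml.Event.EventData.Data | Where-Object Name -eq 'IPString').'#text'
        [pscustomobject]@{ Time = $e.TimeCreated; User = '(unknown)'; SourceIp = $ip; Status = 'RdpCoreTS-140' }
    })

    # One line per offending source: how many failures, which accounts were tried, and when.
    $rows |
        Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
        Group-Object SourceIp |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp  = $_.Name
                Failures  = $_.Count
                Accounts  = ($_.Group.User | Sort-Object -Unique) -join ','
                FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Failures -Descending
}

# Usage: sources with 20 or more failures in the last 24 hours.
Get-RdpBruteForceSummary | Format-Table -AutoSize
```

A long list of distinct usernames from one address (the Accounts column) is the signature of password spraying rather than a single user mistyping; a single account with hundreds of failures is classic brute force. Either way, the SourceIp column is what you would feed into a firewall blocklist or hand to your network team.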

Network Level Authentication (NLA)

Network Level Authentication requires the client to authenticate (via CredSSP) before the server creates a session. Unauthenticated connections therefore never reach the session-setup code: the host spends almost no resources on brute-force bots, no pre-authentication login screen is exposed, and exploitation of pre-authentication flaws in the protocol is blunted (NLA was, for example, Microsoft's recommended partial mitigation for the BlueKeep vulnerability, CVE-2019-0708). Note that NLA does not stop credential guessing itself: a failed CredSSP attempt still counts as a failed logon, so it must be combined with strong passwords, two-factor authentication and lockout policies.

Other helpful practices:

  1. Issue the RDP host a certificate from your own Public Key Infrastructure (PKI) and force the Transport Layer Security (TLS) security layer, so that clients can verify the server's identity and the legacy RDP security layer, which is open to man-in-the-middle attacks, is never negotiated.

  2. If RDP is not in use, turn it off, and block external connections to port 3389 (TCP and UDP), or whichever port RDP listens on, in the network firewall.

  3. Update all software on employees' devices to the latest versions regularly. Bear in mind that 80-90% of exploits are created after a patch for the vulnerability has been released: once the fix is public, attackers reverse it and hunt for the flaw in unpatched, older versions. In addition, any unsecured or outdated computers should be isolated from the rest of the network.

  4. Whenever possible, use device encryption.

  5. Back up key data. Those backups should only be available to a system administrator or a backup user. Backup file accesses should also be limited as much as possible.

  6. Install security solutions on all employees’ devices and solutions to track the equipment in case of a loss.
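The NLA, TLS/PKI and firewall points above (the section on NLA and practices 1 and 2) can all be applied on a Windows host from one script. The script below is an added example, not code from the original article or from Variti. It assumes a management subnet of 10.10.0.0/24 and, optionally, the thumbprint of a certificate already installed in Cert:\LocalMachine\My whose private key is readable by NETWORK SERVICE; both are placeholders to replace.

```powershell
# Added example, not code from the original article. Hardens the RDP listener on a
# Windows host: require NLA, force the TLS security layer, bind a PKI-issued
# certificate and restrict inbound RDP at the host firewall. Run in an elevated
# PowerShell. Placeholders (assumptions): the management subnet and the thumbprint.
param(
    [string]$ManagementSubnet = '10.10.0.0/24',
    [string]$CertThumbprint   = '',     # empty = keep the current (self-signed) certificate
    [switch]$DisableRdp                 # use when the host does not need RDP at all
)

$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

if ($DisableRdp) {
    # Refuse all remote desktop connections and close the built-in firewall openings.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    return
}

# 1. Network Level Authentication: clients authenticate (CredSSP) before a session exists.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

# 2. Security layer 2 = TLS only. 0 would let a client negotiate down to legacy
#    RDP security, 1 negotiates the strongest the client supports.
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2 -Type DWord

# 3. Encryption level 3 = High (128-bit); 4 = FIPS-compliant.
Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord

# 4. Present a certificate from your own PKI so clients can verify the host instead
#    of clicking through the self-signed certificate warning.
if ($CertThumbprint) {
    $cert = Get-Item "Cert:\LocalMachine\My\$CertThumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $CertThumbprint has no private key" }
    $gs = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    $gs | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $CertThumbprint }
}

# 5. Only the management subnet may reach the listener (TCP and UDP 3389 rules are
#    both in the 'Remote Desktop' group); everything else is dropped at the host.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $ManagementSubnet

# 6. Read back the effective settings so the change can be verified.
Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
                -Filter "TerminalName='RDP-Tcp'" |
    Select-Object TerminalName, UserAuthenticationRequired, SecurityLayer, MinEncryptionLevel
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Run it from a console session or from an address inside the management subnet: step 5 will drop any RDP session coming from elsewhere, including the one you are running the script in. On a domain, enforce the same settings through Group Policy so a local change cannot silently drift back.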

Not so reliable protection methods for RDP attacks

Access via Virtual Private Network (VPN)

Besides the obvious benefits, this method has a few cons: 

  • Organisations that use a VPN sometimes let users authenticate without a password.

  • Most popular VPN products have had vulnerabilities that allow unauthorised access.

  • If you have never used a VPN before, setting up IPsec connections can be challenging, especially on tight deadlines.

  • The "work from home" tech landscape typically consists of different, sometimes surprising devices and network connections (such as a cellular modem or an ancient computer). It can be difficult to explain to hundreds of users how to set up a VPN for a stable connection with no lag or downtime.

  • Like anything, VPN servers can crash. However, the consequences are much more severe, because the VPN server becomes a single point of failure.

  • A VPN implies double encryption (in addition to RDP's own encryption), which means extra load and a slower connection, especially over unstable links.

  • If the VPN is compromised, the attacker gets immediate access to the entire internal network, whereas a successful RDP attack initially yields a single PC.

Alternative remote-access protocols are no safer either. For example, in late 2019 security researchers found 37 vulnerabilities in various client and server implementations of the VNC protocol.

Changing the RDP port

Probably the least reliable method of all those described in this article, although many businesses seem to use it successfully. It is highly impractical once you have more than a handful of end users, because every client has to be reconfigured, which takes a considerable amount of time, especially when every minute counts. 

In addition, it is a short-sighted plan, as the fix is only temporary: modern bots use port-scanning software that quickly finds the new port. At Variti, we see bots spotting a non-standard port within 2 to 48 hours.

Connection limits

This technique restricts the number of open sessions at any one time and the users who can connect to corporate servers remotely. Access can be narrowed by allowing only a limited set of source IP addresses, capping the number of failed login attempts (an account lockout threshold), setting a lockout duration after too many wrong passwords, and so on. This only slows an attacker down, since bots work 24x7, and an aggressive lockout policy can itself be turned into a denial of service: an attacker who knows your usernames can deliberately lock every account. 

IP blocking

IP blocking is an effective method to combat less sophisticated or newcomer attackers, but not as effective in more advanced scenarios. 

First, brute-force attacks are often launched from a group of addresses or even from different networks, so IP blocking only treats the symptom. Second, a source address is cheap to change: brute-force traffic is routed through proxies, VPN exit nodes and compromised hosts, so attackers have hundreds of addresses available, and a careless blocklist can end up blocking your own or a client's address. Finally, IP blocking on a Windows server is awkward, because there is no built-in fail2ban equivalent: blocking has to be scripted from the event log into firewall rules, and the source address of a failed logon is not always recorded in the event. 

Having an IP whitelist is also questionable for remote locations and home offices. Users' addresses change: ISPs assign them dynamically, people switch between several devices, and they sometimes work outside home on public WiFi.
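For completeness, here is what the two "delaying" controls above (the connection-limit and IP-blocking sections) look like in practice on a Windows host. This is an added example, not code from the original article or from Variti. The rule name, the 24-hour expiry, the allow-list and the sample addresses are assumptions, and the sample list is constructed for illustration; in practice you would feed it the source addresses from your event-log monitoring.

```powershell
# Added example, not code from the original article. An account-lockout policy plus
# a host firewall blocklist that is fed a list of offending addresses and expires
# after a while, so a stale or wrong entry cannot lock out a customer or yourself.
# Run in an elevated PowerShell. Placeholders (assumptions): rule name, allow-list,
# 24-hour expiry and the constructed sample addresses at the bottom.

# Part 1: lockout. 10 bad passwords within 15 minutes lock the account for 15 minutes.
# On a domain this is set by Group Policy (use "net accounts /domain" on a DC).
# Caveat: attackers can lock out real users on purpose, so keep the duration short
# and watch for lockout events (Event ID 4740).
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15

$RuleName = 'RDP brute-force blocklist (auto)'

function Add-RdpBlock {
    param(
        [Parameter(Mandatory)][string[]]$Address,
        [string[]]$NeverBlock = @('127.0.0.1')      # add your own management hosts here
    )
    # Never block an address that currently holds an established RDP session (that
    # is probably you), nor anything on the allow-list, nor the '-' placeholder.
    $live = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
            ForEach-Object RemoteAddress
    $skip = @($NeverBlock) + @($live)
    $new  = $Address | Where-Object { $_ -and $_ -ne '-' -and $_ -notin $skip } | Sort-Object -Unique

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        # Merge with the addresses already on the rule; 'Any' never appears because
        # the rule is only ever created with an explicit list.
        $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) | Where-Object { $_ -ne 'Any' }
        $merged  = @($current + $new) | Sort-Object -Unique
        if ($merged.Count -eq 0) { return }
        $rule | Set-NetFirewallRule -RemoteAddress $merged -Description "updated $(Get-Date -Format o)"
    } elseif ($new) {
        # Inbound block for all traffic from the listed sources. No -Protocol means
        # every protocol; the rule is scoped purely by remote address.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -RemoteAddress $new -Description "updated $(Get-Date -Format o)" | Out-Null
    }
    Write-Output $new     # the addresses that were actually added
}

function Clear-RdpBlock {
    # Expire the whole list once it is older than $MaxAgeHours. Attackers rotate
    # addresses anyway; a stale entry only risks blocking a legitimate user later.
    param([int]$MaxAgeHours = 24)
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) { return }
    $stamp = [datetime]($rule.Description -replace '^updated ', '')
    if ($stamp -lt (Get-Date).AddHours(-$MaxAgeHours)) { $rule | Remove-NetFirewallRule }
}

# Constructed sample input (not real attacker data). '-' and 127.0.0.1 are dropped.
Add-RdpBlock -Address '203.0.113.10', '198.51.100.7', '-', '127.0.0.1'
Clear-RdpBlock -MaxAgeHours 24
```

Schedule Add-RdpBlock with the output of your failed-logon report and Clear-RdpBlock once a day. This is exactly the "symptom treatment" the text describes: it cuts the noise from the lazier bots, but it is no substitute for NLA, two-factor authentication and keeping the listener off the public Internet.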

There are many more RDP protection solutions on the market in addition to the ones mentioned above, including network-level measures such as firewalls and routers, virtualisation, separating the main database from the RDP host, and much more.

The brave new world

For many companies, remote work will remain standard practice, while RDP still suffers from many vulnerabilities. 

The market doesn't have a single all-in-one solution against RDP attacks yet. 


The first critical step is to discover if you experience this problem, and if the situation is serious enough. So turn on your monitoring!

Next, layer several of the measures above to make things harder for attackers. There is a high probability that an attacker who runs into even a few protection methods will not waste their time and will move on to an easier victim.

----
If you would like to find out more about our Active Bot Protection technology, drop us a line via variti.com 
