A few years ago, we shared the story of a new customer who came to us after a serious cyberattack. Someone hacked into their company network and spread ransomware, ruining workstations and servers, and destroying data.
How did they get in? Through the server's Remote Desktop Services (RDS).
This same thing happened to two other new customers the next year.
In our experience, RDS is the most exploited cyberattack vector, after email. What is it about RDS that makes your network vulnerable?
What Happens when Cybercriminals Break in Via RDS
Just this March, another prospective customer contacted us in a bad state.
They’d suffered a catastrophic attack that crippled their network, destroyed backups…the hackers even stole funds out of their bank account.
The hackers got access to the network through RDS, which the customer had set up for the finance director. Unfortunately, the login had administrative privileges.
What does RDS do?
RDS stands for “Remote Desktop Services,” often referred to as just “Remote Desktop.” It’s a Windows Server component.
RDS speeds up data transfer, which is why it’s so popular for server access to data-intensive applications. It provides a server-level connection, instead of a local client connection, which is typically slow for things like financial applications due to the amount of data that has to move between the client and the server.
The Big Mistake: Allowing Remote Access Without Adequate Security
Given that most companies do not adhere to best practice password security policies, RDS is easily compromised through “brute force” attacks.
In addition to brute force, RDS has several well-known security holes:
- One example is BlueKeep, which allows cybercriminals to steal data or turn your server into a cryptocurrency miner.
- Another is the default port. RDS uses Port 3389 to operate by default. You can change the port number, but most don’t. That means RDS comes with a big security hole on Day 1…and cybercriminals scan for that port.
Unless you apply extra security, RDS leaves servers and workstations vulnerable to hackers.
A successful hack means a cybercriminal now has a backdoor into your network. Many times, we see that cybercriminals linger inside networks for 3-6 months before installing ransomware. That’s more than enough time to steal any data of value, and then damage servers, workstations, and/or backups on their way out.
Recovering from hacks like these costs a lot too – in IT disaster recovery, stolen funds, hardware replacement, employee downtime, loss of customer trust, fines for private data exposure, etc.
Solution: Protect All RDS Accounts by Allowing Access Only Through a Hardware VPN
A hardware VPN is a device running just outside your company network. It acts as a secure tunnel between your remote computers and the server they want to access.
RDS runs on the server you’re connecting to, using an internal connection to speed up data transfer and increase security. Unless you’re using the VPN, you don’t even see RDS.
This combination greatly reduces your risk of attack.
Here’s how the setup works:
Remote Computer → VPN → RDS Connection → Server Access
“What About X?” Two Often-Asked Questions Involving RDS and VPNs
Customers sometimes ask us if they need “this much security” when we tell them about hardware VPNs and RDS.
“Can we use a cloud-based VPN instead?”
Cloud-based VPNs are definitely less expensive, and the better ones can connect with your Active Directory for security. The main issue with cloud-based VPNs is that they are slow.
“What about a VDI (Virtual Desktop Infrastructure)?”
A VDI works differently from RDS. The main difference is where the target is.
- RDS creates a channel to a shared desktop
- VDI creates virtual workstations on a remote server (like the cloud) for each user
VDI doesn’t replace the need for Remote Desktop, if your goal is to secure and speed up server-intensive applications. VDI needs secure tunnels just as much, and if you are utilizing CPU/memory intensive applications, you will still want to implement RDS. That means a VPN.
How to Set up Truly Secure Remote Access
- Install a hardware VPN for your network. We recommend Pulse Secure.
- Implement MFA (multi-factor authentication) for VPN access.
- Use best practices for password security:
  - Require password changes every 120 days
  - Require complex passwords
- Never give everyday user accounts administrative privileges
- Carefully manage all RDS accounts. Turn off accounts when employees separate from the company.
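Before you put the VPN in front of RDS, it helps to know what the server is exposing today. The PowerShell audit below is an added example (not code from the original post or from PlanetMagpie); it assumes a Windows Server 2016 or later host with the built-in NetSecurity and LocalAccounts modules and an elevated session, and reports the points this article raises: whether RDS is on, which port it listens on, whether any inbound firewall rule allows that port from any remote address (the "exposed" case), and which accounts can log on over RDS while also holding administrative rights.

```powershell
# Added example, not from the original post: audit a server's RDS exposure.
# Assumes Windows Server 2016+ (NetSecurity + LocalAccounts modules), run elevated.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled, and on which port? (Default is 3389.)
$rdpEnabled = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$port       = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# 2. Network Level Authentication requires credentials before a session is built,
#    which keeps unauthenticated attackers away from pre-auth bugs such as BlueKeep.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

# 3. Which enabled inbound allow rules cover that port, and from which remote addresses?
#    RemoteAddress 'Any' on an Internet-facing interface is the exposed configuration.
$openRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $remote }
    }

# 4. Who can connect over RDS? Members of Administrators can always connect,
#    regardless of Remote Desktop Users membership, so they are the accounts to review.
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name
$admins   = Get-LocalGroupMember -Group 'Administrators'       | Select-Object -ExpandProperty Name

[pscustomobject]@{
    RdpEnabled            = $rdpEnabled
    ListeningPort         = $port
    NlaRequired           = $nla
    RulesOpenToAnyRemote  = ($openRules | Where-Object RemoteAddress -eq 'Any').Rule
    RdpUsersGroup         = $rdpUsers
    AdminAccountsWithRdp  = $admins
}
```

Anything listed under RulesOpenToAnyRemote on a server with a public interface is the condition the article warns about; once the hardware VPN is in place, those rules should be scoped to the VPN's internal address range.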
If you use RDS at all, it needs protection. Now.
The fact is, Remote Desktop port 3389 should never be “exposed” to the Internet. Unsecured RDS means your servers are vulnerable to exploitation.
Use a VPN to keep it safe. Every network using RDS needs one.
Unsure if using RDS in your environment will compromise security? Using remote access without a VPN? Contact PlanetMagpie's Support Team to make it secure, at firstname.lastname@example.org.