The Remote Desktop protocol provides a popular method of accessing remotely located Windows computers from Windows or Linux systems. The number of RDP servers accessible through the Internet is over 4.5 million. There are countless more machines connected to corporate LANs and private networks. Many businesses rely on RDP servers to access remote machines.
Recently there have been vulnerabilities discovered in the protocol that may allow attackers to gain unauthorized access to desktops and workstations. The possibility of more bugs being uncovered is high, raising the question of how secure Remote Desktop sessions can be established.
Two Types of RDP security
RDP provides two types of security to establish secure Remote Desktop access between endpoints.
RDP’s standard security employs RSA’s RC4 encryption algorithm to protect data transmission. Random values are shared between client and server when a connection is initialized while the machines are in the Basic Settings Exchange phase. Remote Desktop encryption protects transmitted data from unauthorized use.
With RDP’s enhanced security, all phases of security such as encryption, decryption, and integrity checks can be outsourced to one of the following external security protocols:
- Credential Security Support Protocol (CredSSP)
- Transport Layer Security Protocol (TLS 1.0/1.1/1.2)
- Radio Data Systems (RDS) TLS to enable Network Level Authentication. This forces client sessions to authenticate with the RDP server.
The enhanced protocol can be implemented using a direct or a negotiation-based approach.
The direct option is more concerned with security than compatibility and requires the client to perform an external security protocol handshake before transmitting anything related to RDP.
In a negotiation-based configuration, connection initialization is outside the scope of the security protocol. The client and server select a security protocol after initialization. After completing the external protocol handshake, the external security protocol encapsulates all other stages of the Remote Desktop connection.
The most valuable characteristic of RDP Enhanced Security is that it allows Network Level Authentication (NLA) to secure Remote Desktop access.
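When auditing which security mode a server settles on in the negotiation-based approach, the server's 8-byte negotiation answer can be classified as below. This is an added example, not code from the original article or from Microsoft; the field values follow the MS-RDPBCGR specification, while the identifier names, the policy helper and the sample bytes are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Field values as defined in MS-RDPBCGR; identifier names are this example's own. */
enum { TYPE_NEG_RSP = 0x02, TYPE_NEG_FAILURE = 0x03, NEG_LEN = 8 };
enum { P_STANDARD = 0x0, P_TLS = 0x1, P_CREDSSP = 0x2, P_RDSTLS = 0x4, P_CREDSSP_EX = 0x8 };

typedef enum { SEC_MALFORMED, SEC_REFUSED, SEC_STANDARD, SEC_TLS,
               SEC_CREDSSP_NLA, SEC_RDSTLS, SEC_UNKNOWN } sec_class;

/* Classify the 8-byte negotiation structure returned by the server.
 * The caller is assumed to have stripped the TPKT and X.224 headers. */
sec_class classify_negotiation(const uint8_t *p, size_t len)
{
    if (p == NULL || len < NEG_LEN)
        return SEC_MALFORMED;
    if ((p[2] | (p[3] << 8)) != NEG_LEN)       /* little-endian length field */
        return SEC_MALFORMED;
    if (p[0] == TYPE_NEG_FAILURE)
        return SEC_REFUSED;                    /* server rejected the offer */
    if (p[0] != TYPE_NEG_RSP)
        return SEC_MALFORMED;

    uint32_t selected = (uint32_t)p[4] | ((uint32_t)p[5] << 8) |
                        ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24);
    switch (selected) {
    case P_STANDARD:   return SEC_STANDARD;    /* RC4-based standard security */
    case P_TLS:        return SEC_TLS;
    case P_CREDSSP:
    case P_CREDSSP_EX: return SEC_CREDSSP_NLA; /* CredSSP, i.e. NLA */
    case P_RDSTLS:     return SEC_RDSTLS;
    default:           return SEC_UNKNOWN;
    }
}

/* Audit rule for this example: only a CredSSP selection satisfies "NLA on". */
int meets_nla_policy(sec_class c) { return c == SEC_CREDSSP_NLA; }

int main(void)
{
    /* Constructed sample: response selecting CredSSP (0x00000002). */
    const uint8_t rsp[] = { 0x02, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00 };
    printf("NLA policy met: %d\n", meets_nla_policy(classify_negotiation(rsp, sizeof rsp)));
    return 0;
}
```

A server that answers with standard security or plain TLS fails the policy check, which is the condition to flag in an inventory of RDP hosts.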
Network Level Authentication
Network Level Authentication (NLA) employs CredSSP to authenticate users before they initiate the RDP connection. This ensures that only authenticated users can access the RDP server’s resources. NLA can be used to limit user access to minimize RDP security issues.
Recent Remote Desktop Vulnerabilities
Is RDP safe to use in your environment? Let’s take a look at critical Remote Desktop security risks that were recently discovered and how they impact the protocol in general.
DejaBlue (CVE-2019-1181 & CVE-2019-1182) is an RCE vulnerability found in Microsoft RDP servers in 2019. The security flaw affected all versions of Windows 7 through 10 until it was patched. The exposure is related to an integer overflow problem in one of the RDP server’s base dynamic link libraries: RDPCoreTS.dll or RDPBase.dll, depending on the version of Windows running.
The specific issue is with the function used to decompress data transmitted over a Dynamic Virtual Channel (DVC). When compressed data is sent over a DVC it is in a PDU in the form of RDP_SEGMENTED_DATA and can contain multiple segments. Part of the compressed RDP_SEGMENTED_DATA will specify the uncompressed size of the data.
When a compressed DVC PDU is received by the RDP server it decompresses the information with the DecompressUnchopper::Decompress() function. The function allocates memory for the decompressed data, giving it a size of uncompressedSize + 0x2000. No checks are performed on the result size. Cybercriminals can manipulate the memory allocation to make it smaller than the size required to store the decompressed data. This leads to a heap overflow which can be used to inject malware into an organization’s infrastructure.
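The size calculation described above can be reproduced in isolation to show why the missing check matters and what a checked version looks like. This is an added example, not Microsoft's code or its patch; it assumes a 32-bit size field, and the function names, the 16 MiB cap and the sample value are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SLACK 0x2000u /* extra bytes added to uncompressedSize, per the text */

/* Unchecked form: a 32-bit sum wraps silently for large declared sizes. */
uint32_t alloc_size_unchecked(uint32_t uncompressed_size)
{
    return uncompressed_size + SLACK;
}

/* Checked form: refuse sizes that would wrap or exceed a caller-chosen cap. */
bool alloc_size_checked(uint32_t uncompressed_size, uint32_t cap, uint32_t *out)
{
    if (uncompressed_size > UINT32_MAX - SLACK)
        return false;                      /* sum would wrap past 2^32 */
    uint32_t total = uncompressed_size + SLACK;
    if (total > cap)
        return false;                      /* larger than policy allows */
    *out = total;
    return true;
}

/* Second line of defence: every segment write is checked against the
 * space actually left in the buffer, whatever the header declared. */
bool segment_fits(size_t buf_size, size_t written, size_t seg_len)
{
    return written <= buf_size && seg_len <= buf_size - written;
}

int main(void)
{
    const uint32_t declared = 0xFFFFF000u;    /* constructed sample value */
    const uint32_t cap = 16u * 1024u * 1024u; /* hypothetical 16 MiB limit */
    uint32_t size = 0;

    printf("unchecked: 0x%08x\n", (unsigned)alloc_size_unchecked(declared));
    printf("checked accepts: %d\n", alloc_size_checked(declared, cap, &size));
    printf("segment fits: %d\n", segment_fits(0x6000, 0x5000, 0x1001));
    return 0;
}
```

The unchecked sum for the sample value is far smaller than the declared size, while the checked version rejects it before any allocation takes place.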
BlueKeep (CVE-2019-0708) is an RCE vulnerability in the RDP server that impacted systems running Windows 2000 to Windows 7 and Windows Server 2008 R2. It was addressed by Microsoft in a patch provided in May of 2019. The vulnerability was present in termdd.sys, the Windows kernel driver responsible for handling RDP connections.
BlueKeep is a use-after-free vulnerability that can result in a Remote Desktop exploit when the connection is being initialized. Negotiations between client and server are conducted to determine which static virtual channels will be initialized for the connection. Certain channels are allocated regardless of the requests.
The MS_T120 channel is one of those allocated channels and is pointed to by a table created by termdd.sys. The Static Virtual Channel MS_T120 is created at index 0x1F by default before the connection sequence begins and can be used by hackers for malicious purposes.
How to Secure RDP
Is Remote Desktop secure? While there are vulnerabilities in the protocol, following some general security measures can make it more difficult for criminals to launch a successful attack against your RDP servers. Here’s how to secure Remote Desktop by taking two simple steps.
- Enable Network Level Authentication (NLA).
- Keep your RDP servers behind firewalls so they are not exposed to the Internet. This will make them impossible to find with Shodan, a favorite tool of hackers searching for potential targets.
The attack surface is reduced by these steps. Attacks can only be perpetrated by individuals who have been authenticated and are already on your network.
Consider implementing the following additional best practices to secure your RDP servers:
- Configure remote desktop gateways to enforce multi-factor authentication (MFA) to access RDP servers. The gateways should be the only way to access services resident on enterprise computers.
- Make sure your IT team or provider keeps the RDP clients updated with the latest code and patches.
- Implement strong password policies that lock users out of their machines after several unsuccessful attempts. Users will need to contact an administrator to reset the password, providing the systems with additional security.
- Only provide administrative access when Remote Desktop is used for system administration. Use a Group Policy Setting to limit the number of system admins that can modify the RDP configuration. Local administrative accounts with RDP access should be disabled whenever possible to provide enhanced security.