In the current cloud landscape, security has never been more important than it is today. This applies to Remote Desktop Protocol (RDP) as much as to anything else in your networks. Generally, on-premises connections over RDP require the client to already be connected to the on-premises network; in the cloud, however, the RDP host may be reachable over the Internet and accessible by anyone in the world. This leaves your networks and virtual machines dangerously exposed to the Internet. An exposed RDP endpoint could be offering up your entire network to hackers using BlueKeep or other exploits to take control of your systems, steal your data, and cause irreparable damage to your organization. You never want to leave an RDP endpoint open to the public Internet (or really even a private network) without taking a few precautions to protect the RDP connections you use to remotely manage the virtual machines (VMs) in your networks.
There are several tips and techniques that can be used to better secure RDP endpoints. These range from simple things like obscuring the endpoint, to using a VPN, to more advanced features like Just-in-time access controls.
To better show how important this is, please watch this short video from SophosLabs that demonstrates the BlueKeep (CVE-2019-0708) exploit being used to gain access to an otherwise “secure” VM over RDP.
Microsoft has already issued a patch for the BlueKeep vulnerability in Remote Desktop Services, but it’s always best practice to keep your RDP endpoints as secure as possible. This will really help keep hackers out, and keep your organization, customers, and employees safe.
Now, let’s take a look at a few options for enhancing the security of your RDP endpoints so they are not left exposed for exploitation by hackers.
Require VPN to Connect
The best method to secure remote connections to any network, over RDP or otherwise, is to set up a VPN. This establishes a secured network tunnel from the client machine directly to a VPN Gateway, which grants access to the network being connected to.
This is the most secure method for granting a client computer access to resources on an internal network, whether located on-premises or in the cloud.
VPNs are the most secure method of securing an internal network connection by remote machines.
A VPN Gateway enables a secure, encrypted connection between one or more client computers and an internal network. Within Microsoft Azure, a VPN Gateway can be set up to create a secure connection, over the Internet, that protects all traffic from a single machine or an on-premises network to an Azure Virtual Network in the cloud.
Block Internet or Unknown IP Addresses
If an RDP endpoint must be exposed so it can be connected to over the Internet, then you’ll want to block all Internet or unknown IP addresses that do not need to connect. By doing this you can allow only your branch office, or other known IP address ranges, to connect to the RDP endpoint. All other machines and IP addresses on the Internet will then be blocked from even attempting to connect.
Within Microsoft Azure, you can use Network Security Groups (NSGs) to secure an individual Virtual Machine (VM) or an entire Virtual Network (VNet) by blocking these Internet or unknown IP addresses from connecting.
This is a best practice for setting up any kind of VM that needs to expose an RDP endpoint. For example, if you set up a Jumpbox that can be connected to via RDP in order to facilitate remote access and administration of your network, you can explicitly set your Network Administrator’s home IP address as the only address allowed to connect remotely to the RDP endpoint. This would mean that only clients located at that IP address are able to attempt a connection, vastly increasing the overall security of the RDP endpoint.
Disable RDP When Not in Use
It’s best practice to disable any endpoint when it’s not needed. When you need to remotely connect to your VM, enable the RDP endpoint and perform your remote administration. When the connection is no longer needed, disable the RDP endpoint. This will block attackers from attempting to exploit the RDP endpoint when you’re not using it, which should be the majority of the time.
Hackers can’t exploit an endpoint that doesn’t exist. You can disable the RDP endpoint by turning off the VM when it isn’t needed. This is easily done in cases where a Jumpbox is used to connect over RDP.
Another method is to disable connections to the RDP endpoint itself, on port number 3389, when it is not in use. You can do this by configuring firewall rules, such as Network Security Groups (NSGs), to block all connections to the RDP port. This lets you keep your VM running and configured when not in use, while making sure it can’t be connected to when not needed.
Turn off the Virtual Machine or use a Firewall (such as NSGs or other) to block RDP connections when not needed.
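The following is an added example (not code from the original post) covering both the "Block Internet or Unknown IP Addresses" and "Disable RDP When Not in Use" sections: it builds an NSG that allows RDP only from the administrator’s home IP, explicitly denies RDP from the Internet, attaches it to the Jumpbox NIC, and then flips the admin rule to Deny between sessions. It assumes the Az PowerShell module is installed and signed in, and the resource group, region, NSG name, NIC name and admin IP are placeholders.

```powershell
# Added example (not from the original post). All names below are placeholders.
$rg       = "rg-jumpbox"          # placeholder resource group
$location = "eastus"              # placeholder region
$nsgName  = "nsg-jumpbox"         # placeholder NSG name
$adminIp  = "203.0.113.10/32"     # placeholder admin home IP (TEST-NET-3 range)

# Rule 1 (priority 100): allow RDP only from the network administrator's home IP.
$allowAdmin = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-Admin" `
    -Description "RDP from the network administrator's home IP only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $adminIp -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

# Rule 2 (priority 200): explicitly deny RDP from the Internet service tag.
# The built-in DenyAllInbound rule (priority 65500) would also catch this, but an
# explicit deny at 200 still wins over any broad allow someone later adds with a
# higher priority number (NSG rules are evaluated lowest number first, first match wins).
$denyInternet = New-AzNetworkSecurityRuleConfig -Name "Deny-RDP-Internet" `
    -Description "Block RDP from the Internet service tag" `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 200 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowAdmin, $denyInternet

# Attach the NSG to the Jumpbox NIC (placeholder NIC name).
$nic = Get-AzNetworkInterface -Name "nic-jumpbox" -ResourceGroupName $rg
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# "Disable RDP when not in use": flip the admin rule to Deny after an admin
# session and back to Allow only when the next one is needed. The VM keeps running.
function Set-RdpAccess {
    param([ValidateSet("Allow", "Deny")][string]$Access)
    $nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg
    Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "Allow-RDP-Admin" `
        -Description "RDP from the network administrator's home IP only" `
        -Access $Access -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix $adminIp -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3389 | Out-Null
    $nsg | Set-AzNetworkSecurityGroup | Out-Null
}

Set-RdpAccess -Access Deny    # lock the endpoint once remote administration is finished
# Set-RdpAccess -Access Allow # re-open it only for the next session
```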
Use Azure Bastion
With Virtual Machines (VMs) and Virtual Networks (VNets) in the Microsoft Azure cloud, you can use the Azure Bastion service to enable RDP connections to those VMs directly from within the Azure Portal. When using Azure Bastion, you no longer need to open an Internet-accessible RDP endpoint on the VM. Azure Bastion enables a secure connection, over SSL/TLS encryption, through the Azure Portal web application user interface (UI) for remote connections over RDP.
You can use the Azure Bastion service to enable RDP connection to those VMs directly from within the Azure Portal.
Instead of creating a Jumpbox (or Bastion) VM in your Virtual Network (VNet), you simply create an instance of the Azure Bastion service. Then, administrators can connect over RDP to your VMs in the VNet using the UI directly within the Azure Portal. This is the most secure method to remotely connect to Azure VMs over RDP for administrators who have access to the Azure Portal.
Preview Note: At the time of writing this, the Azure Bastion feature is still in Private Preview. I anticipate it being released GA (General Availability) sometime over the next few months, perhaps before or around the Microsoft Ignite 2019 conference.
Just-in-time Access in Azure Security Center
In Microsoft Azure, Just-in-time (JIT) Virtual Machine (VM) access can be used to secure remote access to Virtual Machines. It works by having Azure Security Center lock down all inbound traffic to VMs by creating and managing a Network Security Group (NSG) rule. Then, when access is needed, Security Center uses Role-based Access Control (RBAC) permissions to grant access to the required ports (such as RDP) only for as long as it is necessary.
Hackers have a greatly reduced ability to exploit the RDP endpoint when you reduce the amount of time the RDP port is open and exposed to the Internet (or any other network). Just-in-time Access helps better facilitate access to VMs by utilizing RBAC instead of manually modifying the NSG rules directly.
Just-in-Time Access also works by setting a time limit on the remote access to the VM. After the configured access time has expired, Azure Security Center will automatically re-secure the VM by configuring the NSG and Azure Firewall as needed. This helps ensure that an RDP port is not forgotten about and left open by mistake once it’s no longer needed.
After the configured access time has expired, then Azure Security Center will automatically re-secure the VM by configuring the NSG and Azure Firewall needed.
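An added example (not code from the original post) of the JIT flow described above: first a JIT policy that has Security Center lock port 3389 and cap requests at three hours, then a one-hour access request that opens the port to a single admin IP and expires on its own. It assumes the Az.Security PowerShell module, and the subscription id, resource group, region, VM name and admin IP are placeholders.

```powershell
# Added example (not from the original post). All ids and names below are placeholders.
$subId    = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id
$rg       = "rg-jumpbox"
$location = "eastus"
$vmName   = "vm-jumpbox"
$adminIp  = "203.0.113.10"                          # placeholder admin IP (TEST-NET-3 range)
$vmId     = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Policy: Security Center adds a Deny NSG rule for 3389 and allows access
#    requests of at most 3 hours (ISO 8601 duration PT3H).
$policyVm = @{
    id    = $vmId
    ports = @(@{
        number                     = 3389
        protocol                   = "TCP"
        allowedSourceAddressPrefix = @("*")   # who MAY request; narrowed per request below
        maxRequestAccessDuration   = "PT3H"
    })
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $rg -VirtualMachine @($policyVm)

# 2. Request: open 3389 to the admin IP only, for one hour. When endTimeUtc passes,
#    Security Center reverts the NSG rule to Deny without anyone having to remember.
$endUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$requestVm = @{
    id    = $vmId
    ports = @(@{
        number                     = 3389
        endTimeUtc                 = $endUtc
        allowedSourceAddressPrefix = @($adminIp)
    })
}
$policyId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($requestVm)
```

The requester needs RBAC permission for the Microsoft.Security/locations/jitNetworkAccessPolicies/initiate action on the policy, which is the control the section above describes replacing hand-edited NSG rules.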
Obscure the RDP Port
Security through obscurity, anyone? Generally, obscuring things (or obfuscation) is not a proper method of security. However, you can add one more layer of protection for hackers to get through by changing the port number used to connect via RDP.
The default and standard port for the Remote Desktop Protocol (RDP) is 3389. This is well known throughout the industry, by IT Pros and Hackers alike. By changing the port number exposed for RDP connections, you are obscuring its access, making it a little more difficult to attempt unauthorized RDP connections.
While this may help give you and your boss a better sense that hackers won’t be gaining access to your system, just be sure to know that this isn’t really security. Obscuring the port number just hides the RDP endpoint in plain sight. Many hackers will likely use port scanners and be able to discover what ports are exposed for external connections. Once they have the list of open ports, it may only be a matter of time until they figure out that the non-standard port number is really exposing RDP connectivity.
Changing the Port number used by RDP from 3389 to something else may help obscure the endpoint, making it more difficult for hackers to discover.
Never rely solely on obscuring the RDP port number. It can, however, be used in addition to the other techniques to help mask things and make it more difficult to discover the RDP endpoint in the first place.
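An added example (not code from the original post) of the port change this section describes, run as Administrator on the Windows VM itself: it moves the RDP listener off 3389 via the RDP-Tcp registry key, opens the new port on the host firewall, restarts the service and verifies the listener. The new port value is a placeholder.

```powershell
# Added example (not from the original post). Run elevated on the VM; the port is a placeholder.
$newPort = 33890

# 1. Change the listener port in the registry key used by the RDP-Tcp listener.
$rdpKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
Set-ItemProperty -Path $rdpKey -Name "PortNumber" -Value $newPort -Type DWord

# 2. Allow the new port through Windows Defender Firewall; the built-in
#    "Remote Desktop" rules still reference 3389 and will not cover it.
New-NetFirewallRule -DisplayName "RDP on $newPort" -Direction Inbound `
    -Protocol TCP -LocalPort $newPort -Action Allow -Profile Domain,Private,Public | Out-Null

# 3. Restart the Remote Desktop service so the listener rebinds.
#    This drops any RDP session you are currently connected through.
Restart-Service -Name TermService -Force

# 4. Verify: the listener should now be on the new port and no longer on 3389.
Get-NetTCPConnection -State Listen -LocalPort $newPort |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Update the NSG rule’s DestinationPortRange to the same port as well, otherwise the connection is blocked before it reaches the VM. As the section says, the port is still discoverable by a scan, so this only complements the controls above.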
Thanks for explaining some of the different options. We have implemented MFA on our RDP endpoints using Duo Security.
That’s good but exploits like BlueKeep allow remote code execution before login. You should consider using some of the other methods in addition to make sure you’re as secure as possible. Thanks!
I just watched the video and understand this better now. I guess no one solution is going to prevent exploits so it’s good to have multiple layers. As well as MFA, we are also using IP white lists and RDP port obscuring. I have just started following your blog and have found it very informative. Thanks again.
That’s exactly correct, multiple layers of security is best. Thanks for the follow, Zahid!