Microsoft Remote Desktop services (RDP) are very often used to:
Using RDP over Internet
A very tempting way of using RDP is to expose the RDP server to the Internet by “opening” the needed port on the edge firewall; typically the server listens on TCP port 3389. Then the remote user uses his RCP client to connect to this server.
Why not expose directly to the Internet the RDP server
There are a couple of problems with directly exposing the RDP server to the Internet:
- Your RDP server can become a target for automated brute-force attacks. For example the Morto worm targeted RDP a while ago and huge spikes in RDP TCP port 3389 scans were reported by the SANS Storm Center at that time. The worm used a list of passwords for the default administrator user name in an attempt to gain access to the system over RDP.
- Attackers specifically search for open RDP ports and attempt to log into the RDP server by guessing the username and password. Publicly available tools like ncrack, tsgrinder or RDP Brute Force make easy such attacks.
- You may forget that RDP was allowed from the Internet to an internal machine and an RDP vulnerability to appear; in the most fortunate scenario attackers may “only” manage to DoS the exposed server.
- Normally in the default configuration the RDP connection is vulnerable to MITM attacks as it only provides encryption but does not authenticate the server. While you can mitigate these using TLS or Network Level Authentication (NLA), you need to configure appropriately both the servers and clients; specifically all your RDP servers and clients.
- Not only the server is exposed, the client can be too; speaking about MITM attacks, in the context of the MS09-044 RDP vulnerability, a hacker could execute code on the client’s machine.
Why access the RDP server over VPN
Accessing the RDP server over VPN provides certain advantages:
- The VPN server authenticates and authorizes the users to use RDP; first a user must successfully authenticates himself with the VPN server (strong authentication it’s easy to implement these days), then the VPN server will allow only permitted users to access the administrator specified RDP servers. And the attempted access will be logged on the VPN server.
- Mitigates MITM attacks and prevents unauthorized access to the RDP server.
- At no time attackers have direct access to the RDP server/client.
- A SSL VPN server it’s easy to setup. Users can use the browser for clientless SSL VPN access or a full blown SSL VPN client if needed. SSL VPN can be used from many remote locations where outbound traffic is restricted and also allows the secure access to other internal resources.
Using RDP without VPN exposes both RDP servers and clients to various attacks. SSL VPN can represent a simple and convenient way of securing RDP.