How to secure Remote Desktop Protocol (RDP)
Remote Desktop Protocol (RDP) enables seamless remote access to Windows devices, but its security risks are significant. This guide covers essential steps to protect remote desktop connections, from encryption and network-level authentication to best practices like limiting exposure to the internet.
What is Remote Desktop Protocol?
Remote Desktop Protocol (RDP) is a type of remote access software that allows remote access to Windows devices. It transmits output from the remote server to the client device, and input from the client device to the remote server.
Put simply, it allows you to see the monitor of the remote machine on your own monitor and to use your mouse and keyboard to interact with the remote machine.
The use of RDP has never been more common than it is now, as platforms such as Hyper-V and Microsoft Azure use it as their default remote connection protocol. With RDP, a remote machine can be used as smoothly and simply as a local one.
Benefits of RDP
There are any number of reasons why you might want to use RDP to remotely access individual computers or a network. For example, RDP gives technical support providers and other help desk services an easy way to access a remote user’s machine. It also allows remote users to access the same resources they could if they were in the office.
Using RDP provides a number of other benefits that increase efficiency and enhance security, including:
- Remote file sharing. With RDP, the need for traditional data transfer methods, such as USB or cloud drives, is eliminated. Your data stays in one place, and it remains accessible to anyone who would normally have access to it — without requiring any additional software.
- More control. RDP allows you to have control over who can access what. You can specify users’ permissions, restricting their access to sensitive or unauthorized resources. RDP also allows for the management of the network in real time from a remote location.
- Increased efficiency. RDP allows the efficient setup of remote working mechanisms. Once remote access is enabled on the remote device and you’ve configured your network appropriately, the device will remain accessible to your team, regardless of the team’s location.
Best practices to secure RDP
In this section, we’ll look into some of the best practices for securing RDP, along with step-by-step instructions on how to implement them. We’ll cover details of how to not expose your desktop to the internet, setting up encryption, and — for some use cases — enabling network-level authentication.
Don’t expose your RDP to the internet
According to CyberArk, more than 4.5 million RDP servers are exposed to the internet. This highlights how often RDP security is overlooked or misconfigured, making those devices easy targets for cybercriminals and other malicious actors.
Remote Desktop Protocol is one of the most commonly exposed services on the internet. These remote desktop services are usually exposed on the default port, 3389. You may think that changing the port would be a good first step to securing your setup, but in practice threat actors already scan every port on every IP address on the public internet, so a non-standard port only delays discovery rather than preventing it. The best way to secure your RDP servers is to not expose them to the public internet at all, and instead expose RDP only over Tailscale.
Encryption
By default, RDP uses Transport Layer Security (TLS, the same protocol that HTTPS and your bank use) for encryption. Once RDP is reachable only over Tailscale, the choice of RDP encryption method matters much less: the RDP session is carried inside Tailscale's WireGuard tunnel, which is itself end-to-end encrypted. This adds a second layer of end-to-end encryption that further protects your most private information from threat actors.
Network Level Authentication
If you’re working in a managed enterprise environment where both the client and the target server are managed by the same Active Directory instance, you can also use Network Level Authentication (NLA). NLA adds a layer of security by requiring the client to authenticate through the Credential Security Support Provider (CredSSP) before the remote session is established, and it reduces the chance of man-in-the-middle attacks. Please note that this only applies in managed enterprise networks: enabling it on non-enterprise installs of Windows has a very high likelihood of breaking everything related to RDP authentication.
You can enable Network Level Authentication using the following steps:
- Open Control Panel and navigate to System.
- Under Enable Remote Desktop, click Advanced settings.
- Tick the Configure Network Level Authentication checkbox.
That’s all that it takes to enable Network Level Authentication, significantly improving the security of your remote desktop services.
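The NLA checkbox above, the TLS default from the Encryption section, and the exposure concern from the previous section can be audited and applied together from an elevated PowerShell prompt. This is an added example, not code from the original article or from Tailscale; it assumes a Windows host with the NetSecurity module (Windows 8 / Server 2012 and later), that NLA is appropriate for the host as the note above describes, and that your Tailscale nodes use addresses in 100.64.0.0/10 (the range Tailscale assigns by default).

```powershell
# Added example: audit and harden RDP settings on a Windows host (run elevated).
# Registry value names below are the documented RDP-Tcp listener settings;
# 100.64.0.0/10 is assumed to be the address range of your Tailscale nodes.
$rdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tailnet = '100.64.0.0/10'

function Get-RdpSecurityState {
    $p = Get-ItemProperty -Path $rdpTcp
    [pscustomobject]@{
        # UserAuthentication 1 = NLA required (what the Control Panel checkbox sets)
        NlaRequired = ($p.UserAuthentication -eq 1)
        # SecurityLayer 0 = legacy RDP security, 1 = negotiate, 2 = TLS only
        TlsOnly     = ($p.SecurityLayer -eq 2)
        # Any enabled rule in the built-in "Remote Desktop" group whose remote
        # scope is unrestricted means port 3389 accepts connections from anywhere
        OpenToAny   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
                        Get-NetFirewallAddressFilter |
                        Where-Object { $_.RemoteAddress -contains 'Any' }).Count -gt 0
    }
}

function Set-RdpHardened {
    # Require NLA and TLS for the RDP-Tcp listener
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord
    # Scope the Remote Desktop firewall rules so only Tailscale addresses reach 3389;
    # combined with not forwarding the port on your router, this keeps RDP off the internet
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $tailnet
}

$before = Get-RdpSecurityState
if (-not $before.NlaRequired -or -not $before.TlsOnly -or $before.OpenToAny) {
    Write-Host 'RDP is not hardened; current state:'
    $before | Format-List
    Set-RdpHardened
    Write-Host 'State after hardening:'
    Get-RdpSecurityState | Format-List
} else {
    Write-Host "RDP already requires NLA, uses TLS only, and is scoped to $tailnet"
}
```

Changes to the listener settings take effect for new sessions; re-run the script after a Group Policy refresh, since domain policy can overwrite these values.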
How Tailscale can help
An easy way to reach an RDP host from outside its local network, without exposing it to the public internet, is a VPN like Tailscale.
FAQs
What are the consequences of not securing RDP?
The consequences of not securing RDP can be devastating. If someone exploits a vulnerability or brute-forces a password, they’ll have access to your entire system. RDP exploits are common vectors for data theft, malware, and ransomware.
How can I make RDP less risky?
There are several steps you can take to increase the security of RDP, including enabling encryption and Network Level Authentication.
Are there better security options?
The safest way to use RDP is to avoid exposing it to the internet at all. This can be done by using it exclusively on local networks, or by setting it up as part of a VPN like Tailscale.