How to secure Remote Desktop Protocol
There are few remote access protocols as prevalent as Remote Desktop Protocol. Developed by Microsoft, RDP allows a user to connect to a remote machine and interact with it through a graphical user interface. In this article, you’ll learn more about what RDP is, its use cases, and how to secure it.
What is Remote Desktop Protocol?
Remote Desktop Protocol (RDP) is a protocol that allows remote access to Windows devices. It transmits output from the remote server to the client device, and input from the client device to the remote server. Put more simply, it allows you to see the monitor of the remote machine on your own monitor and to use your mouse and keyboard to interact with the remote machine.
The use of RDP has never been more common than it is now, as platforms such as Hyper-V and Microsoft Azure use it as their default remote connection protocol. With RDP, a remote machine can be used as smoothly and simply as a local one.
Benefits of RDP
There are any number of reasons why you might want to use RDP to remotely access individual computers or a network. For example, RDP gives technical support providers and other help desk services an easy way to access a remote user’s machine. It also allows remote workers to access the same resources they could if they were in the office.
Using RDP provides a number of other benefits that increase efficiency and enhance security.
Remote file sharing
With RDP, the need for traditional data transfer methods, such as USB or cloud drives, is eliminated. Your data stays in one place, and it remains accessible to anyone who would normally have access to it — without requiring any additional software. You can read more about the file-sharing function of RDP in this article.
More control
RDP allows you to have control over who can access what. You can specify users’ permissions, restricting their access to sensitive or unauthorized resources. RDP also allows for the management of the network in real time from a remote location.
Increased efficiency
RDP allows the efficient setup of remote working mechanisms. Once remote access is enabled on the remote device and you’ve configured your network appropriately, the device will remain accessible to your team, regardless of the team’s location. An easy way to achieve this network configuration is with a VPN like Tailscale, which allows you to make your RDP host accessible outside of the local network.
Best practices to secure RDP
In this section, we’ll look into some of the best practices for securing RDP, along with step-by-step instructions on how to implement them. We’ll cover details of how to not expose your desktop to the internet, setting up encryption, and — for some use cases — enabling network-level authentication.
Don’t expose your RDP to the internet
According to CyberArk, more than 4.5 million RDP servers are exposed to the internet. This highlights how often RDP security is overlooked or misconfigured, making those devices easy targets for cybercriminals and other malicious actors.
Remote Desktop Protocol is one of the most commonly exposed services on the internet. These remote desktop services are usually exposed with the default port number 3389. You may think that changing it would be a good first step to securing your setup, but in practice threat actors are already scanning every port on every IP address on the public internet. This will only delay the inevitable instead of preventing it. The best way to secure your RDP servers is to not expose them to the public internet at all, and instead expose RDP only over Tailscale.
Encryption
By default, RDP uses Transport Layer Security (TLS, the same thing that HTTPS and your bank use) for encryption. But making RDP accessible over Tailscale obviates the need to care too much about which encryption method is used: Once the RDP session runs over Tailscale, RDP’s own security is augmented by Tailscale’s use of WireGuard, an end-to-end encrypted tunnel. This adds a second level of end-to-end encryption that can additionally protect your most private information from threat actors.
Network Level Authentication
If you’re working in a managed enterprise environment where both the client and the target server are managed by the same Active Directory instance, you can also use Network Level Authentication (NLA), which adds an additional layer of security to the process by requiring strong authentication using Credential Security Support Provider before the connection will be established. NLA also reduces the chances of man-in-the-middle attacks. Please note that this will only apply in managed enterprise networks. Enabling this on non-enterprise installs of Windows has a very high likelihood of breaking everything related to RDP authentication.
You can enable Network Level Authentication using the following steps:
- Open Control Panel and navigate to System.
- Click on Advanced settings under the Enable Remote Desktop.
- Enable the check of Configure Network Level Authentication.
That’s all that it takes to enable Network Level Authentication, significantly improving the security of your remote desktop services.
Conclusion
The three most important practices you can follow to secure RDP are not exposing it to the internet, setting up encryption, and enabling network-level authentication.
Finally, one of the best ways to keep your RDP connections secure is how you keep the rest of your network secure: by keeping it behind a VPN. Tailscale is a modern VPN service that gets you up and running in minutes, making all of your devices available to you from anywhere, quickly, easily, and most importantly, securely.
FAQs
What are the consequences of not securing RDP?
The consequences of not securing RDP can be devastating. If someone exploits a vulnerability or brute-forces a password, they’ll have access to your entire system. RDP exploits are common vectors for data theft, malware, and ransomware.
How can I make RDP less risky?
There are several steps you can take to increase the security of RDP, including enabling encryption and Network Level Authentication.
Are there better security options?
The safest way to use RDP is to avoid exposing it to the internet at all. This can be done by using it exclusively on local networks, or by setting it up as part of a VPN like Tailscale.
