How to Prevent RDP (Remote Desktop Protocol) Attacks?

Cybercriminals exploit vulnerabilities in the Remote Desktop Protocol (RDP) to gather intelligence and compromise devices. This guide explains how to prevent RDP attacks effectively.
By SentinelOne April 21, 2025

RDP is based on the T-120 protocol family standards and first gained prominence when Microsoft let users remotely connect to and control other computers over a network. It encrypts its network communications and lets users operate desktops from a distance.

However, RDP isn’t without risks. It can be exploited to gain unauthorized access to devices. There have been 16 major Windows releases since its debut, meaning threat actors have had plenty of opportunities to hijack it and gain remote access to Windows servers and devices. This guide will walk you through how to prevent RDP attacks and stay protected.

What is an RDP (Remote Desktop Protocol) Attack?

RDP is a communication protocol developed by Microsoft that lets users control desktop devices (or any device running a Microsoft OS) remotely. Remote desktop connections use TCP (Transmission Control Protocol) port 3389, which is the default entry point for remote connections. When threat actors compromise its encrypted channels and take over a session, that is what we call a remote desktop protocol attack.

Here is a brief breakdown of how RDP attacks work:

  • Attackers first scan for your RDP port. Any active device listening on it can serve as an entry point to your network. The threat actor may brute-force their way into the network through this port and take advantage of the large volume of RDP connections.
  • After the initial compromise, the attacker scans entire networks and subnets and escalates their penetration. They could use Windows Management Instrumentation connections to reach multiple endpoints across distributed computing environments, or remote procedure calls, to trigger a variety of attacks.
  • Once a device is compromised, the attacker takes control of it. Using a command-and-control interface, they send commands to other endpoints and networks in the infrastructure. They can use the compromised machine to create new RDP connections on non-standard ports.
  • At this stage, they can move laterally across networks and penetrate your enterprise more deeply. They can gain elevated privileges, retrieve sensitive data, and take ownership of high-value resources. By this point, they can also evade detection by the organization's latest security stack.

How Do Cybercriminals Exploit RDP?

RDP attacks specifically target distributed workforces and third-party contractors. There is a lot of value in hijacking compute-intensive resources, and RDP can grant attackers visibility into and access to Windows servers and sessions.

Traditional RDP did not come with the security and privacy measures we know today. A username and password combination was all that was needed for user authentication; RDP did not offer built-in multi-factor authentication by default.

How to Detect Unauthorized RDP Access?

Here are steps you can take to detect unauthorized RDP access:

  • Check your RDP logs for signs of odd behavior or malicious activity. Look for failed login attempts, unusually frequent logins, and logins from unrecognized IP addresses. These are signs that an attacker has tried to access the system.
  • Examine and analyze network traffic with network monitoring tools such as SentinelOne. Look for network anomalies and odd traffic patterns, and check whether large volumes of data are being sent to or received from specific IP addresses.
  • Port 3389 will show spikes in activity if something is going wrong. Record and monitor your network traffic and scan it to identify unwanted access attempts.
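The log checks above as detection logic, written as an added example that is not part of the SentinelOne article: it runs over a constructed, flattened set of Windows Security logon events (4625 failed logon, 4624 successful logon, logon type 10 for RDP) and flags brute-force bursts, RDP logons from sources outside an assumed allowlist, and a success that follows a burst of failures. The allowlist, thresholds, and sample lines are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one Windows Security event per line:
# time,event_id,account,logon_type,source_ip (4625 = failed logon,
# 4624 = successful logon, logon type 10 = RemoteInteractive/RDP).
SAMPLE_EVENTS = """\
2025-04-21T09:00:01,4625,admin,10,203.0.113.7
2025-04-21T09:00:03,4625,admin,10,203.0.113.7
2025-04-21T09:00:04,4625,administrator,10,203.0.113.7
2025-04-21T09:00:06,4625,admin,10,203.0.113.7
2025-04-21T09:00:09,4624,admin,10,203.0.113.7
2025-04-21T09:15:00,4624,jsmith,10,10.0.5.12
2025-04-21T09:20:00,4624,jsmith,2,10.0.5.12"""

TRUSTED_SOURCES = {"10.0.5.12", "10.0.5.13"}  # assumed RDP allowlist
FAIL_THRESHOLD = 3                # failures per source inside WINDOW
WINDOW = timedelta(minutes=5)
RDP_LOGON_TYPE = "10"

def parse_events(text):
    """Turn the flattened lines into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, logon_type, src = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "id": eid,
                       "account": account, "logon_type": logon_type, "src": src})
    return events

def detect_rdp_anomalies(events, trusted=TRUSTED_SOURCES):
    """Return (kind, source_ip, detail) findings for RDP logons only."""
    findings, flagged = [], set()
    failures = defaultdict(list)  # source_ip -> recent failed-logon times
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # console, network or service logons are out of scope
        src, now = ev["src"], ev["time"]
        recent = [t for t in failures[src] if now - t <= WINDOW]
        if ev["id"] == "4625":
            recent.append(now)
            if len(recent) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)  # report each brute-force source once
                findings.append(("brute_force", src, f"{len(recent)} failures in {WINDOW}"))
        elif ev["id"] == "4624":
            if src not in trusted:
                findings.append(("untrusted_source", src, f"logon as {ev['account']}"))
            if len(recent) >= FAIL_THRESHOLD:  # password guessing that worked
                findings.append(("success_after_failures", src, ev["account"]))
        failures[src] = recent
    return findings
```

On the sample, the untrusted address 203.0.113.7 is reported three times (burst, untrusted logon, success after failures) while the allowlisted workstation produces nothing.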

Best Practices to Prevent RDP Attacks

Here are the practices to follow. Once you implement them, you will have a solid grasp of how to prevent RDP attacks:

  • Create strong passwords by mixing special characters, numbers, letters, and symbols. We recommend a length of at least 15 characters. Use a unique password for every account rather than reusing the same one, and use a password vault if you struggle to remember and keep track of them all.
  • Apply Microsoft updates automatically to all your client and server software. Make sure the setting is turned on so updates install in the background without manual requests. Prioritize patching RDP vulnerabilities that have known public exploits.
  • Implement multi-factor authentication and use up-to-date account lockout policies to fight brute-force attacks. You can also change the default RDP port from 3389 to something else for added safety.
  • Allowlist your connections and limit them to specific trusted hosts. We suggest restricting access to the Remote Desktop port to selected, verified IP addresses only. With this server setting in place, the server refuses connection attempts from IP addresses outside the allowlist and automatically blocks malicious attempts and processes.
  • Build a Zero Trust Network Access (ZTNA) architecture and enforce the principle of least privilege across all accounts. Perform regular checks to make sure all RDP ports are kept secure.
  • Restrict access to RDP connections with firewalls. Add the company's VPN address pool to your RDP firewall exception rules, and enable Network Level Authentication (NLA) before establishing new RDP connections.
  • Configure remote desktop servers to accept connections without NLA only if you must support remote desktop clients on platforms that lack it. Check your Group Policy settings and make user authentication mandatory for all remote connections.
  • Set up account lockout policies. After a given number of incorrect guesses, the account locks, which prevents attackers from gaining unauthorized access with automated password-guessing tools. You can, for example, allow three invalid attempts with lockout durations of three minutes each.
  • Use advanced AI threat detection and anti-malware solutions. Set up background scanning and endpoint security monitoring so that your devices, networks, and users are monitored constantly. This helps prevent insider and shadow IT attacks and adds an extra layer of protection.
  • Educate your employees on how to recognize failed RDP connections and access attempts. Encourage them to report their findings, anonymously if needed, and promote a culture of transparency in the workplace. When employees are active and involved, the whole team is on the same page. Every department should know how to prevent RDP attacks and be aware of the steps attackers take to escalate control and privileges. Safety begins with safeguarding the users of these technologies, before turning to automation tools and workflows for defense.

How to Respond to an RDP Attack?

Use the SentinelOne Singularity XDR Platform to automate incident investigation and apply RDP playbook best practices, helping your SOC team speed up its response. Here are the steps to take if you are subjected to an RDP attack:

  • Block the compromised user and the attacker's IP address the moment you discover them. This contains and helps quarantine the threat. Start an ASN investigation and look into the user's activities. Use SentinelOne's XSOAR module to detect RDP-related campaigns.
  • Singularity Threat Intelligence and Purple AI can give you deeper insights into the attacker's IP address. Isolate the compromised endpoints and fetch activities according to the different MITRE stages. SentinelOne will guide you all the way through enrichment, investigation, and response. You can close the incident, update it, and sync it to XDR. You will be able to view all information about internal and external user management ecosystems from the unified dashboard and console.
  • If you want a deeper investigation, consider SentinelOne's threat hunting services, which can reveal other IoCs (Indicators of Compromise) related to the attacker's IP or campaigns.
  • Continue using SentinelOne’s platform to defend against RDP brute force attacks and protect your organization’s critical assets. Implement the best cybersecurity measures and fortify your cloud defenses against emerging threats.

Real-World Examples of RDP-Based Cyberattacks

RDP’s default port 3389 can be used to launch on-path attacks. BlueKeep, officially labeled CVE-2019-0708, was one of the most serious RDP vulnerabilities. It was an unauthenticated remote-code execution (RCE) vulnerability and was wormable, so it could spread to other machines within the network. Users could do nothing while bad actors compromised systems by gaining unauthorized access and moving laterally within the network. They escalated privileges and installed malware, even deploying ransomware.

Attackers can quickly identify misconfigured RDP ports and launch attacks using search engines like Shodan. They can initiate brute-force attacks, gain unauthorized access automatically, and even start man-in-the-middle (MitM) attacks. Malware families like Sodinokibi, GandCrab, and Ryuk can also be involved in RDP attacks, as was the case in the RobinHood ransomware attack that the city of Baltimore faced.

Mitigate RDP Attacks with SentinelOne

SentinelOne can block Remote Desktop Protocol connections, including suspicious P2P remote desktop attacks. It uses its endpoint security capabilities to secure remote access, including full remote shell. You can deploy SentinelOne’s agent and monitor all applications and files, including RDP-related processes and connections.

You can also use SentinelOne to take actions, like quarantining files and rolling back unauthorized changes. It can detect and block P2P RDP attacks that use commercial off-the-shelf tools like TeamViewer or VNC for remote control.

You can also detect and protect against the latest vulnerabilities, like the BlueKeep vulnerability, which targets and exploits RDP connections. SentinelOne provides additional security measures, like policy-based access controls. It uses dedicated passwords to encrypt each session and also implements multi-factor authentication.

It can apply two-factor authentication before allowing access, and has detailed auditing data.

SentinelOne can also be used to deploy remote access to all devices, including RDP-related processes and connections.

SentinelOne’s agent and command line tool can manage its agents: check their status, run diagnostics, and monitor and protect endpoints. SentinelOne also integrates with other platforms like SonicWall and NinjaOne through its dedicated app. It ensures seamless RDP connections across multiple platforms and provides the best AI-powered integrated security.

Conclusion

RDP attacks remain a threat to organizations of any size. You can defend against such attacks by following the practices in this guide. You will need good passwords, multi-factor authentication, and regular updates to remain secure. You can catch suspicious activity early by monitoring network traffic and RDP logs. You must disable RDP when not using it and limit access through firewalls and allowlisting. But you also need advanced tools and employee training for a good defensive posture. SentinelOne offers AI-powered protection that automatically detects and blocks RDP-based threats, giving you complete visibility and control of your remote desktop environment.

Protect your enterprise today with SentinelOne.

FAQs

Why should RDP be disabled when not in use?

Disabling RDP when it is not in use protects and enhances your organization’s cybersecurity. It reduces the risk of attack and minimizes your attack surface. Disabling RDP prevents hackers from suddenly gaining unauthorized access to your sensitive data and is considered a standard security practice.

What role does endpoint security play in protecting RDP?

Endpoint security forms the first defense line for RDP connections. You can monitor all RDP activities with endpoint solutions that track unusual behaviors. You will gain visibility into who connects to your network and when these connections occur. If you deploy solutions like SentinelOne, you will receive alerts about suspicious RDP activities. Your endpoints need constant monitoring as they serve as entry points for attackers targeting RDP vulnerabilities.

How can businesses secure RDP from cyber threats?

Businesses need multi-layered security approaches for RDP protection. You should implement strong password policies with at least 15 characters. You will need to enforce multi-factor authentication for all remote connections. If you change the default RDP port from 3389, you make it harder for attackers to find. You can restrict RDP access to specific IP addresses through allowlisting. There will be fewer risks if you establish a VPN for all remote desktop connections.

What are the Common Types of RDP Attacks?

RDP attacks come in several forms that you should recognize. Brute force attacks repeatedly try username-password combinations until access is gained. You will encounter credential stuffing where attackers use leaked credentials from other breaches. If you notice unusual RDP connection attempts, man-in-the-middle attacks might be occurring to intercept your data. You can also experience BlueKeep-type vulnerabilities that exploit RDP without authentication. RDP can become an entry point for ransomware if you leave it unprotected.

Why Are RDP Attacks a Serious Security Risk?

RDP attacks give direct access to your systems with legitimate user credentials. You will face total compromise if attackers gain admin privileges through RDP. If you experience an RDP breach, attackers can move laterally across your network. You can lose sensitive data when hackers extract information through established RDP sessions. But you should know that RDP attacks often go undetected for extended periods, allowing attackers to maintain persistence. Your entire organization becomes vulnerable when just one RDP connection is compromised.