How to secure RDP (Remote Desktop Protocol)


Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that has been bundled with Windows products for the past two decades. It allows users to connect to an office computer, for example one on a corporate network, and operate the device remotely. It lets users reach network resources without a VPN, and means that data and applications do not have to leave the workstation or server that hosts them.

However, the access that RDP gives users can also be used by attackers to infiltrate networks. The sharp increase in the number of workers using the remote desktop protocol during the Covid-19 lockdowns and the ongoing WFH has provided hackers with even more vulnerable endpoints to try to compromise. In 2020, ESET security researchers uncovered over 29 billion attempted attacks on RDP, an increase of 768%. The UK’s National Cyber Security Centre said the remote desktop protocol remains the “attack vector most commonly used by hackers to gain access to networks.”

Compromised RDP access is also one of the most widely traded commodities among attackers, with thousands of endpoints for sale on dark web marketplaces at any given time. If an attacker wants to target a specific organization, they can simply purchase RDP access that has already been compromised.

Since it is an essential tool for enterprises, but also provides full network access to attackers if compromised, enterprise security teams need to figure out how to secure RDP for their networks.

How to Secure RDP: Attack Vectors

Before looking at how to secure RDP, it’s important to understand how attackers gain access to it in the first place.

1. Access

The first step in any RDP attack is to access a trusted endpoint. Since every network user is a target, attackers have several options, as they usually only need one username and password to pass the authentication process. With RDP attacks, the primary avenues for attackers to breach authentication are:

  • Brute force: If an attacker has a username, they will make repeated login attempts with different passwords, using dictionary attacks or lists of commonly used passwords.
  • Phishing: A user receives an email, supposedly from the administrator, asking them to log in and perform an action, such as changing a password. However, the link is to an attacker-controlled proxy, which reveals the user’s login information.
  • Social engineering: This preys on a user’s social tendencies to trick them into giving up their password. An example is accessing a colleague’s email account and sending an email to the victim asking for their login details so they can cover an emergency. The relationship of trust and the sense of urgency can cause users to react quickly without thinking about security best practices.

2. Reconnaissance

Once the attacker bypasses authentication and gains network access, they will perform reconnaissance to find account privileges and see how they can escalate the attack.

3. Preparation

As we have seen in attacks like the one on SolarWinds, some attackers are comfortable observing traffic and systems for months before executing anything else. One of the main issues for administrators researching how to secure RDP is that intrusion detection is much more difficult, as an RDP network will naturally receive a large number of connections from disparate locations and users.
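The brute-force avenue listed above and the detection difficulty described here can be addressed together: legitimate RDP logon failures are spread thinly across many users and locations, whereas password guessing or spraying concentrates failures on a few source hosts. The following is an added example, not code from the original post or from HYPR; it runs over a constructed set of Windows Security Event ID 4625 (failed logon) records, and assumes that logon type 10 (RemoteInteractive) identifies the RDP attempts.

```python
"""Flag RDP brute-force / password-spraying from failed-logon events.

Added example (not from the original post). Input rows mimic Event ID 4625
records exported from the Windows Security log: (timestamp, source IP,
target account, logon type). Assumption: logon type 10 marks RDP sessions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {10}  # RemoteInteractive; adjust if NLA failures log as type 3

# Constructed sample: two ordinary typos, one genuine single failure, and a
# burst of 25 failures from one external host against five accounts.
_BASE = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "10.0.0.5", "alice", 10),
    ("2024-03-01T08:00:10", "10.0.0.5", "alice", 10),
    ("2024-03-01T08:01:00", "10.0.0.9", "bob", 10),
] + [
    ((_BASE + timedelta(seconds=4 * i)).isoformat(), "203.0.113.7", name, 10)
    for i, name in enumerate(["administrator", "admin", "alice", "bob", "carol"] * 5)
]


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per source IP with >= `threshold` RDP logon failures
    inside any span of length `window`. Keying on source IP is what separates
    an attacker from the background noise of many users mistyping passwords."""
    per_ip = defaultdict(list)
    for ts, ip, account, logon_type in events:
        if logon_type in RDP_LOGON_TYPES:
            per_ip[ip].append((datetime.fromisoformat(ts), account))

    alerts = []
    for ip, rows in per_ip.items():
        rows.sort()                      # chronological order for the sliding window
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1               # drop failures older than the window
            if end - start + 1 >= threshold:
                accounts = sorted({acct for _, acct in rows[start:end + 1]})
                alerts.append({"source_ip": ip, "failures": end - start + 1,
                               "accounts": accounts,   # >1 account => spraying
                               "first": rows[start][0], "last": rows[end][0]})
                break                    # one alert per source IP is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The `accounts` field distinguishes a single-account guessing run from a spray across many accounts, which is the pattern that a per-account lockout policy alone would miss.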

4. Launch an attack

The reasons why an attacker wants to gain access to the network vary but boil down to three things: data exfiltration, malware deployment or attack escalation. Once the attacker has done their reconnaissance and preparation, they will leverage this access to the Remote Desktop Protocol to perform one of these three.

How to Secure RDP: Defenses

Fortunately for any team looking to secure RDP for their organization, there are several countermeasures they can deploy.

Multi-factor authentication (MFA)

Since the primary avenue for attackers is authentication, this should be a primary prevention goal. Authentication that only requires a username and password offers virtually no protection, and attackers are actively seeking systems that rely on this type of authentication. To mitigate this vulnerability, any organization seeking to secure RDP should deploy, at a minimum, multi-factor authentication. MFA challenges users to provide something they own (OTP, device, security key) or something they are (face scan, fingerprint) in addition to or instead of something they know (password, PIN code).

Completely Passwordless MFA

Security can be significantly improved by completely removing shared secrets from authentication, making it impossible for attackers to guess or steal authentication factors and much more difficult to impersonate a user. Specifically, passwordless authentication based on FIDO standards resists phishing, MitM attacks and hacking attempts, as it does not rely on insecure factors such as SMS or OTP codes. Additionally, since it is based on public-key cryptography, there are no server-side shared secrets for an attacker to steal in order to mount a successful breach.

Role Based Access Control (RBAC)

This grants users access to data strictly on a need-to-know basis and, in theory, prevents a single authentication breach from giving an attacker wide access to the network. However, enforcing and monitoring access control can present significant challenges as user roles and needs evolve, requiring constant assignment and revocation of privileges.

Patch management

There are several versions of RDP dating from the past two decades, with several major flaws found among them. Therefore, organizations should keep their versions patched and updated as attackers can easily locate systems that are still using vulnerable versions.

Microsegmentation

Like RBAC, microsegmentation aims to establish clear divisions between unconnected data assets and repositories to limit the damage caused by a breach. Although this can lead to knowledge silos within an organization, it can be overcome by tools such as data virtualization.

Ensure correct port configuration

Although RDP uses TCP 3389 and UDP 3389 by default, custom configurations can leave unexpected or unauthorized ports open. Therefore, monitoring port usage and hardening the port configuration is essential for securing Remote Desktop Protocol networks.

HYPR can help

The Remote Desktop Protocol is included with Microsoft systems and its use has grown significantly over the past three years, allowing users full access to their desktops from remote locations. Unfortunately, it is also the primary attack vector for attackers looking to gain access to the network by taking advantage of authentication issues. Systems that only require a username and password are the most vulnerable, as they allow attackers to use brute force, phishing, and social engineering to gain RDP access.

If you are looking to secure RDP for your organization, your first step in defense should be to deploy strong authentication systems. The most robust systems completely remove passwords and all shared secrets from their RDP authentication.

HYPR’s MFA True Passwordless™ platform enables your employees to securely log into remote access systems, including RDP, with a frictionless user experience. To find out how HYPR can be a solution to securing remote desktop protocol for your staff and protecting your business assets, contact our team.

*** This is a syndicated blog from the HYPR Blog Security Bloggers Network written by the HYPR team. Read the original post at:
