Remote Desktop Protocol (RDP) Security
Common Remote Desktop Protocol (RDP) Vulnerabilities
- Terminal Services Encryption Level is Medium or Low
- Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness
- Terminal Services Doesn't Use Network Level Authentication (NLA) Only
Terminal Services Encryption Level is Medium or Low
Vulnerability Assessment:
Host Assessment:
Remediation:
Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security/Set client connection encryption level
Set client connection encryption level to High
Note:
High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.
Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.
Verification:
Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness
Vulnerability Assessment:
Host Assessment:
Remediation:
Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security/Require use of specific security layer for remote (RDP) connections
Set Security Layer to SSL (TLS 1.0)
Note:
Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated.
RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated.
SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails.
Verification:
Terminal Services Doesn't Use Network Level Authentication (NLA) Only
Network Level Authentication is an authentication method that completes user authentication before you establish a full Remote Desktop connection and the logon screen appears. This can help protect the remote computer from hackers and malicious software. The advantages of Network Level Authentication are:
- It requires fewer remote computer resources than earlier versions of Remote Desktop Connection. The remote computer uses a limited number of resources before authenticating the user, rather than starting a full Remote Desktop connection as in earlier versions.
- It can help provide better security by helping to reduce the risk of denial-of-service attacks. (A denial-of-service attack attempts to limit or prevent access to the Internet.)
- It uses remote computer authentication, which can help protect users from connecting to remote computers that are set up for malicious purposes.
Vulnerability Assessment:
Host Assessment:
Remediation:
Option 1: Among the Remote Desktop options, select "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)".
Verification:
Code Execution on RDP Clients
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/
Baseline for RDP
https://www.fireeye.com/blog/threat-research/2018/04/establishing-a-baseline-for-remote-desktop-protocol.html
Windows Firewall for RDP
Navigate to Windows Firewall with Advanced Security > Remote Desktop (TCP-In) > Scope
Add whitelisted IP addresses in the "Remote IP address" section.
IP addresses that are not listed will not be able to connect to RDP.
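The Verification sections above are left empty. As an added example (not part of the original page), the following PowerShell audit reads the effective encryption level, security layer and NLA setting for the RDP-Tcp listener (Group Policy values under the Policies key override the listener's own values) and checks whether the Remote Desktop (TCP-In) firewall rule carries an IP allow-list, so it covers the three remediations and the firewall section together. The function names and result field names are assumptions.

```powershell
# Added example (not from the original page): audit the RDP hardening points
# listed above on the local host. Run in an elevated PowerShell. Function names
# Get-EffectiveRdpValue / Test-RdpHardening and the result field names are assumptions.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# A Group Policy value (policy key) overrides the listener's own value when present.
function Get-EffectiveRdpValue([string]$Name) {
    foreach ($key in $PolicyKey, $ListenerKey) {
        $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return [int]$v }
    }
    return $null   # never set: Windows applies its default
}

function Test-RdpHardening {
    $encNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    $secNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

    $enc = Get-EffectiveRdpValue 'MinEncryptionLevel'   # finding 1
    $sec = Get-EffectiveRdpValue 'SecurityLayer'        # finding 2
    $nla = Get-EffectiveRdpValue 'UserAuthentication'   # finding 3

    # Scope of the enabled inbound RDP rule(s); the display name differs between
    # Windows versions, hence the wildcard. RemoteAddress 'Any' means no allow-list.
    $remote = Get-NetFirewallRule -DisplayName 'Remote Desktop*(TCP-In)' -Enabled True -ErrorAction SilentlyContinue |
              Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress }
    $scoped = [bool]$remote -and ($remote -notcontains 'Any')

    [pscustomobject]@{
        EncryptionLevel      = if ($null -ne $enc) { $encNames[$enc] } else { 'not set (default)' }
        EncryptionLevelOk    = ($enc -ge 3)      # High or FIPS Compliant
        SecurityLayer        = if ($null -ne $sec) { $secNames[$sec] } else { 'not set (default)' }
        SecurityLayerOk      = ($sec -eq 2)      # SSL (TLS) required, server authenticated
        NlaRequired          = ($nla -eq 1)      # NLA-only connections
        FirewallScopeApplied = $scoped
        FirewallRemoteAddrs  = ($remote -join ', ')
    }
}

Test-RdpHardening | Format-List
```

Any False in EncryptionLevelOk, SecurityLayerOk, NlaRequired or FirewallScopeApplied maps to one of the findings listed on this page.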