The Challenge of Securing Microsoft’s Remote Access Solutions
For decades, Remote Desktop Protocol (RDP) software has been used to connect to users and computers remotely. Recently, the number of implementations has increased ten-fold as organizations responded to the global pandemic and the need to work remotely was a requirement of survival.
Organizations of all sizes, including those that already had remote access solutions in place, found themselves having the need to support almost their entire workforce now working remotely. In many cases, this resulted in organizations either deploying new technologies, boosting the capabilities of existing solutions or installing secondary and tertiary solutions in case the primary access method suffered a failure of some kind.
In almost all cases, some form of RDP/RDG or VPN was utilized to allow access to corporate resources. However, Cypfer found that in many cases security best practices were either only partially implemented or entirely overlooked, resulting in failures.
We covered in detail many of the reasons that RDP/RDG and VPN present such a high risk when exposed directly to the internet. Microsoft provided a solution to the numerous RDP-related security woes by releasing a service called Remote Desktop Gateway (RDG). Introduced in Windows Server 2008 and Windows Home Server, RDG addresses some of these concerns by enabling organizations to keep their RDP endpoint servers behind a firewall by exposing just the RDG server to the internet in order to forward the RDP connections. In addition, the technology offers many security features such as Multi-Factor Authentication (MFA) and encryption of RDP traffic using Transport Layer Security (TLS). These offerings are optional in nature and in most cases are never utilized, creating a significant increase in risk of exploitation by threat actors.
Is RDG the solution?
The essence of the cyber security challenge is that no single technology provides a complete solution. RDG is no different. While implementation of RDG does mitigate some of the risks previously discussed, it does not mitigate them all, and threat actors are perfectly aware of this and use it to their advantage.
RDG is part of the solution, most effectively, when an organization is able to implement the technology with a focus on ensuring best practices are followed.
What are some of the key security capabilities to consider with RDP/RDG and VPN?
Implementing remote access into your corporate environment and resources should be handled carefully and thoughtfully. The following are a subset of recommendations to help ensure your implementation is hardened:
- Do not expose RDG or RDP directly to the Internet, place the RDG server behind a VPN solution.
- VPN solutions should utilize a separate authentication database to authenticate users than your active directory domain. You will need to maintain 2 databases, but it serves no purpose to have threat actors figure out a login/password combination to the VPN and use the same combination for access to other internal resources.
- Implement MFA on VPN solutions.
- Implement MFA on the RDG server.
- Visibility is key, ensure all remote access solutions have logging turned on, and that logging is centralized on a separate server such as a SIEM solution.
- Restrict access to resources based on user roles and business needs.
- Segment critical systems from other resources and implement additional access requirements to these critical systems.
- If you are using an LDAP or Active Directory for user authentication, ensure the following capabilities are implemented:
- Password complexity – 12 characters or more using a combination of characters, numbers and symbols;
- Implement account lock-out capabilities; and
- Restrict user access to remote access capabilities.
Cypfer has experience in hardening remote access solutions and can work with your team to help ensure you are using security controls in a layered methodology. Applying security controls in a layered approach creates an “onion-like” configuration. Threat actors may try to “peel” some layers only to be met with additional controls which ultimately can serve to frustrate them and may force them to give up.
Configuration is key, quite literally
As a market leader, Microsoft’s products can offer a great set of capabilities in a secure manner. The products have been around for decades and have undergone significant investment in improving security and reliability. The challenge with remote access tools such as RDP/RDG and VPN is that they can be deployed quite rapidly, and in doing so, security best practices are sometimes overlooked, or they can be deployed thoughtfully and in a secure manner. Certainly, the path of least resistance is also often the least secure. Deploying the technologies in a secure fashion requires skill sets that might not be readily available in most organization. Cypfer can assist in reviewing your organization’s architecture and deployment plan and work with your team to help ensure an appropriate and secure configuration is implemented.
Before exposing any of these technologies directly to the Internet, follow best security practices such as those established by Microsoft such as: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure
If you have already deployed one of these technologies or are looking to deploy them, Cypfer can assist in assessing your security risks and vetting your architecture to help minimize the risks associated with such technologies. Use the contact-us form to submit a request through our website or call us and we will work with you to deploy these technologies using relevant and recognized best practices.