More people working from home has led to an increase in remote desktop access, putting corporate systems at risk.

Microsoft has warned of the risks associated with allowing remote access to desktop services while working from home, publishing guidance on how IT teams can maintain secure working environments when faced with an increase in remote connections.

It said there has been an increase in the number of systems accessible via the traditional Remote Desktop Protocol (RDP) port and a well-known "alternative" port used for RDP.

Although Remote Desktop Services (RDS) can be a fast way to enable remote access for employees, there are a number of security challenges that need to be considered, said James Ringold, enterprise security advisor for Microsoft's Cybersecurity Solutions Group.

"Attackers continue to target the RDP and service, putting corporate networks, systems, and data at risk (e.g. cybercriminals could exploit the protocol to establish a foothold on the network, install ransomware on systems, or take other malicious actions)."

The rapid outbreak of COVID-19 and the resulting lockdowns meant many businesses were unable to prepare for the demands remote working would place on IT teams and technical resources.

Ringold said that companies that were forced to quickly find means of allowing employees to access work networks may have relied on the default RDP, potentially leaving corporate networks and applications vulnerable.

Research from IoT search engine Shodan suggests that this led to an increase in March in the number of systems accessible via both the standard RDP port and the "alternate" port 3388, both of which can be exploited fairly easily by hackers if exposed.

The risk is even higher when providing administrators with access to on-premises systems, because their much higher access privileges can extend to both the network and the operating-system level.

According to Microsoft, various considerations should be made when offering remote desktop access to employees, including reviewing firewall policies to assess whether any systems are directly exposed to the public internet; controlling and logging remote access by employees; implementing multi-factor authentication; and assessing whether it would be possible for a hacker to move laterally through a corporate network once they gained access.

Ultimately, considerations for remote access should be weighed against businesses’ own cybersecurity resilience and risk appetite, Ringold said.

"Leveraging remote desktop services offers great flexibility by enabling remote workers to have an experience like that of working in the office, while offering some separation from threats on the endpoints," he said.

"At the same time, those benefits should be weighed against the potential threats to the corporate infrastructure. Regardless of the remote access implementation your organization uses, it is imperative that you implement best practices around protecting identities and minimizing attack surface to ensure new risks are not introduced."

Microsoft said that, to identify whether their company is using RDP, IT professionals should audit and review firewall policies and scan the internet-exposed address ranges and cloud services they use to uncover any exposed systems. Firewall rules may be labeled as "Remote Desktop" or "Terminal Services." The default port for Remote Desktop Services is TCP 3389, but an alternate port of TCP 3388 might sometimes be used if the default configuration has been changed, it said.
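
The firewall-policy review described above can be scripted over an exported rule list. The following is an added example, not code from Microsoft or from the original article; the CSV column layout and the sample rules are constructed assumptions, so adapt the field names to whatever your firewall actually exports.

```python
import csv
import io

RDP_PORTS = {3389, 3388}  # default and alternate TCP ports named in the article
RDP_LABELS = ("remote desktop", "terminal services")  # rule labels named in the article

# Constructed sample export; the column layout is an assumption, not a vendor format.
SAMPLE_RULES = """name,direction,action,protocol,local_port,remote_address,enabled
Remote Desktop - User Mode (TCP-In),in,allow,tcp,3389,any,true
Legacy admin access,in,allow,tcp,3380-3390,any,true
Terminal Services (jump host only),in,allow,tcp,3389,10.20.0.5,true
Web front end,in,allow,tcp,"80,443",any,true
Remote Desktop (disabled),in,allow,tcp,3389,any,false
Custom mgmt,in,allow,tcp,3388,0.0.0.0/0,true
Block RDP from guest VLAN,in,block,tcp,3389,any,true
"""

def ports_in_spec(spec):
    """Return the RDP ports covered by a spec such as '3389', '80,443' or '3380-3390'."""
    spec = spec.strip().lower()
    if spec in ("any", "*", ""):
        return set(RDP_PORTS)
    hit = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)  # a single port is a range of one
        hit |= {p for p in RDP_PORTS if lo <= p <= hi}
    return hit

def audit(rules_csv):
    """Return (severity, rule name, matched ports) for enabled inbound allow rules touching RDP."""
    findings = []
    for r in csv.DictReader(io.StringIO(rules_csv)):
        if r["enabled"].lower() != "true" or r["direction"] != "in" or r["action"] != "allow":
            continue
        if r["protocol"].lower() not in ("tcp", "any"):
            continue
        ports = ports_in_spec(r["local_port"])
        # A rule labelled as RDP is reported even if its port was moved elsewhere.
        labelled = any(label in r["name"].lower() for label in RDP_LABELS)
        if not ports and not labelled:
            continue
        open_to_all = r["remote_address"].lower() in ("any", "*", "0.0.0.0/0", "::/0")
        findings.append(("EXPOSED" if open_to_all else "SCOPED", r["name"], sorted(ports)))
    return findings

if __name__ == "__main__":
    for severity, name, ports in audit(SAMPLE_RULES):
        print(f"{severity:8} {name} ports={ports}")
```

Rules reported as EXPOSED accept RDP from any source address and are the ones to restrict or place behind a gateway first; SCOPED rules still merit a check that the allowed source is intended.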