While RDP use feels like it’s on the ropes, it remains a primary contender in cyberattacks today. Part of the blame goes to RDP’s ease of use, its almost native interactive feel, which makes users feel like they’re working locally on their Windows machine, and the fact that VPNs have extended RDPs use outside the organization’s proverbial “four walls”.
No one can deny the productivity value of a “VPN + RDP” strategy; after all, it’s simple and straightforward. But it’s also not the most secure option. In the spirit of this article not being a VPN/RDP bashing session, but – instead – an honest discussion around limitations of your in-place remote access strategy, let’s take a look at three reasons why it may be time that you evolve the user of a VPN and RDP as the means to connect remote users to a corporate endpoint.
1. VPNs Aren’t (Entirely) About Security
From a productivity perspective, the pandemic-driven shift to connect remote users to the office virtually is a brilliant one. But it’s important to emphasize that VPNs are about privacy more than they are about security. The idea of establishing a secure channel between a remote user’s personal endpoint at home with the corporate network really only prevents man-in-the-middle attacks while also keeping the contents of everything streaming across that channel encrypted from prying eyes.
Now, some VPNs are focused on ensuring the remote endpoint attempting to connect is allowed. This is a huge problem, as the entire issue here with most cyberattacks is whether the user account coming across the VPN is not only allowed but is also being used by the owner of the credential in question.
So, as you evaluate your current “VPN + RDP” strategy, it’s necessary to review what functionality your VPN has around ensuring the right employee is using the VPN to connect to the office.
But, even if you make certain you have the right kind of VPN in place, there are still some concerns about this connectivity strategy over on the RDP side of the equation.
2. RDP Remains a Cyberattack Target
I recently wrote an entire article about the latest ransomware strain, Venus, and how Venus’ creators are solely focusing on RDP as their initial attack vector. This is just one example of how RDP is used either to establish a foothold or assist in lateral movement. Of the top 7 most commonly observed ransomware variants in the third quarter of this year, according to ransomware response vendor Coveware’s most recent quarterly ransomware report, 6 of them use RDP as part of their attacks.
The issue here isn’t the RDP is bad; in fact, it’s quite the opposite – it’s a dead-simple way to allow access remotely to a desktop. The issue is that – on its own – RDP is (from a cyberattack perspective) insecure. The security necessary to ensure RDP isn’t being misused is found either on the endpoint being connected to, within Active Directory or as part of a third-party solution – that is, if (and it’s usually a pretty big if) your organization implements more security around RDP at all.
And, to add to this, if your organization is allowing RDP connections for users of a VPN, it means that remote access via RDP is a bit more pervasive throughout the organization – which only enables those cybercriminal gangs (ransomware or otherwise) to achieve lateral movement more easily.
So, because RDP continues to be an asset of the cybercriminal, that half of the “VPN + RDP” equation is looking like it’s only adding risk to the organization.
The good news is it’s not all doom and gloom with this topic…
3. There are Better Remote Access Options
If I had to recommend keeping either the VPN or RDP, from a cybersecurity perspective, I’d choose the VPN (providing it’s validating the user coming across). But whether you use a VPN or not, the choice to use RDP and a VPN is about achieving two goals:
- Establishing a secure communications channel
- Enabling the user to work productively and securely
To this end, there are other means. A web-based remote access solution over HTTPS that supports multi-factor authentication (MFA) would not only more than meet the requirements above but would do so with far more flexibility and security.
Think about it this way. Microsoft initially built out RDP in Windows XP with productivity in mind because the idea of a cybercriminal ecosystem, malicious “as-a-Service” business models, and literal legitimate businesses operating each day trying to figure out how to steal as much money as possible wasn’t a reality back then. So, using such a solution in a situation where ensuring that any external access to the corporate network doesn’t put the organization at risk just doesn’t make sense.
What’s needed is a secure remote access solution that can exist with or without a VPN, that can facilitate access to the internal system regardless of whether the user currently resides within the walls of the organization or is working remotely, and one that supports additional security controls like MFA – in short, one that’s designed with both productivity and security in mind!
To Ditch or Not to Ditch… That is the Question
The VPN half of your remote worker connectivity strategy still remains pretty valid – as long as you recognize the potential limitations of a device-centric VPN and are making sure that your VPN is thinking about security as well as privacy. The RDP half is somewhat non-negotiable; you’re going to need to go shopping for something with a far better security design, that can meet your productivity needs for both internally- and externally initiated remote access.
If you find the right secure remote access solution, it may turn out you don’t actually need a VPN – which only simplifies and likely speeds up the user experience. So, as you consider whether your current remote access strategy is the right one, at very least break up the conversation into its’ two halves, evaluate each half, and build a new strategy based on current remote access solution capabilities that may very well show you a new way to connect users securely and productively to corporate endpoints.
