
How Binding Operational Directive 23-02 Makes the Case (and Mandate) for Secure Remote Access


In 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive 23-02 (BOD 23-02): Mitigating the Risk from Internet-Exposed Management Interfaces – a directive aimed at securing both network management devices and device management interfaces (e.g., firewalls, routers, VPNs, etc.) and any device that can be remotely managed using a variety of internal enterprise network protocols including hypertext transfer protocol (HTTP), file transfer protocol (FTP), SSH, SMB, and Remote Desktop Protocol (RDP).

While BOD 23-02 is mandatory for federal civilian agencies, CISA has strongly encouraged private sector organizations to follow the same guidance. The risks created by internet-exposed management interfaces are not unique to government environments, and the directive reflects broader cybersecurity best practices that apply to any enterprise network.

Understanding CISA BOD 23-02

The CISA BOD 23-02 directive mandates that federal agencies and sub-agencies make applicable interfaces across federal information systems – whether internally discovered or “within 14 days of notification by CISA” – either accessible only internally, or protected by access controls enforced by a policy enforcement point on a separate device (a basic tenet of Zero Trust architecture capabilities).

The directive applies specifically to dedicated device interfaces used for administrative access and requires that they be removed from the public facing internet or protected through a policy enforcement point separate from the system being accessed.

CISA, the federal infrastructure security agency within the Department of Homeland Security, also clarified that it planned to scan for devices and interfaces as part of ongoing asset management efforts, to identify devices in scope of the Directive and notify agencies of all findings. This includes identifying newly added devices and devices residing outside expected network boundaries, with agencies expected to maintain visibility through a centralized reporting interface.

Not more than two weeks later, an analysis of more than 50 federal civilian executive branch agencies was conducted by Internet threat-hunting vendor Censys. In total, Censys found over 250 instances of “web interfaces for hosts exposing network appliances, many of which were running remote protocols.”

How Exposed Interfaces Expand Your Attack Surface

The analysis confirms CISA’s worst fears: despite a belief that an agency’s enterprise network is secure, there are plenty of exposed ports tied to misconfigured management interfaces. These hand threat actors the management protocols used for administrative activity, protocols that can potentially be misused for malicious purposes.

Scope exposure: Analysis of FCEB agencies

The attack surface created by these exposures often includes legacy services such as simple network management protocol or trivial file transfer protocol, which were never designed to be safely accessible over modern networks.

Securing Network Devices and Network Infrastructure

So, what should organizations in the private sector take away from this directive and subsequent risk analysis? Three things come to mind:

1. Any Kind of Remote Access Can Be a Risk

While we spend a lot of time on this blog talking mostly about remote access from an authorized user “remotely accessing a desktop” perspective, CISA’s list of protocols in the directive is rather extensive and aligns with the long list of examples found within two Initial Access techniques from the MITRE ATT&CK Framework: Exploit Public-Facing Application and External Remote Access.

MITRE ATT&CK: Initial Access Techniques

Beyond RDP, services such as virtual network computing, remote login, and even legacy teletype network access methods continue to appear in real-world environments, increasing the likelihood of exploitation.

CISA does mention a number of remote desktop-type protocols in their directive as well, furthering the notion that this kind of access remains a risk.

2. You Have More Present Risk Than You Think

The Censys analysis found an average of five interfaces per agency that met the Directive’s criteria. Some of them were even using the Windows SMB protocol (meaning, in theory, an external machine could map a drive to a Windows share at the exposed IP address).

In many environments, exposed access also extends to load balancers, application programming interfaces, and management portals that were never intended to be reachable externally.

Unless your organization does its own threat hunting and port scanning, you should assume you have more exposure than you know about and commission an analysis of your own externally facing risk.

3. “Secure” is the Goal

While CISA’s first mandate is to “remove the interface from the internet,” removal is only mentioned as an alternative, should an agency be unable to bring the exposed interface under proper controls. From the directive:

For the purposes of this Directive, as outlined in the required actions section below, networked management interfaces are allowed to remain accessible from the internet on networks where agencies employ capabilities to mediate all access to the interface in alignment with OMB M-22-09, NIST 800-207, the TIC 3.0 Capability Catalog, and CISA’s Zero Trust Maturity Model.

Zero Trust Architecture is an enterprise approach to designing and implementing access policies that assume no implicit trust and require continuous verification for every access request.

This approach often includes placing management access behind an isolated management network and deploying capabilities that continuously validate identity, device posture, and session context.

The practice minimizes uncertainty by enforcing least-privilege access decisions across information systems and services, ensuring that users and devices receive only the access required for a specific task, session, and duration.

So, CISA is saying that IF you can properly secure your remote access (using Zero Trust as the standard), it’s acceptable to have it continue to be accessible from the public Internet.

“Zero Trust Remote Access”?

All four of the referenced documents help to define Zero Trust principles and Zero Trust capabilities. 

Zero Trust Remote Access

It’s important to keep in mind that there are only Zero Trust principles and solutions that adhere to them. There are no actual “Zero Trust solutions” (i.e., solutions that have somehow received a nonexistent Zero Trust certification, etc.).

According to CISA, what’s important when applying this to your organization’s secure remote desktop access is:

  1. that the remote access is secured by policy

  2. that the policy engine (the system that establishes and pushes out security policies) be separate from the system providing the remote access.
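As an added illustration that is not part of the original post or of any RealVNC product, the following policy-as-code check turns the two criteria above, together with the “assume you have more exposure than you know about” advice from point 2, into a test you can run over an interface inventory: each record is accepted only if it is reachable solely from internal address space or is mediated by a policy enforcement point (PEP) running on a device other than the one being managed. The inventory, hostnames, addresses and the port-to-protocol table are constructed assumptions for the sample.

```python
# Added example: classify an interface inventory against BOD 23-02's two acceptable states.
import ipaddress
from datetime import date, timedelta

# Management protocols named in the directive and the post, keyed by their
# well-known port. The mapping is an assumption for this sample; a real
# inventory would carry the service name from the scan itself.
MGMT_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 69: "TFTP", 80: "HTTP", 161: "SNMP",
    443: "HTTPS", 445: "SMB", 513: "rlogin", 3389: "RDP", 5900: "VNC",
}

# The organisation's internal address space (assumed: the RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def assess(iface: dict) -> tuple[str, str]:
    """Return ("ok" | "finding", reason) for one inventory record."""
    service = MGMT_PORTS.get(iface["port"])
    if service is None:
        return "ok", "not a management protocol in scope"
    if is_internal(iface["ip"]):
        return "ok", f"{service} reachable only from internal address space"
    pep = iface.get("pep_device")  # device enforcing access policy, if any
    if pep is None:
        return "finding", f"{service} exposed with no policy enforcement point"
    if pep == iface["host"]:
        return "finding", f"{service} PEP runs on the managed device itself"
    return "ok", f"{service} mediated by separate PEP {pep}"

def findings(inventory: list[dict]) -> list[tuple[str, str]]:
    out = []
    for iface in inventory:
        status, reason = assess(iface)
        if status == "finding":
            out.append((iface["host"], reason))
    return out

def remediation_deadline(notified: date) -> date:
    """The directive allows 14 days from CISA notification."""
    return notified + timedelta(days=14)

# Constructed sample inventory (hosts and addresses are illustrative only).
SAMPLE = [
    {"host": "fw-edge-1", "ip": "203.0.113.10", "port": 443, "pep_device": "fw-edge-1"},
    {"host": "file-srv-2", "ip": "198.51.100.7", "port": 445},
    {"host": "jump-1", "ip": "203.0.113.20", "port": 3389, "pep_device": "ztna-gw-1"},
    {"host": "sw-core-1", "ip": "10.20.0.5", "port": 161},
    {"host": "web-1", "ip": "203.0.113.30", "port": 8443},
]
```

Running `findings(SAMPLE)` flags the firewall whose PEP is itself and the SMB share with no PEP at all, while the RDP jump host behind a separate gateway and the internal-only SNMP interface pass.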

So, to bring any remote access under “compliance” (if you will) with CISA’s directive for Zero Trust principles to be in place, there are a few things you can initially do:

1. Use a Centrally Managed Remote Access Solution

If you are using, say, a single endpoint providing RDP access externally, you’re definitely not secure.

Legacy vs Zero Trust Remote Access Setup

You need to use a remote access solution that centrally establishes who can access which systems remotely, from where, and when, etc.

2. Use Multi-Factor Authentication (MFA)

Nestled within the NIST 800-207 document that describes Zero Trust is a core tenet stating that MFA should be used. While it is not stated as required at all times, here we’re talking about providing access to an endpoint within organizational information systems, one that could also become a persistent foothold for threat actors. So, MFA is always needed here.

3. Determine if Secure Remote Management and Access is All You Need

The state of organizational cybersecurity, in general, is moving towards Zero Trust, albeit slowly; fully implementing Zero Trust can take years. It’s why I emphasize the immediate need to embrace Zero Trust principles and not be concerned so much with needing to be “compliant” with Zero Trust (as if it’s a standard with specific implementation requirements… which it’s not).

But for those of you thinking that you want to better understand what differentiates solutions like Zero Trust Network Access and a Secure Remote Access solution, read about which solution is right for your organization.

Mitigating the Risk: Secure Your Remote Access… And Fast!

If nothing else, the directive from CISA makes the case that the risk created by exposed remote access is something that needs to be addressed quickly. Their 14-day required response time indicates how big a problem this is, and how fast your organization should address the risk, regardless of whether you are in the public or private sector.
