What started out as Terminal Services, part of Windows NT 4.0 Server, back in 1998, has enabled users to remotely interact with a Windows desktop environment for more than two decades.
But back in 1998 none of us was even thinking about the possibility that someone would (GASP!) misuse the functionality for their own malicious purposes; the idea of a hacker was someone targeting government networks, infrastructure, etc.—nothing even remotely close to the average business.
Fast forward to 2022. Remote Desktop Protocol, in its current iteration, is still very much used by organizations today. That’s because it still meets the simple need of remotely connecting to a Windows machine.
But also, fast forward to the current day, which includes the need to secure a network from any external cyber risk that may exist—and the first thing that should come to mind is RDP.
What is Remote Desktop Protocol (RDP)?
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that enables users to access and control a remote computer over a network connection.
Essentially, RDP allows users to interact with a remote desktop, applications, and resources as if they were physically present at the remote computer.
This capability is widely utilized across various industries, including healthcare, finance, and education, to facilitate remote access for employees, contractors, and partners.
By leveraging RDP, organizations can ensure that their workforce remains productive, regardless of their physical location.
How Does RDP Work?
RDP operates by establishing a secure connection between the client computer and the remote computer. The client computer sends keyboard and mouse inputs to the remote computer, which processes these inputs and sends back the display data to the client computer.
The TCP/IP protocol carries this interaction and provides a reliable network connection. To safeguard the data transmitted between the two computers, RDP encrypts the session, using TLS in current configurations or, in the legacy RDP Security mode, RC4.
Additionally, RDP supports multiple authentication methods, including username/password, smart cards, and biometric authentication, to verify the identity of users accessing the remote computer.
Securing RDP is a Security Risk
RDP is just minding its own business, helping users be productive. So, why is it being focused on so much? When considering the service from a cybersecurity perspective, we must use the risk lens to determine its fate.
The reality is that using RDP (without proper compensating controls) creates risk for an organization as cybercriminals can exploit vulnerabilities to gain access to systems. There are a few issues with Remote Desktop Protocol that create this risk:
Readily Available Platform
It’s a built-in service on the “server” side (whether that is a Windows desktop or server OS), with a built-in client on every Windows machine. I mean, c’mon—we’re not even making this difficult for the threat actor!
Directly Accessible from the Internet
Unlike more advanced services like Zero Trust Network Access, which scrutinizes the connection request before connecting the requesting user to the remote desktop, RDP connections are directly exposed to the Internet.
Used Port is Irrelevant
I can’t tell you how many times I’ve heard “I changed the port.” It doesn’t matter. Threat actors use port scanners to look for active ports, testing them to determine what service is exposed based on the response. So, move the port from 3389 to whatever you want; the bad guys will find it anyway.
Uses Single Authentication Factor
By default, RDP relies on AD’s scrutiny of a username and password combination to provide access. This is the very same username and password that could be collected via a credential harvesting phishing scam that collects Microsoft 365 logons.
Enable a Brute Force Attack
If the system hosting the RDP session is Windows 10 or earlier, it may be using a specific default account lockout policy that will not lock out the credential despite repeated unsuccessful attempts to log on using the same account.
Limited Visibility
Unless an organization implements Microsoft Remote Desktop Services (the current iteration of Terminal Services), it may not know which systems have RDP enabled, which are exposed externally (especially if the systems in question are sitting in, say, a DMZ outside the firewall), and—most importantly—which ones are actually being used.
Internal Access to a Compromised Remote Endpoint
When the connection is established, the security posture of the external client connecting to an internal Windows desktop is never evaluated. The assumption is simply that whoever presents a credential that has remote desktop privileges is the owner of that credential.
(Simple) VPNs don’t add any security to RDP
Many organizations believe “RDP + VPN = Security.” But that is rarely true. If the VPN merely provides a secure channel between the external endpoint and the internal system running RDP, the connection’s privacy is certainly maintained, but nothing else about the scenario becomes more secure.
Many modern VPN services augment the security of the connection using features like multi-factor authentication, certificates present on the remote endpoint, or IP restrictions (to name just a few). Thus, the overall connection is more secure—but not thanks to RDP itself.
The simple truth is that for an organization today that wants to stop the misuse of Internet-facing remote access by threat actors of any nature, all of the risks above must be eliminated.
The threat actor who wants to gain unauthorized access to the remote access that is in place in your organization should be met with some (if not an extremely high) degree of difficulty along the way:
When they scan your ports, it’s not super obvious, “Oh, that’s RDP!”
The remote client isn’t a Run command away.
They can’t log on as many times as they want without locking the account.
They need to provide additional authentication factors at logon.
And you know which systems are externally accessible and when they are utilized.
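As an added example (not from the article), here is a PowerShell function that spots the repeated failed logons the brute-force and lockout discussion above is about, so a source that keeps guessing passwords is noticed even on a host whose lockout policy never triggers. The sample events are constructed for the demo; the property indices used for real 4625 events follow the Windows Security event schema.

```powershell
# Added example (not from the article): detect RDP password guessing from Windows
# Security log events. Event ID 4625 = failed logon. Logon Type 10 = RemoteInteractive;
# with NLA enabled a failed RDP attempt is logged as Logon Type 3 (network), so both count.
function ConvertFrom-FailedLogonEvent {
    # Map a real 4625 event (from Get-WinEvent) to the flat shape used below.
    # Property indices follow the 4625 event schema: 5=TargetUserName, 10=LogonType, 19=IpAddress.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Account   = $Event.Properties[5].Value
            LogonType = [int]$Event.Properties[10].Value
            SourceIp  = $Event.Properties[19].Value
        }
    }
}
function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Failures,  # objects with Time, Account, LogonType, SourceIp
        [int] $Threshold = 10,                         # failures per source before alerting
        [int] $WindowMinutes = 15                      # sliding window, sized like a lockout window
    )
    $remote = $Failures | Where-Object { $_.LogonType -in 3, 10 }
    foreach ($group in ($remote | Group-Object SourceIp)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object Time)
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            # Alert when $Threshold failures from one source fall inside one window.
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $group.Count
                    Accounts  = (@($group.Group.Account | Sort-Object -Unique)) -join ','
                    FirstSeen = $times[0]
                    LastSeen  = $times[-1]
                }
                break
            }
        }
    }
}
# Constructed sample: 12 failures in six minutes against 'administrator' from one address,
# plus one typo by a legitimate user. On a real host feed the function with
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ConvertFrom-FailedLogonEvent
$t0 = Get-Date '2022-06-01 02:00:00'
$sample = @(0..11 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(30 * $_); Account = 'administrator'; SourceIp = '203.0.113.7'; LogonType = 10 } })
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(3); Account = 'jsmith'; SourceIp = '10.0.0.25'; LogonType = 10 }
Find-RdpBruteForce -Failures $sample | Format-Table -AutoSize   # reports only 203.0.113.7
```

The window and threshold mirror a lockout policy, so the same numbers that would lock the account on a correctly configured host produce an alert on a host where lockout is disabled.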
So, to answer the question posed in the title of this article, let’s say that RDP is definitely not a secure way to connect remotely over the Internet.
Depending on your organization’s remote access needs, there are plenty of other remote access solutions that give remote users secure access to internal systems without the risks RDP inherently brings (keeping in mind that you would need to wrap Remote Desktop Protocol in a number of third-party solutions anyway to eliminate the risk it natively creates).
Enhancing RDP Security with Virtual Private Network (VPN)
A Virtual Private Network (VPN) is a technology that creates a secure and encrypted tunnel between the client computer and the remote computer.
Organizations can significantly enhance RDP security by encrypting traffic and protecting it from interception and eavesdropping using a VPN.
VPNs also offer additional security features, such as authentication, authorization, and accounting (AAA), to ensure that only authorized users can access the remote computer.
To implement this enhanced security, organizations can deploy a VPN client on the client computer and a VPN server on the remote computer, creating a robust defense against potential threats.
Best Practices for Secure Remote Desktop
To ensure secure remote desktop access, organizations should adhere to the following best practices:
Use strong passwords and password policies: To enhance security, implement complex passwords and enforce policies such as password expiration and lockout.
Enable Network Level Authentication (NLA): NLA adds an extra layer of security by requiring users to authenticate before establishing a remote desktop connection.
Use a Virtual Private Network (VPN): VPNs encrypt RDP traffic, protecting it from interception and eavesdropping.
Limit RDP access to specific IP addresses and ports: Restrict RDP access to specific IP addresses and ports to prevent unauthorized access.
Monitor RDP activity: Regularly monitor RDP activity for suspicious behavior and take action to prevent unauthorized access.
Regularly update and patch RDP software: Keep RDP software up-to-date with the latest patches to fix vulnerabilities and prevent exploitation.
Use secure communication protocols: Encrypt RDP traffic using secure communication protocols, such as Transport Layer Security (TLS).
Implement multi-factor authentication: Add an additional layer of security by requiring multiple forms of authentication.
By following these best practices, organizations can ensure secure remote desktop access and protect their remote computers and data from unauthorized access.
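Added example, not the article’s own: a PowerShell script that audits and then applies the host-level settings from the list above (NLA, TLS-only security layer, firewall scoping, lockout policy, logon failure auditing). The allowed subnet and thresholds are assumptions; run it elevated on the RDP host, and on domain members set the equivalents through Group Policy rather than locally.

```powershell
# Added example (not from the article): audit and harden RDP on one Windows host.
# Run in an elevated session. Values marked as assumptions must be adapted to your network.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$allowedSources = '10.0.0.0/24'   # assumption: the only network allowed to reach RDP (e.g. a VPN pool)

function Get-RdpSecurityState {
    $p = Get-ItemProperty -Path $rdpTcp
    [pscustomobject]@{
        RdpEnabled    = ((Get-ItemProperty -Path $tsRoot).fDenyTSConnections -eq 0)
        NlaRequired   = ($p.UserAuthentication -eq 1)   # Network Level Authentication
        TlsOnly       = ($p.SecurityLayer -eq 2)        # 0=RDP Security, 1=Negotiate, 2=TLS
        FirewallScope = ((Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                          Get-NetFirewallAddressFilter).RemoteAddress | Sort-Object -Unique) -join ','
        Lockout       = (net accounts | Select-String 'Lockout threshold').ToString().Trim()
    }
}

function Set-RdpHardening {
    # 1. Require NLA: the user authenticates before a session (and its attack surface) exists.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    # 2. Force TLS for the transport instead of the legacy, RC4-based RDP Security layer.
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2
    Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3   # 3 = High
    # 3. Scope the built-in Remote Desktop firewall rules to the allowed source network only.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $allowedSources
    # 4. Lock out after 10 failures within 15 minutes, for 15 minutes (assumed thresholds).
    net accounts /lockoutthreshold:10 /lockoutwindow:15 /lockoutduration:15
    # 5. Record failed logons so the 4625 events needed for monitoring actually exist.
    auditpol /set /subcategory:"Logon" /failure:enable
}

Get-RdpSecurityState   # state before hardening
Set-RdpHardening
Get-RdpSecurityState   # state after: NlaRequired/TlsOnly True, scoped firewall, lockout threshold 10
```

Changing the listening port is deliberately absent from the script; as the article notes, it adds nothing a port scan will not undo.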
The Future of RDP Security
Remote Desktop Protocol (RDP) has become an essential tool for businesses seeking efficient remote access solutions.
However, as technology continues to advance, the risks and challenges around RDP evolve in parallel.
Staying informed about emerging trends and adapting to future developments in RDP security will be crucial for organizations that rely on remote access to maintain productivity and protect valuable data.
Emerging Trends in Remote Access Security
Cloud-Based RDP Solutions: A growing shift toward cloud-hosted remote desktop services is transforming how organizations manage and secure remote access. By centralizing control and monitoring in the cloud, these solutions often provide more robust authentication, better scalability, and automated updates to address new vulnerabilities.
Zero Trust Architecture: The zero-trust approach assumes that no user or device is inherently trustworthy, even within the organization’s network. Remote desktop connections operating under zero-trust principles require continuous authentication, role-based permissions, and strict resource segmentation, thereby reducing the risk of unauthorized access.
Stronger Encryption Standards: As cyberattacks become more sophisticated, end-to-end encryption and secure tunneling are becoming more important in preventing data interception. Advanced cryptographic methods safeguard user credentials and session data, ensuring that even if attackers can capture traffic, they cannot easily decipher its contents.
Predictions for RDP Security and Improvements
Innovative Authentication Methods
Future RDP implementations may include biometric verification (fingerprint, facial recognition) and advanced multi-factor authentication (MFA) using tokens or mobile devices. These measures provide an extra layer of defense beyond traditional username-password combinations, helping thwart brute-force attacks.
Integration of AI and Machine Learning
Artificial intelligence (AI) and machine learning (ML) technologies are expected to enhance intrusion detection and threat prevention in real time. By analyzing user behaviors and network patterns, AI-driven solutions can flag anomalies—such as abnormal login times or unusual geographic locations—to catch potential intrusions before they cause harm.
Dynamic Policy Enforcement
Future RDP security models may use context-aware policies that adapt based on user activity and risk level. For instance, if a user attempts to access sensitive files from an unknown device or at an odd hour, the system can automatically require additional authentication or temporarily block the session.
Proactive Threat Intelligence
Organizations are likely to incorporate threat intelligence feeds and automated security orchestration into RDP sessions. This approach uses external databases of known attack patterns and malicious IP addresses, enabling the system to proactively block suspicious traffic or quarantine compromised endpoints.
Charting a Secure Path for RDP
While RDP remains a reliable and convenient method for remote access, security cannot be an afterthought.
By tracking emerging trends—from cloud-based services and zero trust frameworks to AI-powered intrusion detection—and embracing future enhancements such as multi-factor authentication and next-generation encryption, organizations can stay one step ahead of cyber threats.
Implementing best practices and proactively updating RDP configurations not only mitigates potential risks but also creates a secure, scalable environment that promotes business continuity and user confidence. As remote access continues to evolve, anticipating and adapting to new security challenges will be essential for maintaining a robust defense against ever-changing threats.