Secure your internet-exposed RDP server

Remote desktop protocol has security vulnerabilities – if you have to use it, you can mitigate the risk by using a virtual private network (VPN) or implementing stronger security controls.

What it is

Remote desktop protocol (RDP) is a common way to connect to a Windows computer remotely. Though this can be useful, the protocol has a number of vulnerabilities that become reachable by attackers when the server is connected to the internet.

The risks

RDP is a complex protocol that was not designed with modern internet security in mind, and it is one of the most common pathways that lead to ransomware attacks.

Ransomware

Internet-exposed services are an easy target for attackers. Two of the most common issues with internet-exposed RDP servers are:

  • attackers using credentials they have obtained, or
  • attackers exploiting an unpatched vulnerability in RDP itself, such as BlueKeep.

CERT NZ advice on BlueKeep – CERT NZ

No matter how an attacker gains initial access, once they're in, they have a foothold on your network. This can lead to more damaging attacks, such as stealing or encrypting your business’ data.

How to protect your business

See CERT NZ's critical control for IT specialists:

Securing internet-exposed services – CERT NZ

Decide if you really need an RDP server

In some cases, the RDP server is not even needed.

For example, if you’re using an RDP server to access applications remotely, you could instead:

  • make the applications available directly over a virtual private network (VPN) connection, or
  • use modern virtual desktop products.

These are both more secure alternatives to internet-exposed RDP.

Use RDP over a VPN

If you need to access a Windows server from another network (for example, staff working from home, or an IT service provider), we recommend using a VPN to create a tunnel between those networks.

Types of remote access software

For staff working from home, using a VPN to create a tunnel between their device and your network will allow the staff member to access the RDP server as if they were in the office. This is often referred to as a point-to-site VPN. This VPN should be configured to require two-factor authentication (2FA) for an extra layer of security.

Protect your business with two-factor authentication (2FA)

IT service providers could also consider a site-to-site VPN, such as IPsec tunnels. If you’re using a site-to-site VPN, you’ll need to enforce 2FA on each application and system that is accessible over the VPN, as individual users will not need to authenticate to the VPN endpoint.

No matter which VPN technology you use, you need to:

This ensures someone with access to the VPN can only access the systems that they should be able to, and no more.
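As an added example (not from the CERT NZ page), here is a check a defender can run over exported Windows logon events to confirm that RDP sessions only arrive through the VPN client pool and to spot repeated credential failures from one source. The VPN pool range, the threshold and the event records are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Assumed point-to-site VPN client pool (placeholder; substitute your own range).
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample records in the shape of Windows Security log fields.
# EventID 4624 = logon succeeded, 4625 = logon failed; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
EventID=4624 LogonType=10 TargetUserName=alice IpAddress=10.8.0.12
EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
EventID=4625 LogonType=10 TargetUserName=bob IpAddress=203.0.113.45
EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=198.51.100.7
EventID=4624 LogonType=3 TargetUserName=alice IpAddress=192.0.2.10
EventID=4624 LogonType=10 TargetUserName=carol IpAddress=-
"""

EVENT_RE = re.compile(r"EventID=(?P<id>\d+) LogonType=(?P<type>\d+) "
                      r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)")

def parse_events(text):
    """Yield (event_id, logon_type, user, source_ip) per well-formed line; source_ip is None if absent."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # '-' or a missing address: keep the event, mark the source unknown
            ip = None
        yield int(m["id"]), int(m["type"]), m["user"], ip

def audit_rdp_logons(text, vpn_pool=VPN_POOL, failure_threshold=3):
    """Flag RDP logons that did not arrive through the VPN pool, and sources with repeated failures."""
    outside_vpn = []      # (event_id, user, source) for RDP logons not from the VPN pool
    failures = Counter()  # failed RDP logons per source address
    for event_id, logon_type, user, ip in parse_events(text):
        if logon_type != 10:
            continue  # only RemoteInteractive (RDP) sessions are of interest here
        if ip is None or ip not in vpn_pool:
            outside_vpn.append((event_id, user, str(ip) if ip else "unknown"))
        if event_id == 4625 and ip is not None:
            failures[str(ip)] += 1
    return {
        "outside_vpn": outside_vpn,
        "successful_outside_vpn": [u for e, u, _ in outside_vpn if e == 4624],
        "failure_bursts": {ip: n for ip, n in failures.items() if n >= failure_threshold},
    }
```

A successful RDP logon from outside the VPN pool means the server is reachable by a path the VPN was meant to replace, which is the condition this page advises removing.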

Secure your RDP server if you do need to use it

If you do need to use RDP, whether exposed to the internet or internally, CERT NZ has some more information about how to secure the RDP server and clients.

Hardening RDP if you have to use it – CERT NZ