Unfortunately you are viewing this website on an outdated browser which does not support the necessary features for us to provide an adequate experience.
Please switch to a modern browser such as latest version of Google Chrome, Mozilla Firefox, Apple Safari or Microsoft Edge.
Remote desktop protocol has security vulnerabilities – if you have to use it, you can mitigate the risk by using a virtual private network (VPN) or implementing stronger security controls.
Remote desktop protocol (RDP) is a common way to connect to a Windows computer remotely. Though this can be useful, the protocol has a number of vulnerabilities that can be exposed when connected to the internet.
RDP is a complex protocol that was not designed with modern internet security in mind, and is one of the most common pathways that leads to ransomware attacks.
Internet-exposed services are an easy target for attackers. Two of the most common issues with internet-exposed RDP servers are:
CERT NZ advice on Bluekeep(external link) – CERT NZ
No matter how an attacker gains initial access, once they're in, they have a foothold on your network. This can lead to more damaging attacks, such as stealing or encrypting your business’ data.
In some cases, the RDP server is not even needed.
For example, if you’re using an RDP server to access applications remotely, you could instead:
A way of connecting to the internet that hides where you are when you connect.
These are both more secure alternatives to internet-exposed RDP.
If you need to access a Windows server from another network (for example, staff working from home, or an IT service provider), we recommend using a VPN to create a tunnel between those networks.
Types of remote access software
For staff working from home, using a VPN to create a tunnel between their device and your network will allow the staff member to access the RDP server like they were in the office. This is often referred to as a point-to-site VPN. This VPN should be configured to require
a security setting that needs an extra piece of information, such as a text code or fingerprint, to log in to your account.
(2FA) for an extra layer of security.
Protect your business with two-factor authentication (2FA)
IT service providers could also consider a site-to-site VPN, such as IPsec tunnels. If you’re using a site-to-site VPN, you’ll need to enforce 2FA on each application and system that is accessible over the VPN, as individual users will not need to authenticate to the VPN endpoint.
No matter which VPN technology you use, you need to:
This ensures someone with access to the VPN can only access the systems that they should be able to, and no more.
If you do need to use RDP, whether exposed to the internet or internally, CERT NZ has some more information about how to secure the RDP server and clients.
Hardening RDP if you have to use it – CERT NZ(external link)