For many years now, Microsoft has offered a system with Windows that allows you to take control of another machine. This has been invaluable for system admins that need to control servers and other Windows machines, without having to run around from office to office or site to site. Easy takeover of machines does come with risks. The protocol known as Remote Desktop Protocol (RDP) and the Remote Desktop Connection software that relies on it are often victims of simple attacks. These attacks have been on the rise in recent years and are extremely popular at the moment, as they are enticing for cyber criminals that seek to compromise the admins and machines that control whole organizations.

How is Remote Desktop Protocol a security risk?

RDP often uses a particular port that is easy to locate in a scan. And unfortunately, the default account username for an admin is often Administrator. While it’s no secret that having a poor password policy is not ideal for server security, it’s worth reiterating here it can mean that hackers can try huge amounts of passwords before anyone is alerted or an account is locked out.

Once an intruder gets admin access, they can deliver specialized malware or remote access tools that can often be almost impossible for any security solution to detect. With admin privileges and route access to the desktop, maximum damage can be done. This stresses the importance of endpoint protection, as well as policies, monitoring, logging, backups and incident response.

How to protect & secure your organization from Remote Desktop attacks

Preventing such brute force attacks isn’t as complicated as it may seem. You can employ a few easy actions to keep your organization safe:

Prevent scanning for an open port

  • Change default RDP port from 3389 to another unused port
  • Block RDP (port 3389) via firewall
  • Restrict RDP to a whitelisted IP range

Prevent attackers from gaining access if RDP is enabled

  • Create a Group Policy Object (GPO) to enforce strong password policy (GPOs are important and should be common practice for your organization)

Optional

  • Require two-factor authentication

Getting to the bottom of suspicious activity is vitally important and our team is here to help. Contact us today or learn more about our full suite of business cybersecurity solutions.

Kelvin Murray

About the Author

Kelvin Murray

Sr. Threat Research Analyst

Kelvin is a Senior Threat researcher with Webroot and specialises in P.E. files, stat analysis and security news. Kelvin is based in Webroot’s international office in Dublin where he mostly writes, presents and teaches.

Share This