An Overview of RDP Security Layer: How Effective Is It?

Remote Desktop Protocol (RDP) is a secure network protocol developed by Microsoft that facilitates remote access. The protocol offers three security layer options for remote desktop connections: RDP security layer, negotiate, and secure sockets layer (SSL).

The RDP security layer uses RDP's native encryption mechanisms to secure connections between clients and the server, while the negotiate method selects the most secure layer the client supports. SSL, in contrast, uses Transport Layer Security version 1.0 (TLS 1.0) to authenticate the server if the client has a valid certificate and supports TLS 1.0.

RDP Vulnerabilities Are a Hot Target for Cybercrimes

RDP became a popular option for organizations that urgently needed to move employees from on-premises to hybrid working environments in the wake of the coronavirus pandemic. According to Business Fortune Insights, the global remote desktop software market size was US $1.53 billion in 2019. The company projects this market to grow at a compound annual growth rate (CAGR) of 15.1% to reach US $4.69 billion by 2027.

The popularity of RDP caused it to become a target for cybercriminals. Before the pandemic, most employees worked from their offices and used resources that IT administrators monitored closely. The shift to remote working meant enterprises had to allow employees to use their preferred devices under a bring your own device (BYOD) framework to access sensitive corporate resources via RDP.

This shift led to many configuration mistakes and more exposed RDP endpoints. According to Kaspersky, worldwide RDP attacks surged from 93.1 million in February 2020 to 277.4 million by March 2020, a staggering 197% increase. Although the numbers fluctuated throughout 2020, another significant surge came at the onset of winter lockdowns.

By February 2021, RDP attacks had skyrocketed to 377.5 million, according to Kaspersky. That is a massive increase over the 91.3 million reported by the same company at the beginning of 2020. According to Maria Namestnikova, a security expert at Kaspersky, hastily implemented and configured remote desktop services (RDS) have played a significant role in driving RDP attacks in many enterprises.

Types of RDP Vulnerabilities

RDP has plenty of known vulnerabilities. Below are a few of them.

Man-in-the-middle attacks

Even though RDP encrypts data between the client and the server by default, the default configuration does not provide an authentication mechanism to verify the identity of the terminal server. Malicious actors can launch man-in-the-middle attacks to intercept the connection between the client and the server, compromising the communication in the process.

Encryption attacks

RDP supports two forms of encryption: standard (also called native) and enhanced encryption. With standard encryption, most of the RDP connection sequence (the handshake) is protected only by a weak encryption mechanism. Malicious actors can decrypt connections at this stage in a reasonable time frame and expose the enterprise's sensitive resources.

Denial-of-service attacks

RDP provides two types of authentication: network-level authentication (NLA) and non-NLA. With NLA, clients must authenticate themselves before the server creates a session. Servers that support NLA but do not have it configured are therefore vulnerable to denial-of-service (DoS) attacks, because the server allocates a session for every incoming connection before the client has authenticated. Hackers can use this weakness to open repeated connections to the server, preventing legitimate users from accessing the service.
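Repeated connection attempts of the kind described above, and the brute-force traffic behind the attack numbers cited earlier, leave a trail in the Windows Security log: event ID 4625 records each failed logon, with logon type 10 (RemoteInteractive) for a non-NLA listener and logon type 3 (Network) once NLA authenticates the client before a session exists. The following PowerShell script is an added example, not code from the original article or from Parallels; it groups failed RDP logons by source address and flags any source that exceeds a threshold within a sliding time window. The sample events are constructed for the example; the function name `Find-RdpLogonBursts`, the threshold and the window length are assumptions, and the commented `Get-WinEvent` pipeline at the end shows how to feed it real events on a live host.

```powershell
# Added example (not from the original article): flag source addresses that
# generate bursts of failed RDP logons in the Windows Security log.
# Event ID 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP without NLA),
# LogonType 3 = Network (what an NLA-protected listener records before a session exists).

function Find-RdpLogonBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, IpAddress, LogonType
        [int] $Threshold = 5,                        # failures per window that trigger a finding (assumed)
        [int] $WindowMinutes = 5                     # sliding window length (assumed)
    )
    # Only RDP-related failures; console (type 2) and service logons are ignored.
    $rdpFailures = $Events | Where-Object { $_.LogonType -in @(3, 10) }
    foreach ($group in ($rdpFailures | Group-Object IpAddress)) {
        $times = @($group.Group | Sort-Object TimeCreated | Select-Object -ExpandProperty TimeCreated)
        # Sliding window: for each failure, count failures in the following WindowMinutes.
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end   = $times[$i].AddMinutes($WindowMinutes)
            $count = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $end }).Count
            if ($count -ge $Threshold) {
                [pscustomobject]@{ IpAddress = $group.Name; WindowStart = $times[$i]; Failures = $count }
                break   # one finding per source address is enough for an alert
            }
        }
    }
}

# Constructed sample events, shaped like 4625 records after the EventData fields are extracted.
$base   = Get-Date '2021-02-01T03:00:00'
$sample = @()
1..8 | ForEach-Object {
    $sample += [pscustomobject]@{ TimeCreated = $base.AddSeconds(20 * $_); IpAddress = '203.0.113.7'; LogonType = 3 }
}
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(1); IpAddress = '198.51.100.4'; LogonType = 10 }
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(2); IpAddress = '198.51.100.4'; LogonType = 2 }   # console logon, ignored

# Expected: a single finding for 203.0.113.7 (8 failures inside one window); 198.51.100.4 stays below threshold.
Find-RdpLogonBursts -Events $sample | Format-Table -AutoSize

# On a live host (elevated session), build the same objects from the Security log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } |
#   ForEach-Object {
#       $x = [xml]$_.ToXml()
#       [pscustomobject]@{
#           TimeCreated = $_.TimeCreated
#           IpAddress   = ($x.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
#           LogonType   = [int]($x.Event.EventData.Data | Where-Object Name -eq 'LogonType').'#text'
#       }
#   } | Find-RdpLogonBursts -Events $_
```

The threshold and window are deliberately conservative defaults; tune them against your own baseline of failed logons, and treat a finding as a prompt to review the source address at the firewall or remote-access gateway rather than as proof of compromise.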

Keylogging attacks

With keylogging attacks, hackers create sophisticated malware that tracks all the keys users press on their keyboards while accessing RDS. Unlike other malware, these applications do not pose a severe threat to the RDS infrastructure. However, keyloggers can pose a serious threat to users, especially when hackers intercept sensitive passwords and account numbers.

EternalBlue attacks

EternalBlue attacks allow hackers to execute arbitrary code remotely, giving them access to the network. These attacks exploit a vulnerability in the Windows Server Message Block (SMB) protocol, allowing malicious actors to compromise the entire network and connected devices.

RDP Security and Encryption Levels

There are three types of security layers for RDP communications: negotiate, RDP security layer, and SSL. By default, RDS sessions use the negotiate method, where the client and remote desktop session host (RDSH) server agree on the most secure protocol the client supports. For example, if the client supports TLS 1.0, then the RDS infrastructure uses it. Otherwise, the RDS infrastructure uses the RDP security layer.

The SSL method is by far the most robust approach for securing RDS sessions. The SSL method uses the TLS 1.0 protocol to verify the identity of the RDSH server and encrypts all the connections between the client and the server. In contrast, the RDP security layer uses the native remote desktop protocol encryption mechanism to secure connections between the client and the RDSH server. Because the RDP security layer does not authenticate the RDSH server, it is prone to attacks.
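The security layer, the minimum encryption level and the NLA requirement discussed in this section and under the man-in-the-middle, encryption and denial-of-service headings above are all exposed on a Remote Desktop Session Host as DWORD values on the RDP-Tcp listener key (`SecurityLayer`: 0 = RDP security layer, 1 = negotiate, 2 = SSL; `MinEncryptionLevel`: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant; `UserAuthentication`: 1 = NLA required). The following PowerShell script is an added example, not code from the original article or from Parallels; it reads those values and reports which of the weaknesses described above still apply. It assumes an elevated session on a Windows host running Remote Desktop Services; the function names and the remediation helper are assumptions, and Group Policy, where configured, overrides whatever the helper writes.

```powershell
# Added example (not from the original article): audit the RDP-Tcp listener's security
# layer, minimum encryption level and NLA setting, and list the weaknesses that remain.
# Assumes an elevated PowerShell session on a host with Remote Desktop Services.

$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Documented meaning of the DWORD values on the RDP-Tcp listener.
$SecurityLayerNames   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$EncryptionLevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpListenerSecurity {
    $props = Get-ItemProperty -Path $ListenerKey
    [pscustomobject]@{
        SecurityLayer      = [int]$props.SecurityLayer
        MinEncryptionLevel = [int]$props.MinEncryptionLevel
        UserAuthentication = [int]$props.UserAuthentication   # 1 = NLA required
    }
}

function Test-RdpListenerSecurity {
    param([Parameter(Mandatory)] $Settings)
    $findings = @()
    if ($Settings.SecurityLayer -ne 2) {
        # Only the SSL layer authenticates the RDSH server with a certificate (man-in-the-middle section).
        $findings += "SecurityLayer is $($SecurityLayerNames[$Settings.SecurityLayer]): the server is not " +
                     "authenticated with a TLS certificate, so it can be impersonated. Set it to 2 (SSL)."
    }
    if ($Settings.MinEncryptionLevel -lt 3) {
        # Low / Client Compatible let legacy clients negotiate the weak native encryption (encryption section).
        $findings += "MinEncryptionLevel is $($EncryptionLevelNames[$Settings.MinEncryptionLevel]): legacy " +
                     "clients can negotiate weak native encryption. Set it to 3 (High) or 4 (FIPS Compliant)."
    }
    if ($Settings.UserAuthentication -ne 1) {
        # Without NLA a session is allocated before the client authenticates (denial-of-service section).
        $findings += "UserAuthentication is $($Settings.UserAuthentication): sessions are created before the " +
                     "client authenticates, exposing the host to resource-exhaustion DoS. Set it to 1 (require NLA)."
    }
    $findings
}

# Assumed remediation helper: applies the hardened values to the listener.
# Group Policy ("Require use of specific security layer for remote (RDP) connections" and the
# related settings) overrides these registry values where it is configured.
function Set-RdpListenerHardened {
    Set-ItemProperty -Path $ListenerKey -Name SecurityLayer      -Value 2 -Type DWord
    Set-ItemProperty -Path $ListenerKey -Name MinEncryptionLevel -Value 3 -Type DWord
    Set-ItemProperty -Path $ListenerKey -Name UserAuthentication -Value 1 -Type DWord
}

# Usage: show the current settings and any findings.
$current = Get-RdpListenerSecurity
$current | Format-List
$result = @(Test-RdpListenerSecurity -Settings $current)
if ($result.Count -eq 0) {
    'No findings: SSL layer, High or FIPS encryption, and NLA are all enforced.'
} else {
    $result | ForEach-Object { "FINDING: $_" }
    # Uncomment to apply the hardened values after reviewing the findings:
    # Set-RdpListenerHardened
}
```

Run the audit before and after any change so the findings list is the evidence of the hardening; with `SecurityLayer` at 2, the TLS certificate presented by the RDSH server, not the native encryption level, is what protects the session, so also make sure that certificate is one the clients trust rather than the self-signed default.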

When it comes to encryption, RDP supports four levels:

RDP Security Best Practices

Because of the ongoing RDP risks, companies providing remote access must adopt RDP best practices to secure their IT infrastructure. Let us explore some of them.

Parallels RAS Provides a Wide Range of Features to Secure Remote Access

Virtual desktop infrastructure (VDI) has emerged as a top choice for organizations that want to provide flexible working environments. However, VDI can make business sense only if it guarantees the security of corporate resources. Parallels® has spent over two decades researching and refining its premier VDI product: Parallels® Remote Application Server (RAS).

Parallels RAS has plenty of enterprise-grade features that can secure virtual applications and desktops, such as:

Take security to the next level by downloading your free, 30-day Parallels RAS trial today!