What is RDP?
RDP, or the Remote Desktop Protocol, is one of the main protocols used for remote desktop sessions, which is when employees access their office desktop computers from another device. RDP is included with most Windows operating systems and can be used with Macs as well. Many companies rely on RDP to allow their employees to work from home.
What are the main RDP security vulnerabilities?
A vulnerability is a gap or an error in the way a piece of software is constructed that allows attackers to gain unauthorized access. Think of an improperly installed deadbolt on the front door of a house that allows criminals to break in.
These are the most important vulnerabilities in RDP:
Weak user sign-in credentials. Most desktop computers are protected by a password, and users can typically make this password whatever they want. The problem is that the same password is often used for RDP remote logins as well. Companies do not typically manage these passwords to ensure their strength, so they often leave these remote connections open to brute-force or credential-stuffing attacks.
Unrestricted port access. RDP connections almost always take place at port 3389*. Attackers can assume that this is the port in use and target it to carry out on-path attacks, among others.
*In networking, a port is a logical, software-based location that is designated for certain types of connections. Assigning different processes to different ports helps computers keep track of those processes. As an example, HTTP traffic always goes to port 80, while HTTPS traffic goes to port 443.
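The brute-force and credential-stuffing risk described above shows up on a Windows host as a burst of failed logon events (Event ID 4625 in the Security log). The script below is an added example written for this article, not code from the original page or from Cloudflare: it groups failures by source address and flags a source that either exceeds a failure count inside a short window (brute force) or tries many distinct usernames (credential stuffing). The events it runs on are constructed sample data, the thresholds are assumptions to tune for your environment, and the commented `Get-WinEvent` conversion at the end uses the standard 4625 property layout.

```powershell
# Added example (not from the original article): flag RDP brute-force and
# credential-stuffing patterns in Windows Security log failures (Event ID 4625).
# Thresholds are assumptions; the sample events below are constructed.

function Find-RdpLogonAbuse {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $FailureThreshold      = 10,   # failures from one source inside the window
        [int] $DistinctUserThreshold = 5,    # distinct usernames tried from one source
        [int] $WindowMinutes         = 10
    )
    $findings = @()
    $failures = $Events | Where-Object { $_.EventId -eq 4625 }
    foreach ($group in ($failures | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        $users  = @($sorted | Select-Object -ExpandProperty TargetUserName -Unique)

        # Sliding window: the largest number of failures that start within any
        # $WindowMinutes span catches a fast attempt even in a long log.
        $maxInWindow = 0
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $limit = $start.AddMinutes($WindowMinutes)
            $count = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -lt $limit }).Count
            if ($count -gt $maxInWindow) { $maxInWindow = $count }
        }

        $pattern = @()
        if ($maxInWindow -ge $FailureThreshold)      { $pattern += 'brute-force' }
        if ($users.Count -ge $DistinctUserThreshold) { $pattern += 'credential-stuffing' }
        if ($pattern.Count -gt 0) {
            $findings += [pscustomobject]@{
                SourceIp            = $group.Name
                Failures            = $sorted.Count
                MaxFailuresInWindow = $maxInWindow
                DistinctUsers       = $users.Count
                Pattern             = ($pattern -join ',')
            }
        }
    }
    return $findings
}

# --- Constructed sample: one noisy source and one ordinary user typo ---------
$base   = Get-Date '2024-01-15T08:00:00'
$names  = 'administrator', 'admin', 'jsmith', 'backup', 'svc_sql', 'test'
$sample = @()
for ($n = 0; $n -lt 12; $n++) {
    $sample += [pscustomobject]@{
        TimeCreated    = $base.AddSeconds(15 * $n)   # 12 failures in 3 minutes
        EventId        = 4625
        TargetUserName = $names[$n % $names.Count]
        IpAddress      = '203.0.113.7'               # RFC 5737 documentation address
        LogonType      = 10                          # RemoteInteractive (RDP)
    }
}
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(5); EventId = 4625; TargetUserName = 'mlee'; IpAddress = '198.51.100.22'; LogonType = 10 }
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(6); EventId = 4624; TargetUserName = 'mlee'; IpAddress = '198.51.100.22'; LogonType = 10 }

Find-RdpLogonAbuse -Events $sample | Format-Table -AutoSize

# To run against the live Security log instead of the sample (elevated session):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5000 |
#     ForEach-Object {
#         [pscustomobject]@{
#             TimeCreated    = $_.TimeCreated
#             EventId        = $_.Id
#             TargetUserName = $_.Properties[5].Value    # standard 4625 field order
#             IpAddress      = $_.Properties[19].Value
#             LogonType      = $_.Properties[10].Value
#         }
#     }
# Find-RdpLogonAbuse -Events $live
```

On the sample data the only finding is 203.0.113.7 with 12 failures in the window and 6 distinct usernames, so it is tagged both `brute-force` and `credential-stuffing`; the single failure from 198.51.100.22 stays below both thresholds. Hosts that require Network Level Authentication may record the failure with a different logon type, so filter on the event ID and source address rather than on `LogonType` alone.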
What are a few ways to address these RDP vulnerabilities?
To reduce the prevalence of weak sign-in credentials:
Single sign-on (SSO): Many companies already use SSO services to manage user logins for various applications. SSO gives companies an easier way to enforce strong password usage, as well as implementing even more secure measures like two-factor authentication (2FA). It is possible to move RDP remote access behind SSO in order to shore up the user login vulnerability described above. (Cloudflare Zero Trust, for instance, allows companies to do this.)
Password management and enforcement: For some companies, moving RDP behind SSO may not be an option. At the bare minimum, they should require employees to reset their desktop passwords to something stronger.
To protect against port-based attacks:
Lock down port 3389: Secure tunneling software can help stop attackers from sending requests that reach port 3389. With a secure tunnel (e.g. Cloudflare Tunnel) in place, any requests that do not pass through the tunnel will be blocked.
Firewall rules: It may be possible to manually configure a corporate firewall so that no traffic to port 3389 can come through, except traffic from allowlisted IP address ranges (e.g. the devices known to belong to employees). However, this method takes a lot of manual effort, and is still vulnerable to attack if attackers hijack an allowlisted IP address or employee devices are compromised. In addition, it is typically very difficult to identify and allowlist all employee devices in advance, resulting in continual IT requests from blocked employees.
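As an added example of the firewall approach just described (not code from the article or from Cloudflare), the script below restricts inbound TCP 3389 on a Windows host to allowlisted address ranges using Windows Defender Firewall, then reports any enabled rule that still exposes the port to `Any` source. The allowlist ranges are constructed placeholders, the rule names are chosen for this example, and it must run in an elevated session.

```powershell
# Added example (not from the original article): restrict inbound RDP (TCP 3389)
# to allowlisted ranges with Windows Defender Firewall, then audit the result.
# $AllowedRanges holds constructed placeholders; replace with your own ranges.

$AllowedRanges = @('203.0.113.0/24', '198.51.100.10')

function Set-RdpAllowlist {
    param([Parameter(Mandatory)] [string[]] $RemoteAddress)

    # Default-deny inbound: anything without an enabled allow rule is dropped.
    Set-NetFirewallProfile -All -DefaultInboundAction Block

    # The built-in "Remote Desktop" rule group allows 3389 from any source.
    # Disable it so the scoped rule below is the only way in. A scoped allow on
    # top of default-deny is the right shape: a separate block rule would win
    # over the allow rule, because block rules take precedence in Windows Firewall.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule

    # Replace any rule from an earlier run so the allowlist stays declarative.
    Get-NetFirewallRule -DisplayName 'RDP allowlist (TCP-In)' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName 'RDP allowlist (TCP-In)' `
        -Description 'Inbound RDP only from approved source ranges' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $RemoteAddress -Action Allow -Profile Any | Out-Null
}

function Test-RdpExposure {
    # List every enabled inbound allow rule covering TCP 3389 with its source scope;
    # a rule whose RemoteAddress is 'Any' is the gap the allowlist was meant to close.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '3389' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $scope = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
            [pscustomobject]@{
                Rule          = $_.DisplayName
                RemoteAddress = ($scope -join ', ')
                Exposed       = ($scope -contains 'Any')
            }
        }
}

Set-RdpAllowlist -RemoteAddress $AllowedRanges
Test-RdpExposure | Format-Table -AutoSize
```

After the run, `Test-RdpExposure` should list only the allowlist rule with `Exposed` set to `False`. The caveat from the text still applies: the rule trusts addresses, not people, so a compromised device inside an allowlisted range is still let through, and every new employee location means another change to `$AllowedRanges`.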
What other vulnerabilities does RDP have?
RDP has other vulnerabilities that have technically been patched, but which are still severe if left unchecked.
One of the most severe vulnerabilities in RDP is called "BlueKeep." BlueKeep (officially classified as CVE-2019-0708) is a vulnerability that allows attackers to execute any code they want on a computer if they send a specially crafted request to the right port (usually 3389). BlueKeep is wormable, which means it can spread to all computers within a network without any actions from users.
The best defense against this vulnerability is to disable RDP unless it is needed. Blocking port 3389 using a firewall can also help. Finally, Microsoft issued a patch that corrects this vulnerability in 2019, and it is essential that system administrators install this patch.
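The advice to disable RDP unless it is needed can be checked and applied with the added example below (written for this article, not code from Cloudflare or Microsoft). It reads the standard Terminal Server registry setting that gates remote connections, checks whether anything is actually listening on port 3389, and offers a function that turns RDP off on hosts that do not need it. It assumes an elevated session and does not by itself verify patch level, which should be confirmed through your normal update tooling.

```powershell
# Added example (not from the original article): report whether a Windows host
# accepts RDP, and disable it where it is not needed. Run in an elevated session.

$TerminalServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpState {
    # fDenyTSConnections = 1 means remote connections are refused.
    $deny = (Get-ItemProperty -Path $TerminalServerKey -Name fDenyTSConnections).fDenyTSConnections

    # A listening socket on 3389 is the condition an attacker needs for BlueKeep-style
    # requests to reach the service at all, so report it alongside the policy value.
    $listening = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue).Count -gt 0

    [pscustomobject]@{
        RdpEnabled        = ($deny -eq 0)
        Port3389Listening = $listening
        TermService       = (Get-Service -Name TermService).Status
        FirewallRuleOn    = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                                Where-Object { $_.Enabled -eq 'True' }).Count -gt 0
    }
}

function Disable-Rdp {
    # Refuse remote connections at the policy level and close the firewall path,
    # the same two steps the Remote Desktop settings page performs when you turn it off.
    Set-ItemProperty -Path $TerminalServerKey -Name fDenyTSConnections -Value 1
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

# Audit first; disable only on hosts where remote desktop has no business need.
$state = Get-RdpState
$state | Format-List
if ($state.RdpEnabled -and -not $env:RDP_REQUIRED) {   # RDP_REQUIRED is an assumed opt-in marker
    Disable-Rdp
    Get-RdpState | Format-List
}
```

The `RDP_REQUIRED` environment variable is only a stand-in for whatever inventory or tag your organization uses to mark hosts that legitimately need remote desktop; in practice drive that decision from your asset records rather than from the host itself.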
Like any other program or protocol, RDP has several other vulnerabilities as well, and most of these can be eliminated by always running the latest patched version of the RDP software. Vendors typically fix known vulnerabilities in each new version of the software they release.
How does Cloudflare help secure RDP access?
To simplify and secure RDP access, Cloudflare built a fast-performing RDP proxy that incorporates the Zero Trust security controls of our SASE platform. Cloudflare now offers clientless, browser-based RDP access: no additional infrastructure and no extra configuring on the client device are needed. Learn more about Cloudflare's SASE platform and RDP access.
FAQs
What is the Remote Desktop Protocol (RDP)?
RDP is a common technical standard that allows individuals to use a computer from a different location. Companies frequently use this protocol to help employees access their office computers while working from home.
What are the primary security vulnerabilities associated with RDP?
The two most significant risks are weak login credentials and unrestricted access to port 3389. Because many organizations do not manage RDP passwords through centralized systems, users often use simple or reused passwords that are easy for attackers to guess. Additionally, since RDP uses port 3389, attackers can target this specific port to launch attacks or gain unauthorized entry.
What is the BlueKeep vulnerability?
BlueKeep is a critical security flaw, officially labeled CVE-2019-0708, that allows attackers to run unauthorized code on a computer by sending a specific type of request to its RDP port. This vulnerability is "wormable," meaning it can automatically spread across an entire network to other computers without any help from a user.
How does single sign-on (SSO) help protect remote desktop sessions?
Integrating RDP with an SSO service allows organizations to move remote access behind a more secure login process. This enables companies to enforce stronger password requirements and implement additional security layers, such as two-factor authentication (2FA), to verify a user's identity more effectively.
How can organizations secure port 3389 from attackers?
Organizations can protect this port by using secure tunneling software that blocks any requests that do not travel through a designated, secure path. Another option is to set up firewall rules that only allow traffic from specific, trusted IP addresses, though this method can be difficult to manage manually for large teams.
How does Cloudflare assist in securing RDP connections?
Cloudflare provides a fast RDP proxy that applies Zero Trust security controls to every connection. By using tools like Cloudflare Access and secure tunnels, companies can hide their RDP resources from the public Internet and ensure that only authenticated users with the correct permissions can gain entry.