For IT service providers, one of the most notable consequences of the global COVID-19 lockdown was our clients’ shift to remote work. That created a large and sudden demand for Windows Remote Desktop Services (RDS).
But as we expected, IT service providers and their clients weren’t the only ones aware of this shift. Remote attacks against RDS servers spiked almost the moment lockdowns went into effect across North America. Providers need to be extra vigilant deploying their remote work solutions.
Do you have clients asking about new RDS service? Do you want to audit the hastily deployed RDS servers your business rolled out earlier this year? No problem. Let’s talk security for Remote Desktop Services.
What is Windows Remote Desktop Services (RDS)?
Formerly named Windows Terminal Server, Windows Remote Desktop Services allows you to give users remote access to either a full desktop environment or just a single application. Unlike with host-based virtual desktop technologies, RDS allows multiple simultaneous connections to the same server.
However, there are both pros and cons to having RDS “desktop” environments and apps run as user interfaces on a Windows Server OS. Since it utilizes shared server infrastructure, RDS is a very resource-efficient platform. Also, since they’re not actually desktop OSes, you can easily limit administrator rights inside RDS sessions to prevent compromises. On the other hand, since RDS sessions aren’t actually running a desktop OS, some specialized applications may not be usable.
Is RDS secure?
Without good security for Remote Desktop Services, out-of-the-box RDS servers can be vulnerable to:
- Man-in-the-Middle (MitM) attacks
- Denial of Service (DoS) attacks
- Password Hash Dumping
- Ransomware attacks
- Brute-Force attacks
So it is vital that you apply good security practices to any RDS server you stand up.
Five best practices for securing RDS
There are many different ways you can provision RDS systems, which can at first make security for Remote Desktop Services appear complicated. But no matter how you’re deploying it, there are a few fundamental precautions you’ll always want to take.
1. Enforce strong password policies
As with user management in any Windows environment, it’s important to require strong passwords. Don’t write off RDS sessions as lesser concerns than full server or desktop OSes: RDS servers are still potential entry points for attackers to breach your network. Enforce password length, complexity, age, and history policies on all accounts in your RDS user groups.
2. Require multi-factor authentication (MFA)
Multi-factor authentication is a highly reliable method for preventing brute-force attacks, as well as for reducing the effectiveness of keylogging and password hash dumps. RDS supports MFA via a number of different methods, including SMS text challenge and mobile app authentication.
3. Have strong vulnerability & patch management
RDS servers are high value targets for attackers. Because they need to be available to outside connections, it’s critical that you enforce good vulnerability and patch management to keep them secure.
Keep your clients’ RDS servers on a monthly patching cycle, preferably with planned downtime for rebooting and post-patching log assessment to determine if there were any issues. Make sure you have a reliable patch rollback plan for these servers too. Rollback plans designed to maintain uptime are especially important now that remote desktop service has become much more critical to the work of so many businesses.
4. Use secure connections
RDS runs on the Remote Desktop Protocol (RDP), which listens on TCP port 3389 by default. Unfortunately, attackers are very familiar with port 3389; it is one of the most commonly scanned ports on the internet. We recommend either deploying a TLS-secured Remote Desktop Gateway or establishing VPN tunnels for all connections to your RDS servers, so that the RDP port is never exposed directly to the internet. This will help prevent Man-in-the-Middle attacks and ensure good data security.
5. Restrict user access
Adopt the principle of least privilege when provisioning user accounts for RDS. Set an account lockout policy to limit the opportunity for brute-force attacks to succeed. If the attacker is stalled by a strong lockout policy, they’re likely to go looking for a different, more vulnerable target.
Remove all unnecessary administrator rights and other elevated privileges on RDS user accounts. This helps prevent attackers from moving laterally across your network with elevated privileges if they are able to compromise your RDS server.
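The following PowerShell audit script is an added example, not part of the original article or any Sherweb tooling. It checks an RDS Session Host against practices 1, 3, 4 and 5 above: the RDP-Tcp listener settings (Network Level Authentication, TLS security layer, High encryption), the effective password and lockout policy as exported by secedit, local Administrators who are also in Remote Desktop Users, and the age of the most recent update. It assumes an elevated Windows PowerShell 5.1 session on the host; the numeric thresholds (14 characters, 90 days, 10 lockout attempts, 45 days since the last patch) are this example's own assumptions.

```powershell
# Added example (not from the original article): audit an RDS Session Host
# against practices 1, 3, 4 and 5. Run elevated on the host itself.
$findings = @()

# Practice 4: the RDP-Tcp listener should require Network Level Authentication,
# negotiate TLS instead of legacy RDP security, and use High encryption.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp = Get-ItemProperty -Path $rdpKey
if ($rdp.UserAuthentication -ne 1) { $findings += 'Listener: Network Level Authentication is off (UserAuthentication should be 1)' }
if ($rdp.SecurityLayer -ne 2)      { $findings += 'Listener: security layer is not TLS (SecurityLayer should be 2)' }
if ($rdp.MinEncryptionLevel -lt 3) { $findings += 'Listener: encryption below High (MinEncryptionLevel should be 3)' }

# Practices 1 and 5: read the effective password and lockout policy from a
# secedit export of the local security database ([System Access] section).
$inf = Join-Path $env:TEMP 'rds-audit-secpol.inf'
secedit /export /cfg $inf /quiet | Out-Null
$pol = @{}
foreach ($line in Get-Content $inf) {
    # keep only numeric "Name = value" entries; string entries like NewAdministratorName are skipped
    if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $pol[$Matches[1]] = [int]$Matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue
if ($pol['MinimumPasswordLength'] -lt 14) { $findings += 'Password: minimum length below 14 (assumed threshold)' }
if ($pol['PasswordComplexity'] -ne 1)     { $findings += 'Password: complexity not required' }
if ($pol['MaximumPasswordAge'] -lt 1 -or $pol['MaximumPasswordAge'] -gt 90) { $findings += 'Password: maximum age unlimited (-1) or over 90 days' }
if ($pol['PasswordHistorySize'] -lt 10)   { $findings += 'Password: history shorter than 10 passwords' }
if ($pol['LockoutBadCount'] -lt 1 -or $pol['LockoutBadCount'] -gt 10) { $findings += 'Lockout: threshold disabled (0) or above 10 attempts' }

# Practice 5: nobody granted RDS logon should also hold local administrator rights.
$admins  = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object Name)
$rdUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue | ForEach-Object Name)
foreach ($u in $rdUsers) {
    if ($admins -contains $u) { $findings += "Privilege: $u is in both Administrators and Remote Desktop Users" }
}

# Practice 3: flag a host that has not received any update in the last 45 days.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-45)) { $findings += 'Patching: no update installed in the last 45 days' }

# Practice 2 (MFA) is enforced at the RD Gateway or identity provider, not on the
# session host, so it is not checked here and must be reviewed alongside these results.
if ($findings.Count -eq 0) { Write-Output 'No findings: host matches the baseline.' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

On a domain-joined host, confirm the password and lockout values against the domain policy as well (for example with Get-ADDefaultDomainPasswordPolicy from the RSAT ActiveDirectory module), since that is where the accounts in your RDS user groups normally live.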
Use RDS to manage cloud services for clients
We don’t recommend provisioning administrator access to your client’s end users in RDS without a critical business need. However, if you’ve put proper security for Remote Desktop Services in place, IT service providers can use RDS connections to streamline many of their own administrative tasks.
Connecting via RDS to an Azure or on-premises server is an efficient way to handle tasks best performed through a GUI rather than in PowerShell or through another type of remote connection. Fortunately, Azure offers some useful tools for securing RDS connections in its Azure Security Center, such as Azure Policies and Network Security Groups.
In fact, using Azure to host your RDS servers not only simplifies management, it allows you to easily scale your remote desktop and app services as demand changes. Does one of your clients need to unexpectedly close an office for quarantine and go remote for a month? Is another client bringing all of their remote workers back on site? Scale their RDS service up or down on a moment’s notice.
Azure can also handle access requests automatically, at a moment’s notice. It supports Just-in-Time (JIT) access authorization, so users can easily receive one-off access to RDS sessions and other servers, access which goes away as soon as the connection closes. You can set your RDS server to block all inbound connections, with only select ports opening when a user successfully makes a JIT request.
Requests are logged for tracking and accountability. You can manage how they’re authorized. The Azure Security Center gives you granular control over how your virtual servers and individual services, like RDS, accept JIT access requests.
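The JIT flow just described, as an added example that is not part of the original article or of Sherweb's own tooling: first a JIT policy is set on the RDS VM with the Az.Security module so that the Network Security Group keeps port 3389 closed but may open it for at most one hour per approved request, then a technician requests that one-hour opening for a single source address. It assumes the Az PowerShell modules are installed, the subscription has Azure Security Center's JIT feature available, and every value in angle brackets is a placeholder for your own subscription, resource group, VM name, region and public addresses.

```powershell
# Added example (not from the original article): enable Just-in-Time access for
# an RDS VM and then request a one-hour opening of port 3389. Values in <...>
# are placeholders to replace with your own.
Connect-AzAccount | Out-Null

$vmId = '/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP>/providers/Microsoft.Compute/virtualMachines/<RDS-VM-NAME>'

# 1. Policy: 3389 stays blocked by default; JIT may open it for at most one hour
#    per approved request, and only from the provider's own NOC address range.
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            protocol                   = '*'
            allowedSourceAddressPrefix = @('<NOC-PUBLIC-IP-RANGE>')   # placeholder, e.g. a CIDR block
            maxRequestAccessDuration   = 'PT1H'                       # ISO 8601 duration: one hour
        }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location '<LOCATION>' -Name 'default' `
    -ResourceGroupName '<RESOURCE-GROUP>' -VirtualMachine @($jitPolicy)

# 2. Request: open 3389 for one technician's address until the end time. Security
#    Center records the request, which gives the tracking and accountability trail.
$request = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
            allowedSourceAddressPrefix = @('<TECHNICIAN-PUBLIC-IP>')  # placeholder, a single address
        }
    )
}
$policyId = '/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP>/providers/Microsoft.Security/locations/<LOCATION>/jitNetworkAccessPolicies/default'
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)
```

The second step fails if the request exceeds maxRequestAccessDuration or the source address falls outside allowedSourceAddressPrefix, which is the point: the policy, not the requester, decides how wide the opening can be.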
Looking for an Azure alternative? Try Performance Cloud powered by VMware
Sherweb’s own Performance Cloud powered by VMware is also available to host your RDS servers, and is an excellent option for SMBs looking to compromise on cost, but not performance. Offering the best price-to-performance ratio for cloud servers out there, Performance Cloud features a 99.999% SLA that ensures maximum uptime for client operations, and fixed-rate plans to facilitate cost predictions for both providers and their customers.
Sherweb is SOC2 Type II certified, meaning we have the procedures and protocols in place to ensure all environments hosted on Performance Cloud are perpetually kept safe. Sherweb also offers NOC Services for service providers looking to have infrastructure managed (including RDS connections) on their behalf.
Enterprise-scale network security on an SMB budget
Remote Desktop Services on Microsoft Azure or Performance Cloud is a powerful tool for your clients, no matter how large or small they are. It gives their remote workers a desktop experience second only to what they’d get on-premises.
But you need to take seriously the security risks that come with deploying such a highly open and available service. The best practices we’ve outlined here are a great starting point for implementing comprehensive security for RDS.
When you need an extra level of security, Sherweb is there, ready to partner with you and act as your clients’ dedicated NOC. We can monitor and respond to threats so you can focus on your client relationships and on growing your business. Become a partner to get started!