How to Mitigate the Risks of Internet-Exposed RDP

Remote Desktop Protocol (RDP) provides Microsoft users a seamless remote access experience. Because it's part of Windows, RDP is the most common and inexpensive remote access solution to configure and deploy.
RDP was a lifeline for businesses that had to choose between ceasing operations and moving to remote work during the upheaval of a global pandemic. Now, RDP is so ubiquitous and embedded in so many business processes that it's hard for organizations to imagine using another remote access solution.
Unfortunately, RDP has also become a common target for threat actors seeking lower-effort breaches with higher payouts. Coalition data shows that businesses with RDP exposed to the internet are the most likely to experience a ransomware event.
Businesses should remove RDP from the public internet to decrease the risk of being targeted by cybercriminals. Let's explore why internet-exposed RDP is risky and how businesses can limit the discoverability of RDP while still providing secure remote access to users.
Why is internet-exposed RDP risky?
The fundamental problem with internet-exposed instances of RDP is the signal it sends to threat actors. Hackers know that RDP is an essential part of many business processes, making it a prime target. In 2022, Coalition security research showed that over 37% of all traffic from threat actors was RDP-related.
RDP gives Windows users a remote session that's nearly identical to logging in at the physical machine. The connection between the client (the user's device) and the server (the system being accessed) is most commonly authenticated with a Windows username and password, just as a local logon is. Unless Network Level Authentication (NLA) is enforced, the server presents its logon screen to anyone who connects, before any credential has been checked.
Threat actors can exploit internet-exposed RDP in several ways. The most serious are pre-authentication vulnerabilities in the RDP service itself, which let an attacker run code on the host without valid credentials; any exposed listener also provides a foothold for lateral movement once a single account or host falls. Weak or reused passwords can be brute-forced, and credentials leaked from other breaches can be replayed in credential-stuffing attacks.
When Coalition directs organizations to "get RDP off the internet," it isn't an edict to completely re-architect business processes or acquire new tools. Instead, we want to encourage teams to consider the risk behind having a service exposed to the public internet and take the appropriate remediation steps for their organization.
How to remediate internet-exposed RDP
Depending on each organization's use of RDP, technology resources, and budgets, different approaches can limit the discoverability of RDP and mitigate the most common risks.
Shut down RDP access
- Close TCP port 3389 (and UDP 3389, which current Windows versions also use for RDP) on the perimeter firewall. RDP listens on port 3389 by default, and threat actors scan for it constantly. Moving the listener to another port is not a mitigation: scanners identify RDP by its protocol handshake, not by its port number. If remote access is still required, carry RDP inside an encrypted tunnel (a VPN, SSH, or a zero-trust broker) so that no RDP listener is reachable from the internet; internal firewall rules can then restrict which hosts may reach port 3389 at all. Do not rely on the Windows host firewall alone to block port 3389: anyone with local administrator rights, including an attacker who has already landed on the host, can disable it, and it does nothing about exposure created by a port forward at the perimeter. 
Limit discoverability and secure accounts
- Use a virtual private network (VPN). Placing the RDP listener behind a VPN means it is no longer visible from the internet; an attacker must first authenticate to the VPN. IT teams should also restrict RDP access to only the source IP addresses that need it. This adds steps to the login experience, and users will need to be trained accordingly. 
- Use multi-factor authentication (MFA) in conjunction with other controls. All remotely accessible accounts should have MFA enabled and use strong, unique passwords. If a password is stolen or guessed, MFA prevents the attacker from using it on its own. Native RDP has no MFA of its own; it is usually added through an RD Gateway or a third-party logon agent. MFA also does nothing against pre-authentication vulnerabilities in the RDP service, so businesses must layer additional preventative controls that keep RDP from being discovered by threat actors at all. 
Implement a mature security strategy
- Implement a Secure Access Service Edge (SASE) solution or Zero Trust Network Access (ZTNA). Both reduce RDP exposure by strengthening identity and access management and shrinking the visible attack surface. SASE provides more scalable and dynamic remote access than a traditional VPN by enforcing security at the endpoint and in the cloud. ZTNA validates each user's identity, grants only the minimum level of access needed, and enables micro-segmentation to limit lateral movement, whether by a compromised account or by a legitimate user who should not reach a given system. The two models are complementary and can be layered together. 
- Use attack surface monitoring (ASM) tools. ASM scans your public address space from the outside, the way an attacker does, and lets teams view their risk holistically. It surfaces exposures that endpoint security cannot see, such as an employee forwarding TCP port 3389 to a workstation because they do not understand the risk. 
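The outside-in check that an ASM tool performs against port 3389, and the same check you can run yourself after closing the port at the firewall, as an added example written for this article (it is not Coalition's tooling or Microsoft code). It sends the X.224 Connection Request with an RDP Negotiation Request, exactly as the Windows client does, and decodes the server's Connection Confirm, which tells you whether a listener exists, whether it uses TLS, and whether NLA is required. The host names, ports and sample replies are placeholders constructed for the example; nothing here is captured from a real system.

```python
"""Fingerprint an RDP listener the way an external scanner does.

Added example; not Coalition's or Microsoft's code. Sends the X.224
Connection Request carrying an RDP Negotiation Request ([MS-RDPBCGR]
2.2.1.1) and parses the X.224 Connection Confirm (2.2.1.2), which reveals
whether the listener uses TLS and whether it requires NLA.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags ([MS-RDPBCGR] 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # Standard RDP Security, no TLS
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005  # failureCode ([MS-RDPBCGR] 2.2.1.2.2)


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ, as sent by mstsc."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    # X.224 CR TPDU: length indicator, CR code 0xE0, DST-REF, SRC-REF, class
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT header (RFC 1006): version 3, reserved, total length
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm into a small dict."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match packet length")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:
        # No RDP_NEG_RSP at all: a legacy server that only speaks
        # Standard RDP Security (no TLS, no NLA).
        return {"kind": "legacy", "protocol": PROTOCOL_RDP}
    kind, flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if kind == TYPE_RDP_NEG_RSP:
        return {"kind": "response", "protocol": value, "flags": flags}
    if kind == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "failure_code": value}
    raise ValueError("unexpected negotiation structure type %#x" % kind)


def assess(results):
    """Classify a listener from two negotiations: TLS+NLA offered, then TLS only."""
    first = results["nla_or_tls"]
    if first["kind"] == "legacy":
        return "RDP listener, Standard RDP Security only (no TLS, no NLA)"
    if first["kind"] == "failure":
        return "RDP listener, negotiation refused (failure code %d)" % first["failure_code"]
    if first["protocol"] & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
        tls_only = results["tls_only"]
        if tls_only["kind"] == "failure" and tls_only["failure_code"] == HYBRID_REQUIRED_BY_SERVER:
            return "RDP listener, NLA required"
        # The server accepted a plain TLS connection, so its logon screen
        # is reachable before any credential is checked.
        return "RDP listener, NLA supported but not required"
    if first["protocol"] & PROTOCOL_SSL:
        return "RDP listener, TLS without NLA"
    return "RDP listener, Standard RDP Security selected"


def probe(host, port=3389, timeout=5.0):
    """Run both negotiations against a live host; None if it does not speak RDP."""
    results = {}
    for label, requested in (("nla_or_tls", PROTOCOL_SSL | PROTOCOL_HYBRID),
                             ("tls_only", PROTOCOL_SSL)):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_connection_request(requested))
                # A Connection Confirm is 11 or 19 bytes, so one recv suffices here.
                results[label] = parse_connection_confirm(sock.recv(1024))
        except (OSError, ValueError):
            return None
    return results


# Constructed sample replies (not captured from any real host) so the
# example runs offline: X.224 CC carrying an RDP_NEG_RSP or RDP_NEG_FAILURE.
SAMPLE_SELECTS_NLA = bytes.fromhex("030000130ed00000123400021f080002000000")
SAMPLE_SELECTS_TLS = bytes.fromhex("030000130ed00000123400021f080001000000")
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python rdp_probe.py 203.0.113.10 3389
        live = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3389)
        print(assess(live) if live else "no RDP listener")
    else:
        hardened = {"nla_or_tls": parse_connection_confirm(SAMPLE_SELECTS_NLA),
                    "tls_only": parse_connection_confirm(SAMPLE_NLA_REQUIRED)}
        weak = {"nla_or_tls": parse_connection_confirm(SAMPLE_SELECTS_NLA),
                "tls_only": parse_connection_confirm(SAMPLE_SELECTS_TLS)}
        print(assess(hardened))  # RDP listener, NLA required
        print(assess(weak))      # RDP listener, NLA supported but not required
```

Run it with no arguments to see the two constructed outcomes; run it with a host and port to test a real address after a firewall change (the correct result for an internet-facing address is "no RDP listener"). Because probe() takes any port, it also demonstrates why relabeling the listener as 3390 or 33890 hides nothing: the handshake identifies RDP wherever it answers. A live result of "NLA supported but not required" or "TLS without NLA" means the Windows logon screen itself is exposed to the internet and should be treated as urgent.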
Securing RDWeb and RDGateway
RDWeb (Remote Desktop Web Access) and RDGateway (Remote Desktop Gateway) are Remote Desktop Services roles that front RDP with HTTPS. RDWeb provides a web portal where users see their published desktops and RemoteApp programs, usable from a browser on desktop or mobile devices. RDGateway acts as an authenticating reverse proxy: it validates the user, then tunnels the RDP session over HTTPS (TCP 443, plus UDP 3391 for the UDP transport) to internal Remote Desktop Session Host (RDSH) servers or virtual desktop infrastructure (VDI) environments.
Coalition has observed threat actors baiting users into handing over access to RDWeb and RDGateway through credential harvesting and session hijacking. Phishing is only one route in, however; an attacker has many other options for compromising either service.
RDWeb and RDGateway enforce their controls only after a user has authenticated, so they cannot protect against pre-authentication vulnerabilities in the services themselves. Given how critical both are and the damage an attacker can do by compromising either, we highly recommend adding another layer that keeps them off the public internet. Ideally, RDWeb and RDGateway should sit behind a ZTNA or SASE solution that provides identity-centric access for end users.
Take Control of your cyber risk today
IT professionals often understand the technology associated with RDP, and likely follow the vendor recommendations for setup. They may be surprised that Coalition typically requires RDP and its related services to be removed from the public internet before binding or renewing a policy.
Understandably, some organizations will have legitimate business needs to provide remote access and will have questions about Coalition's RDP findings. When in doubt, brokers and policyholders can schedule a call with Coalition's Security Support Center for assistance.
Coalition Control™, our cyber risk management platform, allows organizations to detect, assess, and mitigate cyber risks. Coalition routinely scans for RDP, RDWeb, and RDGateway to allow businesses to remove these services from the internet before a threat actor discovers them.
Full access to Control is available to all Coalition policyholders, and there are also access tiers available for any business. Coalition policyholders that use Control have the ability to scan up to five domains for free every month. They can also monitor trusted vendors or suppliers for third-party risks.