HTML5: An option for secure RDP

V2 Cloud
Apr 2, 2018


It is a fact that an RDP connection is not secure enough to be exposed over the Internet. Exposing RDP to direct connections is very risky. This type of setup not only gives potential remote attackers the opportunity to guess your login credentials but also exposes any remotely exploitable vulnerability in Microsoft’s RDP implementation.

There are a lot of recommendations that can help you reduce the risks associated with using RDP, but none of them guarantees a complete reduction of the risks to zero.

Nowadays, cyber attackers are becoming more and more innovative and creative in their attack styles. Hence, it will remain risky and dangerous to expose RDP to the Internet in an insecure manner.

The only guaranteed way to be completely bulletproof against these attacks is to remain “closed”, i.e. using RDP inside an internal network where all the users are trusted and well authenticated.

But here is a little twist to it.

How do you stay closed when you need to give access to users outside your network? For instance, when your remote employees need access to their work computers.

There are different ways to approach this:

  1. Recommend a secure VPN for all remote connections.
  2. Use an encrypted client application, such as our V2Client, that encrypts all the RDP connections through a secure SSH tunnel.

Although these options are secure, allowing you to remain relatively “closed” and reducing the risks to almost zero, they are not that simple to set up (unless you are using V2 Cloud’s encrypted client application, which is turnkey software). By installing this piece of software on your machine, you can securely connect to and access the resources hosted on your server. This type of solution is applicable in cases where employees work remotely and are always on the go (from an internet café, hotel lobby, coffee shop or other public place).

The ideal solution, however, would be to allow the users secure access to a “closed” server from any computer/device, without the need to install any application or use any kind of VPN solution.

This is where HTML5 browsers come in to save the day. By using an HTML5 RDP WebConnect such as the one offered by V2 Cloud, users can access and work with applications and desktops directly from their web browsers. This solution eliminates the need to install any software on the user’s device.

By simply authenticating with a username and password, any employee with internet access can enter their virtual workspace and instantly access their applications directly from any web browser.

However, the real question remains: Is it secure enough? The answer is Yes!

OK let’s speak “Geek” a little….

In fact, the actual RDP connection is done internally (in an internal network) between the server and a WebConnect broker. The server can be configured to expose its RDP port only to the internal IP of the broker/gateway. This way, the actual RDP data stay in the internal network between the server and the broker. The broker encodes and sends the display data through an encrypted WebSocket to the browser where it is interpreted and drawn on the user’s screen with Canvas. The browser acts only as a viewer like an interactive video player with mouse and keyboard inputs. This is completely secure.
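The rule described above (the server exposes its RDP port only to the broker's internal IP) can be checked mechanically. The following is an added example, not V2 Cloud's code: it scans a firewall rule list and names every enabled inbound allow rule that lets anything other than the broker reach port 3389. The broker address `10.0.0.5`, the rule field names and the sample rules are constructed assumptions.

```python
import ipaddress

BROKER_IP = "10.0.0.5"   # assumption: placeholder internal address of the broker
RDP_PORT = 3389          # default RDP port

def port_matches(spec, port=RDP_PORT):
    """True if a port entry ('Any', '3389', '3000-4000') covers the RDP port."""
    lo, _, hi = str(spec).strip().partition("-")
    try:
        return lo.lower() == "any" or int(lo) <= port <= int(hi or lo)
    except ValueError:       # keyword entries such as 'RPC' never name 3389
        return False

def broker_only(remotes, broker=BROKER_IP):
    """True only if every remote-address entry is exactly the broker's single IP."""
    for entry in remotes:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:   # 'Any', 'LocalSubnet', 'a-b' ranges: broader than one host
            return False
        if net.num_addresses != 1 or net.network_address != ipaddress.ip_address(broker):
            return False
    return bool(remotes)     # an empty scope is treated as unrestricted

def audit_rdp_rules(rules, broker=BROKER_IP):
    """Names of enabled inbound allow rules that expose RDP to more than the broker."""
    findings = []
    for r in rules:
        if (r["enabled"] and r["direction"] == "Inbound" and r["action"] == "Allow"
                and r["protocol"] in ("TCP", "UDP", "Any")
                and any(port_matches(p) for p in r["ports"])
                and not broker_only(r["remotes"], broker)):
            findings.append(r["name"])
    return findings

def rule(name, ports, remotes, enabled=True, protocol="TCP"):
    return {"name": name, "enabled": enabled, "direction": "Inbound", "action": "Allow",
            "protocol": protocol, "ports": ports, "remotes": remotes}

# Constructed sample rule set; the field names are this example's own.
SAMPLE_RULES = [
    rule("rdp-from-broker", ["3389"], ["10.0.0.5"]),
    rule("rdp-open", ["3389"], ["Any"]),
    rule("rdp-whole-subnet", ["3389"], ["10.0.0.0/24"]),
    rule("mgmt-range", ["3000-4000"], ["10.0.0.5", "192.168.1.10"]),
    rule("rdp-old", ["3389"], ["Any"], enabled=False),
    rule("https", ["443"], ["Any"]),
]

print(audit_rdp_rules(SAMPLE_RULES))
```

A port range that happens to include 3389, or a scope that lists the broker alongside another host, is reported just like a rule open to any address; an empty result means no active rule lets anything but the broker reach RDP.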

Bla bla bla and back to English Language….

In summary, there are a bunch of recommendations on the Internet to help you reduce the risks of exposing RDP to the Internet, but due to the complexity of RDP implementation and security, it is almost impossible to guarantee full protection. The best solution remains to stay “closed” inside a secure network, controlling all remote connections using either heavy technologies such as VPN tunnels and SSH tunnels, or simply V2 Cloud WebConnect.

Let us know what you think is the best way to secure RDP.
