We’ve been at the “everyone working remote” thing for months now, and still there are horror stories of people being attacked via Remote Desktop Protocol (RDP). Early on, it was understandable if not acceptable—but we’re not early on any more.
During the rush of doing whatever it took to help people work from home, exposed RDP was just one of many stories we heard from systems operators, helpdesk and systems admins. Stories of people carrying desktops home, or thinking that tethering to their phone was a “good enough” internet solution predominated. But those issues are clearing up, and they’re specific to a company or a subset of employees. RDP seems to be more persistent.
According to Shodan (article last updated end of March 2020), RDP use has spiked, and unprotected RDP use has spiked with it. Security by obscurity (exposing RDP on a non-standard port) has also gone up, and it is not effective against a determined attacker. If your goal is to be secure, history has shown again and again that obscurity alone does not work.
Gil Rapaport wrote a great article about this over on our sister site, Security Boulevard. The only thing I would add is to put it on a Virtual Private Network (VPN) or RD Gateway with 2FA, if you can. Some organizations still don’t have access to VPN services, but if you do, and RDP isn’t running through them, get to cracking.
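A quick way to see where a Windows host stands on the points above (an added example, not code from the original article or the one it links to): the PowerShell below reads the registry values that control Remote Desktop and the inbound firewall rules in the built-in "Remote Desktop" group, then flags a listener that skips Network Level Authentication or that accepts connections from any remote address instead of only the VPN range. The VPN subnet 10.8.0.0/24 is an assumed placeholder.

```powershell
# Added example, not from the original article: audit this host's RDP exposure.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated prompt.
# $VpnSubnet is a placeholder for whatever range your VPN actually hands out.
$VpnSubnet = '10.8.0.0/24'

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'

# fDenyTSConnections = 0 means Remote Desktop is turned on.
$rdpEnabled  = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication = 1 means Network Level Authentication is required before a session exists.
$nlaRequired = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
# A non-default PortNumber is the "obscurity" the article warns about: worth noting, not a control.
$port        = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

$findings = @()
if (-not $rdpEnabled) {
    Write-Output 'RDP is disabled on this host; nothing to expose.'
    return
}
if (-not $nlaRequired) { $findings += 'NLA is not required: unauthenticated clients reach the logon screen.' }
if ($port -ne 3389)    { $findings += "RDP listens on non-standard port $port; this hides nothing from a port scan." }

# The enabled inbound allow rules in the built-in group decide who can reach the listener at all.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -Action Allow
foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Rule '$($rule.DisplayName)' allows RDP from Any remote address; scope it to $VpnSubnet."
    } elseif ($remote -notcontains $VpnSubnet) {
        $findings += "Rule '$($rule.DisplayName)' allows RDP from $($remote -join ', '); confirm that is only the VPN."
    }
}

if ($findings.Count -eq 0) {
    Write-Output "RDP on port $port requires NLA and is reachable only from $VpnSubnet."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated prompt on the host, or wrap it in Invoke-Command to sweep a list of servers and collect the FINDING lines centrally.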
Some areas of the world are coming out of lockdown, but the amount of remote work will not drop to the levels it once was. Not soon, probably not ever. The only thing that was holding up remote work for a wide selection of office jobs was the belief that present was better. Some organizations, via forced remote, have learned that the work can indeed be done by people not warming a seat at HQ.
So don’t put it off. Make certain you are protected. Sleep soundly at night, knowing that the easiest vector attackers have right now is closed off for your organization. And keep kicking remote rear. Systems are still running, even with the wild changes that came suddenly, and that’s all you, whether your organization recognizes you or not.