Securing Microsoft Remote Desktop Protocol (RDP) in Schools

A guide to using Remote Desktop Protocol (RDP) more securely in schools.

What is RDP?

RDP is a mechanism developed by Microsoft to allow a user to access the ‘desktop’ of another computer over a network.

Microsoft Windows desktop operating systems include a built-in ‘native’ client for this, and Windows Server operating systems include a built-in RDP server.

Usually this access takes place over an internet connection, where the user might be at home and is accessing the desktop of another computer or server inside the school. The user’s device (a laptop, for example) essentially becomes a remote screen, keyboard and mouse controlling the device inside the school.

Is RDP Secure?

RDP does support strong encryption, and by default RDP sessions use encryption.

However, there have been numerous exploits demonstrating vulnerabilities in the encryption method, so additional security controls are important.

Some examples of RDP vulnerabilities that have been exploited include:

Remote Code Execution vulnerability (CVE-2019-0708): also known as BlueKeep (and likened to EternalBlue), this vulnerability does not require user authentication or interaction to run, and allows an attacker to execute remote code.
CredSSP (Credential Security Support Provider) vulnerability (CVE-2018-0886): this vulnerability affected all versions of Windows, and allowed an attacker to exploit CredSSP (which is central to RDP authentication using Kerberos or TLS) to execute remote commands.

Compromised RDP sessions have also been used to cause further security incidents, such as spreading ransomware.

RDP Security Steps

If you need to continue to use RDP, or are considering using it, here are eight key security steps you can take.

1	Update software	Things to check: One of the most common pieces of security advice is entirely applicable to RDP: keep software updated. The Microsoft patch cycle can benefit schools using RDP by updating components as part of the Microsoft Updates process (as opposed to third-party software that may require separate updating). The key is to ensure updates are installed regularly. We'd recommend running Windows Update as often as possible - a weekly check process is a good idea.
2	Check password strength	Things to check: Use of ‘strong and long’ passwords will help to ensure that brute-force attacks are more difficult for attackers. SWGfL password guidance can be found here. Schools should consider setting the ‘Password must meet complexity requirements’ within Group Policy for RDP users.
3	Use Network Level Authentication (NLA)	Things to check: NLA requires the connecting user to authenticate before an RDP session is completed with the receiving computer (e.g. server), whereas without NLA the login screen is presented, increasing the attack surface for 'denial of service' and 'brute-force' attacks. NLA should be enabled by default on Windows 8 and newer desktop operating systems, and Windows Server 2012 and newer server operating systems. Schools should consider checking the ‘Require user authentication for remote connections by using Network Level Authentication’ Group Policy setting.
4	Enable RDP on an ‘as-needed’ basis	Things to check: By limiting the number of users that can access computers via RDP the school can reduce the likelihood of exploitation. By default RDP is enabled for users in the ‘Administrators’ group, however if an alternative remote system administration tool is used, Administrator RDP access should be removed. Schools should consider setting the ‘Allow log on through Remote Desktop Services’ within Group Policy for RDP users, and adding only required users to the ‘Remote Desktop Users’ group.
5	Set account lockout	Things to check: By setting account lockout, a user account will be locked automatically after a certain number of incorrect password attempts have been made. This will help to ensure that brute-force attacks are more difficult for attackers. Schools should consider setting the ‘Account Lockout Policy’ within Group Policy for RDP users.
6	Implement multi factor authentication (MFA)	Things to check: Multi factor authentication involves adding at least one more authentication factor to the normal ‘username and password’ (being ‘something you know’), where the additional factors are either 'something you have' (like a 'one-time-password' sent in an SMS message) or 'something you are' (like a fingerprint). Adding multi factor authentication typically involves the use of a third party service, so this step may require more planning.
7	Configure RDP to use TLS for authentication	Things to check: Implementing TLS can help to reduce the risk of 'man-in-the-middle' attacks. TLS support is enabled by default in Windows Server 2012 and newer server operating systems. Though support was added for Windows Server 2008 R2 (see here), schools should no longer be using this version (see here). To complete TLS implementation, a school will need to obtain a certificate from a Certificate Authority. SWGfL can provide SSL/TLS certificates for schools from Certifcate Authority QuoVadis via Jisc.
8	Implement a robust data backup plan	Things to check: Another common piece of security advice, and like ‘update software’ this too is entirely applicable to RDP: make sure all important data is backed up. If the security steps above fail, one of the most important elements in recovering from whatever disaster occurs is a reliable backup that can be used to efficiently restore data. The SWGfL backup guidance will help you establish a good backup procedure.

Your technical support team should be able to assist with these steps. If you’d like some more information or advice, visit our Security area.

Glossary

Authentication	is a means of verifying that a person is who they claim to be.
Authentication factor	is a category of authentication, where categories include ‘something you know’ (e.g. a password); ‘something you have’ (e.g. a smartcard); or ‘something you are’ (e.g. a fingerprint).
Brute-force attack	involves an attacker attempting many passwords with the intention of eventually finding the correct one.
Denial of service attack	or DoS attack is a type of attack in which the attacker overloads a system to disrupt normal operation.
Exploit	occurs when a vulnerability is taken advantage of by an attacker.
Group Policy	is a set of controls within Windows Server operating systems allowing administrators to define what users can and cannot do.
Man-in-the-Middle attack	or MitM attack occurs when an attacker is positioned between one computer and another, secretly intercepting (and possibly altering) the communications between them whilst they believe they are communicating directly with each other.
Ransomware	Ransomware is a form of malware that enables criminals to encrypt or lock data or devices remotely and demand payment (the “ransom”) for their release. More information can be found here.
Security control	is a counter-measure (or safeguard) put in place to mitigate the likelihood that a threat agent will exploit a vulnerability.
Strong encryption	is an encryption method using a very large cryptographic key. Larger keys take longer to break. 256 bit encryption is considered strong encryption.
Threat agent	is a person (or a process) that exploits a vulnerability. Examples include employees not following procedure, or a hacker.
TLS	or Transport Layer Security is a communication protocol allowing communication between a client (e.g. a web browser) and a server (e.g. a web server) to be secured.
Vulnerability	is a weakness that allows a threat to compromise it. Examples include a wireless access point with no security, firewall ports open, or no door locks.