Securing Microsoft Remote Desktop Protocol (RDP) in Schools
A guide to using Remote Desktop Protocol (RDP) more securely in schools.
What is RDP?
RDP is a mechanism developed by Microsoft to allow a user to access the ‘desktop’ of another computer over a network.
Microsoft Windows desktop operating systems include a built-in ‘native’ client for this, and Windows Server operating systems include a built-in RDP server.
Usually this access takes place over an internet connection, where the user might be at home and is accessing the desktop of another computer or server inside the school. The user’s device (a laptop, for example) essentially becomes a remote screen, keyboard and mouse controlling the device inside the school.
Is RDP Secure?
RDP does support strong encryption, and by default RDP sessions use encryption.
However, there have been numerous exploits demonstrating vulnerabilities in the encryption method, so additional security controls are important. Some examples include:
- Remote Code Execution vulnerability (CVE-2019-0708): also known as BlueKeep (and likened to EternalBlue), this vulnerability does not require user authentication or interaction to run, and allows an attacker to execute remote code.
- CredSSP (Credential Security Support Provider) vulnerability (CVE-2018-0886): this vulnerability affected all versions of Windows, and allowed an attacker to exploit CredSSP (which is central to RDP authentication using Kerberos or TLS) to execute remote commands.
Compromised RDP sessions have also been used to cause further security incidents, such as spreading ransomware.
RDP Security Steps
If you need to continue to use RDP, or are considering using it, here are eight key security steps you can take.
One of the most common pieces of security advice is entirely applicable to RDP: keep software updated.
The Microsoft patch cycle can benefit schools using RDP by updating components as part of the Microsoft Updates process (as opposed to third-party software that may require separate updating).
The key is to ensure updates are installed regularly.
Check password strength
Use of ‘strong and long’ passwords will help to ensure that brute-force attacks are more difficult for attackers. SWGfL password guidance can be found here.
Schools should consider setting the ‘Password must meet complexity requirements’ within Group Policy for RDP users.
Use Network Level Authentication (NLA)
NLA requires the connecting user to authenticate before an RDP session is completed with the receiving computer (e.g. server), whereas without NLA the login screen is presented, increasing the attack surface for 'denial of service' and 'brute-force' attacks.
NLA should be enabled by default on Windows 8 and newer desktop operating systems, and Windows Server 2012 and newer server operating systems.
Schools should consider checking the ‘Require user authentication for remote connections by using Network Level Authentication’ Group Policy setting.
Enable RDP on an ‘as-needed’ basis
By limiting the number of users that can access computers via RDP the school can reduce the likelihood of exploitation.
By default RDP is enabled for users in the ‘Administrators’ group, however if an alternative remote system administration tool is used, Administrator RDP access should be removed.
Schools should consider setting the ‘Allow log on through Remote Desktop Services’ within Group Policy for RDP users, and adding only required users to the ‘Remote Desktop Users’ group.
Set account lockout
By setting account lockout, a user account will be locked automatically after a certain number of incorrect password attempts have been made. This will help to ensure that brute-force attacks are more difficult for attackers.
Schools should consider setting the ‘Account Lockout Policy’ within Group Policy for RDP users.
Implement multi factor authentication (MFA)
Multi factor authentication involves adding at least one more authentication factor to the normal ‘username and password’ (being ‘something you know’), where the additional factors are either 'something you have' (like a 'one-time-password' sent in an SMS message) or 'something you are' (like a fingerprint).
Adding multi factor authentication typically involves the use of a third party service.
Configure RDP to use TLS for authentication
Implementing TLS can help to reduce the risk of 'man-in-the-middle' attacks.
TLS is enabled by default in Windows Server 2012 and newer server operating systems, and support was added for Windows Server 2008 R2 (see here), though schools should be making plans to migrate away from this version (see here).
To do this, a school will need to obtain a certificate from a Certificate Authority. SWGfL can provide SSL/TLS certificates for schools from Certifcate Authority QuoVadis via Jisc. More information can be found here.
Implement a robust data backup plan
Another common piece of security advice, and like ‘update software’ this too is entirely applicable to RDP: make sure all important data is backed up.
If the security steps above fail, one of the most important elements in recovering from whatever disaster occurs is a reliable backup that can be used to efficiently restore data.
SWGfL backup guidance can be found here.
Your technical support team should be able to assist with these steps. If you’d like some more information or advice, get visit our Security area.
is a means of verifying that a person is who they claim to be.
is a category of authentication, where categories include ‘something you know’ (e.g. a password); ‘something you have’ (e.g. a smartcard); or ‘something you are’ (e.g. a fingerprint).
involves an attacker attempting many passwords with the intention of eventually finding the correct one.
Denial of service attack
or DoS attack is a type of attack in which the attacker overloads a system to disrupt normal operation.
occurs when a vulnerability is taken advantage of by an attacker.
is a set of controls within Windows Server operating systems allowing administrators to define what users can and cannot do.
or MitM attack occurs when an attacker is positioned between one computer and another, secretly intercepting (and possibly altering) the communications between them whilst they believe they are communicating directly with each other.
Ransomware is a form of malware that enables criminals to encrypt or lock data or devices remotely and demand payment (the “ransom”) for their release. More information can be found here.
is a counter-measure (or safeguard) put in place to mitigate the likelihood that a threat agent will exploit a vulnerability.
is an encryption method using a very large cryptographic key. Larger keys take longer to break. 256 bit encryption is considered strong encryption.
is a person (or a process) that exploits a vulnerability. Examples include employees not following procedure, or a hacker.
or Transport Layer Security is a communication protocol allowing communication between a client (e.g. a web browser) and a server (e.g. a web server) to be secured.
is a weakness that allows a threat to compromise it. Examples include a wireless access point with no security, firewall ports open, or no door locks.