A Wide Open RDP Port Is A Hacker’s Best Friend

Is there really any reason to bust down the back door when the front door has been left wide open?

That’s what hackers muse about when taking advantage of the hundreds of thousands of Remote Desktop Protocol (RDP) machines that are sitting on the Internet, just waiting to be taken over.

What is RDP, and why are we seeing an uptick in cyber insurance claims related to RDP breaches? These answers and more follow.

What Is RDP?

Remote Desktop Protocol is a way to connect to other computers remotely. Though there are versions for many different operating systems, it is commonly used in Windows as an alternative to text-based connection methods.

When the correct username and password are entered, a remote computer can take control of certain desktop functions. Depending on the permissions of the RDP-enabled account, the remote user could be able to observe the screen, move the mouse cursor, execute apps, or even install new programs.

By default, RDP listens on TCP port 3389, but the administrator of the machine can change this as desired.

What Makes an RDP Port Vulnerable?

Generally speaking, it isn’t the protocol itself that presents a weakness. When everything is properly configured, and all of the assigned users have appropriately strong passwords, there’s no problem.

The issue mainly comes from weak and predictable passwords on a service that is perpetually running.

The weak password component comes from a lack of proper configuration and the use of company-wide passwords. Local machine passwords (or RDP-specific passwords on some operating systems) need to be just as strong as typical network passwords. That means either long phrases with spaces and punctuation, or non-dictionary mixed-case passwords with numbers and special characters, at least 12 characters long.

The ‘perpetually running’ component is because tons of third party services use RDP for their support and maintenance. This can lead to issues if the accounts that these services establish have weak or universal passwords. Bad actors within the support team of large companies might also be a vulnerability risk, particularly if client RDP passwords aren’t changed frequently.

How Do Hackers Find and Abuse Open RDP Ports?

Finding machines with active RDP ports can be achieved in a few different ways. Services like Shodan can be used to detect RDP running on both standard and nonstandard ports. They can also be used to find IoT devices that are running specific services and protocols, opening up an entirely different attack vector.

Insider knowledge of corporate policy and tools is an easy way to gain information about which support systems are running RDP. Oftentimes, servers and IoT devices that are used as industrial control tools have RDP running for years without ever changing a single password.

Once an open RDP port is found, gaining access is a matter of leveraging inside information, or making use of publicly available crack lists. As one can see on sites like Have I Been Pwned, all it takes is a single shared password between a third party account and a user on the RDP-enabled system.

Finally, common pentesting tools are available for free if the hacker wants to do a little hard work.

An Open RDP Port is a Potential Cyber Insurance Claim

What cyber insurance brokers need to know is that systems with open RDP ports need to be treated as potential vulnerabilities if they aren’t properly monitored, maintained, and addressed within the firewall rules.

When giving clients best practices advice (or when doing underwriting), machines running RDP need to be treated as small business servers rather than simple desktop machines. They’re quite literally hosting a service that can be logged into remotely by multiple users of different permission levels.

That means strict password policies must be adhered to, including a failed-attempt limit, minimum length and/or complexity requirements, and third party compliance with said policies. It also means strict update and version control, and spot pen testing from time to time. Otherwise these are machines that can essentially be taken over remotely with a single misconfiguration.
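The monitoring and failed-attempt limit mentioned above only help if someone is actually looking at the failures. The following added example (not code from the article or from OSR) flags sources that hammer an RDP listener with bad passwords, using an assumed tab-separated export of Windows Security log events (timestamp, event id, logon type, target user, source IP); the sample records are constructed.

```python
# Added example (not from the article): flag RDP password-guessing in an export
# of Windows Security log failures. Assumed input format: one tab-separated
# line per event: timestamp, event id, logon type, target user, source IP.
# Event 4625 = failed logon; logon type 10 = RemoteInteractive, i.e. RDP.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, not real log data.
SAMPLE_LOG = """\
2024-03-01T08:00:01\t4625\t10\tadministrator\t198.51.100.23
2024-03-01T08:00:03\t4625\t10\tadmin\t198.51.100.23
2024-03-01T08:00:05\t4625\t10\tsupport\t198.51.100.23
2024-03-01T08:00:07\t4625\t10\tbackup\t198.51.100.23
2024-03-01T08:00:09\t4625\t10\tvendor\t198.51.100.23
2024-03-01T08:15:00\t4625\t10\tjsmith\t192.0.2.10
2024-03-01T08:15:40\t4624\t10\tjsmith\t192.0.2.10
2024-03-01T09:00:00\t4625\t2\tjsmith\t-
"""

def parse_events(text):
    """Yield (timestamp, event_id, logon_type, user, source_ip) per line."""
    for line in text.splitlines():
        if line.strip():
            ts, eid, ltype, user, src = line.split("\t")
            yield datetime.fromisoformat(ts), int(eid), int(ltype), user, src

def rdp_bruteforce_sources(text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (failures, distinct_users)} for sources that produce
    at least `threshold` RDP logon failures inside any `window`-long span.
    Console (type 2) and network (type 3) failures are ignored, so a user
    mistyping at the keyboard does not trip the rule."""
    failures, users = defaultdict(list), defaultdict(set)
    for ts, eid, ltype, user, src in parse_events(text):
        if eid == 4625 and ltype == 10:
            failures[src].append(ts)
            users[src].add(user)
    offenders = {}
    for src, stamps in failures.items():
        stamps.sort()
        start = 0                      # sliding window over sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[src] = (len(stamps), len(users[src]))
                break                  # one hit per source is enough
    return offenders

if __name__ == "__main__":
    print(rdp_bruteforce_sources(SAMPLE_LOG))  # {'198.51.100.23': (5, 5)}
```

A high distinct-user count from one source is the tell-tale of list-based guessing; a single user failing repeatedly is more often a forgotten password and is what the lockout threshold already handles.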

As far as configuring other network appliances around the existence of RDP machines, Berkeley has a good primer that they use in-house to set sane policies for a locked-down implementation.

Of course, if the machines need to be accessed by third party vendors, a vastly different technique must be undertaken. Some specific firewall rules need to be implemented that limit RDP access to the networks of trusted support partners only. Frankly, without a look at who has access to the RDP login credentials within the third party organisation, there’s always more risk at play than a surface glance would unveil.

Two Factor and Multi Factor Authentication for RDP

Ultimately, one of the best protections for companies using RDP is two-factor authentication (2FA) or multi-factor authentication (MFA). That way a stolen password isn’t enough: the hacker also needs access to the victim’s phone or another authentication device or service that should be under the control of the user.

An example of this is found within the Windows Network Policy Server configuration. A detailed guide can be found on the Microsoft website.

Multiple Linux implementations also have ways to secure RDP using MFA. For example, the Suse Linux Guide to 2FA for RDP explains how the service can be integrated with Google Authenticator. Similar guides are available for over a dozen operating systems.

How Can Optimum Speciality Risks Help When Insuring a Cyber Security Client?

Brokers can take advantage of OSR’s cyber insurance experience in a couple of different ways: by making use of broker training and by providing clients with access to a risk management suite.

Aspects of successfully analysing the dangers of a client’s RDP implementation are covered in OSR’s broker training for assessing cyber risk. By treating the normally client oriented machines more like small servers, a broker will have the right mindset to assess the kind of coverage a client needs.

OSR’s client training programs will help end users to realise that open RDP ports mean more responsibility is required. It will also help the client’s internal IT department or external IT support to understand the risks that they’re taking on when using remote desktops.

OSR’s risk management suite provides the tools that prepare clients for the increased security awareness that they must have when using RDP. Additionally, the breach defence portal provides essential client network monitoring, and access to phishing simulations that will test the client’s ability to resist social engineering.

Questions? Simply contact us and let us know how we can be of service.