Microsoft has warned of the risks associated with allowing remote access to desktop services while working from home, It said there has been an increase in the number of systems accessible via the traditional Remote Desktop Protocol (RDP) port and a well-known “alternative” port used for RDP.

Although Remote Desktop Services (RDS) can be a fast way to enable remote access for employees, there are a number of security challenges that need to be considered said James Ringold, Enterprise Security Advisor for Microsoft’s Cybersecurity Solutions Group:

“Attackers continue to target the RDP and service, putting corporate networks, systems, and data at risk (e.g., cybercriminals could exploit the protocol to establish a foothold on the network, install ransomware on systems, or take other malicious actions).”

The rapid outbreak of COVID-19 and the resulting lockdowns meant many businesses were unable to prepare for the demands remote working would place on IT teams and technical resources. Ringold said that companies that were forced to quickly find means of allowing employees to access work networks may have relied on the default RDP, potentially leaving corporate networks and applications vulnerable.

Research from IoT search engine Shodan suggests that this has resulted in an increase in the number of systems accessible via both the standard RDP as well as the ‘alternate’ 3388 port in March, both of which can be exploited fairly easily by hackers if exposed. The risk is even higher when providing administrators with access to on-premises systems, owing to the fact they have much higher access privileges that can go to network and operating system-level.

According to Microsoft, various considerations should be made when offering remote desktop access to employees, including reviewing firewall policies to access whether any systems are directly exposed to public internet; controlling and logging remote access by employees; implementing multi-factor authentication and assessing whether a it would be possible for a hacker to move laterally through a corporate network once they gained access.

Ultimately, considerations for remote access should be weighed against businesses’ own cybersecurity resilience and risk appetite:

“Leveraging remote desktop services offers great flexibility by enabling remote workers to have an experience like that of working in the office, while offering some separation from threats on the endpoints. At the same time, those benefits should be weighed against the potential threats to the corporate infrastructure. Regardless of the remote access implementation your organization uses, it is imperative that you implement best practices around protecting identities and minimizing attack surface to ensure new risks are not introduced.”

Comparing Microsoft’s free RDP access (with the correct port forwarding and possible VPN access configured in a business’s public facing router) to a paid remote access service (RemotePC. TeamViewer, GoToMyPC, etc) exemplifies the superiority, both in security and services, of a paid service.

While RDP allows for remote printing and desktop use (including drag and drop), many more features are available through a paid service – chat, multi-to-multi monitor, screen collaboration, session recording, remote sound, and platform independence (RDP is available only for Windows operating systems, while a paid service can utilize Mac, Linux, and in some cases IOS). Both options are encrypted, though a paid service utilizes a higher level of encryption and is available without firewall configuration.

Recommendation:

Frankenstein Computers and Networking recommends a paid service for security, functionality, and ease of use. Our current favorite is RemotePC – we are also available and practiced in assisting with installation and setup.

Adapted in part from an article on techrepublic.com

Frankenstein Computers has been taking care of our happy clients since 1999. We specialize in IT Support,
IT Service, MAC repair, PC Repair, Virus Removal, and much more. Give us a call for remote support or drop in to drop off.