
IS Decisions Blog

Remote Desktop Protocol (RDP): Secure RDP with UserLock MFA and access controls

Remote Desktop Protocol (RDP) offers a lot of convenience, but comes with a hefty side of risk. Learn how to secure RDP access with UserLock MFA and access controls.

Published May 31, 2024

Remote Desktop Protocol (RDP) was invented in the 1990s by Microsoft as a way for Windows administrators to graphically control and administer remote PCs without needing to visit them in person. Learn how to secure RDP with UserLock MFA and access controls.

What is RDP?

As Windows-based local area networks (LANs) have spread throughout the business world, having the ability to remotely connect to or manage a PC on another floor or a distant building has become essential.

RDP’s importance for remote admin has grown for several reasons. Initially, it was the dominance of the Windows platform. Then, in the early 2000s came the arrival of the Internet and broadband. Suddenly, a Windows computer could be controlled not only across a network but from anywhere in the world.

For a long time, RDP use was mostly dominated by administrators. Admins can connect to a remote PC or server using an RDP client and control its mouse and keyboard as if they were sitting in front of it.

But recently, the rapid rise in remote working is fueling more RDP (and VPN) use, since remote workers can use RDP to reach work resources from outside the office. RDP is also useful for bring-your-own-device (BYOD) workers, allowing them to connect to corporate files, resources, and software.

What are RDP vulnerabilities?

Unfortunately, as we explain below, the ability to remotely connect to a computer from anywhere in the world using RDP expands your attack surface and makes RDP a major security risk.

Today, all organizations using Windows will have RDP running somewhere on their network alongside other non-RDP remote access applications. However, this ubiquity, and the fact that remote access is easy to misconfigure or leave in an insecure state, has made it a prime target for hackers, who often leverage RDP for lateral movement.

An RDP endpoint can act as a client (the computer making the connection) or a server (the computer to which a connection is made). Either can be vulnerable to the other, although a “reverse” attack by a malicious server is by far the most damaging because it has the potential to infect every RDP client that connects to it.

In addition to unpatched security vulnerabilities in RDP software itself, these are the most important vulnerabilities in RDP:

  • Unrestricted port access: RDP connections may be left open to the Internet on a default port which hackers can easily find using automated tools. If RDP ports are left open to the Internet, or even exposed within a network in a way that provides a stepping stone for lateral movement, they become hugely risky.

  • Weak user sign-in credentials: RDP access is often secured using only weak Windows credentials, which are vulnerable to brute-force attacks or phishing.

  • Insecure RDP connections: RDP connections left in an insecure state tend to accumulate over time. Once forgotten, they become invisible entry points for attackers.

How common are RDP attacks?

Underlining RDP’s popularity for cybercriminals, a 2024 Sophos study estimates that RDP played a role in 90% of attacks against a sample of its customers. And where attackers successfully breached a network, 65% of the time the initial point of entry was an RDP connection.

How attackers exploit RDP connections

One of the most famous RDP vulnerabilities is “BlueKeep” (CVE-2019-0708) in older versions of Microsoft’s Remote Desktop Services (RDS), the software used to implement RDP in Windows. While researchers originally publicized the vulnerability, cybercriminals quickly began exploiting it in real attacks.

Another threat type that regularly targets RDP weaknesses is ransomware. So much so that some security experts dub RDP the “Ransomware Distribution Protocol.”

An example of this was an incident at medical company LabCorp in 2018 when the SamSam ransomware infected a reported 7,000 systems and 1,900 servers in the space of 50 minutes after a brute force attack on RDP credentials.

What are a few ways to secure RDP connections?

The answer is more and better security. Because passwords can be brute-forced or stolen, relying on strong passwords is not sufficient. Here are a few ways to secure RDP connections.

1. Lock down open ports

Avoid exposing RDP to the internet. If you must, make sure to change the default port and implement multi-factor authentication (MFA) for RDP access.
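Before relying on MFA, it helps to know exactly how each host exposes RDP. The following PowerShell audit is an added example, not UserLock's code or anything from the original post; it assumes an elevated PowerShell 5.1+ session on Windows 8/Server 2012 or later (where the NetSecurity cmdlets exist), and it reads the same registry values and firewall rules that the "lock down open ports" step above is about.

```powershell
# Added example (not UserLock's code): audit a Windows host's RDP exposure.
# Assumes PowerShell 5.1+ on Windows 8/Server 2012+ and an elevated session.
# Run it on each host before and after locking RDP down.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled, on which port, and is Network Level Authentication (NLA) required?
$rdpEnabled = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$port       = [int](Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
$nlaOn      = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

# 2. Is anything actually listening on that port right now?
$listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)

# 3. Which enabled inbound allow rules open that port, and from which remote addresses?
$openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }

# 4. Turn the raw facts into findings a defender can act on.
$findings = @()
if ($rdpEnabled -and -not $nlaOn) {
    $findings += 'NLA is disabled: unauthenticated clients reach the logon screen.'
}
if ($rdpEnabled -and $port -eq 3389) {
    $findings += 'RDP is still on the default port 3389 (trivial to find with scanners).'
}
foreach ($r in $openRules) {
    if ($r.RemoteAddress -eq 'Any') {
        $findings += "Firewall rule '$($r.Rule)' allows port $port from Any remote address (profile: $($r.Profile))."
    }
}
if (-not $rdpEnabled -and $listening) {
    $findings += "Port $port is listening although RDP is disabled in the registry; check what owns it."
}

# Summary object: pipe to Format-List, or collect across hosts with Invoke-Command.
[pscustomobject]@{
    RdpEnabled = $rdpEnabled
    Port       = $port
    NlaEnabled = $nlaOn
    Listening  = $listening
    OpenRules  = $openRules
    Findings   = $findings
}
```

The host-side view is only half the picture: a rule scoped to the Domain profile that allows "Any" is far less of a concern than the same rule on a Public-profile laptop, and a NAT forward on the edge firewall that publishes 3389 to the Internet is invisible from the host itself, so pair this audit with an external port check of your public address space.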

2. Enable MFA for RDP

While stronger password management helps to secure RDP connections, strong passwords alone are still too easy for hackers to steal or crack. It’s important to add an extra layer of security with two-factor authentication for RDP connections. Often a cyber insurance and compliance requirement, MFA is a best practice to protect the credentials of any type of vulnerable connection, including RDP.

Regardless of which MFA method you choose, implementing MFA makes life difficult for even the most determined attacker. At a stroke, the number one technique for unauthorized RDP access — stolen credentials — no longer works.

Implementing UserLock’s MFA for RDP adds this extra layer of security, greatly reducing the ability of attackers to exploit RDP connections using stolen or brute-forced passwords. UserLock does this while integrating with an organization’s existing on-premises Active Directory (AD). This means you don’t need to onboard any proxy software to integrate with AD or manage synchronizations, so you can get MFA up and running quickly.

MFA for RDP

With UserLock, admins have the option to offer two of the following MFA methods: push notifications, authentication apps, or hardware authentication devices. Tokens cannot be enrolled over RDP, but a token that has already been enrolled can be used for RDP logons.

This flexibility allows admins to adjust the MFA method according to the employees’ circumstances. For example, many of our clients give end users a security key or token, a very secure MFA method, for authentication to more vulnerable remote connection types like RDP.

It’s also important to prioritize the user experience and implement MFA only where needed so it doesn’t block employee productivity.

Thanks to the ability to apply MFA granularly and to authenticate the device, UserLock helps admins avoid MFA fatigue. With UserLock you can apply MFA granularly based on:

  • Existing AD structures: Apply MFA by user, group, or organizational unit (OU).

  • Contextual factors: Apply MFA on all remote sessions, or only on remote sessions that originate outside the network, for example.

  • Connection type: Apply MFA where you need it most, for example on the RDP connection or on the IIS session.

  • Frequency: Choose to apply MFA at every logon, on the first logon of the day, or every n days/hours/minutes.

3. Limit RDP access with contextual and role-based restrictions

But implementing MFA is only one part of the story. Access controls, which limit access before and after authentication occurs, are essential to avoid user fatigue and support compliance.

Access controls allow you to limit RDP access based on circumstances or user roles. 

UserLock lets admins implement access controls for RDP with:

  • Role-based access controls (RBAC): Limit access based on AD user, group, or OU.

  • Contextual factors: Deny or limit a user’s access to the network based on contextual factors like location, time, and session type. You can also restrict which machines a user may open RDP connections from.

  • Concurrent session limits: Limit how many RDP sessions a user may have open at the same time.

4. Monitor RDP sessions and block accounts with suspicious activity

Make sure you have clear visibility on how and when RDP is used across all devices in your environment. You’ll also want to be able to lock down RDP sessions in response to suspicious activity, even after users authenticate.

UserLock’s Windows session management helps you keep tabs on who is logging in, when, and on what connection type. Similarly, you can set up real-time alerts in UserLock, and admins can log off suspicious sessions directly from the UserLock console.

By logging access events, MFA events, and session history in a centralized, searchable audit, UserLock also helps you quickly spot and react to unusual access patterns or concurrent sessions.
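The two patterns this section calls out, brute-force bursts and unusual access patterns, can also be pulled straight from the Windows Security log. The script below is an added example written for this page, not UserLock's code or a UserLock feature; it assumes an elevated session on the RDP host (or on a collector that receives its forwarded events), that logon auditing is enabled, and it uses an assumed 24-hour window and a 20-failure threshold that you would tune to your environment. Logon type 10 (RemoteInteractive) is how Windows marks an RDP logon in events 4624 and 4625.

```powershell
# Added example (not UserLock's code): spot RDP brute force and suspicious follow-on
# logons from the Security event log. Assumes an elevated session with logon auditing
# enabled. Window and threshold below are assumptions to tune per environment.

$window    = (Get-Date).AddHours(-24)
$threshold = 20   # failed RDP logons from one source that we treat as a brute-force burst

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625      # 4624 = logon succeeded, 4625 = logon failed
    StartTime = $window
} -ErrorAction SilentlyContinue

# Flatten each event's EventData into an object, keeping only RDP (logon type 10) events.
$rdp = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['LogonType'] -ne '10') { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Success = ($e.Id -eq 4624)
        User    = $data['TargetUserName']
        Source  = $data['IpAddress']
    }
}

# Finding 1: sources with a burst of failures, and whether a later logon from them succeeded
# (a success right after a burst is the signature of a guessed or stuffed password).
$bursts = $rdp | Where-Object { -not $_.Success } | Group-Object Source |
    Where-Object { $_.Count -ge $threshold } | ForEach-Object {
        $src       = $_.Name
        $firstFail = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
        $later     = @($rdp | Where-Object { $_.Success -and $_.Source -eq $src -and $_.Time -gt $firstFail })
        [pscustomobject]@{
            Source         = $src
            FailedLogons   = $_.Count
            UsersTried     = @($_.Group.User | Sort-Object -Unique).Count
            SucceededAfter = ($later.Count -gt 0)
            SuccessUsers   = (@($later.User | Sort-Object -Unique) -join ',')
        }
    }

# Finding 2: accounts that logged in over RDP from more than one source address in the
# window, which can indicate shared credentials or a stolen password in use elsewhere.
$multiSource = $rdp | Where-Object { $_.Success } | Group-Object User |
    Where-Object { @($_.Group.Source | Sort-Object -Unique).Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            User    = $_.Name
            Sources = (@($_.Group.Source | Sort-Object -Unique) -join ',')
        }
    }

[pscustomobject]@{
    BruteForceSources = @($bursts)
    MultiSourceUsers  = @($multiSource)
}
```

One caveat worth knowing when you tune this: on hosts with NLA enabled, password failures rejected at the NLA stage are commonly recorded as logon type 3 (network) rather than type 10, so if the brute-force finding stays empty on an NLA host, widen the LogonType filter to include 3 and compare the counts.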

5. Audit and report on RDP activity

Because of the risk, most compliance standards require authentication and access control on remote connections, including RDP.

UserLock helps you meet and prove compliance with major regulations and standards thanks to straightforward, accurate auditing and Windows user logon and session reports on remote connections like RDP.

Secure RDP with UserLock

RDP vulnerabilities highlight the challenges organizations face in securing it. Compounding this is the huge expansion in RDP use as organizations now rely on mobile and remote working. This means that RDP is a necessary part of every admin’s toolkit, even though the risks are very real (and often underestimated).

With UserLock’s MFA and access controls, you can better secure RDP connections and significantly mitigate RDP risks.

