MS-ISAC Security Primer - Remote Desktop Protocol (2024)

Table of Contents
  • Overview
  • Recommendations
  • FAQs

Overview

Remote Desktop Protocol (RDP) is a Microsoft proprietary protocol that enables remote connections to other computers, typically over TCP port 3389. It gives a remote user an interactive session over an encrypted channel; how strong that encryption is depends on the security layer the two ends negotiate (TLS, with or without Network Level Authentication, or the legacy RC4-based RDP Security Layer). Network administrators use RDP to diagnose issues, log in to servers, and perform other remote actions. Remote users use RDP to log in to the organization’s network to access email and files.

Cyber threat actors (CTAs) use misconfigured RDP services that are exposed to the Internet to gain network access. Once in, they are positioned to move laterally through the network, escalate privileges, access and exfiltrate sensitive information, harvest credentials, or deploy a wide variety of malware. This popular attack vector lets CTAs keep a low profile, since they are using a legitimate network service that gives them the same functionality as any other remote user. CTAs use tools such as the Shodan search engine to find Internet-exposed RDP ports and then brute-force passwords to access vulnerable networks. Compromised RDP credentials are also widely available for sale on dark web marketplaces.

In 2018, the Multi-State Information Sharing and Analysis Center (MS-ISAC) observed an increase in ransomware variants that strategically target networks through unsecured RDP ports or by brute-forcing passwords. The ransomware is then manually deployed across the entire compromised network, and these intrusions are associated with higher ransom demands.

Recommendations:

  • Assess the need to have RDP, port 3389, open on systems and, if required:
    • place any system with an open RDP port behind a firewall and require users to connect through a VPN before they can reach it;
    • enforce strong passwords, multi-factor authentication, and account lockout policies to defend against brute-force attacks;
    • allow RDP connections only from specific trusted hosts (for example, by restricting the firewall rule for port 3389 to those source addresses);
    • restrict RDP logins to authorized non-administrator accounts where possible, adhering to the Principle of Least Privilege so that users have the minimum level of access required to accomplish their duties; and
    • log and review RDP login attempts for anomalous activity (repeated failed logons from one source, logons at unusual hours, logons from unexpected addresses) and retain these logs for a minimum of 90 days. Ensure that only authorized users are accessing this service.
  • If RDP is not required, disable it and perform regular checks (for example, scanning your own Internet-facing address space) to ensure RDP ports are not exposed.
  • Verify cloud environments adhere to best practices as defined by the cloud service provider. After cloud environment setup is complete, ensure that RDP ports are not reachable from the Internet unless required for a business purpose.
  • Enable automatic Microsoft Updates to ensure that the latest versions of both the client and server software are running.
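The log-review recommendation above says what to look for but not how. The following is an added example, not code from the MS-ISAC primer: a small Python detector run over constructed Windows Security event records (event IDs 4624 and 4625 are the real logon success/failure events; the record layout is an assumed subset of their fields and the sample rows are made up). It flags any source address that produces a burst of failed RDP-type logons inside a sliding window and, more usefully, reports whether a successful logon from that source followed the burst.

```python
"""Flag RDP password-guessing in Windows Security event records.

Added example, not MS-ISAC code. Event IDs 4624 (logon success) and 4625
(logon failure) are real; the record layout below is a constructed subset
of their fields, and the sample data is made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon type 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, a failed RDP attempt is usually recorded as logon type 3 (Network)
# because CredSSP authenticates before a session exists, so both are included.
RDP_LOGON_TYPES = {3, 10}

# Constructed sample: (time, event id, logon type, account, source address).
SAMPLE_EVENTS = [
    ("2024-03-04T02:00:01", 4625, 3, "Administrator", "203.0.113.7"),
    ("2024-03-04T02:00:03", 4625, 3, "admin", "203.0.113.7"),
    ("2024-03-04T02:00:05", 4625, 3, "backup", "203.0.113.7"),
    ("2024-03-04T02:00:08", 4625, 3, "scanner", "203.0.113.7"),
    ("2024-03-04T02:00:10", 4625, 3, "jsmith", "203.0.113.7"),
    ("2024-03-04T02:00:12", 4625, 3, "jsmith", "203.0.113.7"),
    ("2024-03-04T02:00:15", 4624, 10, "jsmith", "203.0.113.7"),  # the guess worked
    ("2024-03-04T09:15:00", 4625, 10, "mlee", "10.0.5.21"),      # one typo, benign
    ("2024-03-04T09:15:30", 4624, 10, "mlee", "10.0.5.21"),
    ("2024-03-04T11:00:00", 4624, 10, "svc-monitor", "10.0.5.40"),
]


def parse_events(rows):
    """Turn the constructed tuples into dicts with a real datetime."""
    return [
        {"time": datetime.fromisoformat(t), "event_id": eid, "logon_type": lt,
         "account": acct.lower(), "source_ip": ip}
        for t, eid, lt, acct, ip in rows
    ]


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` failed RDP-type logons inside any `window`-long span.

    Each finding records the largest burst seen, the account names tried,
    and the first successful logon from that source after the burst began,
    which is the case an analyst most needs to see: a guess that worked.
    """
    recent = defaultdict(deque)   # source_ip -> failures still inside the window
    findings = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = e["source_ip"]
        if e["event_id"] == 4625:
            q = recent[ip]
            q.append(e)
            while e["time"] - q[0]["time"] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"burst_failures": 0, "accounts": set(),
                                             "success_after": None})
                f["burst_failures"] = max(f["burst_failures"], len(q))
                f["accounts"].update(x["account"] for x in q)
        elif e["event_id"] == 4624 and ip in findings and findings[ip]["success_after"] is None:
            findings[ip]["success_after"] = (e["account"], e["time"].isoformat())
    return findings


if __name__ == "__main__":
    for ip, f in find_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {f['burst_failures']} failures, accounts tried: {sorted(f['accounts'])}")
        if f["success_after"]:
            print(f"  successful logon as {f['success_after'][0]} at {f['success_after'][1]}")
```

On real data the rows come from the Security log (Get-WinEvent or a SIEM export) and the threshold should be tuned against the lockout policy: a burst just below the lockout count, spread across many accounts, is the pattern a password-spraying tool produces to avoid triggering lockouts.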

The MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s state, local, tribal, and territorial (SLTT) governments. More information about this topic, as well as 24×7 cybersecurity assistance is available at 866-787-4722, [emailprotected]. The MS-ISAC is interested in your comments – an anonymous feedback survey is available.


FAQs

What protocol does Microsoft Remote Desktop use? ›

Remote Desktop Protocol (RDP) is a Microsoft proprietary protocol that enables remote connections to other computers, typically over TCP port 3389.

What is the RFC protocol for remote desktop? ›

There is none. RFC 908 (updated by RFC 1151) defines the Reliable Data Protocol, an unrelated transport-layer protocol that happens to share the abbreviation RDP; it sits alongside TCP and UDP on top of IP and was meant for remote loading, debugging, and bulk transfer of images and data. Microsoft's Remote Desktop Protocol is not defined in an RFC; it is documented in Microsoft's open protocol specifications (MS-RDPBCGR and related documents) and builds on the ITU-T T.128 application sharing protocol.

Can CrowdStrike block RDP? ›

In some deployments, connecting via Remote Desktop Protocol to a system that is not protected by CrowdStrike causes your device to be automatically blocked. This is an organizational endpoint-protection policy rather than a property of RDP itself.

What is the Remote Desktop Protocol in cybersecurity? ›

Remote Desktop Protocol (RDP) is a protocol that enables users anywhere in the world to access and control a computer over an encrypted channel. Properly secured (reachable only through a VPN or gateway, with multi-factor authentication, lockout policies, and logging), it is a useful tool for giving employees flexibility in where they work. Exposed directly to the Internet, it is one of the most frequently abused initial-access vectors, as the overview above describes.

Is Microsoft RDP TCP or UDP? ›

Remote Desktop Protocol (RDP) itself can be configured to use both TCP and UDP for different aspects of the connection, such as multimedia and audio streaming. The usage of UDP for RDP is typically called "UDP transport" or "UDP-based transport."

What ciphers does remote desktop use? ›

The legacy "RDP Security Layer" uses RSA Security's RC4 stream cipher with a 56- or 128-bit key, selectable by the administrator. RC4 is no longer considered secure, and current Windows versions negotiate TLS instead, optionally with Network Level Authentication (CredSSP); in that case the cipher suite is whatever TLS negotiates, not RC4. Servers should be configured to require the TLS security layer and NLA so that the legacy layer is never selected.

How do I know if Remote Desktop Protocol is enabled? ›

  1. In the Windows search box, type "Remote Desktop Settings" and press Enter.
  2. If "Enable Remote Desktop" is set to "On" (and, optionally, "Keep my PC awake for connections when it is plugged in" is checked), Remote Desktop is enabled on your PC.

How to configure Remote Desktop Protocol? ›

You can configure your PC for remote access with a few easy steps.
  1. On the device you want to connect to, select Start and then click the Settings icon on the left.
  2. Select the System group followed by the Remote Desktop item.
  3. Use the slider to enable Remote Desktop.
Enabling Remote Desktop this way also enables the "Remote Desktop" rule group in Windows Defender Firewall; review that rule and restrict it to trusted source addresses rather than leaving it open to any network.

Which protocol is used to access a remote computer? ›

Several protocols do. Telnet is the classic remote login protocol, but it sends credentials and session data in cleartext and has largely been replaced by SSH for command-line access. For graphical access to Windows systems, the protocol is RDP, the subject of this primer.

What does CrowdStrike block? ›

Those methods include machine learning, exploit blocking, blacklisting and indicators of attack. This unified combination of methods protects you against known malware, unknown malware, script-based attacks, file-less malware and others.

How do I know if my firewall is blocking RDP? ›

Check whether a firewall is blocking the RDP port

Go to a different computer that isn't affected and download psping (part of Sysinternals). Run it against the RDP port, for example psping <computer IP>:3389, and check the output for results such as the following:

Connecting to <computer IP> : The remote computer is reachable. (0% loss) : All attempts to connect succeeded.

If every attempt times out or is refused while the Remote Desktop service is running on the target, a firewall on the target or somewhere between the two hosts is blocking TCP port 3389.

Does CrowdStrike allow remote access? ›

Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action. You can also connect to a host from Hosts > Host Management.

What is the default protocol for remote desktop? ›

By default, the server listens on TCP port 3389 and UDP port 3389. Microsoft currently refers to its official RDP client software as Remote Desktop Connection, formerly "Terminal Services Client". The protocol is an extension of the ITU-T T.128 application sharing protocol.

What are the different remote desktop protocols? ›

The Remote Desktop Protocol (RDP) is a protocol, or technical standard, for using a desktop computer remotely. Remote desktop software can use several different protocols, including RDP, Independent Computing Architecture (ICA), and virtual network computing (VNC), but RDP is the most commonly used protocol.

What is the difference between Remote Desktop Protocol and Remote Desktop Connection? ›

Remote Desktop Protocol is the network communication protocol, or standard, that carries a remote session between the RDP client machine and the RDP server. Remote Desktop Connection (mstsc.exe) is Microsoft's client application that uses that protocol; it is what users run on their local machines to connect to remote or virtual desktops.

Does remote desktop use TLS? ›

Yes. Remote Desktop can be secured with TLS (still labelled SSL in some settings dialogs) on Windows Vista, Windows 7, Windows 8, Windows 10 and Windows Server 2003/2008/2012/2016, and later versions select TLS by default. Several of the systems listed are no longer supported by Microsoft; they should not be exposed over RDP at all, whatever security layer is selected.

What protocol does Microsoft use? ›

SMB serves as the basis for Microsoft's Distributed File System implementation. SMB relies on the TCP and IP protocols for transport. This combination allows file sharing over complex, interconnected networks, including the public Internet. The SMB server component uses TCP port 445.

What is the RDP gateway protocol? ›

Remote Desktop Gateway (RD Gateway) is a Windows Server role that tunnels RDP over HTTPS (TCP port 443), providing RDP access to internal Windows desktops from external networks without requiring a Virtual Private Network (VPN). Once connected, you have access to everything your computer has installed or is permitted to access on the network, so the gateway itself is an Internet-facing authentication point and needs the same multi-factor authentication, lockout, and logging controls recommended above for RDP.
