Can I safely use Microsoft Windows RDP over the Internet?

April 15th, 2020   |     |  product and technology, security & compliance

The Microsoft Windows Remote Desktop Protocol, or RDP, is widely and securely used on private networks to enable users to log into remote computers. Once logged in through RDP, the screen of the remote system is displayed on the local system giving the local user control. RDP is commonly used in enterprise environments to empower system administrators to manage servers and workstations in remote locations, or by the employees, while away from their offices and desks. Increasingly, RDP is used to access virtual desktops. Users can login using single sign-on, for example, Windows Kerberos within a domain, or with user credentials, usually a domain username and password, to access an account on the remote system.

That’s all fine and dandy for private networks, but is RDP safe for remote login to private Windows systems over the Internet?

With ever-increasing numbers of users working from remote offices or home, including game changing shelter-in-place mandates for COVID-19, many are tempted to simply poke a hole in their firewall to open RDP port 3389 and allow direct connections to target systems. Sites that do this will quickly learn that miscreants instantly begin attacking Windows systems with RDP ports open to the Internet.

A Microsoft Study Warns of Dangers

Once an open RDP port is detected on the Internet, hackers begin using brute-force attacks with automated tools that cycle through username and password combinations attempting to guess the target computer’s login credentials. These attacks use combinations of usernames and passwords that have been leaked online from breaches, or are simplistic in nature, and easy to guess. Attacks are metered, often lasting for days to prevent firewall detection that might result in source IP address blockage.

After a months-long study into the impact of RDP brute-force attacks on the enterprise, Microsoft reported that attacks last two to three days on average, with about 90% of cases lasting for one week or less, and less than 5% lasting for two weeks or more. About 0.08% of RDP brute-force attacks are successful. For the study, Microsoft collected data on RDP login-related events from more than 45,000 workstations running Microsoft Defender Advanced Threat Protection, the commercial version of its free Defender antivirus app.

RD Gateway and RD Web Access to the Rescue?

Microsoft Remote Desktop Gateway (RDG) is a Windows Server role that provides virtual desktop services to enable remote users to access private resources using RDP through HTTPS connections. RDG can be thought of as a VPN for RDP, which enhances the security and improves the performance of RDP services for remote access over the Internet. RD Web Access (RD Web) is a complementary Windows Server role that provides a portal where an authenticated user can access applications and remote systems to which they are entitled within a browser.

In short, instead of exposing Windows desktops and servers via RDP directly to the Internet, organizations can proxy, authenticate, and authorize their RDP connections to remote systems and applications using secure and firewall friendly HTTPS connections through RDG and RD Web.

How RD Gateway Works

Clients initialize the connection by establishing a secure channel with RDG using a SSL tunnel through a HTTPS connection. RDG natively uses Windows domain authentication to authenticate the user and then proxies the RDP connection to the target Windows systems on the private network. RDG actually creates two SSL tunnels, one for incoming and another for outgoing traffic from and to the client. Optional authorization controls to restrict access based on group membership, user location, date and time, and more are provided.

How RD Gateway works

How RD Web Access Works

With RD Web Access, users access desktops and applications through a web portal and launch them through the device’s native Microsoft Remote Desktop client application or a browser. You can use the web portal to publish Windows desktops and applications to Windows and non-Windows client devices, and you can also selectively publish desktops or apps to specific users or groups. RD Web can be configured to only allow access to applications and systems through the client devices or a browser and HTML5, or to make .rdp files available for download for use with connections through the Microsoft Terminal Service Client (MTSC).

RD Web needs Internet Information Services (IIS) to work properly. An HTTPS connection provides an encrypted communications channel between the clients and the RD Web server. The RD Web virtual machine must be accessible through a public IP address that allows inbound TCP connections to port 443 to enable users to connect from the internet using the HTTPS communications transport protocol.

Sounds Good, Right?

That’s all great for obscuring the target system, but Windows domain authentication is most commonly username and password only, which isn’t sufficient for authenticating users securely over the Internet.

What can be done about that?

According to Microsoft’s research, the one simple action you can take to prevent 99.9% of the attacks on your accounts is to use multi-factor authentication (MFA).

But can I do that with RDG and RD Web?

Enter OneLogin for RD Gateway and RD Web Access

OneLogin for RD Gateway simply and reliably adds secure, multi-factor authentication when using RDP to access Windows servers and desktops in local or remote data centers or in private clouds (i.e. AWS and Microsoft Azure). No OneLogin client software is required. The solution works seamlessly and securely with single sign-on (SSO) via the OneLogin user portal. Configuring multi-factor authentication is as simple as configuring the user policy at OneLogin, enabling any of the OneLogin supported MFA devices, and having your users register them through guided steps. You can choose to enable any of a variety of authentication factors depending upon your security and user community requirements, for example:

  • OneLogin Protect OTP for Android and iOS including push notifications
  • OneLogin email MFA
  • OneLogin SMS MFA
  • Biometrics, such as Touch ID and Face ID via WebAuthn
  • Google Authenticator
  • Microsoft Authenticator
  • Symantec VIP
  • Yubico Yubikey

As a result, your users enjoy a secure, simple SSO login experience to access Windows servers. Powerfully, administrators can set up configurations using either the OneLogin administrator user interface or automate administration using APIs, scripts, and configuration management tools like Terraform.

How OneLogin for RDG Portal Flow works

RD Web users browse directly to the RD Web server where they are prompted for authentication. The user enters a username, password, and optionally MFA, if required by the OneLogin user policy, which is validated through OneLogin using OpenID Connect (OIDC). Upon successful authentication, the user is presented with authorized applications and target systems made available using HTML5 display in the browser through RD Web.

Adding Contextual and Passwordless RDP Authentication

The OneLogin solutions for RDG and RD Web Access secure access through user policies and context-aware SmartFactor Authentication™, which is powered by Vigilance AI™, OneLogin’s AI/ML risk engine. Depending upon settings at OneLogin and contextual information such as the user location, user browser, date and time, and user network, the user may not be required to always provide a second factor. Or, may be prevented from logging in all together! Also, with OneLogin Smart Flows, authentication can also be configured to be passwordless in seconds.

Bottom line, OneLogin SmartFactor powered by Vigilance AI authentication is super easy to configure and the best way to increase security while improving the user authentication experience.

Putting it all Together

Microsoft RDP is increasingly used for remote users to access private network Windows desktops and servers over the Internet. However, exposing private systems through RDP to the Internet is not secure. The Microsoft Windows Server RDG and RD Web roles increase security and performance for Internet RDP access through HTTPS connections, but lack the single most important security feature to provide secure Internet access, which is multi-factor authentication. OneLogin for RD Gateway and RD Web Access adds simple-to-configure and easy-to-use contextual MFA, as well as enables SSO from the OneLogin Portal and powerful risk-based contextual authentication. The net result is to improve the user experience while increasing security when using RDP over the Internet.

Want to learn more? Check out the OneLogin RD Gateway & RD Web Access datasheet on how to secure remote access to Windows servers.

OneLogin blog author
About the Author

Gary Gwin is Director of Product at OneLogin focusing on enterprise touch points with OneLogin cloud services. Gary joined OneLogin in 2015 with the acquisition of what is now OneLogin WAM. Prior to joining OneLogin, Gary has spent 30 years creating and helping enterprise customers integrate various software solutions deployed on-premises and in the cloud.

View all posts by Gary Gwin

OneLogin blog author
About the Author

Gary Gwin is Director of Product at OneLogin focusing on enterprise touch points with OneLogin cloud services. Gary joined OneLogin in 2015 with the acquisition of what is now OneLogin WAM. Prior to joining OneLogin, Gary has spent 30 years creating and helping enterprise customers integrate various software solutions deployed on-premises and in the cloud.

View all posts by Gary Gwin

Secure all your apps, users, and devices