Reducing the risk of RDP brute force attacks

Good news for your clients with employees working from home or remotely. Microsoft is now taking steps to prevent Remote Desktop Protocol (RDP) brute-force attacks as part of the latest builds for the Windows 11 operating system. RDP brute force attacks are commonly used by hackers targeting remote working employees, and this new control will make brute forcing much harder.

Working from home is now the norm for many of your clients’ employees, so remotely logging in to corporate VPNs and application suites is essential. According to researchers at cybersecurity company ESET, there was a reported 768% growth in Remote Desktop Protocol (RDP) attacks in 2020, and this percentage continues to increase. In total, ESET detected 29 billion attempted RDP attacks in 2020 as cyber criminals tried to exploit remote workers.

How do I describe an RDP attack to my clients?

RDP lets one computer connect to another computer or network remotely, without physical access to it. A Remote Desktop Protocol attack is a type of data breach that occurs through a user’s remote desktop protocol (RDP) connection. Brute-forcing is a method attackers use to take over accounts: usually automated with a software tool, a brute-force attack submits many passwords in a row until the right one is “guessed”.

Why is Microsoft’s action good news?

Previously, there was no timeout after multiple failed logon attempts. In the new builds, accounts automatically lock for 10 minutes after 10 invalid sign-in attempts. The feature existed in previous versions but was not enabled by default. This is a step in the right direction.
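To make the control concrete, here is an added example (not Microsoft’s code) that models the lockout rule described above: ten invalid sign-in attempts lock the account for ten minutes, and every attempt during the lock is refused whether or not the password is right. The ten-minute failure-counter reset window, the log line format and the sample log lines are all constructed assumptions for the example. Replayed over sign-in log lines, the same logic doubles as a simple brute-force detector a defender can run against their own logs.

```python
"""Model of the account-lockout control the article describes, as an added
example (not Microsoft's implementation): LOCKOUT_THRESHOLD invalid sign-in
attempts within LOCKOUT_WINDOW lock the account for LOCKOUT_DURATION, and
every attempt during the lock, right password or not, is refused. Replayed
over constructed sign-in log lines it also works as a simple brute-force
detector for a defender."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10                    # invalid attempts, as stated on the page
LOCKOUT_DURATION = timedelta(minutes=10)  # lock length, as stated on the page
LOCKOUT_WINDOW = timedelta(minutes=10)    # assumption: failure-counter reset window

# Constructed sample log: "timestamp account source_ip result", loosely
# modelled on Windows Security events 4625 (failure) and 4624 (success).
SAMPLE_LOG = "\n".join(
    [f"2024-01-15T09:00:{i:02d} alice 203.0.113.5 FAILURE" for i in range(11)]
    + [
        "2024-01-15T09:05:00 alice 10.0.0.7 SUCCESS",   # right password, still locked
        "2024-01-15T09:10:10 alice 10.0.0.7 SUCCESS",   # lock expired, accepted
        "2024-01-15T09:11:00 bob 10.0.0.8 SUCCESS",
    ]
)


class LockoutPolicy:
    def __init__(self, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW,
                 duration=LOCKOUT_DURATION):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.failures = defaultdict(deque)  # account -> recent failure timestamps
        self.locked_until = {}              # account -> time the lock expires

    def attempt(self, account, ts, password_ok):
        """Evaluate one sign-in attempt; returns 'locked', 'success',
        'failure', or 'lockout' (this attempt tripped the threshold)."""
        until = self.locked_until.get(account)
        if until is not None and ts < until:
            return "locked"                 # refused without checking the password
        recent = self.failures[account]
        if password_ok:
            recent.clear()
            return "success"
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.threshold:
            self.locked_until[account] = ts + self.duration
            recent.clear()
            return "lockout"
        return "failure"


def replay_log(text, policy=None):
    """Replay log lines through the policy; returns per-attempt outcomes and
    the lockout events a defender would alert on."""
    policy = policy or LockoutPolicy()
    outcomes, lockouts = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, account, src_ip, result = line.split()
        ts = datetime.fromisoformat(ts_str)
        outcome = policy.attempt(account, ts, result == "SUCCESS")
        outcomes.append((ts_str, account, outcome))
        if outcome == "lockout":
            lockouts.append((account, src_ip, ts_str))
    return {"outcomes": outcomes, "lockouts": lockouts}


if __name__ == "__main__":
    report = replay_log(SAMPLE_LOG)
    for ts_str, account, outcome in report["outcomes"]:
        print(ts_str, account, outcome)
    print("lockout alerts:", report["lockouts"])
```

In the sample run the tenth failure at 09:00:09 locks alice; the eleventh failure and the correct-password attempt at 09:05:00 are both refused, and only the attempt at 09:10:10, after the ten-minute lock has expired, succeeds. The lockout event, with its source address, is what a defender would forward to a SIEM.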

Points to emphasize with your clients.

1. The easiest way to prevent RDP attacks is to not expose the RDP port to the internet. If external connections are required, they should go through a virtual private network (VPN).

2. If an RDP port must be exposed to the internet, it should be protected with multi-factor authentication (MFA).

Additionally, an organization can use just-in-time tokens: temporary tokens, generated on demand, that grant access to a resource for a limited period. Once they expire they are useless, so a compromised token is only a risk until it expires.
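As an added illustration of that expiry property (example code, not any particular vendor’s scheme), the following shows one way such a token can be built: the issuing server signs a short claim set naming the user, the resource and an expiry time with an HMAC, and the verifier refuses anything that is malformed, signed with another key, aimed at a different resource, or past its expiry. The key, the user and resource names, and the five-minute lifetime are constructed values for the example.

```python
"""Illustrative just-in-time access token, as an added example (not a
specific product's scheme): the server issues an HMAC-signed token that
names the subject, the resource and an expiry time; verification rejects
a token that is malformed, forged, for another resource, or expired, so a
stolen token is only useful until it expires."""
import base64
import binascii
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; load a real key from a secret store
TOKEN_TTL_SECONDS = 300                             # assumption: five-minute lifetime


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, resource, issued_at, ttl=TOKEN_TTL_SECONDS, key=SERVER_KEY):
    """Issue a token valid from issued_at for ttl seconds (times are Unix seconds)."""
    claims = {"sub": user, "res": resource, "iat": issued_at, "exp": issued_at + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def verify_token(token, resource, now, key=SERVER_KEY):
    """Return (True, subject) for a valid token, else (False, reason)."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, signature = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):   # constant-time comparison
        return False, "bad signature"
    claims = json.loads(payload)
    if claims.get("res") != resource:
        return False, "wrong resource"
    if now >= claims["exp"]:
        return False, "expired"
    return True, claims["sub"]


if __name__ == "__main__":
    issued = 1_700_000_000
    token = issue_token("alice", "rdp-gateway", issued)
    print("100 s later:", verify_token(token, "rdp-gateway", issued + 100))
    print("300 s later:", verify_token(token, "rdp-gateway", issued + 300))
```

The point for clients is the last line of the run: the same token that opened the gateway a minute after issue is refused once its lifetime has passed, which bounds the damage if it is ever captured.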

Please let our team know if you’d like to help your clients boost their digital risk management, and we can connect you with our Hackbusters advisory team.