The Remote Desktop Protocol (RDP) is one of the most popular communication protocols for remotely controlling systems. RDP comes with all current Windows operating systems, and its graphical user interface makes it an easy-to-use remote access tool. In addition, Microsoft positions it as the default method to manage Azure virtual machines running Windows.
It didn’t take long before attackers realized this is a golden egg. Instead of attempting to abuse a vulnerability with no guaranteed success, they realized it’s far more efficient to use the remote access tools there for the taking. They just need to obtain the correct credentials to gain access. As it happens, according to a recent X-Force report, stolen credentials to access these systems are part of a lucrative market on the dark web.
These directly exposed servers are not the only systems where attackers use (or rather abuse) RDP. One of their objectives is to blend in with regular traffic. Because RDP is such a popular protocol, attackers use it to move to other systems once they gained access.

What Is RDP and Who Uses It?

Before we jump to RDP risks and defenses, it’s good to know how it works. RDP is a two-way communication protocol. It can:
  • Transfer the screen output of the server to the client
  • Transfer the keyboard and mouse input from the client to the server.
This process is asymmetric. While most of the data comes from the server to the client, the client transfers little data back. The client and the server have to go through a number of phases before setting up communication. After a client starts the connection, it agrees with the server on usage settings (for example, screen resolution), supported capabilities and license information. They then agree on the type of RDP security, choosing from two supported modes:
  • Standard, based on RC4
  • Enhanced, where RDP relies on other protocols such as TLS or CredSSP.

Finally, they have to agree on the number of channels required. Channels are individual data streams, each with their own ID, that make up the remote desktop protocol. Such channels can redirect access to the file system or enable clipboard sharing between client and server.

Vulnerabilities in RDP: BlueKeep

Researchers in 2019 found a crucial vulnerability, dubbed BlueKeep, in this concept of channels. Exploiting the vulnerability (CVE-2019-0708) leads to the remote execution of random code, without any user doing anything. On top of that, it did not require valid credentials. These facts combined could have led to a worm, malware that can propagate itself between vulnerable systems. We witnessed something like this earlier with the WannaCry malware.

To exploit the vulnerability, the client had to request a specific channel name, MS_T120, and then bind it to a channel ID other than 31.

What’s notable about BlueKeep is it attached itself to older Windows systems. This forced Microsoft to take the odd step of making new patches for systems it no longer supported.

Other Luring Vulnerabilities

In August 2019, researchers announced DejaBlue. DejaBlue is not one vulnerability but a list of flaws that, similar to BlueKeep, allow attackers to hijack vulnerable systems without any form of authentication. Unlike BlueKeep, the vulnerabilities of DejaBlue were located in more recent versions of Windows.

Sometimes, attackers do not need to abuse vulnerabilities. They can simply abuse misconfigurations. Some of the common pitfalls with RDP security include:

  • Weak user sign-in credentials
  • Servers where you’re not logging or monitoring RDP logins. These systems allow attackers to attempt brute-force or password spraying attacks at will.
  • Publicly exposed systems without any network filtering.

APT Groups Using RDP

We can also look at MITRE ATT&CK to understand the interest of attackers in RDP and how it is used in their operations.

  • Groups such as APT41, FIN6 and FIN7 use RDP to move laterally
  • Groups such as FLIPSIDE use RDP to exfiltrate information. Ngrok, for example, is a legitimate reverse proxy that can tunnel traffic in RDP to exfiltrate victim data.
  • The WannaCry malware could execute malware in existing remote desktop sessions. This ‘stealing‘ of a session is commonly referred to as RDP hijacking. 


Despite these risks and the interest of attackers, RDP still has a lot of value to offer. There are a number of key elements to consider to protect remote desktop servers.

Patch management is a dead give-away. Keeping your systems up-to-date is always good advice, especially for crucial remote access services.

In most cases, you don’t need to expose RDP to the whole world. You can use a firewall, IP restrictions, limit access via a VPN or use just-in-time-access. The latter greatly reduces the risk and still lets you access the service when you need it.

Ensure that you do not use easy-to-guess passwords for RDP-enabled accounts. Don’t allow remote access to all system users if they don’t need it. In addition, it makes sense to implement some form of automatic account lock-out, preventing attackers from guessing the password via brute-forcing.

You may also want to enable Network Level Authentication or NLA, a mitigation measure to prevent unwanted access to the RDP tunnel.

Monitoring and Forensic Artifacts

Regardless of how secure you make the RDP setup, there will always be a time when attackers attempt to abuse it. That’s when you should rely on logging and monitoring to analyze what is going on. Some of the important sources of forensic artifacts for RDP include:

  • The commands quser, qwinsta and qprocess that give information on RDP users, sessions and processes
  • Microsoft-Windows-Terminal-Services-RemoteConnectionManager and Windows-TerminalServices-LocalSessionManager inform you on client network connections and the start and stop of RDP sessions
  • And finally, Microsoft-Windows-Security-Auditing includes the events for successful or failed authentication attempts.

Manage RDP Risks for Safe Use 

Although there are risks that come with RDP and high interest from attackers in remote access tools, it doesn’t mean you cannot deploy them in a safe and controlled manner. If you take into account the preventive measures and set up sufficient logging and monitoring, you should be good to go.

More from Incident Response

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today