myDRE and Remote Desktop Protocol (RDP)
What is RDP?
RDP, or the Remote Desktop Protocol, is one of the main protocols used for remote desktop sessions, which is when users access desktop computers or virtual machines from another device. RDP is included with most Windows operating systems and can be used with Macs as well. Many companies rely on RDP to allow their users to work from other locations.
myDRE uses RDP as a means to access the Windows Virtual Machines (VMs) in a Workspace. Linux VMs can only be accessed using a Windows VMs due to security and audit requirements.
Why RDP and not another solution
- Microsoft Bastion: currently it requires access and interaction with the Azure portal: usability too low
- Definitely a solution anDREa keeps its eyes on, once it provides APIs that can be deployed in the mydre.org portal this will be an option
- Drawback: does not support multi-monitors: requirement for (semi) advanced users
- Remote Desktop Services: users cannot install and maintain their own software: usability too low
- Microsoft Azure ExpressRoute: realistically only for those spending tens of thousands of dollars in the public cloud it is proportionate to requirements and budget: too expensive
- Site-to-site VPN: users must be able to access the VM from any location: usability too low
- Public Load Balancer with NAT: The load-balancing rules and inbound NAT rules do not support IP protocols like ICMP. The load balancer doesn’t terminate, respond or interact with the payload of a UDP or TCP flow. usability too low
- Jumphost VM: jumphost still involves opening one VM to public internet and it is a costly solution: does not solve the problem
These are the most important vulnerabilities in RDP:
- There is a vulnerability in the encryption method in earlier versions of RDP. Microsoft issued a legacy patch for its outdated platforms, including Windows XP, Windows Server 2008, Windows 2003, and Windows 2007. Windows 8, 10, and newer operating systems aren’t vulnerable in this way.
- Weak user sign-in credentials. Most desktop computers are protected by a password, and users can typically make this password whatever they want. The problem is that the same password is often used for RDP remote logins as well. Companies do not typically manage these passwords to ensure their strength, and they often leave these remote connections open to brute force or credential stuffing attacks.
- Unrestricted port access. RDP connections almost always take place at port 3389*. Attackers can assume that this is the port in use and target it to carry out on-path attacks, among others.
Recommended risk mitigation
- Lock down RDP to a source IP or IP Range: IMPLEMENTED
- on-prem is whitelisted, off-prem the IP of the user is whitelisted after 2FA action on mydre.org
- Just-in-time VM access: IMPLEMENTED
- by default VMs are deallocated (saves costs)
- by default VMs shutdown at 19:00 CET (saves costs), though this can be overruled by Privileged User for longer calculation sessions
- by default VMs do not have a dedicated public IP
- time-out with too many unsuccessful attempts
- Strong sign-in credentials: IMPLEMENTED
- Password is the same as for logging into mydre.org and follows Microsoft recommended password requirements.
On the Roadmap
- anDREa is working on a RDP-over-HTML solution
- Though Bastion is preferred, it is still not suitable for myDRE due to missing APIs / ability for users to directly start the VM from mydre.org
- Once Bastion meets the requirements, this solution will be embraced due to the thigh and supported integration in the Azure ecosystem
- Guacomole is now at the core of the solution that is being developed
- Once in place, also Linux VMs can be directly approached (no longer requiring a Windows VM as a stepping stone), both SSH and Desktop over HTML
Related Articles
20210224 Pentest 2021-Q1 Report & 20210301 White Box Security Audit 2021-Q1 Report
In accordance with our Pentest Program, anDREa engaged nSEC/Resilience for the anDREa White Box Security and the Pentesting 2021-Q1. The core questions being: Can non-authorized people or services access Workspaces or affect anDREa’s core services? ...
20220713 Report Azure White Box Security Audit
Version: 2022-07-14 Introduction anDREa has a Pentest Program program as part of the commitment to protect the security of its business information. At least once a year we request an external party to do the pentest and a white box security audit. ...
A.13 Communications security
Version: 3.0 Valid until: 2025-04-10 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Sarang Kulkarni Initiation document 2022-07-07 1.1 Edward Robinson Additions/changes as part of ...
20220607 Security Management Report
As part of anDREa's commitment to maintaining an Information Security Management System (ISMS) based on ISO 27001 please feel free to download and read the attached anDRE's 20220607 Security Management Report.
20220714 Security Management Report Addendum
As part of anDREa's commitment to maintaining an Information Security Management System (ISMS) based on ISO 27001. This document is an addendum to the 20220607 Security Management Report and addresses the on 2022-07-14 reported findings of the ISO ...