Yes, it is, but there are several caveats. RDP is secure without a VPN as long as you have strong access control, whitelists, and encryption in place. Many individuals and organizations that use RDP do not do all of this.
Remote Desktop Protocol (RDP) is a remote access feature of Windows that lets a remote user control another machine through a client application. Its purpose is to allow troubleshooting and administration of servers and workstations without having to be physically in front of the machine.
What type of encryption does RDP use?
RDP uses the RC4 encryption algorithm, which is designed to efficiently encrypt small amounts of data sent over networks, with a 56- or 128-bit key. Even better, you can configure RDP to use TLS instead. Transport Layer Security (TLS) combines asymmetric and symmetric encryption.
With TLS, a handshake is performed at the start of the connection in which the server proves its identity with a certificate and both sides agree on the keys used to encrypt the session. This produces a more robust communication channel that is harder for attackers to break.
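The following PowerShell script is an added example, not code from the original article. It reads the registry values the RDP listener uses for its security layer, reports which ones differ from a hardened target (TLS required, "High" encryption, Network Level Authentication on), and sets only the ones that are not already compliant. It assumes an elevated session on the Windows host being hardened; the registry path and value meanings are the documented ones for the RDP-Tcp listener.

```powershell
# Added example (not from the original article): audit and harden the RDP
# listener's security layer on a Windows host. Assumed: run in an elevated
# PowerShell session on the host itself.
# Values read by the RDP-Tcp listener:
#   SecurityLayer      0 = legacy RDP security, 1 = negotiate, 2 = TLS required
#   MinEncryptionLevel 1 = low, 2 = client compatible, 3 = high (128-bit), 4 = FIPS
#   UserAuthentication 1 = require Network Level Authentication (NLA)
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$desired = @{
    SecurityLayer      = 2   # TLS only; refuse the legacy RC4-based RDP security layer
    MinEncryptionLevel = 3   # "High": 128-bit encryption in both directions
    UserAuthentication = 1   # NLA: authenticate the user before a session is created
}

function Get-RdpSecuritySettings {
    $current = Get-ItemProperty -Path $rdpTcp
    foreach ($name in $desired.Keys) {
        [pscustomobject]@{
            Setting   = $name
            Current   = $current.$name
            Desired   = $desired[$name]
            Compliant = ($current.$name -eq $desired[$name])
        }
    }
}

# Report first so the change is reviewable before it is applied
Get-RdpSecuritySettings | Format-Table -AutoSize

# Apply only the values that are not already compliant
foreach ($row in (Get-RdpSecuritySettings | Where-Object { -not $_.Compliant })) {
    Set-ItemProperty -Path $rdpTcp -Name $row.Setting -Value $row.Desired -Type DWord
    "Set $($row.Setting) = $($row.Desired) (was $($row.Current))"
}

# Confirm what the listener reports, including the certificate bound for TLS
Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" |
    Select-Object TerminalName, SecurityLayer, MinEncryptionLevel, SSLCertificateSHA1Hash
```

The new values apply to connections made after the change; existing sessions are unaffected. With SecurityLayer set to 2, older clients that only speak the legacy RDP security layer will be refused, which is the intended effect.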
Weaknesses in RDP
There are several disadvantages with RDP even if you are implementing strong encryption. That encryption is useless if you are following bad security practices. Here are some common bad practices with RDP and the reasons you should avoid them.
1. Weak Credentials
Easy-to-guess passwords that don't meet the common standard: at least 8 characters with a combination of numbers, upper- and lower-case letters, and special characters. It is better practice to choose a password of at least 12 characters, which is much stronger than 8.
2. No 2FA/MFA Implemented
Two-factor authentication (2FA) or multi-factor authentication (MFA) requires the user to provide another factor for authentication besides the user name and password. This can take many forms, such as an authentication code from a mobile application like Authy or LastPass Authenticator.
Additional delivery methods for the authentication code include a phone call, text message, or email. You must enter this code before you are granted the access you are requesting.
3. Weak Security Policy
A weak security policy can allow unsafe permissions during a remote desktop session. These include allowing any user to log on remotely, permitting an unlimited number of connections, and more.
4. Not Setting an Account Lockout Policy
Allowing unlimited login attempts invites brute-force password guessing and makes it much easier for attackers to log in over RDP.
Security Best Practices for RDP Users
Just like any account or device that is exposed to the internet, RDP should most definitely have strong security measures in place to protect not only the users and machines but also the data stored on them. Here are some security best practices to follow for RDP sessions.
1. Strong Credentials
A long and complex password is very difficult to guess. In addition, making sure your remote desktop password isn't used on any other account helps mitigate password spraying attacks.
2. Implement 2FA/MFA
Adding a second layer of login protection makes it extremely difficult for an attacker to capture the authentication code and intrude on the RDP session. The main weakness is when the 2FA/MFA code is delivered by email or SMS message.
If the attacker has compromised the user's email or the SIM of the mobile device (a SIM swapping attack), then this additional layer of authentication is null and void. It is wise to enable 2FA/MFA using an authenticator application only.
3. Strong Security Policy
A strong security policy enforces a secure configuration for RDP. Once enabled, it permits RDP sessions only when the user has met all of the required security prerequisites.
An example is allowing only a specific user, such as an administrator, to log in during certain hours of operation. Connection attempts outside those hours, or from users other than the specified ones, are blocked.
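The script below is an added example, not the article's own code, of the policy just described on a standalone Windows host: it makes the "Remote Desktop Users" group contain exactly one permitted account, limits that account's logon hours, and caps the number of RDP connections. The account name, the hours, and the connection limit are constructed placeholders; it assumes an elevated session with the built-in LocalAccounts cmdlets available (Windows 10 / Server 2016 and later).

```powershell
# Added example (not from the original article): restrict who may open RDP
# sessions, when, and how many. Assumed: elevated session on the target host;
# 'svc-admin', the hours and the connection cap are constructed placeholders.
$allowedUser = 'svc-admin'

# 1. Membership of "Remote Desktop Users" grants the "Allow log on through
#    Remote Desktop Services" right (Administrators hold it regardless), so make
#    the group contain exactly the accounts that should have remote access.
$rdpGroup = 'Remote Desktop Users'
$members  = Get-LocalGroupMember -Group $rdpGroup -ErrorAction SilentlyContinue
foreach ($m in $members) {
    if ($m.Name -notlike "*\$allowedUser") {
        "Removing unexpected RDP member: $($m.Name)"
        Remove-LocalGroupMember -Group $rdpGroup -Member $m.Name
    }
}
if (-not ($members | Where-Object { $_.Name -like "*\$allowedUser" })) {
    Add-LocalGroupMember -Group $rdpGroup -Member $allowedUser
}

# 2. Limit the hours in which the (local) account may log on at all. Outside
#    this window Windows rejects the logon, RDP included. Quoted so PowerShell
#    does not split the comma-separated value into two arguments.
net user $allowedUser "/times:M-F,08:00-18:00"

# 3. Cap concurrent RDP connections (the "Limit number of connections" policy)
#    and keep each user to a single session.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $tsPolicy -Force | Out-Null
Set-ItemProperty -Path $tsPolicy -Name 'MaxInstanceCount' -Value 2 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fSingleSessionPerUser' -Value 1 -Type DWord

# Show the resulting state for verification
Get-LocalGroupMember -Group $rdpGroup | Select-Object Name, ObjectClass
net user $allowedUser | Select-String 'Logon hours'
```

In a domain, the same restrictions are better applied through Group Policy (the "Allow log on through Remote Desktop Services" user right and the "Limit number of connections" setting) so that they are enforced consistently and not only on one host.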
4. Setting an Account Lockout Policy
Locking an account after a certain number of failed login attempts prevents brute-force attacks on the password, thereby protecting the RDP session.
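The following added example (not code from the original article) covers both the weakness described under "Not Setting an Account Lockout Policy" and this best practice: it sets a lockout policy on a standalone host with `net accounts`, then reads the Security log for the events that password guessing against RDP leaves behind (4625 failed logons grouped by source address, and 4740 lockouts). It assumes an elevated session; the threshold, duration and window values are illustrative placeholders.

```powershell
# Added example (not from the original article): configure account lockout on a
# standalone host and review the Security log for RDP password-guessing activity.
# Assumed: elevated session; the three values below are illustrative placeholders.
$threshold = 5    # failed attempts before the account locks
$duration  = 30   # minutes the account stays locked
$window    = 30   # minutes within which failures are counted

# Quoted so the variables expand and the arguments reach net.exe intact
net accounts "/lockoutthreshold:$threshold" "/lockoutduration:$duration" "/lockoutwindow:$window"
net accounts   # prints the effective policy for verification

function Get-RdpLogonFailures {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # 4625 = failed logon. LogonType 10 is RemoteInteractive (RDP); LogonType 3
    # (network) is what NLA-protected RDP records before any session exists.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.LogonType -in @('3', '10')) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    User      = $d.TargetUserName
                    SourceIP  = $d.IpAddress
                    LogonType = $d.LogonType
                }
            }
        }
}

# Many failures from one source address, against one or many accounts, in a
# short window is the brute-force pattern the lockout policy is there to blunt.
Get-RdpLogonFailures -Hours 24 |
    Group-Object SourceIP |
    Sort-Object Count -Descending |
    Select-Object Name, Count, @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 4740 is written when the lockout threshold is reached
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Failed-logon auditing must be enabled for 4625 to be recorded, and for domain accounts the 4740 lockout event is logged on the domain controller rather than on the RDP host, so on a domain the same query should be run there.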
5. Create a Whitelist for RDP Sessions
A whitelist specifies a set of users allowed to perform an action, in this case opening RDP sessions. It grants these users access and blocks all other users.
A whitelist can be configured based on IP addresses, user names, physical machine information, and more. It is very effective, since it is extremely hard to bypass unless an authorized user has been compromised.
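As an added example of an IP-based whitelist (not code from the original article), the script below scopes the inbound Remote Desktop rules in Windows Defender Firewall to a short allow-list of addresses and then checks that no other enabled inbound rule still opens port 3389 to everyone. It assumes an elevated session on the host; the management subnet and jump-host address are constructed placeholders.

```powershell
# Added example (not from the original article): restrict the built-in Remote
# Desktop firewall rules to an allow-list of source addresses.
# Assumed: elevated session; the addresses are constructed placeholders
# (a management subnet and one jump host).
$allowed = @('10.20.30.0/24', '192.0.2.10')

# The inbound rules Windows ships for RDP belong to the "Remote Desktop"
# display group (TCP 3389 and, on newer builds, UDP 3389).
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound

foreach ($r in $rules) {
    # Narrow the existing rule's remote scope rather than adding a parallel
    # rule, so no leftover rule still allows "Any".
    Set-NetFirewallRule -Name $r.Name -RemoteAddress $allowed -Enabled True
}

# Check that no other enabled inbound rule exposes the RDP port without a scope
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($scope -join ', ')
            Unscoped      = ($scope -contains 'Any')
        }
    } | Format-Table -AutoSize
```

Make sure the address you are administering from (or the VPN client pool, if RDP is reached over a VPN) is in the list before applying it, otherwise the change locks you out along with everyone else.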
6. Use a VPN During RDP Sessions
Using a VPN encrypts all network traffic inside a secure tunnel. The tunnel is routed through several other IP addresses before reaching its destination, making the traffic very hard to intercept and exploit.
You can implement a whitelist for VPN access as well. Using a VPN has been proven to prevent DoS/DDoS attacks, man-in-the-middle (MITM) attacks, and others.
It is very important to note that a VPN's protection is non-existent if the credentials are leaked or the password is stolen via malware or another attack. A VPN also won't protect against endpoint risks like ransomware, keylogging, and spyware.
If you want to learn more about VPNs, check out this article.
To conclude, an RDP session is secure by nature, but ultimately it is up to the user to exercise caution and use all of the security features Windows offers for RDP. Yes, RDP sessions can still be compromised given the wide range of exploits available, but applying the outlined security controls will greatly reduce the risk of compromise.
If secured properly, RDP is a great service for remote computer management and it is highly effective! We have to remember that even if we follow all of the best practices, there is still a chance that the bad guys could get into our RDP session; we can only do our best.