When I speak with security architects who are active segmenters, they often look for guidance on how they can restrict access to their servers via Remote Desktop Services (formerly known as Terminal Services). Throughout my career I have seen environments where RDP was allowed directly from the internet, others where the RDP port was changed from 3389 to another random port, and lastly some where it was not accessible from the internet at all. If you imagine these three scenarios, the first gets you hundreds of failed login attempts on your servers every day, the second only buys you time until you are back in the first scenario, and the last buys you more time until an adversary gains access to the internal network via a low-value asset.
The recommendation always comes down to how restrictive they want their environment to be. Leveraging a jump host is always a good start: write a whitelist segmentation rule that only allows inbound TCP 3389 from one or two workloads inside the data center (the jump hosts). This removes a substantial amount of the RDP attack surface in the Windows environment. The second method is user-based segmentation, where a security architect controls, based on Active Directory group membership, which users can reach the jump host at all. This reduces the possibility of an RDP attack to almost nothing.
Applying these two practices will dramatically reduce the exploitation of RDP and can also prevent ransomware in cases where RDP would have been the initial infection point.
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker must already have compromised a system running Remote Desktop Services, and then wait for a victim system to connect to Remote Desktop Services.
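As an added example (not code from the original post), the following PowerShell applies the two controls described above on a Windows server: an allow-list firewall rule for TCP 3389 limited to the jump hosts, and RDP logon rights limited to one AD group. It also checks that no any-source RDP rule remains and disables clipboard redirection, which is the feature abused in the advisory text above. The jump-host addresses, the AD group name, and the choice to express the user-based control as local "Remote Desktop Users" membership are assumptions; run it elevated on the server being protected.

```powershell
# Added example, not the original post's code. Assumed placeholder values:
$JumpHosts = @('10.0.1.10', '10.0.1.11')     # assumed jump-host addresses
$RdpGroup  = 'CONTOSO\RDP-JumpHost-Users'     # assumed AD group allowed to RDP

# 1. Replace the built-in any-source "Remote Desktop" rules with an allow-list
#    that only accepts TCP/3389 from the jump hosts.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'RDP - jump hosts only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $JumpHosts -Action Allow `
    -Profile Domain, Private -Enabled True | Out-Null

# Unmatched inbound traffic must be dropped, otherwise the allow-list is moot.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. User-based control: only members of one AD group hold RDP logon rights.
#    (Local Administrators keep RDP access regardless of this group.)
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Where-Object { $_.Name -ne $RdpGroup } |
    ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_ }
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpGroup -ErrorAction SilentlyContinue

# 3. Verification: every enabled inbound allow rule for TCP/3389 whose remote
#    address is still "Any". An empty result means the allow-list holds.
function Get-OpenRdpRule {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $port.Protocol -eq 'TCP' -and $port.LocalPort -contains '3389'
        } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
        Select-Object DisplayName, Profile, Enabled
}
Get-OpenRdpRule

# 4. Hardening for the clipboard-redirection issue: the "Do not allow Clipboard
#    redirection" policy (fDisableClip) stops the server from accepting clipboard
#    redirection from connecting clients.
$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $TsPolicy -Force | Out-Null
Set-ItemProperty -Path $TsPolicy -Name fDisableClip -Value 1 -Type DWord
```

Run `Get-OpenRdpRule` again after any firewall change; a rule appearing in its output is exactly the any-source exposure the first scenario in the post describes.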