Common Remote Desktop Protocol (RDP) Vulnerabilities
- Terminal Services Encryption Level is set to Medium or Low
- Microsoft Windows Remote Desktop Protocol Server is vulnerable to Man-in-the-Middle attacks
- Terminal Services does not enforce Network Level Authentication (NLA)
Terminal Services Encryption Level is Medium or Low
How to find this vulnerability:
How to check your system for this vulnerability:
How to fix this vulnerability:
Go to Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security/Set client connection encryption level
Set the client connection encryption level to High.
Important Notes:
- High: This setting uses strong 128-bit encryption for all data sent between the client and the server. Only clients that support 128-bit encryption can connect to the server.
- Client Compatible: This setting encrypts data using the strongest encryption supported by the client. Use this option if you have clients that don’t support 128-bit encryption.
How to verify the fix:
Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness
How to find this vulnerability:
How to check your system for this vulnerability:
How to fix this vulnerability:
Go to Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security/Require use of specific security layer for remote (RDP) connections
Set the Security Layer option to SSL (TLS 1.0).
Important Notes:
- Negotiate: This option uses the most secure method the client supports. It uses TLS 1.0 if the client supports it; otherwise it falls back to native RDP encryption without server authentication.
- RDP: This option uses native RDP encryption without server authentication.
- SSL (TLS 1.0): This option mandates the use of TLS 1.0 for server authentication. If TLS is not supported, the connection will fail.
How to verify the fix:
Terminal Services Doesn’t Use Network Level Authentication (NLA) Only
What is Network Level Authentication (NLA)?
Network Level Authentication authenticates the user before a full Remote Desktop connection is established. This enhances security by:
- Reducing resource usage: The remote computer uses minimal resources before user authentication.
- Mitigating denial-of-service attacks: NLA makes it harder for attackers to overload the system with connection requests.
- Protecting against malicious connections: Users are less likely to connect to compromised remote computers.
How to find this vulnerability:
How to check your system for this vulnerability:
How to fix this vulnerability:
- Option 1: In Remote Desktop options, choose “Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)”.
- Option 2: Enable the following policy in Local Group Policy Editor: Local Computer Policy → Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security → Require user authentication for remote connections by using Network Level Authentication.
How to verify the fix:
Code Execution on RDP Clients
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/
Baseline for RDP
Windows Firewall for RDP
Restricting RDP access using Windows Firewall:
- Open Windows Firewall with Advanced Security.
- Go to Inbound Rules > Remote Desktop (TCP-In) > Scope.
- Under “Remote IP address”, add the IP addresses that are allowed to connect via RDP.
IP addresses not included in this list will be blocked from accessing RDP.
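An added audit script (not part of the original page) that checks the three listener settings described above and the scope of the inbound Remote Desktop firewall rules on the local host. It assumes the standard RDP-Tcp listener, the built-in "Remote Desktop" firewall rule group, and an elevated PowerShell session; the registry value names and meanings are the ones Windows uses for these settings.

```powershell
# Audit the RDP hardening baseline covered on this page (added example, not from the page).
# Group Policy values, when present, override the per-listener values, so both paths are read.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpSetting {
    param([string]$Name)
    foreach ($path in @($policy, $listener)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
    }
    return $null   # value not present in either location
}

$findings = @()

# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
$encryption = Get-RdpSetting 'MinEncryptionLevel'
if ($null -eq $encryption -or $encryption -lt 3) {
    $findings += "Encryption level is '$encryption' (not High): set client connection encryption level to High"
}

# SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = SSL (TLS). Only 2 forces server authentication.
# The policy label says "TLS 1.0"; the version actually negotiated is governed by Schannel settings.
$secLayer = Get-RdpSetting 'SecurityLayer'
if ($secLayer -ne 2) {
    $findings += "Security layer is '$secLayer' (not SSL/TLS): server authentication not enforced"
}

# UserAuthentication: 1 = Network Level Authentication required before a session is created.
$nla = Get-RdpSetting 'UserAuthentication'
if ($nla -ne 1) {
    $findings += "NLA is not enforced (UserAuthentication = '$nla')"
}

# Firewall scope: a rule whose remote address is 'Any' accepts RDP from every source.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
foreach ($rule in $rules) {
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($scope -contains 'Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' is not scoped to an allow-list of remote addresses"
    }
}

if ($findings.Count -eq 0) { 'RDP baseline checks passed' } else { $findings }
```

Run it before and after applying the fixes above; an empty findings list is the "verify the fix" result for all three settings and the firewall scope.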
