What Is RDP & How Do You Secure (or Replace) It?

12 Oct 2023


Secure Alternatives to RDP for Remote Access

RDP security risks are unjustifiable for many organizations. Even the slightest non-compliance, whether internal or external, when using RDP is unacceptable. Such organizations require a strategic remote access solution that does not depend on native operating system functionality. This leaves a few choices for modern Microsoft Windows devices and other operating systems that support RDP as a client or server:

1. VNC (Virtual Network Computing): VNC is an alternative remote access protocol that competes with RDP. It is a graphical desktop sharing solution that uses the Remote Frame Buffer (RFB) protocol to control the screen, keyboard, and mouse of another computer by relaying screen updates. The primary advantage of VNC over RDP is that it is platform-independent and has multiple server and client implementations from various sources on the same platform. With VNC, you can choose the vendor, open-source project, or implementation style that suits you and deploy it.

Unfortunately, VNC suffers many of the same security and hardening shortcomings as RDP, including potentially weak encryption, clear text transmissions, and limitations for hardening authentication. While some proprietary solutions have been built upon VNC to solve these issues, they are paid solutions just like any other proprietary implementation. And like RDP, assets using VNC should never be exposed directly to the Internet, and internal assets should be managed accordingly.

2. SSH (Secure Shell): Modern versions of Microsoft Windows allow almost every function to be executed via the command line. In 2018, Microsoft formally added native Secure Shell (SSH) to the operating system to make this functionality available remotely.

While not graphical, SSH provides a secure way to log in remotely to a Windows host and execute commands and scripts. Hardening SSH entails similar steps to hardening RDP: SSH needs to be properly configured for account access, encryption, and access control lists. To that end, it should only be used internally—never exposed directly on the Internet, if possible.
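The three hardening areas named above (account access, encryption, access control lists) map onto concrete settings of the built-in Windows OpenSSH server. The following PowerShell script is an added example written for this article, not the author's own code or anything shipped by Microsoft. It assumes an elevated session on Windows 10 1809 / Server 2019 or later where the OpenSSH.Server capability is available; the subnet `10.0.0.0/8`, the group name `SSH-Admins`, and the cipher, key exchange and MAC lists are assumed values chosen for illustration and should be replaced with your own policy.

```powershell
# Added example (not from the original article): make the Windows OpenSSH server
# internal-only with key-based authentication. Run from an elevated PowerShell session.
# Assumed values for illustration: the management subnet, the allowed group, and the
# algorithm lists. Replace them with your organization's baseline.

$InternalSubnet = '10.0.0.0/8'      # assumption: only this network may reach sshd
$AllowedGroup   = 'SSH-Admins'      # assumption: local or domain group permitted to log in
$ConfigPath     = Join-Path $env:ProgramData 'ssh\sshd_config'

# 1. Install and enable the built-in OpenSSH server capability.
Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0' | Out-Null
Set-Service -Name sshd -StartupType Automatic

# 2. Account access: public-key only, limited to one group, with tight retry limits.
#    For members of Administrators, keys are read from
#    %ProgramData%\ssh\administrators_authorized_keys (the default Match block in sshd_config).
# 3. Encryption: restrict sshd to a modern algorithm set (assumed baseline).
$desired = [ordered]@{
    'PasswordAuthentication' = 'no'
    'PubkeyAuthentication'   = 'yes'
    'AllowGroups'            = $AllowedGroup
    'MaxAuthTries'           = '3'
    'LoginGraceTime'         = '30'
    'Ciphers'                = 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com'
    'KexAlgorithms'          = 'curve25519-sha256'
    'MACs'                   = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
}

# Apply each directive: overwrite an existing line (commented or not), otherwise append it.
$lines = @(Get-Content -Path $ConfigPath)
foreach ($key in $desired.Keys) {
    $pattern = "^\s*#?\s*$key\b.*$"
    $newLine = "$key $($desired[$key])"
    if ($lines -match $pattern) {
        $lines = $lines -replace $pattern, $newLine
    } else {
        $lines += $newLine
    }
}
Set-Content -Path $ConfigPath -Value $lines

# 4. Access control list at the network edge: the capability creates an inbound rule named
#    OpenSSH-Server-In-TCP for port 22. Narrow it to the internal subnet and non-public
#    profiles instead of leaving it open to any remote address.
Set-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' `
                    -RemoteAddress $InternalSubnet `
                    -Profile Domain, Private

Restart-Service -Name sshd

# Check what sshd actually parsed (sshd -T prints the effective configuration in lowercase).
& "$env:SystemRoot\System32\OpenSSH\sshd.exe" -T |
    Select-String -Pattern 'passwordauthentication|pubkeyauthentication|allowgroups|ciphers|kexalgorithms|macs'
```

The `sshd -T` check at the end is the step worth keeping in any change procedure: it reports the configuration the daemon will enforce after a restart, so a typo in a directive name or an algorithm the build does not support shows up before anyone is locked out. Pairing the firewall scope with `AllowGroups` gives two independent controls, one at the network layer and one at authentication, which is the same layered approach the article recommends for RDP.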

3. Third-Party Solutions: Proprietary implementations of remote access technology are typically architected in a vastly different manner than RDP, VNC, and SSH. In lieu of opening a listening TCP/IP port on a host, these technologies tend to use agent-based technology to call out to a manager or gateway technology and await an inbound connection request. Such implementations are ideal for placing on the Internet, since the exposure has been mitigated and authentication is performed at the remote access manager versus at the target itself. In addition, traffic is routed through the manager and gateway to secure the network path as opposed to point-to-point communication that may be blocked by firewalls.

Some vendors that supply proprietary implementations for remote access have solved all the challenges and deficiencies associated with RDP. However, these are enterprise solutions and not free. The underlying protocols used for these solutions are proprietary to the vendors.

The most advanced of these third-party secure remote access solutions may offer features like screen recording, multiscreen sharing, safe mode booting, and even remote registry access—without the need for a full session. However, account management can remain a challenge, since every solution needs to grant authentication privileges based on a directory service or through a local role-based access model for each potential target. This needs to be set up regardless of whether the users and assets are grouped in Active Directory, LDAP, or Azure AD. Administrators need to define who has access to what, and when, in lieu of wide-open access that poses a huge risk to the business.
