The pandemic forced many companies to telecommute and throw away their business continuity plan, although it is no secret to many professionals that the vast majority of companies had the plan as a simple check on ISO policies.
Among the activities and quick responses to the management demands that its professionals took, was to publish the company’s internal services to the internet through insecure systems such as RDP (windows’ remote desktop system). But there is still time to take the right path and not risk having company information hijacked with a virus.
It is not RDS itself, since it is understood that the professional who implements a service like this has the knowledge to ensure it and not expose it, indeed, if the company cannot acquire RDS licenses due to costs, there are alternatives cheapest in the market that fulfill the same function in these times.
The best for RDP is a VPN
If the application used by the company, it is not possible to migrate it to the cloud, or failing that you cannot Buy RDP and access RDS services, the best alternative is to make the connections through a secure connection, for this, it is necessary that the company has a firewall or firewall, which has VPN capabilities.
Some commercial firewalls give this service as an added value (add more to the cost of the license), as for the open-source alternatives such as presence or endian community, they provide unlimited connections (the limit is defined by the hardware) for teleworkers, just enough to implement it and clever.
The operation of the VPN will help to greatly reduce a possible attack on the server, but you should always go for more security measures, remember, computer security is always measured by the weakest link, usually the end-user.
If the firewall doesn’t allow VPN, nat to the server with ids / IPS protection with IP segmentation, and isolate the server in a DMZ, all decent firewalls have it.
Another alternative is the tunnels
Although the VPN is a more secure tunnel, there are alternatives to have reverse tunnels with SSH using Linux, but yes, it can get a bit complicated, you can also use alternatives such as mesh-central, which one of its functionalities is to act as a tunnel.
If you cannot implement a firewall for VPN or gateway, then
Actually, the recommendations are very few and do not guarantee much security and defense, but some are:
Change the RDP port
Update, always update, have you updated?
Limits the number of users. The administrator must be prohibited for RDP over the internet, only for the LAN.
Constantly change passwoRDS (once a week), it is preferable to lose a day changing passwoRDS, to a month trying to decrypt the information. But strong passwoRDS, longer than 12 characters, use professional tools.
Speaking of passwoRDS, also activate account lockout when x amount of attempts are exceeded.
Use the host’s firewall and enhance it with the Antivirus’s, restricting access to RDP from the public IPS of remote users, nothing else, not leaving it 100% exposed.
Users should always have the least possible privileges, if they are only going to access one application, why do they have the control panel enabled?
Last but not least, backups, always make backups, if the RDP server is in a virtualizer, a snapshot every 4 hours or less would not be bad.
As you note, actually securing an RDP server is not complex, but it is not very complex to stop using it.