Email Twitter LinkedIn Google Plus Hamburger
Commissum is exhibiting at Infosec Europe 2019.
Incident Response
Get in touch

Remote Desktop Gateways - A forgotten Security Feature

In this fast-changing world, not everyone works in the office all of the time. With recent advances in technology, many organisations have started to allow their workforce to work remotely and provide flexibility for the roles that require employees to travel. Keeping business data locked down to employees within the office network is no longer possible as organisation’s need to make these resources available to the employees that are located outside the corporate network as well. It becomes a challenge for the IT department to fulfil business requirements for data accessibility while maintaining the security.

To cater for such requirements, solutions such as Virtual Private Networks (VPNs) and Remote Desktop Protocol (RDP) were introduced. These protocols serve a common goal; to provide a way for remote users to access data in the corporate network. Despite offering the same service, VPN is the most common solution amongst organisations due to the enhanced security features it has to offer. Exposing RDP to external users is thought to put corporate networks at risk due to known vulnerabilities related to this protocol that make it a less than ideal option.

But what if there was a secure way to make use of RDP?

As VPN dominates the market, most have never heard of something called a Remote Desktop Gateway. To understand RD Gateways, first we need to understand RDP.

The Remote Desktop Protocol is a proprietary protocol developed by Microsoft that is used to provide graphical means of connecting to a network-connected computer, remotely. RDP is essentially a protocol for making your computer available for others to use. Sadly, this protocol was found some time ago to be vulnerable and insecure, thus making it an obvious protocol to be exploited by malicious threat sources. Exposing the protocol externally would put the corporate network at risk and create opportunity for an attack. 

So, how can we use the RDP protocol securely?

Enter stage left the RD Gateway! A feature that was first introduced in Windows Server 2008 R2, in essence, this gateway enables users to connect to remote computers on a corporate network by utilising the Remote Desktop, and crucially, the HTTPS protocol, to create a secure encrypted connection. It acts as the middleman, passing the traffic to and from the client over port 443, and to and from the internal resources over port 3389. All communications between the RD Gateway and the external client are encrypted and therefore mitigate the vulnerable protocol argument.

undefined

So, functionally what differentiates an RD Gateway from a VPN? And why bother?

One major benefit between using the RD gateway and a typical VPN is that VPNs provide full network access to anyone who is able to connect, while an RD Gateway uses authorisation policies that determine who can use the gateway and the specific resources to which they are allowed to access.

The RD gateway controls access to itself and internal RDS (Remote Desktop Services) resources separately, with two different types of access policies: RD Resource Access Policies, (RD RAPs) which controls the access to the resources, and, RD Connection Access Policies (RD CAPs), which determine whether a user is allowed to connect to an RD Gateway.
To put it simply, users must be explicitly allowed to use an RD Gateway and they must also have explicit permission to access the resources in the remote computer. A secure tunnel between the client and the RD gateway server will be created only if these two conditions are met. The remote user will be denied access if they are authorised to access the RD Gateway, but have no permission to access the resources and vice versa.

These two conditions mean that a fundamental principle of security can be enforced, that of “least privilege” or “need to know”. This also means the RD Gateway method of secure remote access provides an enormous benefit over a full network access VPN.

Aside from providing a far more secure way to access remote resources, the RD gateway has undergone a lot of improvements since it was first introduced. Some of the changes in Microsoft Windows Server 2012 RD Gateway are so it can accommodate more simultaneous connections on the same hardware, UDP (User Datagram Protocol) ports can be used as transport protocols, and the ability to change transport port numbers.

With the security features it provided and new improvements it introduces, RD Gateway should be in the list when deciding solutions to be used when it comes to remote access.

For expert advice on how to strengthen your information security posture, get in touch - we're ready to help!

In order for this site to work properly, and in order to evaluate and improve the site, we have placed cookies on your computer.

That's fine!