
What is RD Web, and why is it a security concern?

Learn more about RD Web, its risks, and how to properly secure your infrastructure.

RD Web Overview 

Microsoft Remote Desktop Web Access (RD Web) is a component of Microsoft Remote Desktop Services that allows users to remotely access desktops and applications through a web browser. More simply, RD Web allows someone on remote computer A to log in to Windows computer B as if they were physically sitting at that machine. Historically, businesses have exposed RD Web to the Internet as a common way for users to remotely access company systems and data.

RD Web Security Risks 

Threat actors commonly target externally facing RD Web as a method of gaining access to an organization’s network. They do this by using stolen credentials or by brute-forcing weak user credentials. Once an initial foothold is established through RD Web, threat actors can move undetected in the environment and deploy malware. This often leads to ransomware infections.

Organizations that continue to use RD Web expose themselves to an increased likelihood of attack as a large number of threat actors focus efforts on breaking in through this mechanism. 

Alternatives to RD Web 

Travelers recommends that organizations using Internet-accessible Microsoft RD Web adopt alternative methods of remote access. 

The following are some alternatives you can consider for remote access. Remember to always require multifactor authentication (MFA) for any remote access method. 

  1. Migrate to cloud-based services 
    • Microsoft Office 365 
    • Google Workspace
  2. Zero Trust Network Access (ZTNA) 
    • Cisco  
    • Illumio  
    • Palo Alto  
    • Perimeter 81
    • Zscaler
  3. VPN solution 
  4. Where cloud-based services or zero trust network access are not possible, consider remote access and remote control software, such as:
    • LogMeIn 
    • TeamViewer 
    • AnyDesk 

How to Secure RD Web and follow the Exception process 

In limited situations, RD Web is required for business functionality and implementing an alternative remote access method is not technically feasible.  In this case, continued use of the product must follow a formal “Exception” process.

  1. Create a formal process (if one does not already exist) to acknowledge, document and manage the use of a product that deviates from best practices.
    1. Justify the use, with clear business rationale and technical considerations.
    2. Ensure the use is time-bound – no exception is considered a long-term or permanent solution. It must be limited to as short a timeframe as possible until an acceptable strategic solution is implemented.
    3. Explicitly document risk acceptance with approvals by stakeholders including management.
    4. List mitigations and compensating controls implemented.
  2. In addition to the exception process, organizations should implement, at minimum, the following compensating controls to harden and secure RD Web access:
    1. Enforce multi-factor authentication for all users
    2. Only allow authentication for users who require remote access.
    3. Enable and enforce strong RD Web configurations including:
      1. Complex passwords
      2. Account lockout policies
      3. Network Level Authentication (NLA)
      4. Restricted Admin Mode
      5. Configuring Session Duration Limits
      6. Deny administrative / domain admin logins over RDP  
    4. Only allow connections from trusted sources:
      1. Implement an IP address allow list
      2. Leverage client-side certificates for trusted devices
    5. Limit the systems users can connect to over RDP in your internal network
      1. Implement internal network segmentation
      2. Users should not have unfettered/direct access to everything on the internal network
    6. Routinely update your Operating System and immediately patch critical severity vulnerabilities.
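
A read-only PowerShell audit of the host-side settings from the list above: complex passwords, account lockout, NLA, Restricted Admin Mode, session limits, and denying administrator logon over RDP. This is an added example, not a script from this article's publisher or from Microsoft; it assumes an elevated prompt on the RD Session Host, and the helper name Get-RegValue is hypothetical. MFA, IP allow lists, client certificates and segmentation are enforced elsewhere and have to be verified separately.

```powershell
# Added example: read-only audit of RD Session Host hardening settings.
# Assumes an elevated prompt on the host; nothing is modified.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Hypothetical helper: returns $null when the key or value is not configured.
function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Export the effective security policy to read password, lockout and user-rights settings.
$cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas SECURITYPOLICY USER_RIGHTS /quiet
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $policy[$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item $cfg -Force

# NLA can be set locally on the listener or pushed by Group Policy; either is enough.
$nla = ((Get-RegValue $rdpTcp 'UserAuthentication') -eq 1) -or
       ((Get-RegValue $tsPol 'UserAuthentication') -eq 1)
# Session limits are stored in milliseconds; absent or 0 means no limit.
$idle = (Get-RegValue $tsPol 'MaxIdleTime') -gt 0
$disc = (Get-RegValue $tsPol 'MaxDisconnectionTime') -gt 0
# Built-in Administrators (S-1-5-32-544) or Domain Admins (RID 512) denied RDP logon.
$denied = "$($policy['SeDenyRemoteInteractiveLogonRight'])" -match 'S-1-5-32-544|S-1-5-21-[\d-]+-512\b'

$checks = [ordered]@{
    'Password complexity enforced'       = $policy['PasswordComplexity'] -eq '1'
    'Account lockout threshold set'      = [int]$policy['LockoutBadCount'] -gt 0
    'Network Level Authentication (NLA)' = $nla
    'Restricted Admin Mode allowed'      = (Get-RegValue $lsa 'DisableRestrictedAdmin') -eq 0
    'Idle session limit set'             = $idle
    'Disconnected session limit set'     = $disc
    'Admin logon over RDP denied'        = $denied
}
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Control = $_.Key; Status = if ($_.Value) { 'OK' } else { 'REVIEW' } }
} | Format-Table -AutoSize
```

A REVIEW status means the setting was not found in the locations checked; session limits configured only in an RDS collection rather than by policy will also show as REVIEW.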