什么是远程桌面协议?为什么安全性至关重要?
远程桌面协议(RDP)是微软的一项协议,旨在远程连接到另一台计算机。
RDP comes with some very convenient features including screen sharing and the ability to give complete remote control of a device to an IT expert providing technical assistance to a user from far away.
虽然全球已有数百万人使用 RDP,但此项技术容易成为勒索软件的攻击对象,其网络安全问题日益严峻。
According to Kaspersky, in early 2021 alone there were more than 377.5 million brute-force attacks targeting RDP. And last year was not any better. RDP attacks grew from 91.3 million in January to more than 277.4 million by March 2020 alone. That's a 197% increase in 3 months!
Considering such a dangerous increase in ransomware attacks targeting RDP, it's time for businesses - especially those with information technology (IT) environments relying on RDP to reconsider their reliance on this now decades-old remote access protocol.
Why Is RDP So Insecure and Increasingly Targeted by Cybercriminals?
我们向不同行业的网络安全专家进行了咨询。
According to Todd Gifford, CTO at Optimizing IT, "RDP has historically been an insecure method of gaining console access to machines across a network because it is enabled by default and open to all on the internet at a network level." And “in many cases," says Todd, "that default open-to-all approach hasn't ever changed, and as a result, there are no good password controls complexity, and account lockout."
MENTIS 的创始人兼首席执行官 Rajesh Parthasarathy 就 RDP 缺少重要安全功能的原因,做了进一步解释。
"Imagine a city built without planning – houses built as per convenience, roads built to offer the least amount of travel, commercial areas, and industries built as per space availability," says Rajesh. "As time progresses, and more and more people start moving in, the city will collapse as it fails to adapt to these evolving needs - RDP or Remote Desktop Protocol suffers from a similar shortcoming."
In other words, RDP was not built to handle today's security concerns and requirements. Hence, it has become outdated and vulnerable to threats, which cybercriminals have noticed.
"Entire attacker ecosystems exist to find open RDP instances and either steal credentials through phishing or guess commonly used username and password combinations until the right pair is found," says Jason Rebholz, CISO at Corvus Insurance.
To this, Todd adds that after working to continuously guess RDP passwords, cyber criminals eventually get in. And "Once the attackers log in," says Todd, "they disable or remove any anti-malware service as well as any logging or any software that might alert an admin to any problems."
Bram Jansen, Chief Editor of vpnAlert, says that "once your endpoint protection is disabled, no security solution will be able to help you if this happens."
既然 RDP 如此不安全,为什么人们还要继续使用?
近日与 Splashtop 安全与合规高级总监 Jerry Hsieh 的访谈中,我们谈到了这个问题。
According to Jerry, IT staff continue to use RDP because it is often free and easy as it is built-in within Microsoft. "This means IT teams don't need to purchase anything special," explains Jerry. "It comes with your Microsoft license, although RDS (Remote Desktop Services) requires additional licenses."
针对 RDP 的勒索软件攻击越来越多,寻找其替代方案刻不容缓。
替代方案:提高远程桌面协议的安全性
基于 RDP 的虚拟专用网络(VPN)
RDP 一开始并不安全,通常仅可用于访问内部网络。但如果用户想在公司网络之外使用 RDP,就需要在 RDP 的基础上使用 VPN。
虚拟专用网络,又叫 VPN,通过在两个不同地点创建互联网连接,使用户能够远程访问该网络中的计算机和文件。VPN 被视为企业网络的扩展,人们认为通过 VPN 运行 RDP 非常“安全”。但是,十年来许多 VPN 漏洞接连被披露。
VPN 存在的安全问题:
VPN infrastructure updates are primarily manual, not automatic. That is because critical security features like multi-factor authentication and device authentication are not always included. This can expose remote devices and corporate networks to lateral threats, such as ransomware - the same threats that concern RDP.
VPNs are not Zero Trust Network Access ready.
A Zero Trust Network Access (ZTNA) framework is made of a set of technologies that operates on an adaptive trust model. Access to information and networks is granted only according to user permissions. Ultimately, the ZTNA framework gives users seamless connectivity without compromising security or safety for both individuals and their data. Due to the way traditional VPNs work, they cannot support ZTNA. For all these security concerns, a 2019 Gartner report predicted that by 2023, 60% of enterprises would phase out their remote access VPN in favor of more secure solutions.
此外,VPN 具有非常严重的可扩展性和性能缺陷:
VPN 不能同时处理大量流量和多个用户,很难大规模进行部署,以满足完全远程或混合办公环境需求。
扩展 VPN 网络需要升级 VPN CPU 或内存,在 IT 看来,这一过程漫长而复杂。通常,VPN 无法升级,许多用户不得不购买价格更高的高端型号。
Each employee needs a company-issued device for a VPN to work in a remote office setup. As a result, BYOD devices (such as employees' home devices) cannot be leveraged.
远程访问软件:当代 RDP 的替代方案
与 RDP 和 VPN 一样,远程访问软件也具备随时随地从其他设备访问计算机等设备的功能。
Unlike a VPN, remote access software is built to handle high traffic and provides complete access to remote computers' files and applications, regardless of the network. This makes it more suitable than a VPN for a remote or hybrid environment.
Unlike RDP, remote access software is also more prepared to handle today's security concerns. It comes with built-in security features like SSO (Single Sign-On), MFA (Multi-Factor Authentication), device authentication, and automatic infrastructure updates to keep updated with security standards. It’s almost maintenance free.
While there are many remote access software providers in the market, Splashtop offers one of the most secure in the market. Although some remote access software companies build their software on top of the RDP infrastructure, Splashtop took a different approach to create something unique for the sake of security and a better user experience. This positions Splashtop software as a next-generation remote access software built to handle today's security challenges in remote connections.
为什么 Splashtop 下一代远程访问软件优于 RDP?
针对以上问题,近日 Splashtop 联合创始人兼首席技术官 Phil Sheu 在接受 RDP 相关采访中,做出了回答。
"Let's say you have a house on the street, the door is open, and all your belongings are basically on display, "says Phil. "While the entire surrounding area wouldn't know that your door is open, anyone walking by can easily tell that no one is home, and your door is open." That scenario depicts RDP.
"Now take this same house and put it in a gated community with a guard, shut the door, and lock the gate," continues Phil. "The security guard is checking visitation permissions, no one outside the gate can see your house and its belongings, whether or not you are home, and you can invite a particular person in, but you do not have an open invitation for anyone else to peek in."
That's how you should visualize Splashtop next-gen remote access software and how it is fundamentally safer and better than RDP and VPN.
Splashtop 次世代リモートアクセスインフラストラクチャ
Haven’t tried Splashtop yet? Try it for free.
