Is RDP secure? A Chat with Splashtop’s CTO/Co-Founder and Jerry Hsieh, Sr. Director, Security & Compliance for Splashtop
In the past few months, as ransomware and hackers continue to make headlines, we are hearing more and more questions about security protocols for remote access solutions, along with questions about VPN (Virtual Private Network) vulnerabilities and RDP (Remote Desktop Protocol). In some cases, we’ve heard that people may even compare RDP and its inherent risk with Splashtop’s solutions.
Our CMO, Michelle Burrows, sat down with Splashtop Co-Founder and CTO, Phil Sheu, along with Jerry Hsieh, Splashtop’s Sr. Director of Security and Compliance, to see if the concerns about RDP are warranted and to compare RDP with Splashtop solutions.
Michelle: I’ve read a lot lately about the risk in using RDP, including this recent article which talked through all the reasons that RDP isn’t secure. Why do you also believe that RDP is not the right choice for security-minded organizations?
Jerry: Before we talk about why RDP poses a threat to companies and businesses who use it, let’s first talk about what it is and why it exists. RDP is an older technology that was originally designed for IT staff to access the servers without having to physically go into the server room. It was created to solve a very specific problem – the server room is usually kept super cold, and it is also noisy as it holds a lot of equipment. It is easy to understand why IT wouldn’t want to go into that room very often, not to mention work in it. Along comes RDP, enabling IT staff to launch RDP sessions to work on servers remotely, no travel to a cold and noisy server room required.
Over time, IT staff became aware that RDP wasn’t particularly secure, so some began to add in other security settings such as ACLs, firewall policies, or putting in a VPN gateway to add another layer of security if the RDP needed to be accessed outside of the company network. I’ve spoken with teams who then think this is secure, but misconfiguration of the system often leads to it being compromised.
And, as we talked about a few weeks ago in this interview, VPNs are also not secure for quite a few reasons. What I then see is teams, believing they are adding another piece to their security foundation, are instead combining two technologies that are older and vulnerable. It is like putting a fence up around your house and then leaving the fence and the front door unlocked and open. Neither the fence nor the door will protect the assets in the house if both are left open. Security features in VPN do not compensate for the RDP vulnerabilities.
Michelle: As I’m listening to you and all the reasons not to use RDP or a VPN, I have to wonder, why do teams continue to use these kinds of technology?
Jerry: The biggest reason that IT staff use RDP and RDP plus a VPN is because it is sort of free and it is easy. It is built in by Microsoft, and it is just sitting there for you to use as part of the Windows utilities. This means IT teams don’t need to purchase anything special – it comes with your Microsoft license, although RDS (Remote Desktop Services) requires additional licenses.
Michelle: Phil, anything to add on RDP and its vulnerabilities?
Phil: RDP has indeed been around a long time – even before HTTPS and TLS became the gold standard for securing Internet traffic. RDP was designed to work over a particular port and will respond to anyone who “pings” it over the port. A computer put on the Internet with this port open and RDP active can start seeing attacks in as little as 90 seconds. Attackers are incredibly adept at looking for and finding vulnerable RDP endpoints. By gaining access into an RDP endpoint, attackers can then pivot to access the corporate network which the computer is connected to.
Michelle: Tell me how Splashtop is different from RDP.
Phil: First, we architected Splashtop to be cloud-native and use industry-standard security protocols like HTTPS and TLS. Data is passed over port 443 just like all standard encrypted web traffic today, and connections are facilitated by our relay servers worldwide. For our customers, all of that means no special ports are needed, and firewalls do not need to allow special exceptions. Computers using Splashtop do not need to be left exposed on the Internet or DMZ for bad actors to easily scan and attack.
Michelle: Does that mean that Splashtop has its own proprietary technology?
Phil: Yes, we have our own proprietary technology. There is very little in common between Splashtop’s and RDP’s architectures for remote access. I can think of companies who have chosen to build on top of RDP, but we decided to build something unique for the sake of security and user experience.
Beyond security, this approach also enables our IT and Help Desk customers to access the large set of devices that do not support RDP (think Macs, iOS, Android, and even some versions of Windows), all with the same consistent high performance and usability.
As a last note on RDP, I’ll take the analogy that Jerry made about leaving your door open to thieves a bit further. Let’s say you have a house on the street and the door is open and all your belongings are basically on display. While the entire surrounding area wouldn’t know that your door is open, anyone walking by can easily tell that no one is home, and your door is open. That is like RDP. Now, take this same house and put it behind a gated community. But, leave the door wide open and the gate open. Now that is like RDP, plus a VPN.
Let’s take this analogy to compare how Splashtop works. Take this same house and put it in a gated community with a guard. Now shut the door and lock the gate. The security guard is checking visitation permissions. No one outside the gate can see your house and its belongings. In fact, the house may not even be visible from behind the gate. And no one can see your house, its belongings, or whether you are home. Now, you can invite a particular person in, but you do not have an open invitation for anyone else to peek in. That is how Splashtop works on a high level.
Michelle: Thank you for the analogies and taking the time to walk through this. Can you direct me to where our blog readers can learn more about Splashtop’s security?
Phil: I would love to share some security resources with our customers and future customers. We’ve created a section on our website that is dedicated to security and the questions that people may have. You can access it here: https://www.splashtop.com/security