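Remote Desktop Protocol: What It Is and Its Security Concerns
Remote Desktop Protocol (RDP) is a Microsoft protocol designed for connecting remotely to other computers.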
RDP comes with some very convenient features including screen sharing and the ability to give complete remote control of a device to an IT expert providing technical assistance to a user from far away.
Although this technology is now used by millions of people worldwide, growing cybersecurity concerns have made it an attack vector for ransomware.
According to Kaspersky, in early 2021 alone there were more than 377.5 million brute-force attacks targeting RDP. And last year was not any better. RDP attacks grew from 91.3 million in January to more than 277.4 million by March 2020 alone. That's a 197% increase in 3 months!
Considering such a dangerous increase in ransomware attacks targeting RDP, it's time for businesses, especially those with information technology (IT) environments relying on RDP, to reconsider their reliance on this now decades-old remote access protocol.
Why Is RDP So Insecure and Increasingly Targeted by Cybercriminals?
We consulted cybersecurity experts from different industries.
According to Todd Gifford, CTO at Optimizing IT, "RDP has historically been an insecure method of gaining console access to machines across a network because it is enabled by default and open to all on the internet at a network level." And "in many cases," says Todd, "that default open-to-all approach hasn't ever changed, and as a result, there are no good password controls complexity, and account lockout."
Rajesh Parthasarathy, founder and CEO of MENTIS, explains why RDP lacks such important security features.
"Imagine a city built without planning – houses built as per convenience, roads built to offer the least amount of travel, commercial areas, and industries built as per space availability," says Rajesh. "As time progresses, and more and more people start moving in, the city will collapse as it fails to adapt to these evolving needs - RDP or Remote Desktop Protocol suffers from a similar shortcoming."
In other words, RDP was not built to handle today's security concerns and requirements. Hence, it has become outdated and vulnerable to threats, which cybercriminals have noticed.
"Entire attacker ecosystems exist to find open RDP instances and either steal credentials through phishing or guess commonly used username and password combinations until the right pair is found," says Jason Rebholz, CISO at Corvus Insurance.
To this, Todd adds that after working to continuously guess RDP passwords, cyber criminals eventually get in. And "Once the attackers log in," says Todd, "they disable or remove any anti-malware service as well as any logging or any software that might alert an admin to any problems."
Bram Jansen, Chief Editor of vpnAlert, says that "once your endpoint protection is disabled, no security solution will be able to help you if this happens."
If RDP Is So Insecure, Why Do People Keep Using It?
We explored this question in a recent interview with Jerry Hsieh, Senior Director of Security and Compliance at Splashtop.
According to Jerry, IT staff continue to use RDP because it is often free and easy to use, since it is built into Microsoft's software. "This means IT teams don't need to purchase anything special," explains Jerry. "It comes with your Microsoft license, although RDS (Remote Desktop Services) requires additional licenses."
With ransomware attacks targeting RDP on the rise, it is time to explore alternatives.
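Alternatives That Address the Lack of Security in Remote Desktop Protocol
RDP with a Virtual Private Network (VPN)
Because RDP is insecure to begin with, it is usually used only to access internal networks. But what if users want to use RDP outside the corporate network? This is when a VPN comes into consideration.
A virtual private network, or VPN, creates an internet connection between two locations, letting users remotely access computers and files on that network. Because a VPN is generally regarded as an extension of the corporate network, running RDP through a VPN tunnel is also considered "safe." In fact, however, the number of disclosed VPN vulnerabilities has kept growing over the past 10 years.
VPN security concerns include:
VPN infrastructure updates are primarily manual, not automatic, and critical security features like multi-factor authentication and device authentication are not always included. This can expose remote devices and corporate networks to lateral threats, such as ransomware, the same threats that concern RDP.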
VPNs are not Zero Trust Network Access ready.
A Zero Trust Network Access (ZTNA) framework is made of a set of technologies that operate on an adaptive trust model. Access to information and networks is granted only according to user permissions. Ultimately, the ZTNA framework gives users seamless connectivity without compromising security or safety for both individuals and their data. Due to the way traditional VPNs work, they cannot support ZTNA. Given all these security concerns, a 2019 Gartner report predicted that by 2023, 60% of enterprises would phase out their remote access VPN in favor of more secure solutions.
In addition, VPNs have some scalability and performance shortcomings:
Because VPNs are not architected to handle heavy traffic and many users at the same time, they are difficult to deploy at scale to meet the needs of fully remote or hybrid work.
Scaling a VPN network requires upgrading the VPN's CPU/memory, which means a long and complicated process for IT. VPNs often offer no upgrade option, which also forces many users to purchase more expensive, higher-end models.
Each employee needs a company-issued device for a VPN to work in a remote office setup. As a result, BYOD devices (such as employees' home devices) cannot be leveraged.
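Remote Access Software: A New Alternative to RDP?
Like RDP and VPNs, remote access software provides the ability to access a computer or device from another device, anytime and anywhere.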
Unlike a VPN, remote access software is built to handle high traffic and provides complete access to remote computers' files and applications, regardless of the network. This makes it more suitable than a VPN for a remote or hybrid environment.
Unlike RDP, remote access software is also more prepared to handle today's security concerns. It comes with built-in security features like SSO (Single Sign-On), MFA (Multi-Factor Authentication), device authentication, and automatic infrastructure updates to keep updated with security standards. It’s almost maintenance free.
While there are many remote access software providers in the market, Splashtop offers one of the most secure. Although some remote access software companies build their software on top of the RDP infrastructure, Splashtop took a different approach to create something unique for the sake of security and a better user experience. This positions Splashtop software as a next-generation remote access software built to handle today's security challenges in remote connections.
How Is Splashtop's Next-Generation Remote Access Software Different from RDP?
Phil Sheu, co-founder and CTO of Splashtop, answered this question in a recent interview about Splashtop and RDP.
"Let's say you have a house on the street, the door is open, and all your belongings are basically on display," says Phil. "While the entire surrounding area wouldn't know that your door is open, anyone walking by can easily tell that no one is home, and your door is open." That scenario depicts RDP.
"Now take this same house and put it in a gated community with a guard, shut the door, and lock the gate," continues Phil. "The security guard is checking visitation permissions, no one outside the gate can see your house and its belongings, whether or not you are home, and you can invite a particular person in, but you do not have an open invitation for anyone else to peek in."
That's how you should visualize Splashtop next-gen remote access software and how it is fundamentally safer and better than RDP and VPN.

Splashtop Next-Generation Remote Access Infrastructure