By echoudhury77

STOP using Remote Desktop Web Access!!



Remote Desktop Web Access (RDweb) is Microsoft's browser-based front end to Remote Desktop Services. It publishes RemoteApp programs and desktops through a web page so that users can reach them over HTTPS without first connecting to a VPN.


It is widely regarded as both insecure and inefficient, and this post explains why.


There are many publicly published exploits and vulnerabilities for RDweb itself and for RDP (Remote Desktop Protocol), the protocol that every session launched from RDweb ultimately runs over.


RDweb is inefficient because it makes users authenticate more than once and download a file every time they want to open a program.


RDweb is accessed through a web browser. The user navigates to the site and is prompted to log in. After authentication, the landing page lists every program published to them. Launching one means downloading an .rdp file, and opening that file prompts for the same RDweb credentials a second time before the program appears. Every program you open repeats all of these steps, which adds up to significant delay. A standard client such as Remote Desktop Connection (mstsc), used over a VPN, instead connects you directly to a machine by its IP address or hostname.


That way you get one desktop with all of the required software running natively: in my timing, about 3 seconds to get to work versus about 30 with RDweb.


It also keeps the client machine clean, since you no longer accumulate a downloaded .rdp file for every program you have ever opened.


RDweb and RDP are considered insecure because of the sheer number of known vulnerabilities and exploits. RDweb can be reached from any computer, managed or not, so a user whose personal machine is already compromised can connect to the organization and carry the attacker in with them. RDP listens on TCP port 3389, one of the most heavily scanned and attacked ports on the internet, and an exposed 3389 is treated by attackers as an easy way in. Known attacks include authentication timing attacks, RDP process injection, and shadow attacks. An authentication timing attack determines which usernames exist by comparing how long the server takes to respond to login attempts.


The response for a real account differs measurably from the response for a nonexistent one; the rule of thumb used in this post is that a reply in four seconds or less marks the username as valid. No password is needed, so the attacker builds a list of real accounts to spray or phish. RDP process injection requires an attacker who already controls a computer in the local domain that external users connect to over RDP. The attacker waits for an external user to log in, pivots into that user's session, and abuses the session's permissions on the external domain. This works whenever the External Users group has been granted RDP access to any computer in the local domain.
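To make the username-enumeration point concrete, here is an added Python example. It is not from the original post and not Microsoft's code. It works on a constructed, simplified log format rather than real IIS or RDS logs, and the four-second threshold is this post's rule of thumb, not a Microsoft constant. It shows both sides: what the attacker computes (grouping usernames by median response time) and what the defender should compute (flagging any source that fails against many different usernames in a short window, which a legitimate user retrying one account never does).

```python
"""Username enumeration via RDweb response timing: attacker's view and defender's view.

Added example, not from the original post. The log format below is constructed
and simplified: "<ISO timestamp> <src_ip> <user> <outcome> <elapsed_ms>".
Real IIS/RDS logs need a different parser; the analysis logic is unchanged.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    src_ip: str
    user: str
    outcome: str      # "failed" or "success"
    elapsed_ms: int   # server response time as seen by the client or proxy


def parse_line(line: str) -> Attempt:
    ts, src_ip, user, outcome, elapsed = line.split()
    return Attempt(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                   src_ip, user, outcome, int(elapsed))


# Constructed sample: 203.0.113.10 sprays six usernames with a junk password in
# about half a minute; 198.51.100.7 is a real user who mistypes twice, then logs in.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 203.0.113.10 alice failed 2100
2024-03-01T09:00:07Z 203.0.113.10 bob failed 2300
2024-03-01T09:00:13Z 203.0.113.10 qwerty failed 7900
2024-03-01T09:00:20Z 203.0.113.10 admin2 failed 8100
2024-03-01T09:00:26Z 203.0.113.10 carol failed 1900
2024-03-01T09:00:33Z 203.0.113.10 jsmith failed 7700
2024-03-01T09:05:00Z 198.51.100.7 dave failed 2200
2024-03-01T09:05:20Z 198.51.100.7 dave failed 2000
2024-03-01T09:05:45Z 198.51.100.7 dave success 2400
"""


def load(log_text: str) -> list:
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def classify_by_timing(attempts, threshold_ms: int = 4000):
    """Attacker's view: median response time per username on failed logins.
    Usernames answered at or under the threshold (the post's four-second rule
    of thumb) are reported as likely-valid accounts. The password never
    mattered; only the existence of the account leaks through the timing."""
    per_user = defaultdict(list)
    for a in attempts:
        if a.outcome == "failed":
            per_user[a.user].append(a.elapsed_ms)
    medians = {u: median(v) for u, v in per_user.items()}
    likely_valid = sorted(u for u, ms in medians.items() if ms <= threshold_ms)
    likely_invalid = sorted(u for u, ms in medians.items() if ms > threshold_ms)
    return likely_valid, likely_invalid


def detect_enumeration(attempts, window_s: int = 300, min_distinct: int = 5):
    """Defender's view: any source IP that fails against `min_distinct` or more
    *different* usernames inside a sliding window of `window_s` seconds.
    Returns {src_ip: sorted list of usernames tried} for every flagged source."""
    by_ip = defaultdict(list)
    for a in attempts:
        if a.outcome == "failed":
            by_ip[a.src_ip].append(a)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits in window_s.
            while (evs[end].ts - evs[start].ts).total_seconds() > window_s:
                start += 1
            users = {a.user for a in evs[start:end + 1]}
            if len(users) >= min_distinct:
                flagged[ip] = sorted(set(flagged.get(ip, [])) | users)
    return flagged


if __name__ == "__main__":
    attempts = load(SAMPLE_LOG)
    valid, invalid = classify_by_timing(attempts)
    print("attacker's view  likely valid:", valid, " likely invalid:", invalid)
    print("defender's view  enumeration from:", detect_enumeration(attempts))
```

Tune `min_distinct` and `window_s` to your environment; the point is that the signal is distinct usernames per source, not failed attempts per account, so account-lockout thresholds alone will not catch it.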


Metasploit, the common open-source offensive framework, ships modules that automate these attacks. Lastly, shadow attacks abuse Remote Desktop's built-in session shadowing: when shadowing is permitted without consent, an attacker with the required privileges can view a user's desktop without the user's knowledge and, using nothing beyond what the operating system already provides, take control of it. AutoRDPwn, a PowerShell framework, automates exactly this.


Direct RDP over a VPN, using a client such as Remote Desktop Connection, is more secure in this model because the encrypted VPN tunnel has to be established before the RDP port is reachable at all, so port 3389 is never exposed to the internet and only authenticated VPN users can even attempt a connection.


RDweb is insecure and inefficient: it takes roughly ten times longer to open a program and has far more known exploits than the alternative. Every time a program is opened through RDweb you must download an .rdp file and reauthenticate with the same RDweb login. That second prompt adds no security, since it is the same credential; it only costs time.


There are many known exploits for RDweb and RDP, and an internet-exposed port 3389 is notorious. Open-source tools such as Metasploit make these exploits easy to run.


Other remote software, such as Remote Desktop Connection over a VPN, is faster and more secure. Users must first bring up an encrypted VPN tunnel before they can reach the organization's network at all. Once connected they land directly on the remote machine's desktop and use every program natively, with no reauthentication and no extra files to download, which saves time.

