All employees are logging in from home. Your connections are holding up well enough, but you’re likely concerned that it’s not enough to keep your network safe from the attackers. Many organizations have turned to Remote Desktop Protocol (RDP) to enable remote connections. These steps will better lock down those connections.
The basics: Patching, VPNs and strong passwords
Ensure that all remote machines connecting with the network are patched to include those for the most recent RDP vulnerabilities. That should include Windows 7 workstations as well. You can buy Windows 7 Extended Security Updates (ESUs) in any quantity. If you have placed a Windows 7 workstation back into service to give a home user access, you have no excuse to not patch that machine.
Next, allow only RDP combined with a VPN. Never expose port 3389 directly to the web. Ransomware attackers will “sniff” the outbound transmissions of a location and use tools such as TSgrinder to brute force the credentials of an RDP location. Never allow outbound port 3389 connectivity unless it has restrictions set in the inbound firewall rules to restrict access to certain static IPs under your control.
