Subscribe to receive notifications of new posts:

Cloudflare Access now supports RDP

2019-02-21

2 min read

Last fall, the United States FBI warned organizations of an increase in attacks that exploit vulnerabilities in the Remote Desktop Protocol (RDP). Attackers stole sensitive data and compromised networks by taking advantage of desktops left unprotected. Like legacy VPNs, RDP configurations made work outside of the office corporate network possible by opening a hole in it.

Starting today, you can use Cloudflare Access to connect over RDP without sacrificing security or performance. Access enables your team to lock down remote desktops like you do physical ones while using your SSO credentials to authenticate each connection request.

Stronger passwords with identity provider integration

The FBI cited weak passwords and unrestricted port access to RDP ports as serious risks that led to the rise in RDP-based attacks. Cloudflare Access addresses those vulnerabilities by removing them altogether.

When users connect over RDP, they enter a local password to login to the target machine. However, organizations rarely manage these credentials. Instead, users set and save these passwords on an ad-hoc basis outside of the single sign-on credentials used for other services. That oversight leads to outdated, reused, and ultimately weak passwords.

Cloudflare Access integrates with the identity credentials your team already uses. Whether your organization uses Okta, or Azure AD, or another provider, your users will be prompted to authenticate with those credentials before starting any RDP sessions. Your team can enforce the same password strength and rotation requirements for RDP connections that you do for all of your critical tools. Need to revoke access? You can do it in a single location instead of chasing down who has credentials for every remote desktop.

Closed ports with Argo Tunnel

Another problem is the ubiquity of the RDP port. Most RDP connections listen on port 3389. Attackers can reasonably guess that number and attempt to reach desktops with misconfigured or overlooked firewall rules. Without those complex rules, remote desktops become as dangerous as a laptop left out on the street.

Cloudflare Access secures RDP ports and connections by relying on Argo Tunnel to lock down any attempts to reach the desktop. Argo Tunnel connects your machine to the Cloudflare network without the need for custom firewall or ACL configurations. Instead, Argo Tunnel ensures that all requests to that remote desktop route through Cloudflare. Once on the Cloudflare network, Access enforces the rules you need to lock down remote desktops.

Protecting your remote desktop

To begin, configure Argo Tunnel on the machine you need to secure by using cloudflared. cloudflared serves as an agent on the machine to open a secure connection from the desktop to the Cloudflare network. Once installed, you can run the following command to associate that connection to a hostname in your Cloudflare account:

$ cloudflared tunnel --hostname rdp.example.com --url rdp://localhost:3389

That command will create a proxy to forward traffic to the hostname through port 3389. You can then create rules about who can reach this hostname in the Access tab of the Cloudflare dashboard.

Connecting over RDP

To reach a desktop behind Cloudflare Access, you’ll need the same cloudflared tool. First, install cloudflared on your device with the instructions here. You can then initiate an RDP connection with the following command:

$ cloudflared access rdp --hostname rdp.example.com --url rdp://localhost:3389

Running that command will initiate an RDP connection through a proxy to reach the hostname of the machine you configured with Argo Tunnel. cloudflared will open a browser window where you can login with your team’s identity provider credentials. Once logged in, Access will return a token scoped to your user and the target application and store it on your device. You can then configure your RDP client to point to localhost:3389 and reach the protected desktop.

What’s next?

Starting today, all Access customers can start using RDP over Access by following this guide. Every Cloudflare plan includes five free Access seats; follow the link here to get started.

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
Cloudflare AccessProduct NewsSecurity

Follow on X

Cloudflare|@cloudflare

Related posts

October 24, 2024 1:00 PM

Durable Objects aren't just durable, they're fast: a 10x speedup for Cloudflare Queues

Learn how we built Cloudflare Queues using our own Developer Platform and how it evolved to a geographically-distributed, horizontally-scalable architecture built on Durable Objects. Our new architecture supports over 10x more throughput and over 3x lower latency compared to the previous version....

October 23, 2024 1:00 PM

Fearless SSH: short-lived certificates bring Zero Trust to infrastructure

Access for Infrastructure, BastionZero’s integration into Cloudflare One, will enable organizations to apply Zero Trust controls to their servers, databases, Kubernetes clusters, and more. Today we’re announcing short-lived SSH access as the first available feature of this integration. ...

October 08, 2024 1:00 PM

Cloudflare acquires Kivera to add simple, preventive cloud security to Cloudflare One

The acquisition and integration of Kivera broadens the scope of Cloudflare’s SASE platform beyond just apps, incorporating increased cloud security through proactive configuration management of cloud services. ...