As of Feb 5, 2019, shodan.io shows a total of 2,430,941 computers connected to the Internet via Remote Desktop. Of these, 507,957 belong to computers in the United States. This huge population of servers and workstations, shown in the figure below, is increasingly being subjected to cyber attacks.
Since 2016, attacks against Remote Desktop Protocol have been on the rise. In 2018, the Internet Crime Complaint Center (IC3) issued a special security warning regarding Windows Remote Desktop Protocol (RDP).
RDP-related attacks have included ransomware, corporate data theft, backdoor installation, pivoting, and further attacks. Starting in 2016, RDP accounts, including their credentials, have also been sold on black markets for as little as $6 per server.
Obviously, the best way to protect your server is to disable RDP. However, sometimes this is not an option. If your server is one of the many that require Remote Desktop, it is imperative to know the types of attacks that can be applied to this protocol and the various techniques available to the engineer to prevent them.
RDP attack methodologies
One of the attacks a hacker can use is brute-forcing RDP credentials. In this attack, an attacker scans a range of IP addresses, looks for open ports used by RDP (for example, 3389), and finally uses a brute-force method such as a dictionary attack to try to guess the password.
Unfortunately, in this type of attack, not only can credentials be lost, but the flood of login attempts can also act as a denial of service by exhausting memory or operating-system storage on the server.
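As an added defender-side example (not code from the original article), the following PowerShell script turns the pattern just described into a detection: it reads failed-logon events (Security event ID 4625) and flags any source address with many failures in a short window. The threshold, the window and the sample events at the bottom are constructed assumptions; on a live host, feed it the output of Get-RdpLogonFailures instead.

```powershell
# Added example, not from the original article: flag source addresses that
# produce many failed RDP logons (Security event 4625) in a short window.
function Get-RdpLogonFailures {
    # Live collection. With NLA a failed RDP attempt is logged with logon type 3; without NLA, type 10.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; IpAddress = $d['IpAddress']
                               User = $d['TargetUserName']; LogonType = [int]$d['LogonType'] }
        } | Where-Object { $_.LogonType -in 3, 10 }
}

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 10,   # this many failures from one address...
        [int] $WindowMinutes = 5     # ...inside this many minutes
    )
    $Events | Group-Object IpAddress | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        # Sliding window over the sorted timestamps: does any run of $Threshold
        # consecutive failures fit inside $WindowMinutes?
        $hit = $false
        for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
            $span = $sorted[$i + $Threshold - 1].Time - $sorted[$i].Time
            if ($span.TotalMinutes -le $WindowMinutes) { $hit = $true; break }
        }
        if ($hit) {
            [pscustomobject]@{
                IpAddress = $_.Name
                Failures  = $sorted.Count
                Accounts  = ($sorted.User | Sort-Object -Unique) -join ','
            }
        }
    }
}

# CONSTRUCTED sample data (RFC 5737 test addresses) so the script runs offline: twelve
# failures from one address in three minutes cycling through account names, plus one typo.
$base   = Get-Date '2019-02-05T10:00:00'
$sample = @(
    0..11 | ForEach-Object {
        [pscustomobject]@{ Time = $base.AddSeconds(15 * $_); IpAddress = '203.0.113.45'
                           User = @('administrator', 'admin', 'backup')[$_ % 3]; LogonType = 3 }
    }
    [pscustomobject]@{ Time = $base.AddMinutes(2); IpAddress = '198.51.100.7'
                       User = 'jsmith'; LogonType = 10 }
)
Find-RdpBruteForce -Events $sample | Format-Table -AutoSize
```

Only the address that cycles through accounts meets the threshold; the single mistyped password from the second address is ignored.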
Fortunately, RDP is encrypted over TLS by default. However, an attacker could still use a man-in-the-middle attack to obtain RDP credentials. As with any man-in-the-middle attack, the attacker positions themselves in a broadcast domain shared with the client or the RDP server.
One such methodology uses a Python-based tool called Seth, which uses ARP spoofing to redirect traffic through an RDP proxy. This allows an attacker to downgrade the encryption of the connection and extract the credentials in clear text.
As with any listening service, attacks can target vulnerable code, and RDP is no exception. One example of an RDP-specific vulnerability was published as CVE-2018-0976.
This CVE notified users of a vulnerability in Remote Desktop Services that left the operating system open to denial of service when specially crafted packets were sent to a listening RDP server.
An attacker could also use an RDP connection for additional malicious activities, such as deploying ransomware, installing a backdoor, or pivoting within an environment.
In some cases, attackers can tunnel RDP connections over another protocol, such as SSH, to bypass firewalls and other border defenses.
Defend against RDP attacks
An administrator can use several countermeasures to defend against RDP attacks, and most of them are very simple.
Passwords and account lockouts
First, it is very important to use strong passwords or two-factor authentication to protect against brute-force attacks, and to implement a lockout policy. To implement the lockout policy as part of your Windows domain, go to the following setting in the Group Policy Editor:
Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
Set the Account Lockout Threshold to the number of invalid attempts you choose.
Use an alternate port for RDP
To change the port used for RDP, modify the following registry value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
Install the latest Windows and security updates
There are several examples of vulnerabilities in the remote desktop software itself. Since 2002, over 20 security updates and 24 separate CVEs have been released. Here are some examples:
- MS01-052: Invalid RDP data can cause terminal service to crash
- MS02-051: A cryptographic flaw in the RDP protocol can lead to information disclosure
- MS05-041: Vulnerability in Remote Desktop Protocol Could Allow Denial of Service
As with any listening service, it is very important to keep RDP patched and up to date to avoid these issues. The complete list of RDP-related vulnerabilities has been posted by Rapid7. It is available at the link below.
Limit RDP sessions by IP address with Windows Firewall
Windows Firewall can be used to restrict incoming connections to specific IP addresses only. If you create a firewall rule using the Inbound Rules Wizard, you will see a set of predefined rules available for RDP. Use both the TCP and the UDP rule.
Then you will need to change the properties of your rule to restrict incoming traffic. To do this, open the rule's properties and go to the Scope tab. On this tab, add the allowed IP addresses under Remote IP address. Finally, remember to change the local port to the port you chose, if you changed it.
Enable Network Level Authentication
In Windows Vista / Server 2008 and later, RDP 6.0 introduced a new technology that helps secure RDP connections. This technology is known as Network Level Authentication (NLA).
Network Level Authentication protects the RDP connection by not establishing a full session until the user's credentials have been authenticated. In previous versions of Windows, the login screen loaded before the user was authenticated at all.
This used up resources and opened the RDP server to potential DoS. When configuring RDP, enable NLA by selecting "Allow connections only from computers running Remote Desktop with Network Level Authentication". On Windows 7 and later, this option is set by default.
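The port change, the scoped firewall rules and the NLA setting described in the sections above can be applied and audited together from PowerShell. The script below is an added example, not the article's own material; it assumes 33890 as the alternate port and 10.0.5.0/24 as the only network allowed to reach RDP, and it must run in an elevated session on the RDP host.

```powershell
# Added example, not from the original article: apply the registry and firewall
# hardening steps from the sections above, then audit them. Run elevated.
# ASSUMPTIONS: 33890 as the alternate port, 10.0.5.0/24 as the only allowed network.
$RdpTcp      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$NewPort     = 33890
$AllowedNets = @('10.0.5.0/24')

function Set-RdpHardening {
    # 1. Alternate listening port (the PortNumber value named in the article).
    Set-ItemProperty -Path $RdpTcp -Name PortNumber -Type DWord -Value $NewPort
    # 2. NLA: UserAuthentication=1 requires authentication before a session is
    #    created; SecurityLayer=2 forces TLS instead of legacy RDP encryption.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Type DWord -Value 1
    Set-ItemProperty -Path $RdpTcp -Name SecurityLayer      -Type DWord -Value 2
    # 3. Disable the predefined "Remote Desktop" rules (they allow any source on
    #    3389) and add TCP+UDP rules scoped to the allowed networks and new port.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    foreach ($proto in 'TCP', 'UDP') {
        $name = "RDP-Hardened-$proto"
        Remove-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
        New-NetFirewallRule -Name $name -DisplayName $name -Direction Inbound `
            -Protocol $proto -LocalPort $NewPort -RemoteAddress $AllowedNets `
            -Action Allow -Profile Domain, Private | Out-Null
    }
}

function Test-RdpHardening {
    # One boolean per control, so the output can feed a compliance report.
    $p     = Get-ItemProperty -Path $RdpTcp
    $rules = Get-NetFirewallRule -Name 'RDP-Hardened-*' -ErrorAction SilentlyContinue
    $openToAny = $rules | Get-NetFirewallAddressFilter |
                     Where-Object RemoteAddress -eq 'Any'
    [pscustomobject]@{
        PortChanged = ($p.PortNumber -ne 3389)
        NlaEnabled  = ($p.UserAuthentication -eq 1)
        TlsRequired = ($p.SecurityLayer -eq 2)
        ScopedRules = ($rules.Count -eq 2) -and (-not $openToAny)
    }
}

Set-RdpHardening
Test-RdpHardening
# The new port is used only after "Restart-Service TermService -Force" (or a
# reboot); keep your current session open until you have verified access.
```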
Limit the number of remote desktop users
Another security mechanism available for Remote Desktop is the Group Policy user right that controls terminal access. From here you can restrict Remote Desktop to specific users.
We recommend that you use a separate user group for Remote Desktop rather than allowing remote access to all administrative users. To restrict remote users using Group Policy, do the following:
- Click Start > Programs > Administrative Tools > Local Security Policy.
- Under Local Policies, click User Rights Assignment and open Allow log on through Terminal Services (called Allow log on through Remote Desktop Services on newer versions).
- Remove the Administrators group and leave only the Remote Desktop Users group.
- Use the System Control Panel to add users to the Remote Desktop Users group.
Use RDP Gateways
An RDP gateway passes all connections through a single gateway server. This service is built into Windows Server 2008 and 2012. The gateway listens for Terminal Services requests over HTTPS and then connects the client to the RDP server.
This funnels all connections through one centrally controlled node. Instructions for configuring a Remote Desktop Gateway are available at the following link:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/sk770601(v=ws.11)
Tunnel Remote Desktop Connections over IPSec or SSH
Additional security can be gained by tunneling RDP sessions over IPSec or SSH. One easy way to do this is with PuTTY. First, you need an SSH server you can reach remotely that sits on the same local network as the RDP server.
Then set up a PuTTY SSH session as shown below. Under Connection | SSH | Tunnels, configure port forwarding from 127.0.0.2:3388 (or a port of your choice) to the IP address and port of the RDP server.
Finally, point your RDP client at the local address and port. The connection is forwarded through the SSH tunnel to the final destination.
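The same tunnel can be built with the OpenSSH client that ships with current Windows versions instead of PuTTY. The function below is an added example, not part of the original article; the SSH host name, user and RDP server address are assumptions, while the local end 127.0.0.2:3388 is the one the article uses.

```powershell
# Added example, not from the original article: RDP over an SSH port forward
# using Windows' built-in ssh.exe. Host names and addresses are ASSUMPTIONS.
function Start-RdpOverSsh {
    param(
        [string] $SshHost   = 'bastion.example.internal',  # assumed SSH server
        [string] $SshUser   = 'opsuser',                   # assumed account
        [string] $RdpHost   = '10.0.5.20',                 # assumed RDP server
        [int]    $RdpPort   = 3389,
        [string] $LocalAddr = '127.0.0.2',                 # local end, as in the article
        [int]    $LocalPort = 3388
    )
    # -L binds a local listener and forwards it, inside the SSH session, to
    # RdpHost:RdpPort as seen from the SSH server. -N opens no remote shell;
    # ExitOnForwardFailure makes ssh exit instead of silently running without the forward.
    $fwd = '{0}:{1}:{2}:{3}' -f $LocalAddr, $LocalPort, $RdpHost, $RdpPort
    $ssh = Start-Process -FilePath 'ssh.exe' -PassThru -ArgumentList @(
        '-N', '-o', 'ExitOnForwardFailure=yes', '-L', $fwd, "$SshUser@$SshHost")

    # Wait until the forwarded port is really listening before launching mstsc,
    # so the client never falls back to a direct connection attempt.
    $deadline = (Get-Date).AddSeconds(20)
    do {
        Start-Sleep -Milliseconds 500
        $up = Test-NetConnection -ComputerName $LocalAddr -Port $LocalPort `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
    } until ($up -or $ssh.HasExited -or (Get-Date) -gt $deadline)
    if (-not $up) { throw "SSH tunnel via $SshHost did not come up" }

    # The RDP client only ever talks to the local end; on the RDP host, 3389
    # can therefore be firewalled down to the SSH server's address.
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:${LocalAddr}:${LocalPort}"
    return $ssh   # Stop-Process this object when the RDP session is finished
}

$tunnel = Start-RdpOverSsh
```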
The number of attacks against Remote Desktop grows every year. Today, attackers use several RDP attack methodologies, including brute force, man-in-the-middle, and exploitation of vulnerable code.
Hackers also use RDP as a deployment mechanism for other attacks such as ransomware. Despite the different attack vectors, RDP can be used safely if it is implemented correctly.
RDP security techniques include restricting connections to specific IP addresses and users, updating and patching RDP, using RDP gateways, implementing SSH tunneling, using network-level authentication, and hiding the RDP port.
It is also important to use strong passwords, two-factor authentication, and account lockouts. When used correctly, RDP can be a useful tool. This can be done quite safely if all of the above precautions are followed.