For many years now, Microsoft has offered a system with Windows that allows you to take control of another machine. This has been invaluable for system admins that need to control servers and other Windows machines, without having to run around from office to office or site to site. Easy takeover of machines does come with risks. The protocol known as Remote Desktop Protocol (RDP) and the Remote Desktop Connection software that relies on it are often victims of simple attacks. These attacks have been on the rise in recent years and are extremely popular at the moment, as they are enticing for cyber criminals that seek to compromise the admins and machines that control whole organizations.
How is Remote Desktop Protocol a security risk?
RDP often uses a particular port that is easy to locate in a scan. And unfortunately, the default account username for an admin is often Administrator. While it’s no secret that having a poor password policy is not ideal for server security, it’s worth reiterating here it can mean that hackers can try huge amounts of passwords before anyone is alerted or an account is locked out.
Once an intruder gets admin access, they can deliver specialized malware or remote access tools that can often be almost impossible for any security solution to detect. With admin privileges and route access to the desktop, maximum damage can be done. This stresses the importance of endpoint protection, as well as policies, monitoring, logging, backups and incident response.
How to protect & secure your organization from Remote Desktop attacks
Preventing such brute force attacks isn’t as complicated as it may seem. You can employ a few easy actions to keep your organization safe:
Prevent scanning for an open port
- Change default RDP port from 3389 to another unused port
- Block RDP (port 3389) via firewall
- Restrict RDP to a whitelisted IP range
Prevent attackers from gaining access if RDP is enabled
- Create a Group Policy Object (GPO) to enforce strong password policy (GPOs are important and should be common practice for your organization)
Optional
- Require two-factor authentication
Getting to the bottom of suspicious activity is vitally important and our team is here to help. Contact us today or learn more about our full suite of business cybersecurity solutions.
Security though obscurity is not a good idea. Just because the port number is changed doesn’t mean it still can’t easily be scanned. If you have to expose RDP to the Internet there are two better situations. VPN+RDP or using a Remote Desktop Gateway (RDP over SSL).
Agree with Justin on this one. Most clients we take on have RDP open and poor security on their passwords. First thing we do is disable RDP and block the port on the router/firewall. Setting up VPN access to RDP is a far better solution.
I partially agree with Justin and James.
I can not believe a reputable company like Webroot would post this on their blog. Changing the port from 3389 to another random port just means that one has to do a TCP port scan first. Yes IPS/IDS systems can detect a simple rapid port scan. But that hurdle is easy to get over by limiting that TCP port scan rate and by using a different IP to get around IP reputation detection.
So once an RDP port is discovered the hacker is now on your network, accessing your pc/server logon screen. The rest is history.. All one has to do is a little Social Hacking, build a bio of the company and go from there.
Solution: Implement VPN that uses LDAP and 2 point authentication… THEN access the RDP on the native port of 3389 ( no need to change the port number ).
The key here is two point Authentication. James and Justin’s idea of VPN+RDP is good but not hardened.. VPN that is only using LDAP for authentication will again only slow down the hacker.. By adding two point authentication to the VPN access ( along with LDAP auth) as long there are no vulnerabilities in the VPN software you have really hardened your edge connection to your RDP port access!
Add internal IDS/IPS solutions and white listing only specific user’s and IP’s you pretty much have an “iron door along with a stainless steel vault and Gorillas” protecting your network from inbound penetration attempts from the bored 16 y/o hacker that has nothing better to do.
Jason
“Ethical Hacking is like chess, always thinking three moves ahead.. ~ Jason Brundage”
I work for a company that provides private hosting of Infrastructure in the cloud… and every one of our clients run terminal servers. That means RDP is a must. Changing the port just makes accessibility more difficult. VPN is an option that some of our more security-conscious clients employ, along with MFA. We use country IP range blocking on the firewall at our datacenter and that blocks a lot of it, but not all of it. We’ve seen some of out terminal servers being hit with 700+ failed login attempts per hour.
For us, we’re not worried about anyone gaining access. Our username/password policies are secure enough that they’ll never be brute-forced. Furthermore, we’ve seen the logs, none of the attackers have even been able to guess the domain name. But… getting hit with 700+ audit failures per hour definitely has an affect on performance.
Forgive the plug. I am not affiliated with this software in any way. We just use it, and it works well for us. RDPGuard (https://rdpguard.com/) uses info from Windows Firewall or from the IPSec service to temporarily block IP addresses for after so many failed attempts. It has a very small footprint and is very effective at mitigating constant attacks to RDP.
Just another potential option.
You can take this a step further, and allow only specific IP addresses from even being given the privilege to attempt access. Set the firewall to only allow specified Groups of IPs access to your RDP servers. Everything else is blocked.
Say for instance you have a group of employees that need remote access, the rest use Google Apps or Office 365 to work remotely; setting up this very limited access is by far easier than taking the risk of leaving the server open to the internet, even if you are country blocking at the same time.