By: Kazi Nazrul Islam, Cyber Security Architect
Remote Desktop Services (RDS), formerly known as Terminal Services, is a service that is used to remotely connect to another system through a network connection. RDP is the protocol that is used for RDS, running over port 3389 (Transmission Control Protocol (TCP)/User Datagram Protocol (UDP)) by default. While RDP is generally associated with Windows-based operating systems, there are similar implementations for other operating systems, such as macOS®, Linux®, and Android™. Microsoft formally defines RDP
According to sources Open-source intelligence research over 3.5 million internet-connected devices have RDP open publicly, that does not mean that all of those devices are actively being exploited; however, it means that the surface area is vast for attackers. Another Reacher’s data of Multi-State Information Security & Analysis Center RDP remains one of the top attacked protocol. Recent year, RDP-based ransomware attacks have been combined with banking Trojans, such as Emotet, TrickBot, QakBot, IcedID, and Dridex. These Trojans are particularly troublesome because they can harvest additional credentials, spread throughout the network automatically, scrape email addresses to send out phishing emails, and download additional malware.
Tricks of RDP attacks:
There are multiple ways that an RDP-based attacks:
- RDP-based ransomware attack
- brute-force
- administrative privileges
- Installing backdoors, setting up fake user accounts
Some of business benefits of RDP services:
- End-users are able to connect to organizational systems from home, or while they are away, using a graphical user interface (GUI).
- For organizations on a limited budget, purchasing expensive software to set up a remote environment may not always be feasible. Therefore, utilizing RDP may be the only available option.
- Another benefit that may not always be visible is an increase in productivity for employees. In the current world where many organizations shifted quickly to a remote environment, it is critical to keep employees happy. If multiple barriers are put in an employee’s way, it will only tempt them more to break security policies in order to “get the job done.” Without providing a secure remote protocol to access organizational assets, employees may send sensitive data to their personal assets, or upload them to unsecure cloud providers.
Move to secure RDP services: some direct migration to secure RDP:
- Place RDP-enabled systems behind a Remote Desktop Gateway (RDG) or virtual private network (VPN).
- Update and patch software that uses RDP.
- Limit access to RDP by internet protocol (IP) and port.
- Use complex, unique passwords for RDP-enabled accounts.
- Implement a session lockout for RDP-enabled accounts.
- Disconnect idle RDP sessions.
- Secure Remote Desktop Session Host
How can this be Implemented?
- Associate Active Ports, Services, and Protocols to Asset Inventory (Identify)
- Protect Dedicated Assessment Accounts (Protect)
- Establish Secure Configurations (Protect)
- Ensure Only Approved Ports, Protocols, and Services Are Running (Protect)
- Run Automated Vulnerability Scanning Tools (Detect)
- Perform Authenticated Vulnerability Scanning (Detect)
- Perform Regular Automated Port Scans (Detect)
Some of supporting function that can be Implemented for protecting against RDP based attacks.
- Implement multi—factor authentication (MFA) with VPN/RDG.
- Delete or disable dormant accounts, and restrict administrative privileges that have RDP enabled.
- Keep inventory and control of hardware and software assets that use RDP.
- Follow the Least Privilege model when granting RDP permissions.
- Protect data from an RDP—based attack.
- Log and monitor for RDP—related events
Overall, these RDP-based attacks can flourish not because their targets lack the most expensive software or application, but rather because they lack basic cyber hygiene. Many of the mitigations and best practices present in this article which is possible to implement with no or low cost to the organization.
Reference and resource:
- https://docs.microsoft.com/en-us/windows/win32/termserv/remote-desktop-protocol#
- https://enterprise.verizon.com/resources/reports/dbir/
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.cisecurity.org/cis-benchmarks/
- https://www.microsoft.com/en-us/security/business/security-intelligence-report