INSIGHTS FROM ENGINEERS
CTO Todd Ellis explains the elements of a secure RDP.
Remote Desktop Services, RDP, RDS, etc. We have all used these types of services to connect to an application, file, or resource. Users love to be able to access their systems from public locations. Utilizing a VPN is a good step to secure their connections, but users complain that the VPN is slow, they get disconnected, or they cannot connect at all. So, what happens? Remote Desktop gets opened to the public. This puts all the other systems at risk as well. If it gets compromised, the infection will move quickly and laterally throughout the network and all of the resources that are open. Gaining access to the remote desktop services by using default accounts with weak passwords — or stolen credentials from users — still happens today. Removing default accounts and requiring complex passwords has reduced the takeover success rate, but many other exploits still exist.
Currently there are at least thirty-three CVEs (Common Vulnerabilities and Exposures) related to Remote Desktop. Without proper patching, criminals can bypass normal login methods to gain access without knowing any credentials. In some cases the attackers can simply take over a user’s session that has not been logged out. Then they jump to other user sessions, where they can take over or monitor an active user’s session. This is not the scenario that you want to find happening in your system.
What can we do to mitigate and stop these CVEs?
The first step is to apply updates and patches to all of the systems where the exploits have been discovered. But what about the zero-day? What about those vulnerabilities and exploits that haven’t been discovered yet? Attackers are able to use tools like Shodan or nmap and get a picture of the exposed attack surface with very little effort. Once they know the target and its current patch status, it becomes easy prey. So, what can you do? Some have changed the default RDP port from 3389 to something else. This little misdirection may have some small effect, but the reality is it does little to nothing to stop the attack. It is much akin to hiding the key to the front door under the welcome mat. With port scanning, attackers have learned that systems have been modified and know that alternate ports are used. In many cases, this just creates a false sense of security.
Answering complicated RDP security questions.
What is left? What can we do? Using a SIEM (Security Information and Event Management) is a good option, but the difficulty becomes the overhead of resources (CPU, storage, and man-hours of monitoring). Multi-factor authentication (MFA) or two-factor authentication (2FA) has become a good method of mitigating these attacks. The upside of MFA is that no one can log in with just a username and password anymore. Security becomes tied to the user, and a weak password no longer amounts to a quick compromise. The downside is that the user does have to go through the additional step of typing in a code that is generated on a smartphone or trusted device. Additionally, without a smartphone it could be difficult for a user to log in.
In our experience, an MFA with a 30-day whitelist feature has worked well for users while still providing sound security. The whitelist feature allows the user to use the same computer or laptop for 30 days without entering the code or authorizing through a text message or push every time they log in. There is a downside to this: the authentication key that grants the whitelist authorization is cached locally on that device, so whoever controls the device inherits the bypass until the 30 days expire. Most MFAs also allow for tracking in order to watch for unauthorized login attempts, so compromised credentials can be flagged and reported.
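One lightweight form of the monitoring described above, as an added example that is not from the article: a Python check over a constructed export of Windows Security events (ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP) that flags a source address with a burst of failed RDP logons and escalates when a successful logon from the same address follows. The one-line event format, the threshold and the window are assumptions, not a product's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data). 4625 = failed logon,
# 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2024-03-01T02:14:01 4625 LogonType=10 User=administrator Src=203.0.113.7
2024-03-01T02:14:03 4625 LogonType=10 User=admin Src=203.0.113.7
2024-03-01T02:14:06 4625 LogonType=10 User=backup Src=203.0.113.7
2024-03-01T02:14:09 4625 LogonType=10 User=scanner Src=203.0.113.7
2024-03-01T02:14:12 4625 LogonType=10 User=jsmith Src=203.0.113.7
2024-03-01T02:14:40 4624 LogonType=10 User=jsmith Src=203.0.113.7
2024-03-01T09:02:11 4625 LogonType=10 User=mlee Src=198.51.100.4
2024-03-01T09:02:30 4624 LogonType=10 User=mlee Src=198.51.100.4
2024-03-01T09:05:00 4625 LogonType=3 User=svc Src=198.51.100.9
"""

# Assumed one-line format of the export above.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<id>\d+) LogonType=(?P<lt>\d+) User=(?P<user>\S+) Src=(?P<src>\S+)$"
)

def parse_events(text):
    """Parse the export into dicts, keeping only RDP (LogonType 10) logons."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m["lt"] == "10":
            events.append({"ts": datetime.fromisoformat(m["ts"]), "id": m["id"],
                           "user": m["user"], "src": m["src"]})
    return events

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source when `threshold` failed RDP logons fall inside `window`;
    escalate to critical if the same source later logs on successfully."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        (failures if e["id"] == "4625" else successes)[e["src"]].append(e)
    alerts = {}
    for src, fails in failures.items():
        for i in range(len(fails) - threshold + 1):  # sliding window over failures
            first, last = fails[i]["ts"], fails[i + threshold - 1]["ts"]
            if last - first <= window:
                later_success = [s["user"] for s in successes[src] if s["ts"] > last]
                alerts[src] = {"failed": len(fails),
                               "users": sorted({f["user"] for f in fails}),
                               "severity": "critical" if later_success else "high",
                               "success_after_failures": later_success}
                break
    return alerts
```

A single failed logon followed by success (the 198.51.100.4 lines) is a normal typo and is not flagged; the one-IP-many-usernames pattern is the signal worth forwarding to a SIEM or ticketing queue.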
Multifactor authentication is not the silver bullet for remote desktop attack prevention, but with a layered approach to security it definitely provides a great addition to your security infrastructure.