Microsoft RDP - Remote Desktop Protocol or Routine Darkside Probe?

Filed Under: Featured, Microsoft

An article uploaded to Infosec Island the other day got me thinking about RDP, Microsoft's Remote Desktop Protocol.

In the article, Brett Huston, who sells honeypot software, talks about the prevalence of RDP connection attempts seen in his honeynet.

He suggests that the average computer will experience around 50 RDP probes a day - one every half-an-hour - and that the crooks aren't merely looking. If you accept the connection, the guys at the other end will actively try to make use of it.

→ A honeypot is a monitored system which aims to attract hackers, seducing them into thinking they've hit paydirt, and thus tricking them into showing their hand, without giving them much - or even anything - of any real value.

Of course, a honeypot only tells you how many people are trying to connect to what they think is an RDP server, rather than indicating how many actual RDP servers are out there listening directly on the internet. But it's reasonable to assume that regular and systematic attempts to connect imply that there are enough openly-available RDP servers to make it all worthwhile.

With this in mind, I asked my Sydney-based colleague and network security expert Troy Cunningham - who conveniently for me, if not for him, sits within both sight and sound of my desk - what he thought.

Troy runs our free Sophos UTM Home Edition on his own network chez Cunningham, so he kindly offered me the data from his own logs. He'd experienced an average of just under 20 RDP probes per day over the previous month, for a total of 583 connection attempts from 387 different IP numbers in 42 different countries.

That's the level of RDP attention given by the Bad Guys to an Aussie consumer-grade ADSL connection. I can't prove it, but I have to suspect that these figures are at the low end of the scale. In short, if you have a business network, you should expect things to be even worse.

→ "Others" include Romania, Iran, Saudi Arabia, Ukraine, Kyrgyzstan, Egypt, Australia and more. These are almost certainly hacked computers used indirectly by the real crooks. That's why security matters: even if you don't think you have anything to protect, you may still end up being part of the problem.

RDP, for those who haven't used it, effectively mirrors the screen and keyboard of a remote system on your local device. Move the mouse in the RDP client, and it moves on the remote system. Pop up a software dialog on the remote system and the screen updates are mirrored on your local desktop. It's almost as good as being right there.

Leaving RDP open to the internet is therefore a little bit like giving a visitor a seat in the corner of your server room and saying, "I'll just leave you here while I go for lunch. Don't touch anything, will you?"

Another reason for hackers to look for RDP servers openly on the internet is that any listening service which lets external, untrusted packets into memory on a potential victim's server can be a handy target for exploits. Microsoft's RDP service has been patched against a couple of high-profile vulnerabilities so far this year, and where exploits are found, crooks are sure to follow.

Don't take risks. If you want to give your techies remote desktop access, let them first connect into your network through a secure VPN tunnel, ideally with two-factor authentication. Then let them RDP from there. Two-factor authentication also raises the bar against stolen or weak passwords.


-

Fancy using the free Sophos UTM Home Edition?

You get web and email filtering, web application security, IPS, VPN and more for up to 50 IP addresses.

Turn that spare PC you have sitting in the corner into a full-on network security appliance!

(Note: registration required.)

, , , , , ,

You might like

21 Responses to Microsoft RDP - Remote Desktop Protocol or Routine Darkside Probe?

  1. Lonelygurl · 593 days ago

    he's cute. is he married?

  2. JimboC · 593 days ago

    There are methods available to reduce the chance of exploitation of the RDP protocol. Some recommendations are available from Microsoft at the following link:
    http://blogs.technet.com/b/srd/archive/2012/03/13...

    For Windows XP, RDP can be disabled by following the steps in the knowledge base article linked to below:
    http://support.microsoft.com/kb/306300

    For Windows Vista and Windows 7, the steps to disable RDP completely are:

    1.Right-click My Computer and click Properties.
    2.Click the Remote Settings on the left side of the screen.
    3.In the Remote Desktop section, click to clear Allow users to connect remotely to this computer, and also choose “Don’t allow connections to this computer”.

    Finally, to check if your firewall is monitoring and protecting port 3389 used for RDP, I would recommend using the following link to the popular Shields Up firewall penetration tester:
    https://www.grc.com/x/PortProbe=3389

    The result for me, was a Stealth result on this port.

    I hope the above information is of assistance.

    Thank you.

    • 2072 · 593 days ago

      @JimboC: Thanks you very much for the link ( http://support.microsoft.com/kb/306300 ) I thought it was impossible to enable NLA (Network Authentication Level) on Windows XP system. Now I can secure my RDP a little bit more. I had already changed the default port number from 3389 to something else....

        • JimboC · 593 days ago

          Hi 2072,

          You’re welcome :)

          Unfortunately NLA cannot be enabled on Win XP. If you try to run the Fixit tool on XP, it gives an error message about the wrong operating system.

          The CredSSP update for XP SP3 is simply so that XP can still connect to a system that has NLA enabled. As you say, the CredSSP update adds a little security (in terms of a more secure method of logon).

          Installing all updates for RDP on Win XP (and all other versions of Windows) and ensuring the port that you use for RDP is stealthed will also boost security.

          To test the port that you are using simply, substitute the port number in the link below:
          https://www.grc.com/x/PortProbe=z

          where z is a port number

          I obtained the link that contained Microsoft's advice from the following Sophos blog post:
          http://nakedsecurity.sophos.com/2012/03/14/micros...

          Another useful post is:
          http://nakedsecurity.sophos.com/2011/03/09/micros...

          Thanks.

          • 2072 · 591 days ago

            Yes you're right my post was not clear, my problem was that I couldn't enable NLA on my WIndows7x64 computer because I have to connect to it from WinXP computers... So I was indeed worried especially when one day I noticed connections attempt from China...

            There was hundreds of attempt per days from a few IP addresses, the strange part was that they were able to circumvent Windows built-in login limits by crashing the logon process (don't remember the actual process name) and force it to restart... (I could see the log-in errors in the security event logs).
            This was at least six months ago.

            Thanks for the suggestion about grc.com, I've been using it for years already :)

    • JimboC · 593 days ago

      By the way, my recommendation of disabling RDP should only be carried out if you don’t use RDP. By disabling it, you are reducing your attack surface.

      If you use RDP, enabling NLA and ensuring your firewall is monitoring the RDP port (3389 by default) will make your connection more secure.

      Also, ensure that all security updates for Windows and the Remote Desktop Client/server are installed.

      Thanks.

  3. David Pottage · 593 days ago

    Why pick on RDP.?

    Is there something about it that makes it uniquely vulnerable, or is there only a problem if the admin password is easy to guess?

    I used to have port 22 open on my firewall, and I saw a lot of ssh login attempts, none where successful, but it was annoying. I did not see it as a security risk as such because the volume was low, and I was confident that all accounts had hard to guess passwords.

    More recently I have re-configured my firewall to open a higher numbered port for ssh traffic, and configured sshd on my externally facing machine to listen to that port as well.

    • JimboC · 593 days ago

      Hi David,

      That’s true, why pick on RDP? I suppose that it’s commonly used and lots of people trust it implicitly. From experience, SSH is used even more than RDP, so you are correct; it should also be secured/monitored.

      Thanks.

      • Paul Ducklin · 591 days ago

        My thoughts (admittedly slightly judgmental :-) were that RDP is generally associated with bringing point-and-clicky GUI-style server administration to remote users (in other words, it's just a KVM device with a possibly verrrrry long cable), whereas SSH is generally associated with building secure tunnels for command-line remote access or as a wrapper for other protocols - including RDP, if you wish.

        In other words, I associated RDP (admittedly slightly judgmentally :-) and its use, and thus its likely risk if opened to the world, more with convenience than with security.

        Not that I'm suggesting that those who would set up and enable SSH services for a remote command shell are likely to more clueful than those who would do the same with RDP for remote users to be able to click the shiny icons...that would be judgmental!

    • TravisM · 591 days ago

      RDP has had some ugly vulnerabilities revealed this year, as mentioned in the article. While there have been vulnerabilities in SSH too, not as much and not as recently.

  4. Trent · 593 days ago

    I disabled RDP long ago. If I need to use it for a legit purpose, it's easy enough to start it up.

  5. Rob · 593 days ago

    There seem to me to be a 'disconnect' between the assumed number of zombie / bots in India when I considered the (a) Sophos 2012 Threat Report showing India has the highest percentage of spam relays (assumed bots) and (b) the RDP hacking numbers in this article (assumed bots again). I do understand that these are completely different data sources and different uses of botnets, however, in the mind of this reader, I feel that India should have still at least shown up somewhere in the RDP list given the leadership position it holds in spam relaying countries. How could both data sets be correct?

    • Paul Ducklin · 592 days ago

      As you say, we're talking about completely different data sources and different uses of bots. We're also talking about a measurement of all source IPs for connections _to a specific server over a single month_, rather than the source IPs for all all spam connections to all our spamtraps worldwide over an extended period.

      If it makes you feel more comfortable with the results, India _did_ show up in the list - just not in the top nine :-)

      (Perhaps I shouldn't have listed the countries with percentages, in case people take too much account of the order. My main purpose was to remind you of the global nature of the problem - I just couldn't resist a 3D chart :-)

  6. @vericonLabs · 592 days ago

    Of course you can/should disable an unused service. But RDP is widely used, especially by companies. It easy to use, reduces network traffic and you can add a strong encryption. So to me this is not really a "solution" to disable something in order to get secure.
    When you think about your PC at home you can disable it. But nowadays you are normally behind a router, and as long there is no port forwarding configured, there is nothing to worry about it. If you are still connected directly to the internet, you should consider changing your hardware and type of connection.
    All in all it’s about the proper configuration for the particular environment. Add strong passwords or consult somebody who is well versed in IT security. The two-factor authentication stated in the article looks good at first glance, but it is hard enough to encourage people to use a strong password. From a practical point of view this results in using the same (or slightly modified) password for VPN and RDP or this “remember password” thing.

    • Paul Ducklin · 592 days ago

      Of course, with two-factor authentication you can enforce at least one aspect of password choice - you have to put in the one on your token, and it's valid exactly once :-)

      Nothing to remember, nothing you can choose....

      • @vericonLabs · 591 days ago

        Right, if vpn is done by a one-time password. But again, it all depends on the proper configuration. RDP itself isn't insecure. There are several other protocols that are insecure by design. eg., WEP (it doesn't matter how long the password is), or even POP, when people aren't aware that they are sending passwords or emails in plain text (over a WEP wifi-net) ;-) and there would be the option to encrypt it.

  7. Marcos Machado · 592 days ago

    Does the Sophos UTM have a two factor authentication for its VPN?

    • Paul Ducklin · 591 days ago

      Can have if you want.

      We don't offer a Sophos-branded 2FA token or 2FA service. But you can bring your own...

  8. Rinusripsus · 535 days ago

    I have no problems putting a visitor seat in my server room. If you are afraid of that, you are in much bigger trouble.
    All accounts get locked out after 10 password attempts. Administrator password is about 80 characters long, can't even remember, it's in a safe, don't need it.
    Real security: Does Sophos UTM 9 detect and automatically protect (after kindly asking) RDP? If so, perfect. But it is not. So now I got hammered with attempts and my UTM does not even warn or asks me if this is normal behaviour.

    • Paul Ducklin · 535 days ago

      You'd leave that visitor unattended in your server room? Hmmm. Reminds me of HHGttG...

      Arthur Dent: I wonder what'll happen if I press this button?
      Ford Prefect: Don't.
      AD: [presses it] Oh.
      FP: What happened?
      AD: A sign lit up saying "Please do not press this button again."

      More seriously, the Sophos UTM does block RDP (and indeed all inbound traffic) in a default setup.

      As mentioned in the article, I'm recommending that you offer RDP from outside as a two-step process. Authenticate to the UTM. Make the RDP connection from there. (We have a cool way of doing that with HTML5 such that there is no client-to-server RDP connection needed. The UTM effectively does the RDP for you, after suitable authentication, and you see the results. So you don't need RDP traffic outside the network at all.)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog