Microsoft RDP – Remote Desktop Protocol or Routine Darkside Probe?

An article uploaded to Infosec Island the other day got me thinking about RDP, Microsoft’s Remote Desktop Protocol.

In the article, Brett Huston, who sells honeypot software, talks about the prevalence of RDP connection attempts seen in his honeynet.

He suggests that the average computer will experience around 50 RDP probes a day – one every half-an-hour – and that the crooks aren’t merely looking. If you accept the connection, the guys at the other end will actively try to make use of it.

→ A honeypot is a monitored system which aims to attract hackers, seducing them into thinking they’ve hit paydirt, and thus tricking them into showing their hand, without giving them much – or even anything – of any real value.

Of course, a honeypot only tells you how many people are trying to connect to what they think is an RDP server, rather than indicating how many actual RDP servers are out there listening directly on the internet. But it’s reasonable to assume that regular and systematic attempts to connect imply that there are enough openly-available RDP servers to make it all worthwhile.

With this in mind, I asked my Sydney-based colleague and network security expert Troy Cunningham – who conveniently for me, if not for him, sits within both sight and sound of my desk – what he thought.

Troy runs our free Sophos UTM Home Edition on his own network chez Cunningham, so he kindly offered me the data from his own logs. He’d experienced an average of just under 20 RDP probes per day over the previous month, for a total of 583 connection attempts from 387 different IP numbers in 42 different countries.

That’s the level of RDP attention given by the Bad Guys to an Aussie consumer-grade ADSL connection. I can’t prove it, but I have to suspect that these figures are at the low end of the scale. In short, if you have a business network, you should expect things to be even worse.

→ “Others” include Romania, Iran, Saudi Arabia, Ukraine, Kyrgyzstan, Egypt, Australia and more. These are almost certainly hacked computers used indirectly by the real crooks. That’s why security matters: even if you don’t think you have anything to protect, you may still end up being part of the problem.

RDP, for those who haven’t used it, effectively mirrors the screen and keyboard of a remote system on your local device. Move the mouse in the RDP client, and it moves on the remote system. Pop up a software dialog on the remote system and the screen updates are mirrored on your local desktop. It’s almost as good as being right there.

Leaving RDP open to the internet is therefore a little bit like giving a visitor a seat in the corner of your server room and saying, “I’ll just leave you here while I go for lunch. Don’t touch anything, will you?”

Another reason for hackers to look for RDP servers openly on the internet is that any listening service which lets external, untrusted packets into memory on a potential victim’s server can be a handy target for exploits. Microsoft’s RDP service has been patched against a couple of high-profile vulnerabilities so far this year, and where exploits are found, crooks are sure to follow.

Don’t take risks. If you want to give your techies remote desktop access, let them first connect into your network through a secure VPN tunnel, ideally with two-factor authentication. Then let them RDP from there. Two-factor authentication also raises the bar against stolen or weak passwords.

Fancy using the free Sophos UTM Home Edition?

You get web and email filtering, web application security, IPS, VPN and more for up to 50 IP addresses.

Turn that spare PC you have sitting in the corner into a full-on network security appliance!

(Note: registration required.)