Products and Services PRODUCTS & SERVICES

Hindsight #2: Block public facing Remote Desktop Protocol (RDP)

Hindsight security: things breach victims wish they had done

This article is part of a series that aims to educate cyber security professionals on the lessons learned by breach victims. Each lesson will include simple recommendations, many of which do not require organizations to purchase any tools.

Remote Desktop Protocol (also known as Terminal Services or Remote Desktop Service) allows someone to remotely connect to another computer, providing the same user experience as if being physically present.

According to our 2021 Active Adversary Playbook, Microsoft’s built-in Remote Desktop Protocol (RDP) was used to access organizations from the Internet in 32% of attacks, rating it the number one method used for initial access.

Unlike some other remote access tools, RDP does not usually require anything more than a username and password and often the username is left exposed (you know, to make it easier to log in the next time). RDP has even suffered from vulnerabilities over time that allow access with no credentials at all.

Misuse of RDP falls into a few different MITRE ATT&CK techniques, but the main one would be T1133 (External Remote Services).  Other MITRE ATT&CK techniques involving RDP include:

  • T1563 – RDP Hijacking
  • T1021 – Lateral Movement using RDP
  • T1572 – Tunneling over RDP
  • T1573 – Command and Control over RDP
  • T1078 – Using Valid Accounts with RDP
  • T1049 – System Network Connections Discovery
  • T1071 – Application Layer Protocol

Once a threat actor has successfully logged on to an RDP session, it is about as close as they can get to literally sitting in front of the keyboard and mouse, and not even the most physically secure data center in the world can help.

Externally exposed RDP has a simple fix – just don’t expose it. Don’t forward port TCP:3389 on your firewall to anything.  And don’t think that using a different port helps… I see you – twelve thousand RDPs on port 3388!

While the cure sounds simple, Shodan.IO (a search engine for the Internet of Things) shows over 3.3 million RDP port 3389 exposed globally and easily found. Why is it so popular? Allowing access to RDP is a quick and easy way to allow someone to provide remote system administration, such as for a Managed Services Provider to manage a customer’s server, or a dentist to access their office system from home.

If remote access to RDP or terminal services is required, it should only be made accessible through a secure Virtual Private Network (VPN) connection (with Multi-Factor Authentication) to the corporate network or through a zero-trust remote access gateway.

Leave a Reply

Your email address will not be published. Required fields are marked *