Your specialist subject? The bleedin' obvious... Feds warn of RDP woe

The FBI and the US Department of Homeland Security have added their voices to warnings of insecure deployments of Remote Desktop Protocol (RDP) services. RDP servers can be left misconfigured, or poorly secured, allowing scumbags to waltz into networks and cause further damage. Compromised logins are so abundant they fetch a …

  1. doublelayer Silver badge

    Useful advice that won't help

    All of the advice is nice and useful, now all we need is for those people who haven't been following it to pay attention to an advisory about security and practices to do to make things more secure. Except the people who are insecure are lazy about their security, so they won't have paid any attention to the announcement. Anyone know a way to break this loop?

    1. Anonymous Coward

      'for those people who haven't been following it to pay attention'

      LA LA LA

      Sadly there is no silver bullet, short of real life cyber vampires showing up. No one is listening, never mind bringing silver or garlic....

    2. Mark 85

      Re: Useful advice that won't help

      Anyone know a way to break this loop?

      Most users won't read this article or any article warning them and telling them how to fix it. More important to mingle on Farcebook, et al. Then there's the older folks to whom computers, while fun and great for communications, planning vacations, etc. don't have a clue either. So they're not really lazy, just ignorant and/or don't care. There has to be a better way to get info out there.

      It would be nice if all the security items mentioned as to ports, RDP, etc. for this and other infections were turned off by default, but M$ won't do it.

      1. Giovani Tapini

        Re: Useful advice that won't help

        You don't want to break the "features" that allow "Microsoft" call centre agents to "optimise" your PC either.

        Agreed, there are many people using their PC as a consumer device with no reason in their mind to understand all the complex moving parts inside.

        This is why operating systems are getting more schizophrenic trying to be consumer, hobbyist and enterprise all at the same time compromising everyone.

      2. Doctor Syntax Silver badge

        Re: Useful advice that won't help

        "Then there's the older folks to whom computers, while fun and great for communications, planning vacations, etc. don't have a clue either."

        If they're sitting behind an ISP supplied router then it ought to have been supplied with RDP and anything else they don't need already blocked. So prime targets for this message are the vendors and ISP techies responsible for specifying requirements to the vendors and checking they've been met.

        A secondary problem here would be visiting children and grandchildren who want to open up a port for some other purpose and think they know what they're doing. Perhaps ISPs should run occasional pro-active scans for open ports.

        1. DCFusor

          Re: Useful advice that won't help

          Dr S - I have the luck of living where there is exactly one (non satellite) choice - the local coop phone company - for internet, and it's very pricey and slow (but not capped except by the skinny pipe).

          This is in the boonies - one house per 1/3 mile on my road...

          They do indeed lock their modem/router down as tight as I've ever seen one, and they have an incentive to do so, other than the obvious.

          Their pay TV goes over the same wires through the same modem. There's pay for and pay per view channels. If you could get past the login page, you could turn all that stuff on, change your DSL speed up to the max the wiring will go (which is a couple of times faster than I get for $80/mo) and so on.

          Obviously, they don't want to give you that stuff free, and they know there are a lot of us out here who might not have the best of morals (unlike myself, who is as pure as the driven snow) and they really went all out to lock those things down. It's amazing what won't work through one of them...

          Which is fine by me. People and companies just do what they are incentivised to do - and if you don't like it, look at who set the incentives. I think in this case that their profit motive works out to a good thing!

      3. stiine Silver badge

        Re: Useful advice that won't help

        I hate to break it to you, but Windows Server 2012 R2 does come with RDP disabled by default.

        1. Giovani Tapini

          Re: Useful advice that won't help

          Do you know anyone using server 2012 R2 as their home desktop?

          1. phuzz Silver badge

            Re: Useful advice that won't help

            Windows 10 also disables RDP by default.

            (Same with Server 2016, except the Essentials version)

          2. katrinab Silver badge

            Re: Useful advice that won't help

            The desktop versions of Windows have had rdp disabled since forever, and the Home editions don't support it.

    3. big_D Silver badge

      Re: Useful advice that won't help

      I had one CEO, he decided RDP from outside was dangerous, but he worked from home with a thin client, so VPN was out. Ah, yes, just the thing: move RDP to another port, nobody would be able to work that out! Yes, that will do the job! GAH!

      1. fandom

        Re: Useful advice that won't help

        "he worked from home with a thin client"

        So, you configure the firewall to block the 3389 port for every IP except his home one.

        If that IP isn't fixed you specify a range, but you knew that.
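The host-level equivalent of the firewall change described above, as an added example that is not code from the thread: it disables the stock "allow from anywhere" Remote Desktop rules, adds one inbound rule scoped to an allow-listed source range, and turns on Network Level Authentication. The range 203.0.113.0/24 is a constructed placeholder for the home address or range; the same scoping is what you would apply on a perimeter firewall.

```powershell
# Added example (not from the thread): restrict inbound RDP on a Windows host so
# only an allow-listed source range can reach TCP 3389. 203.0.113.0/24 is a
# constructed placeholder for the home address range. Run as Administrator.
$AllowedSources = @('203.0.113.0/24')

# Disable the built-in Remote Desktop rules so the only inbound path to 3389 is
# the scoped rule created below (the default inbound action is Block).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Disable-NetFirewallRule

New-NetFirewallRule -DisplayName 'RDP (allow-listed sources only)' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any

# Require Network Level Authentication so credentials are checked before a
# session is created, which removes the pre-authentication logon screen.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# Verify: only the scoped rule should be enabled for port 3389.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule | Where-Object Enabled -eq 'True' |
    Select-Object DisplayName, Direction, Action, Enabled
```

If the home address is dynamic, widen `$AllowedSources` to the ISP's range as the post suggests, or put a VPN or RD Gateway in front instead of exposing 3389 at all.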

        1. NogginTheNog

          Re: Useful advice that won't help

          Cue “I can’t connect from Starbucks/client site/favourite brothel” *rant*

      2. Anonymous Coward

        Re: Useful advice that won't help

        I laughed at that story... and then I remembered I have a VM on my home network that is only for emergency remote access when I’m away, which has external RDP access on an obscure port, that’s STILL RUNNING..! GAH!

    4. Doctor Syntax Silver badge

      Re: Useful advice that won't help

      "Anyone know a way to break this loop?"

      Getting hacked.

      Stable doors etc.

    5. GnuTzu

      Re: Useful advice that won't help -- Car Keys

      There are places where it's a misdemeanor to leave your keys in the car. That way, felons won't say "oh look; free car." Are we going to end up with fines for those who make it too easy and too profitable for cyber crooks?

      Of course, for IoT and phone apps, the fines have to be for the manufacturers, but we know that fines of those types will never be enough to compensate for the victims of cyber-voyeurs or worse.

  2. Anonymous South African Coward Bronze badge

    So wanting to stick a PC with RDP open to the WWW into a DMZ and see what happens :)

    1. Anonymous Coward

      Test

      I've had a public facing RDP honeypot for a while and it does see thousands of attempts at the administrator account every day, plus occasionally getting slightly weirder connections, but no traffic has yet hit the next box in the chain which only has SSH on a very high port. Looking forward to the day they break that and see activity on the third box, then I'll know that it's time to revert and patch the VMs before reconnecting. All hosted on someone else's computer (cloud for you young uns)

    2. Doctor Syntax Silver badge

      "open to the WWW"

      A web server?

      1. katrinab Silver badge

        Remote Desktop Gateway

  3. Lee D Silver badge

    I'm not convinced.

    RDP = "look at this picture of secured and configured internal system that is compliant to all our policies" and if you disable file sharing "no, you can't just suck the network data out of the connection".

    VPN = "send whatever traffic you like down our wires from whatever machine you might want to, which might have anything on it and might pull any traffic or data it sees".

    RDP can also be secured against non-protocol problems (e.g. brute-force password attacks, etc.) using 2FA, and "protocol" vulnerabilities are rare and patched against.

    I still think the attack surface of RDP is not only much lower, but much easier to secure, much less damaging and keeps everything internal - your data is less likely to wander off without a trace. Imagine: A rogue program on someone's machine gets access to their remote access method. There's credit-card info of a million customers there. You discover that. Now you need to make a disclosure.

    With RDP - it's whatever that session accessed, as that user, over whatever programs are available, on what could be a freshly-imaged VM (basic terminal server functionality in Server editions allows you to wipe a bunch of VMs back to image and use a new one for each connection that comes in) inside a session, and then - whatever method it used to extract and distribute that data using whatever programs are available on that VM only.

    With VPN - that's a complete traffic trace (if you could even store that amount of data) and a huge amount of potential access to internal systems.

    And both have flaws, need patches and can be badly configured.

    "Show me a picture of a machine like one I use in work" will always seem less damaging than "join me to your entire network" (even if you put in firewall controls, etc., if they are to access a shared drive, you're allowing the CIFS ports and traffic, and bang you've opened up whole new classes of vulnerabilities). If you're using RDP, you need to hope that the remote machine is even *capable* of executing the program you want to use to steal information, and that they haven't whitelisted the software on those machines such that you can't even try to plant a virus or email yourself an executable, etc.

    1. stiine Silver badge

      re: sucking data

      Yes you can, you may be only able to exfiltrate 1 line per second, but given time, I can extract any text file that I can reach, and if the clipboard is available, I can do it in just a few clicks.

      1. Lee D Silver badge

        Re: re: sucking data

        But you can do nothing that you couldn't do INSIDE the network, on a machine, as that same user.

        If the software doesn't let you export that data, or copy to clipboard, then you're literally into screenshot territory. Plus all your monitoring, auditing, etc. software is there installed on the machine that's being copied from, not to mention you could in theory be monitoring that session.

        VPN, that's not true. It's just network access.

        RDP to servers, etc. yes you want to limit to administrators only via secured channels. But general users over RDP inside limited VMs? So much safer than a VPN for the same users.

        1. doublelayer Silver badge

          Re: re: sucking data

          The contest isn't between "RDP" and "VPN". It is between "RDP left wide open, with the only security being the password box" and "RDP with security built in". My favorite security built in for RDP is having it accessible on an internal network only, and then giving computers that are already on the network a method by which they can VPN into that network remotely. Your home computer can't get in in any case, and nor can the people just looking for targets. But really, a lot of things that are more basic can still fix this problem. You could use 2FA, or limit the number of password attempts, or block people who try too many times. Those won't fix all the problems created by having an RDP session running publicly, but at least the people running brute force password attacks won't be able to continue. And none of that is hard!
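The "block people who try too many times" point above, and the honeypot poster's thousands of daily attempts on the administrator account, both come down to spotting repeated failed logons per source. This added example (not from the thread) summarises Security log event 4625 on the RDP host, grouped by remote address, so guessing stands out; it assumes logon failure auditing is enabled, and the threshold of 20 is a constructed value.

```powershell
# Added example (not from the thread): summarise failed logons hitting this RDP
# host from the Security log, grouped by source address, so repeated guessing
# stands out. Assumes "Audit Logon" failure auditing is enabled. Run elevated.
$Since     = (Get-Date).AddHours(-1)
$Threshold = 20   # constructed value; tune to what is normal for the host

# 4625 = failed logon. With NLA on, a failed RDP attempt is usually recorded as
# LogonType 3 (network, CredSSP) rather than 10 (RemoteInteractive), so both
# are counted; IpAddress is the remote end in either case.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $Since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -in @('3', '10') -and $d['IpAddress'] -ne '-') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Source  = $d['IpAddress']
            Account = $d['TargetUserName']
        }
    }
}

$failures | Group-Object Source |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Name
            Failures = $_.Count
            Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
            First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

Pair the report with an account lockout policy (for a standalone host, `net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30`) so the attempts are capped as well as seen.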

    2. Mystery Machine

      Re "I'm not convinced."

      The term VPN might be better qualified as suitably configured remote access solution that provides 'appropriate user, device and network access control mechanisms' to control access from the internet commensurate to the systems required to be accessed. That may be a wide-open network-layer VPN to anyone with the right password, it might be proxied access from only corporate machines with strong authentication to a single RDP destination or it might be somewhere in between.

      Point is critical assets with exploitable or limited security controls shouldn't be directly connected to the internet. There are more appropriate systems (loosely termed VPNs) that should act as an intermediary.

  4. TonyJ

    Hard not to agree...

    ...that the people/outfits not securing their RDP ports/RDS that are accessible are the same ones for whom this advice has been falling on deaf ears for...well forever.

    Even on my home lab, for which I don't expose RDS to the internet, I have a scheduled task that runs at every login - and all it does is fire off a simple PowerShell script that emails me to say there's been a login to server xxx

    It's just one more layer that adds peace of mind. And that's a lab environment that although it'd be tedious to rebuild doesn't actually hold any data that is worth anyone accessing.

    1. Lee D Silver badge

      Re: Hard not to agree...

      I run RDP through an IPS system, it then goes to a limited machine that's only used for RDP clients, where they are asked to login via a brute-force protected login, using an AD account that would give them credentials enough to log into webmail or other services anyway. That then not only notifies logins to a monitored account, but also challenges them for 2FA (using multiOTP) before they can actually proceed with the login.

      Even "in theory" complete compromise of the underlying machine gives you - access to a client machine. It's not a server. It's literally a client image. If you do proper RDP-farm Terminal Server VMs, that machine is nothing more than a clean-imaged client VM every single time you log in with no history / other users present on that VM.

      People who use RDP for administration - yes, that's different and you want to remove that visibility at all. But TS access to clients, you can log it - it's just like that authenticated client logging into any other machine. No matter WHAT their remote machine has installed and listening on it, or the state of their local network.

      1. Joe Montana

        Re: Hard not to agree...

        A client machine can be dangerous too...

        There are many ways that even a hardened client image can be leveraged to gain further access, especially when that client machine is part of a domain.

  5. DCFusor

    Funny

    Not entirely suitable for work, but hilarious -

    Dan Tentler's 2015 defcon talk about "BS crazy things I found on the internet" via shodan.

    It really is crazy...it's almost as if the reason many aren't attacked is dilution due to even dumber people out there who are more interesting targets than you.

    https://www.youtube.com/watch?v=5xJXJ9pTihM

  6. Anonymous Coward

    Port 3389?

    Users should NOT be using the standard RDP port.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

  7. MonkeyJuice

    nteworks?

    Is that where you run DRP?

  8. Anonymous Coward

    Old guy here.....

    ....wondering what's wrong with SSH? No need for a remote desktop....just use X-remote to run the app on the server with the GUI locally. What am I missing?

    *

    ....except that it looks like Wayland might screw this up. Sigh!

  9. ILLQO

    Re: Useful advice that won't help

    Wish there was a way to rip away certifications if you made an obviously over the top security snafu like leaving RDP open to the outside. But then it would probably increase the price or availability of receiving at least higher end certifications.. which is not always a bad thing.
