Never expose RDP to the public internet
September 16, 2020 | CVS

In 20 years of IT, I’ve seen many services attacked relentlessly. Some services like RDP are a hacker’s dream if they’re left open to the internet.

Of course it is convenient and inexpensive to leave that port open so that your desktop or server is reachable from anywhere in the world with any RDP client. You might even feel sneaky moving the listener to a port far away from the usual 3389. It does not help: the automated scanners that sweep the whole internet around the clock fingerprint the RDP protocol itself, not the port number, and search engines such as Shodan index what they find. Once they find one, the credential guessing starts, and it does not stop.

Coveware's Incident Response Team noted that 63.5% of the ransomware attacks they responded to in 2019 used RDP as the initial entry point. The problem has only grown worse in 2020 with the rush to stand up remote-access services in response to the COVID-19 pandemic.

If you're still unconvinced, let's walk through a few more variables. Are you sure your admin password, or any of your users' passwords, isn't a variant of an English word, possibly ending in a number and an exclamation mark? That is precisely the pattern brute-force wordlists are built from. And a compromised restricted user account on the RDP server is rarely where it ends: an interactive session is the starting point for local privilege escalation, and it could very well, in fact probably will, finish with the attacker as administrator. Will you continue to sleep well at night? I wouldn't…

Do you have a fail2ban-like lockout after enough bad password attempts? Windows' built-in account lockout policy is a start, but it locks the account rather than the attacking source, so an attacker who knows your usernames can use it to lock your real users out. Cyberarms IDS is a good, free software solution for mitigating all kinds of attacks on Windows servers.
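As an added example (not code from the original post), here is what a fail2ban-style sweep comes down to on Windows, in PowerShell: read failed-logon events (ID 4625) from the Security log, count them per source IP inside a time window, and push the offenders into a firewall block rule scoped to TCP/3389. The threshold, window, rule name and the sample events at the bottom are assumptions, so the grouping logic runs without a live Security log.

```powershell
# Added example, not code from the original post: a fail2ban-style sweep over
# Windows Security event 4625 (failed logon). Real events come from
# Get-WinEvent (run elevated); the sample at the bottom is constructed so the
# grouping logic runs without a live Security log. Threshold, window and the
# firewall rule name are assumptions.

$DefaultThreshold  = 5     # failed logons from one source IP ...
$DefaultWindowMins = 10    # ... inside this many minutes
$BlockRuleName     = 'RDP brute-force block'   # assumed rule name

function Get-FailedLogonsFromLog {
    # Read 4625 events from the Security log and flatten the fields we need.
    # With NLA enabled, a failed RDP credential check is normally logged as
    # logon type 3 (network); without NLA it shows up as type 10.
    param([int]$Minutes = $DefaultWindowMins)
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            IpAddress = $data['IpAddress']
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']
        }
    }
}

function Find-BruteForceSources {
    # Group failed logons by source IP and return those at or over the
    # threshold inside the window. Works on any objects with Time/IpAddress/Account.
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$Threshold  = $DefaultThreshold,
        [int]$WindowMins = $DefaultWindowMins,
        [datetime]$Now   = (Get-Date)
    )
    $since  = $Now.AddMinutes(-$WindowMins)
    $recent = $Events | Where-Object { $_.Time -ge $since -and $_.IpAddress -and $_.IpAddress -ne '-' }
    $groups = $recent | Group-Object -Property IpAddress | Where-Object { $_.Count -ge $Threshold }
    foreach ($g in $groups) {
        [pscustomobject]@{
            IpAddress = $g.Name
            Attempts  = $g.Count
            Accounts  = ($g.Group.Account | Sort-Object -Unique) -join ','
        }
    }
}

function Block-BruteForceSources {
    # Create or extend an inbound block rule for the offending IPs. Scoped to
    # TCP/3389 so a false positive can still reach other services on the host.
    # Block rules win over allow rules in Windows Firewall.
    param([Parameter(Mandatory)] [string[]]$IpAddresses)
    $rule = Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        New-NetFirewallRule -DisplayName $BlockRuleName -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort 3389 -RemoteAddress $IpAddresses | Out-Null
        return
    }
    $existing = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $merged   = @($existing) + @($IpAddresses) | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
    $rule | Set-NetFirewallRule -RemoteAddress $merged
}

# Constructed sample (not real log data): one source spraying several
# accounts, plus one user who mistyped a password once.
$now    = Get-Date
$sample = @(
    [pscustomobject]@{ Time = $now.AddMinutes(-9); IpAddress = '203.0.113.7';  Account = 'administrator'; LogonType = '3' }
    [pscustomobject]@{ Time = $now.AddMinutes(-8); IpAddress = '203.0.113.7';  Account = 'admin';         LogonType = '3' }
    [pscustomobject]@{ Time = $now.AddMinutes(-7); IpAddress = '203.0.113.7';  Account = 'backup';        LogonType = '3' }
    [pscustomobject]@{ Time = $now.AddMinutes(-6); IpAddress = '203.0.113.7';  Account = 'scan';          LogonType = '3' }
    [pscustomobject]@{ Time = $now.AddMinutes(-5); IpAddress = '203.0.113.7';  Account = 'sql';           LogonType = '3' }
    [pscustomobject]@{ Time = $now.AddMinutes(-4); IpAddress = '203.0.113.7';  Account = 'test';          LogonType = '3' }
    [pscustomobject]@{ Time = $now.AddMinutes(-3); IpAddress = '198.51.100.4'; Account = 'jsmith';        LogonType = '10' }
)

$hits = Find-BruteForceSources -Events $sample
$hits | Format-Table -AutoSize

# Against the live log (elevated prompt). Run this script from a scheduled
# task every few minutes and you have the fail2ban behaviour:
#   $hits = Find-BruteForceSources -Events (Get-FailedLogonsFromLog)
#   if ($hits) { Block-BruteForceSources -IpAddresses $hits.IpAddress }
```

The sweep keys on the source address rather than the account, which is the part the built-in lockout policy cannot do. Keep the threshold low and the block rule narrow (3389 only); a legitimate user behind a NAT who fat-fingers a password a few times should not lose every service on the host.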

Did you implement third-party two-factor authentication? This should be done no matter how protected your RDP service is, because every other control on this list only makes a password harder to guess, not useless once it has been guessed. Check out Duo Security and get it rolling immediately.

If your RDP server *is* compromised, what can it reach on the rest of the network? All of your desktops and other servers? Your router's configuration page? Assume the host will be lost one day and segment it so that losing it does not mean losing everything.

Your best bet is to restrict direct access to the RDP service to a short list of specific source IP addresses at the firewall. Better yet, take it off the internet and put it behind a VPN, or use an SSH tunnel to reach 3389 on that instance so that only port 22 is exposed. Enable Network Level Authentication either way, so nobody gets a session before they have authenticated. And in all cases, implement two-factor authentication of some type.
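As an added example (not the post's own code), the recommendations above as a PowerShell hardening script for the RDP host: scope the built-in Remote Desktop firewall rules to an allow-list, check that no other rule still exposes 3389 to anyone, require NLA and TLS, set a lockout policy, and the SSH-tunnel variant. The IP addresses and host names are assumptions; substitute your own admin IP or VPN client pool.

```powershell
# Added example, not code from the original post: lock the built-in RDP rules
# to a source allow-list, require NLA over TLS, and set a basic lockout
# policy. Run from an elevated prompt on the RDP host. The addresses and
# host names are assumptions.

$AllowedSources = @('198.51.100.10', '192.0.2.0/24')   # assumed: admin IP, VPN client pool

# 1. Scope every inbox 'Remote Desktop' rule (TCP and UDP 3389, shadowing)
#    so only the allow-list can reach the listener.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $AllowedSources -Enabled True

# 2. Verify nothing else still allows 3389 from anywhere, e.g. a rule added
#    by hand or by an installer. The check walks every port filter on 3389
#    back to its rule and reads that rule's remote-address scope.
$open = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
foreach ($r in $open) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') { Write-Warning "Rule '$($r.DisplayName)' still allows 3389 from Any" }
}

# 3. Require Network Level Authentication and TLS: the client has to
#    authenticate before a session (and its attack surface) exists.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1   # NLA required
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2   # TLS required

# 4. Local account lockout: 10 bad passwords locks the account for 15 minutes.
#    Domain accounts get this from Group Policy instead. Remember that an
#    attacker can use lockout to deny service to your real users, which is
#    one more reason to keep 3389 off the public internet.
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15

# 5. SSH-tunnel variant: with the OpenSSH server on the RDP host, allow only
#    TCP/22 from $AllowedSources, disable the 3389 allow rules entirely, and
#    from the client (assumed host name) forward a local port through the
#    tunnel to the host's own loopback listener:
#   ssh -L 13389:127.0.0.1:3389 admin@rdp-host.example.net
#   mstsc /v:127.0.0.1:13389
```

Step 2 is the one people skip: the 'Remote Desktop' group is not the only place a 3389 allow can live, and a single leftover "Allow from Any" rule undoes step 1. Re-run the check after every software install.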

Tell your users you don't care how inconvenienced they might feel. They will be a lot more inconvenienced when the company's entire data store abruptly turns into thousands of text files requesting payment in Bitcoin.
