back to article Your specialist subject? The bleedin' obvious... Feds warn of RDP woe

The FBI and the US Department of Homeland Security have added their voices to warnings of insecure deployments of Remote Desktop Protocol (RDP) services. RDP servers can be left misconfigured, or poorly secured, allowing scumbags to waltz into networks and cause further damage. Compromised logins are so abundant they fetch a …

  1. doublelayer Silver badge

    Useful advice that won't help

    All of the advice is nice and useful, now all we need is for those people who haven't been following it to pay attention to an advisory about security and practices to do to make things more secure. Except the people who are insecure are lazy about their security, so they won't have paid any attention to the announcement. Anyone know a way to break this loop?

    1. Anonymous Coward
      Anonymous Coward

      'for those people who haven't been following it to pay attention'

      LA LA LA

      Sadly there is no silver bullet, short of real life cyber vampires showing up. No one is listening never mind bringing silver or garlic....

    2. Mark 85 Silver badge

      Re: Useful advice that won't help

      Anyone know a way to break this loop?

      Most users won't read this article or any article warning them and telling them how to fix it. More important to mingle on Farcebook, et al. Then there's the older folks to whom computers, while fun and great for communications, planning vacations, etc. don't have a clue either. So they're not really lazy, just ignorant and/or don't care. There has to be a better way to get info out there.

      It would be nice of all the security items mentioned as to ports, RDP, etc. for this and other infections were turned off by default, but M$ won't do it.

      1. Giovani Tapini
        Stop

        Re: Useful advice that won't help

        You don't want to break the "features" that allow "Microsoft" call centre agents to "optimise" your PC either.

        Agreed, there are many people using their PC as a consumer device with no reason in their mind to understand all the complex moving parts inside.

        This is why operating systems are getting more schizophrenic trying to be consumer, hobbyist and enterprise all at the same time compromising everyone.

      2. Doctor Syntax Silver badge

        Re: Useful advice that won't help

        "Then there's the older folks to whom computers, while fun and great for communications, planning vacations, etc. don't have a clue either."

        If they're sitting behind an ISP supplied router then it ought to have been supplied with RDP and anything else they don't need already blocked. So prime targets for this message are the vendors and ISP techies responsible for specifying requirements to the vendors and checking they've been met.

        A secondary problem here would be visiting children and grandchildren who want to open up a port for some other purpose and think they know what they're doing. Perhaps ISPs should run occasional pro-active scans for open ports.

        1. DCFusor

          Re: Useful advice that won't help

          Dr S - I have the luck of living where there is exactly one (non satellite) choice - the local coop phone company - for internet, and it's very pricey and slow (but not capped except by the skinny pipe).

          This is in the boonies - one house per 1/3 mile on my road...

          They do indeed lock their modem/router down as tight as I've ever seen one, and they have an incentive to do so, other than the obvious.

          Their pay TV goes over the same wires through the same modem. There's pay for and pay per view channels. If you could get past the login page, you could turn all that stuff on, change your DSL speed up to the max the wiring will go (which is a couple of times faster than I get for $80/mo) and so on.

          Obviously, they don't want to give you that stuff free, and they know there are a lot of us out here who might not have the best of morals (unlike myself, who is as pure as the driven snow) and they really went all out to lock those things down. It's amazing what won't work through one of them...

          Which is fine by me. People and companies just do what they are incentivised to do - and if you don't like it, look at who set the incentives. I think in this case that their profit motive works out to a good thing!

      3. stiine Silver badge

        Re: Useful advice that won't help

        I hate to break it to you, but Windows Server 2012 R2 does come with RDP disabled by default.

        1. Giovani Tapini
          Windows

          Re: Useful advice that won't help

          Do you know anyone using server 2012 R2 as their home desktop?

          1. phuzz Silver badge
            Gimp

            Re: Useful advice that won't help

            Windows 10 also disables RDP by default.

            (Same with Server 2016, except the Essentials version)

          2. katrinab Silver badge

            Re: Useful advice that won't help

            The desktop versions of Windows have had rdp disabled since forever, and the Home editions don't support it.

    3. big_D Silver badge

      Re: Useful advice that won't help

      I had one CEO, he decided RDP from outside was dangerous, but he worked from home with a thin client, so VPN was out. Ah, yes, just the thing: move RDP to another port, nobody would be able to work that out! Yes, that will do the job! GAH!

      1. fandom

        Re: Useful advice that won't help

        "he worked from home with a thin client"

        So, you configure the firewall to block the 3389 port for every IP except his home one.

        If that IP isn't fixed you specify a range, but you knew that.

        1. NogginTheNog

          Re: Useful advice that won't help

          Cue “I can’t connect from Starbucks/client site/favourite brothel” *rant*

      2. Anonymous Coward
        Anonymous Coward

        Re: Useful advice that won't help

        I laughed at that story... and then I remembered I have a VM on my home network that is only for emergency remote access when I’m away, which has external RDP access on an obscure port, that’s STILL RUNNING..! GAH!

    4. Doctor Syntax Silver badge

      Re: Useful advice that won't help

      "Anyone know a way to break this loop?"

      Getting hacked.

      Stable doors etc.

    5. GnuTzu
      Childcatcher

      Re: Useful advice that won't help -- Car Keys

      There are places where it's a misdemeanor to leave your keys in the car. That way, felons won't say "oh look; free car." Are we going to end up with fines for those who make it too easy and too profitable for cyber crooks?

      Of course, for IoT and phone apps, the fines have to be for the manufacturers, but we know that fines of those types will never be enough to compensate for the victims of cyber-voyeurs or worse.

  2. Anonymous South African Coward Silver badge

    So wanting to stick a PC with RDP open to the WWW into a DMZ and see what happens :)

    1. Anonymous Coward
      Anonymous Coward

      Test

      I've had a public facing RDP honeypot for a while and it does see thousands of attempts at the administrator account every day, plus occasionally getting slightly weirder connections but no traffic yet hit the next box in the chain which only has SSH on a very high port. Looking forward to the day they break that and see activity on the third box, then I'll know that it's time to revert and patch the VMs before reconnecting. All hosted on someone else's computer (cloud for you young uns)

    2. Doctor Syntax Silver badge

      "open to the WWW"

      A web server?

      1. katrinab Silver badge

        Remote Desktop Gateway

  3. Lee D

    I'm not convinced.

    RDP = "look at this picture of secured and configured internal system that is compliant to all our policies" and if you disable file sharing "no, you can't just suck the network data out of the connection".

    VPN = "send whatever traffic you like down our wires from whatever machine you might want to, which might have anything on it and might pull any traffic or data is sees".

    RDP can also be secured against non-protocol problems (e.g. brute-force password attacks, etc.) using 2FA, and "protocol" vulnerabilities are rare and patched against.

    I still think the attack surface of RDP is not only much lower, but much easier to secure, much less damaging and keeps everything internal - your data is less likely to wander off without a trace. Imagine: A rogue program on someone's machine gets access to their remote access method. There's credit-card info of a million customers there. You discover that. Now you need to make a disclosure.

    With RDP - it's whatever that session accessed, as that user, over whatever programs are available, on what could be a freshly-imaged VM (basic terminal server functionality in Server editions allow you to wipe a bunch of VM back to image and use a new one for each connection that comes in) inside a session, and then - whatever method it used to extract and distribute that data using whatever programs are available on that VM only.

    With VPN - that's a complete traffic trace (if you could even store that amount of data) and a huge amount of potential access to internal systems.

    And both have flaws, need patches and can be badly configured.

    "Show me a picture of a machine like one I use in work" will always seem less damaging than "join me to your entire network" (even if you put in firewall controls, etc., if they are to access a shared drive, you're allowing the CIFS ports and traffic, and bang you've opened up whole new classes of vulnerabilities). If you're using RDP, you need to hope that the remote machine is even *capable* of executing the program you want to use to steal information, and that they haven't whitelisted the software on those machines such that you can't even try to plant a virus or email yourself an executable, etc.

    1. stiine Silver badge
      Unhappy

      re: sucking data

      Yes you can, you may be only able to exfiltrate 1 line per second, but given time, I can extract any text file that I can reach, and if the clipboard is available, I can do it in just a few clicks.

      1. Lee D

        Re: re: sucking data

        But you can do nothing that you couldn't do INSIDE the network, on a machine, as that same user.

        If the software doesn't let you export that data, or copy to clipboard, then you're literally into screenshot territory. Plus all your monitoring, auditing, etc. software is there installed on the machine that's being copied from, not to mention you could in theory be monitoring that session.

        VPN, that's not true. It's just network access.

        RDP to servers, etc. yes you want to limit to administrators only via secured channels. But general users over RDP inside limited VM's? So much safer than a VPN for the same users.

        1. doublelayer Silver badge

          Re: re: sucking data

          The contest isn't between "RDP" and "VPN". It is between "RDP left wide open, with the only security being the password box" and "RDP with security built in". My favorite security built in for RDP is having it accessible on an internal network only, and then giving computers that are already on the network a method by which they can VPN into that network remotely. Your home computer can't get in in any case, and nor can the people just looking for targets. But really, a lot of things that are more basic can still fix this problem. You could use 2FA, or limit the number of password attempts, or block people who try too many times. Those won't fix all the problems created by having an RDP session running publicly, but at least the people running brute force password attacks won't be able to continue. And none of that is hard!

    2. Mystery Machine

      Re "I'm not convinced."

      The term VPN might be better qualified as suitably configured remote access solution that provides 'appropriate user, device and network access control mechanisms' to control access from the internet commensurate to the systems required to be accessed. That may be a wide-open network-layer VPN to anyone with the right password, it might be proxied access from only corporate machines with strong authentication to a single RDP destination or it might be somewhere in between.

      Point is critical assets with exploitable or limited security controls shouldn't be directly connected to the internet. There are more appropriate systems (loosely termed VPNs) that should act as an intermediary.

  4. TonyJ Silver badge

    Hard not to agree...

    ...that the people/outfits not securing their RDP ports/RDS that are accessible are the same ones for whom this advice has been falling on deaf ears for...well forever.

    Even on my home lab, for which I don't expose RDS to the internet, I have a scheduled task that runs at every login - and all it does it fire off a a simple powershell script that emails me to say there's been a login to sever xxx

    It's just one more layer that adds peace of mind. And that's a lab environment that although it'd be tedious to rebuild doesn't actually hold any data that is worth anyone accessing.

    1. Lee D

      Re: Hard not to agree...

      I run RDP through an IPS system, it then goes to a limited machine that's only used for RDP clients, where they are asked to login via a brute-force protected login, using an AD account that would give them credentials enough to log into webmail or other services anyway. That then not only notify logins to a monitored account, but also challenges them for 2FA (using multiOTP) before they can actually proceed with the login.

      Even "in theory" complete compromise of the underlying machine gives you - access to a client machine. It's not a server. It's literally a client image. If you do proper RDP-farm Terminal Server VM's, that machine is nothing more than a clean-imaged client VM every single time you log in with no history / other user's present on that VM.

      People who use RDP for administration - yes, that's different and you want to remove that visibility at all. But TS access to clients, you can log it - it's just like that authenticated client logging into any other machine. No matter WHAT their remote machine has installed and listening on it, or the state of their local network.

      1. Joe Montana

        Re: Hard not to agree...

        A client machine can be dangerous too...

        There are many ways that even a hardened client image can be leveraged to gain further access, especially when that client machine is part of a domain.

  5. DCFusor

    Funny

    Not entirely suitable for work, but hilarious -

    Dan Tentler's 2015 defcon talk about "BS crazy things I found on the internet" via shodan.

    It really is crazy...it's almost as if the reason many aren't attacked is dilution due to even dumber people out there who are more interesting targets than you.

    https://www.youtube.com/watch?v=5xJXJ9pTihM

  6. Anonymous Coward
    Anonymous Coward

    Port 3389?

    Users should NOT be using the standard RDP port.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber

  7. MonkeyJuice

    nteworks?

    Is that where you run DRP?

  8. Anonymous Coward
    Anonymous Coward

    Old guy here.....

    ....wondering what's wrong with SSH? No need for a remote desktop....just use X-remote to run the app on the server with the GUI locally. What am I missing?

    *

    ....except that it looks like Wayland might screw this up. Sigh!

  9. ILLQO

    Re: Useful advice that won't help

    Wish there was a way to rip away certifications if you made an obviously over the top security snafu like leaving RDP open to the outside. But then it would probably increase the price or availability of receiving at least higher end certifications.. which is not always a bad thing.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022