To lessen the threat of becoming BianLian's next victim when using remote ...
... avoid Windows.
The FBI and friends have warned organizations to "strictly limit the use of RDP and other remote desktop services" to avoid BianLian infections and the ransomware gang's extortion attempts that follow the data encryption. In a 19-page joint alert [PDF] issued Tuesday, the FBI, along with the US government's Cybersecurity and …
Ooooh, that's a good one! Never heard that before. Amazingly original.
If we do that though, how do staff access the applications they need to do their job, which only run on Windows. Which is the only reason a remote desktop was being used in the first place?
If the sort of idiot who runs unsecured RDP with zero 2FA (and probably last patched in 1990) was running *nix then they'd be running everything as root, and in their hands any OS would be just as easy to wreck.
"adding time-based locks to accounts, so that someone can't hijack an admin user out of hours;"
Brilliant. So if there is a breach you can only handle it 9 - 5, M - F? Written by some genius with a university IT diploma.
Lock out all admin accounts, all day long. Problem solved. FFS.
I suspect there is an expectation that companies can turn off Remote Desktop, so the baddies have to use a machine on the office network. Naturally, this won’t cause any day-to-day problems as users will all be back in the office and not working from home, plus no one will be accessing cloud services via Remote Desktop…
I shake my head when I find servers with RDP directly exposed to the internet where tools like TSGrinder can be used to attack them.
If you need access to remote desktop:
* Don't put them directly on the internet. Put them behind a gateway (RD Gateway, Netscaler, etc).
* Use MFA
* Implement something like Lithnet password protection to help avoid shitty passwords: https://github.com/lithnet/ad-password-protection
* Implement as much of the Essential 8 as possible: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
I manage the IT for a small group and we do have RDP straight on the internet. I do what I can in enforcing complex passwords and keeping the system patched but what else can I do? We have no money and limited time to implement whatever it is, the people using it are completely non-technical and the system is on an only-just-better-than-home network.
VPN every time.
Doesn't need to be that complex or expensive a solution but the main thing is always have a firewall between the internet and corporate resources.
I think one of the big hacks a couple of years ago was RDP exposed to the internet as a gateway.
p.s. putting services on random ports is not being secure.....
Trouble is… Microsoft…
Remember we are talking about systems being used by real users, not IT.
For a VPN such as OpenVPN to work reliably with Microsoft's Remote Desktop (which many small organisations use as it's free), the tools need to permit a user to click on a single desktop icon which establishes the VPN connection and starts the RDP client; when the RDS connection is closed, the VPN connection also needs to be dropped automatically.
I remember having this functionality in third-party connection managers that were around in the late 1990s for W95 and W2K, but it isn't part of Windows unless you want to write a custom script, for which Windows will raise a security flag every time it is run because it isn't signed…
It is things like this that really show how little real development has happened with Windows these past 20 plus years…
We had DirectAccess imposed by a company I used to work for. I used to be on call and it could take up to 15 minutes to establish the VPN when you had a middle-of-the-night call out.
This might have been an early version but we all hated it - since leaving that company most of the remote access VPNs have been using AnyConnect with an authenticator plugin.
DirectAccess is a marvellous invention, but unfortunately the fact it requires a /29 WAN subnet catches a fair few out and is a major stumbling block. Thankfully OpenVPN with split tunnelling is extremely simple (And free!) to set up, so we usually go with that - or a 'BOVPN/Branch Office VPN' where a /29 isn't possible. The BOVPN doesn't require any software and is completely seamless, which works great for thin clients.
If you don't have time to do the job properly, then highlight the risks of not doing it properly, in writing, to whoever your most senior management is (as in the business owner), including the likely costs to their business of getting hit by an extortion racket and the time to recover should you have to reformat every PC, do a new Windows installation and then recover data from backups, and ask for sufficient time (and money) to prevent the issues from occurring, as it would be considerably cheaper than clearing up afterwards. If that's even possible, which I suspect may not be the case for you.
You might want to simply ask that person to read this comment and get them to read this link which shows what happens when you take a shortcut too far.
You should have backups. (Veeam Backup & Replication is a good option, although obviously it needs telling where your data is.) You should test that those backups actually work by doing a full restore from them to spare hardware.
You should not have your server allowing remote desktop directly on the internet; you should have a small firewall (you can buy the cheapest WatchGuard firewall for about five hundred quid) which could then run a VPN to the firewall which is secured with 2FA (two-factor authentication, such as WatchGuard's AuthPoint app) so that even if somebody has a username and password they also need to press an "allow" button on a mobile phone app to allow the login.
In terms of free options to protect your desktops a bit more, you could google "software restriction policies" or look at this:-
https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
It's a free (built into Windows) method of preventing the users from running unauthorised applications (i.e. viruses) on your computers.
I'm sorry to hear you are put in that position. There are free VPN tools out there for small groups/home use, better than nothing if it's legit.
Best to consider how much it could cost the 'small group' to be down for a day/week possibly recovering systems and data too, and use that as the cost incentive for a supported product, if possible.
At minimum, implement RD Gateway. This will tunnel RDP traffic through SSL to the gateway, which then makes the RDP connection to the session host. It means there is one more step malicious actors have to bypass to get to the RD session host. It prevents attacks like TSGrinder. We have had too many clients come to us after being compromised through RD servers on the internet. It will cost you a certificate (unless you want the admin overhead of pushing out self-signed) but they are peanuts nowadays. As a bonus you can use HTML5 on the gateway, so clients don't even need an RDP client, just a modern web browser.
Ideally, put the RD gateway on a server in a DMZ. If you are really stuck for resources you can put it on the same server as the session host, but this isn't great. If the RD gateway is compromised, they are directly on the RD session host, and probably have access to other servers unless you have a well segmented network.
Implementing Lithnet password protection is free and will help prevent shitty passwords. All it needs is about 20GB of disk space to host the HaveIBeenPwned password datastore.
https://lithnet.io/products/password-protection
https://github.com/lithnet/ad-password-protection
You can use the DSInternals module to audit your existing AD passwords. Guarantee you will be shocked at the results.
https://github.com/MichaelGrafnetter/DSInternals
Every system administrator should look at the Essential 8 and try to get at least to maturity level 1 for each of the 8, which will prevent or mitigate many attacks. Getting to maturity level 2 or 3 will dramatically increase your security posture, but may be beyond small companies that don't have the budget or admin resources.
https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
Above all, implement multi-factor. A cheap way to do this on RD servers is Duo. It's free for up to 10 users or $3 per user per month for the cheapest non-free plan.
https://duo.com/editions-and-pricing
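Two commenters in this thread point at Lithnet Password Protection (and the HaveIBeenPwned corpus behind it) to stop weak passwords. The following is an added example, not the Lithnet project's code or anything posted in the thread: it shows the k-anonymity range check that the HaveIBeenPwned Pwned Passwords API uses (SHA-1 of the candidate, only the first five hex characters leave the client, the remaining 35 are compared locally), run offline against a constructed range table. Everything in the corpus, the counts, the 14-character minimum and the function names are assumptions for the demonstration; the Lithnet product stores NT hashes locally rather than SHA-1 ranges, which this example does not reproduce.

```python
"""Breached-password check using the HIBP k-anonymity range scheme.

Added example (not from the thread or from Lithnet). The range table is
built from a constructed word list so the check runs offline; a real
deployment would fetch GET https://api.pwnedpasswords.com/range/<prefix>
or use a local copy of the corpus.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List

# Constructed corpus (NOT real HIBP data): password -> times seen in breaches.
CONSTRUCTED_CORPUS = {
    "password": 3730471,
    "Password1": 290000,
    "letmein": 270000,
    "Summer2023!": 1500,
}

MIN_LENGTH = 14  # assumed local policy value, not from the page


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, as the HIBP API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Group hashes by 5-char prefix into 'SUFFIX:COUNT' lines, the API's shape."""
    table: Dict[str, List[str]] = defaultdict(list)
    for word, count in corpus.items():
        digest = sha1_hex(word)
        table[digest[:5]].append(f"{digest[5:]}:{count}")
    return table


RANGE_TABLE = build_range_table(CONSTRUCTED_CORPUS)


def range_lookup(prefix: str, table: Dict[str, List[str]]) -> List[str]:
    """Stand-in for the network call: only the 5-char prefix is 'sent'."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    return table.get(prefix, [])


def pwned_count(password: str, table: Dict[str, List[str]]) -> int:
    """Return how often the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # The full hash never leaves this function; matching is done on our side.
    for line in range_lookup(prefix, table):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password: str, table: Dict[str, List[str]]) -> List[str]:
    """Return a list of policy failures; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    seen = pwned_count(password, table)
    if seen:
        problems.append(f"seen {seen} times in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Summer2023!", "correct horse battery staple"):
        verdict = check_password(candidate, RANGE_TABLE) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The same check belongs wherever a password is set or reset (a password filter on the domain controllers, which is what Lithnet provides, or a self-service reset page); checking only at audit time leaves the bad passwords in use until the next rotation.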
Step 1: bar remote admin login to the Windows server and RDS server. If needed remote admin access is probably best achieved via tools such as TeamViewer, or VPN(*2) since only IT literate people should be using this.
Step 2: make sure you are running a server security suite (eg. Panda AD360 (*1)) which has RDS connection protections enabled.
Step 3: Disable legacy RDS logins, which will mean only W10/W11 clients will be able to connect.
Step 4: on the router block all internet traffic from Russia and satellites and from China et al.
(*1) my complaint with Panda is that whilst it will detect and block many styles of attack on the RDS, it gives very little information that will enable you to put mitigations in place, such as blocking countries and specific ISPs. This can be problematic from a resolution perspective, as for a while it decided Virgin Media (UK) was a source of attacks, so home users with Virgin internet were unable to connect…
(*2) vpn terminated on the router also permits remote admin to access the router’s admin port, without having to expose this to the public internet.
I have a lot of sympathy for you - you’ve likely got a million jobs to do and no resources to get them done. RDP or RDWeb facing the Internet is *super* risky though. It’s really easy to differentiate between valid user names and invalid ones, so first of all attackers will enumerate a bunch of user names. It takes 1x request per user name, so no lockouts (well, very low risk).
Now they have a list of valid user names, and can try a noddy password against each one once every 45 mins or so. Slower if they want to be more stealthy. This is all automated so there’s no opportunity cost to the attacker - they can do this vs dozens of orgs at the same time.
If they hit pay dirt you’re stuffed. And *someone* will have a bad pass. If you really must have RD on the Internet at the very least mandate MFA!
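The two behaviours this commenter describes, a one-request-per-name enumeration pass followed by one password per valid account every 45 minutes or so, are both visible in the Security log of the RD host because each attempt is a failed-logon event (4625) whose sub-status distinguishes "no such user" from "wrong password". The following is an added detection example, not code from the thread: it parses constructed sample records (the line format, the two source addresses from the RFC 5737 documentation ranges, the thresholds and the function names are all assumptions), then flags a source that touches many distinct accounts with few attempts each, which a per-account lockout threshold never sees. The two NTSTATUS sub-status values are the documented ones for event 4625.

```python
"""Spot username enumeration and low-and-slow password spraying in
failed-logon records. Added example; sample data is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Documented NTSTATUS sub-status values carried in Windows event 4625.
SUBSTATUS_NO_SUCH_USER = "0xC0000064"   # user name does not exist
SUBSTATUS_BAD_PASSWORD = "0xC000006A"   # account exists, password wrong

# Constructed sample (NOT real logs). Simplified field order assumed here:
# "<timestamp> <event_id> <source_ip> <user> <substatus>".
# 203.0.113.7 probes eight names, learns four are real, then tries one
# password per real account and comes back 45 minutes later for a second
# round. 192.0.2.10 is one user mistyping their own password three times.
SAMPLE_LOG = """
2024-05-07T01:00:00 4625 203.0.113.7 bob    0xC0000064
2024-05-07T01:00:00 4625 203.0.113.7 carol  0xC0000064
2024-05-07T01:01:00 4625 203.0.113.7 dave   0xC0000064
2024-05-07T01:01:00 4625 203.0.113.7 erin   0xC0000064
2024-05-07T01:02:00 4625 203.0.113.7 alice  0xC000006A
2024-05-07T01:02:00 4625 203.0.113.7 frank  0xC000006A
2024-05-07T01:03:00 4625 203.0.113.7 grace  0xC000006A
2024-05-07T01:03:00 4625 203.0.113.7 heidi  0xC000006A
2024-05-07T01:48:00 4625 203.0.113.7 alice  0xC000006A
2024-05-07T01:48:00 4625 203.0.113.7 frank  0xC000006A
2024-05-07T01:48:00 4625 203.0.113.7 grace  0xC000006A
2024-05-07T01:48:00 4625 203.0.113.7 heidi  0xC000006A
2024-05-07T08:15:00 4625 192.0.2.10  alice  0xC000006A
2024-05-07T08:16:00 4625 192.0.2.10  alice  0xC000006A
2024-05-07T08:17:00 4625 192.0.2.10  alice  0xC000006A
2024-05-07T08:18:00 4624 192.0.2.10  alice  0x0
"""


class Event(NamedTuple):
    ts: datetime
    src: str
    user: str
    substatus: str


def parse_events(text: str) -> List[Event]:
    """Keep only 4625 (failed logon) records; ignore anything malformed."""
    events = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1] != "4625":
            continue
        ts, _, src, user, substatus = fields
        events.append(Event(datetime.fromisoformat(ts), src, user.lower(), substatus))
    return events


def analyse(events: List[Event],
            window: timedelta = timedelta(hours=4),
            min_users: int = 5,
            max_per_user: int = 2,
            min_unknown: int = 3) -> Dict[str, dict]:
    """Per source address: spray = many accounts, few tries each, inside one
    window; enumeration = many distinct names that do not exist."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        spray = False
        start = 0
        for end in range(len(evs)):            # sliding time window
            while evs[end].ts - evs[start].ts > window:
                start += 1
            per_user = Counter(e.user for e in evs[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                spray = True
                break
        unknown = {e.user for e in evs if e.substatus == SUBSTATUS_NO_SUCH_USER}
        report[src] = {
            "spray": spray,
            "enumeration": len(unknown) >= min_unknown,
            "distinct_users": len({e.user for e in evs}),
            "unknown_names": len(unknown),
        }
    return report


if __name__ == "__main__":
    for src, finding in analyse(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

The thresholds are starting points, not tuned values: a busy gateway will need a longer window and a higher distinct-account count, and the enumeration rule only works where the server actually reports 0xC0000064 (with NLA and some gateway configurations the failure surfaces differently). The mitigation the commenter ends on, MFA in front of the session host, is what stops the spray from mattering; this logic only tells you it is happening.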
To reduce the impact of leaky sandboxes, and poorly-thought-out HTML features, you need an air gap between the PC with your web browser, and the PC with access to your corporate network. Data transfer between the two PCs has to be via not-USB-media, such as CDs and DVDs -- the old SneakerNet. Very inconvenient, but there it is.
Executives and marketers, the people least-likely to tolerate "working in gloves", tend to have access to the most-valuable corporate data.
I am sorry but this infuriates me!
"Executives and marketers, the people least-likely to tolerate "working in gloves", tend to have access to the most-valuable corporate data."
Why would executives have full-on access to things like your finance system, same with marketers? This is what good reporting/Business Intelligence is for?
Principle of Least Access is your most effective defense against ransomware!
Depends on definition of "valuable data". If you take it to mean do the most reputational and financial damage then that's the C-suite, e.g. Gerald Ratner…
When I was in sales we avoided allowing our C-suite doing any more than shake hands; too many projects where c-suite involvement lost us revenue and/or margin, which meant we missed out on awards and bonuses…
You are right! I upvoted you.
To answer your question: because executives make access a status/ego thing. It's just like who has the biggest office, the spiffiest company car, etc. In well-run companies, they would not have unneeded access. There are far-more poorly-run companies than there are well-run companies.
If an attacker can get read access to your box, it doesn't matter which operating system you run. Linux, Unix, MacOS, Windows, whatever, they'll grab your ${HOME}/.ssh/id_ed25519, id_ed25519.pub, and known_hosts files, and off they'll go, accessing your servers as if they were "you".
(I run OpenBSD, but that doesn't make me feel invulnerable to computer compromise.)
Make Microsoft (and other software companies) legally and financially responsible for any breaches that can be tied back to a vulnerability in their software regardless of what the licensing says. Give them a little leeway, like 30 days from notification of a vulnerability, and make that notification be logged from a government website so there's no "we were never notified" claims. If the vulnerability isn't fixed and patched within the 30 day window, then people can make claims for damages against them. It would cost next to nothing for the government to host such a site, but the time and money savings would be enormous, so well worth expending a few tax dollars for.
Going at it this way will either force Microsoft (and all other OS makers) to stop releasing crap software, or force them out of business. Where Microsoft is concerned, I'd be happy to see the latter. We would also see the rise of insurance companies creating teams whose whole job is to find and report vulnerabilities, to both reduce the chance of crims finding it first and to put the software companies on the hook for damages sooner.
And, in the event the vulnerability is caused by an interoperability problem, make BOTH companies liable for it, with the percentage determined by the previous year's gross income. If one earned 80 percent and the other 20 percent of the total gross between the two, then one company pays 80 percent of damages and the other 20 percent, regardless of who actually has the problem. This will force the companies to work to correct the problem rather than finger pointing.