Putting any server on the internet creates risk. If there is a flaw in the software that was used to build the solution and it's exploited: BOOM! If there is a weak admin username/password combination and it's stolen or guessed: BOOM! These are pretty typical cases, but RDP is a special case. Sure, you are in control of the password policy at your company, but when you put an RDP server on the internet, all the users of the RDP server are a potential vulnerability.
Let’s review what happens.
Step 1 – Bad actors “scan” the internet for RDP servers (RDP's default port is 3389)
There are numerous scanning tools, but the most popular is Nmap. Here is an example of how to scan 250+ IPs in a few seconds:
C:\Program Files (x86)\Nmap>nmap 18.104.22.168/24 -p 3389 -Pn
Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-05 16:55 Eastern Standard Time
Nmap scan report for 209-255-220-0.ip.mcleodusa.net (22.214.171.124)
Host is up.
PORT STATE SERVICE
3389/tcp open ms-wbt-server
Nmap scan report for 209-255-220-1.ip.mcleodusa.net (126.96.36.199)
Host is up.
PORT STATE SERVICE
3389/tcp filtered ms-wbt-server
Nmap done: 256 IP addresses (256 hosts up) scanned in 9.15 seconds
Another place bad actors lurk is https://www.shodan.io, where they simply search for who has RDP port 3389 available.
Step 2 – The bad actor now has all the servers with RDP available so they “brute force” the servers to see who has weak username / password combinations
How this will present itself in NetWatcher is as follows:
Step 3 – Then the bad actor may also “throw an exploit” directly at the servers
Here is an example of an RDP worm exploit called Mal/Morto-A.
The worm attempts to spread to network shares using port 3389 (RDP), and tries to read and write to files in the remote folder \\tsclient\a\.
Morto has a large database of commonly used passwords. If your network relies upon poorly chosen passwords such as “password”, or sequences of letters or repeated numbers, then you could be at risk.
Here is how you might see a Morto exploit in NetWatcher:
Multiple vulnerabilities that can be exploited have been found in RDP over the years. Just review MS12-020, MS15-067 and MS15-082: all of these can be used by bad actors to create exploits that can be thrown at an RDP server.
How to defend against these attacks
1. Limit users who can log in using Remote Desktop
Remove all administrative access and only allow user accounts requiring RDP service.
2. Set an account lockout policy
By setting your computer to lock an account for a period of time after a number of incorrect guesses, you will help prevent hackers from using automated password-guessing tools to gain access to your system (this is known as a "brute-force" attack).
3. Change the listening port for Remote Desktop
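Changing the listening port will help to "hide" Remote Desktop from hackers who are scanning the network for computers listening on the default Remote Desktop port (TCP 3389). This offers effective protection against the latest RDP worms, such as Morto. A scan that covers every port will still find the service, so use this alongside the other measures in this list rather than in place of them.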
4. Use RDP Gateways
Using an RDP Gateway is strongly recommended. It provides a way to tightly restrict access to Remote Desktop ports while supporting remote connections through a single "Gateway" server.
5. Tunnel Remote Desktop connections through IPSec or SSH
If using an RD Gateway is not feasible, you can add an extra layer of authentication and encryption by tunneling your Remote Desktop sessions through IPSec or SSH.
6. Use two-factor authentication
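The brute-force pattern from Step 2, seen from the defender's side, as an added example that is not part of the original article or NetWatcher's own logic: it counts failed logons per source address in a sliding window over constructed Windows Security log records (event IDs 4625 and 4624) and also reports a successful logon that follows an alert. The function name, threshold, window and sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security log entries:
# (time, event ID, logon type, account, source IP). 4625 = failed logon,
# 4624 = successful logon. Logon type 10 is RemoteInteractive (RDP); failed
# RDP logons with Network Level Authentication are commonly logged as type 3.
SAMPLE_EVENTS = [
    ("2017-01-05 16:55:01", 4625, 3, "administrator", "203.0.113.7"),
    ("2017-01-05 16:55:03", 4625, 3, "admin", "203.0.113.7"),
    ("2017-01-05 16:55:04", 4625, 3, "test", "203.0.113.7"),
    ("2017-01-05 16:55:06", 4625, 3, "jsmith", "203.0.113.7"),
    ("2017-01-05 16:55:09", 4625, 3, "jsmith", "203.0.113.7"),
    ("2017-01-05 16:55:12", 4624, 10, "jsmith", "203.0.113.7"),
    ("2017-01-05 17:10:00", 4625, 10, "mjones", "198.51.100.20"),
    ("2017-01-05 17:40:00", 4625, 10, "mjones", "198.51.100.20"),
    ("2017-01-05 17:41:00", 4624, 10, "mjones", "198.51.100.20"),
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for sources that reach `threshold` failed
    logons within `window` (hypothetical helper, assumed default values)."""
    failures = defaultdict(deque)   # source IP -> times of recent failures
    targeted = defaultdict(set)     # source IP -> accounts it tried
    findings = {}
    for ts, event_id, logon_type, account, src in sorted(events):
        if logon_type not in (3, 10):
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4625:
            q = failures[src]
            q.append(when)
            targeted[src].add(account)
            while when - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in findings:
                findings[src] = {"alert_time": ts, "accounts": targeted[src],
                                 "success_after_alert": []}
        elif event_id == 4624 and src in findings:
            # A success from an already-flagged source: the guess likely worked.
            findings[src]["success_after_alert"].append(account)
    return findings

if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_EVENTS))
```

Logon type 3 also covers other network logons such as file shares, so on a host that exposes more than RDP the count should be narrowed further before alerting.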