  #1  
Old 12-05-2018, 10:32 AM
Frankenstein Monster is offline
Charter Member
 
Join Date: Apr 2004
Location: Europe
Posts: 761

How secure is Windows Remote Desktop?


For as long as I remember, I have used Windows Remote Desktop over my local LAN to operate my computers.

I never connect to any of my computers directly from outside of my LAN. So I have never allowed access to port 3389 from the outside.

MY OS edition is Windows 10 Pro.

I recently got the scare of my life - for the second time - when I noticed that my port 3389 had been visible to the outside and the firewall log was completely filled with hacking attempts to that port. (Windows Firewall log showing "ALLOW TCP ..... RECEIVE" where it should say DROP TCP.)

Turns out, since recent times, Windows during upgrade automatically removes my firewall restrictions (192.168.137.0/24) from this port, making it vulnerable to hacking. (GRRRR!)

AFAICT, the hacking attempts failed.

This time.

BUT, how close was I to disaster?

I initially thought only brute force guessing of my password had saved me from catastrophe.

But then I realized, they would also have to guess my user name. Is this true? Or can you log in to RDP with some generic user name that exists on Windows by default? (e.g. "Administrator" or the like. I haven't made any other accounts myself. I don't see any other accounts listed in the control panel. I don't see any users listed at all under "Select users that can remotely access this PC".)

And then there is "Network Level Authentication", which of course, I have enabled. What does this do, exactly? Any good in preventing strangers from logging in? When I do need to RDP from the outside, I set up an elaborate SSH tunnel on port 3389 and that works. Where does NLA come into the picture?

Is there any trick to force Windows to KEEP MY FIREWALL RULES when it upgrades?
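An added example, not code from the thread or from any poster: a PowerShell audit that answers the last question above in the only practical way Windows offers, by checking the inbound Remote Desktop firewall rules after each feature update and re-scoping any rule that has fallen back to "Any", and by reading back whether Network Level Authentication is still on. It assumes the built-in "Remote Desktop" rule group (the rules Windows 10 ships) and the 192.168.137.0/24 subnet named in the post.

```powershell
#Requires -RunAsAdministrator
# Added example (not code from the thread): audit the inbound Remote Desktop
# firewall rules and re-scope any that a feature update has widened back to
# "Any", as the original poster describes. Run from an elevated PowerShell on
# Windows 10; re-run it (or schedule it) after every feature update.
# Assumption: the trusted LAN is 192.168.137.0/24, the subnet named in the post.

$Lan = '192.168.137.0/24'

function Get-RdpRuleExposure {
    # One record per enabled inbound rule in the built-in "Remote Desktop"
    # group, with its current remote-address scope.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
        ForEach-Object {
            $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
            $port   = ($_ | Get-NetFirewallPortFilter).LocalPort
            [pscustomobject]@{
                Name    = $_.Name
                Port    = $port
                Remote  = ($remote -join ',')
                Profile = $_.Profile
                # "Any" admits every source address, i.e. the whole Internet
                # as soon as one adapter carries a public address.
                Exposed = ($remote -contains 'Any')
            }
        }
}

function Repair-RdpRuleScope {
    param([string]$TrustedNet)
    # Re-scope every exposed rule to the trusted subnet only.
    Get-RdpRuleExposure | Where-Object Exposed | ForEach-Object {
        Write-Warning "Rule $($_.Name) (port $($_.Port)) allows from Any; restricting to $TrustedNet"
        Set-NetFirewallRule -Name $_.Name -RemoteAddress $TrustedNet
    }
}

function Test-NlaEnabled {
    # Network Level Authentication: with UserAuthentication=1 the client must
    # authenticate (via CredSSP) before the host creates a session or shows a
    # logon screen, so an unauthenticated probe never reaches the logon UI.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    (Get-ItemProperty -Path $key -Name UserAuthentication).UserAuthentication -eq 1
}

# Report, repair, report again.
Get-RdpRuleExposure | Format-Table -AutoSize
Repair-RdpRuleScope -TrustedNet $Lan
Get-RdpRuleExposure | Format-Table -AutoSize
if (-not (Test-NlaEnabled)) {
    Write-Warning 'NLA is off: re-enable "Allow connections only from computers running Remote Desktop with Network Level Authentication"'
}
```

The scope check deliberately keys on the literal "Any" rather than comparing against the subnet string, because Windows reports subnets back in address/mask form. Where the trusted range is simply the local subnet, `-RemoteAddress LocalSubnet` is an accepted alternative to a CIDR string. A correctly scoped rule still does nothing about a listener that a router would never have forwarded in the first place, which is the point several replies below make.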
  #2  
Old 12-05-2018, 12:28 PM
arseNal is offline
Guest
 
Join Date: Apr 2005
Posts: 888
No protocol is 100% safe, even webservers on port 80/443 are theoretically vulnerable if there's some exploitable bug in the webserver software. I'm not up on windows security but my gut feeling is that RDP is a fair bit more vulnerable. In fact it's one of the last services I would want to have exposed to the internet.

Which brings us to the next point, which is, why is your windows desktop PC accessible from the internet at all? Aren't you using a router? A router would not forward requests to 3389 unless you explicitly told it to. This would make any firewall settings moot.
  #3  
Old 12-05-2018, 01:04 PM
Frankenstein Monster is offline
Charter Member
 
Join Date: Apr 2004
Location: Europe
Posts: 761
Quote:
Originally Posted by arseNal View Post
In fact it's one of the last services I would want to have exposed to the internet.
Exactly! That's why I consider it a major crisis when it happens accidentally. Literally (almost), heartbeat racing, knees weak, arms are heavy, vomit on my sweater already...



Quote:
Originally Posted by arseNal
Which brings us to the next point, which is, why is your windows desktop PC accessible from the internet at all? Aren't you using a router? A router would not forward requests to 3389 unless you explicitly told it to. This would make any firewall settings moot.
My ISP only provides a bridged connection to the Internet out of the Ethernet port on their customer-premises equipment. I have always used a Windows workstation as a router. I don't think Windows, correctly configured, is/was any less secure than those common cheap (or even professional expensive) easily-hacked separate Internet routers. Quite the opposite in fact.

I have thought about using a separate Linux machine as a router. Perhaps a RaspPi. That used to be not necessarily very secure either, but is much better today.

Still wondering how bad the RDP protocol is.

Apart from brute forcing credentials, anybody know how vulnerable RDP would be to security exploits? Are there architectural features mitigating any possible security bugs?
  #4  
Old 12-05-2018, 01:33 PM
Cleophus is offline
Guest
 
Join Date: Jul 2000
Location: Philadelphia, PA
Posts: 1,384
Standard practice in enterprise environments is to require RDP users to connect via VPN or a Terminal Services Gateway. The port is blocked at the border. While I am not aware of any current exploits, it is not considered safe to directly expose RDP to the Internet.

As you have seen, one of the benefits of having a dedicated firewall device is the integrity of the firewall is not reliant on the condition of the protected assets. I think you may have some misconceptions about the security of Linux-based firewalls. They are extremely secure (subject to proper configuration, of course) and the security of it does not rely on the hardware you choose to deploy. The majority, probably all at this point, of consumer routers run Linux and are quite capable of preventing unwanted intrusions into a home network.

Last edited by Cleophus; 12-05-2018 at 01:35 PM.
  #5  
Old 12-05-2018, 01:57 PM
arseNal is offline
Guest
 
Join Date: Apr 2005
Posts: 888
Quote:
Originally Posted by Frankenstein Monster View Post
I don't think Windows, correctly configured, is/was any less secure than those common cheap (or even professional expensive) easily-hacked separate Internet routers. Quite the opposite in fact
Firstly, I think you've found out the hard way that "correctly configuring" (and keeping it that way!) is not necessarily an easy thing to do in Windows. Consider that you are actually using this machine every day for work or entertainment. You are constantly installing/uninstalling software, fiddling with settings to make this or that work properly (oh, Steam wants this permission to access that remote server to play whatever game? Sure, allow! Oh, I want to allow this folder to be accessed by another PC on my network that I trust? Sure, turn on file sharing! Oh, I need to allow this specific traffic to allow my media server to scan my hard drive for pictures and videos so I can watch them on my big screen? Click!). This is not best practices for security, you want a dedicated appliance sitting there mostly unchanged, dedicated to network protection.

Secondly, I somewhat/mostly disagree with your statement anyway. Windows 10 is not a hardened server OS, it is meant for desktop productivity, games, media consumption. While they've come a long way, security is still not the primary focus of such an OS. For exposure to the internet, I would take a cheap home router over Windows 10 any day. Linux is good too of course, which as Cleophus mentioned is already running with iptables or similar on most/all home routers. I simply would never put any Windows desktop OS on the internet. Windows Server might be a different story.

Last edited by arseNal; 12-05-2018 at 01:59 PM.
  #6  
Old 12-05-2018, 02:29 PM
Frankenstein Monster is offline
Charter Member
 
Join Date: Apr 2004
Location: Europe
Posts: 761
Actually, I allow precisely nothing on the machine that is bridged to the Internet. That's why I use a separate router machine in the first place.

Yes, it has grown increasingly problematic that any and all apps today tend to "help themselves" to incoming traffic on the Internet, without asking me anything (the answer would be no if they asked).

Yes, I agree that Linux iptables today is probably better, for the aforementioned reason and others.

So, anybody have info about how bad (vulnerable) a listening RDP port really is in practice? And what attacks is it vulnerable to?
  #7  
Old 12-05-2018, 02:41 PM
si_blakely is offline
Guest
 
Join Date: Jul 2002
Location: not UK anymore
Posts: 4,959
Not a lot:

https://www.cvedetails.com/vulnerabi...onnection.html

As for NLA

https://en.wikipedia.org/wiki/Networ...Authentication
__________________
Simon
  #8  
Old 12-05-2018, 09:00 PM
Melbourne is offline
Guest
 
Join Date: Nov 2009
Posts: 5,322
Quote:
Originally Posted by Frankenstein Monster View Post
I initially thought only brute force guessing of my password had saved me from catastrophe.

But then I realized, they would also have to guess my user name. Is this true? Or can you log in to RDP with some generic user name that exists on Windows by default? (e.g. "Administrator" or the like. I haven't made any other accounts myself. I don't see any other accounts listed in the control panel. I don't see any users listed at all under "Select users that can remotely access this PC".)
The Administrator account has a well known ID: Sometimes the ID number can be used without knowing the login name. This is one reason why it is common to disable the Administrator account when it is not required.

But that's not to say that there is any well-known current problem with the Administrator ID (or with RDP). You keep this stuff disabled so that if someone does discover a new problem, you aren't the one they demonstrate it on.
  #9  
Old 12-05-2018, 10:20 PM
Projammer is offline
Member
 
Join Date: Apr 2006
Location: SW Arkansas
Posts: 6,673
One small bit of security would be to change the port that RDP operates on. That way when M$ decides to helpfully open 3389 to the world, there's no one listening to answer the call.
  #10  
Old 12-06-2018, 09:22 AM
md2000 is offline
Guest
 
Join Date: Feb 2009
Posts: 15,079
Quote:
Originally Posted by Projammer View Post
One small bit of security would be to change the port that RDP operates on. That way when M$ decides to helpfully open 3389 to the world, there's no one listening to answer the call.
Yes and no. Firstly, if you open a different port, then you also have to open that port on the firewall. Secondly, hacking attempts come from automated programs. The first thing a scan of your firewall does is check all ports; it also analyzes the responses it gets to determine what program is waiting at the other end - mail relay? Remote desktop? Web service? FTP? etc. etc. It takes a lot of different probes, but a computerized scan program is patient. The information is then tucked away for use with any emerging exploits. (Although you know they try all any current ones)

A good higher end firewall should detect and block an IP that is attempting a scan. But of course, bot networks can marshal hundreds of different compromised PCs to avoid having a single IP identified and blocked. Another helpful hint - don't enable administrator userid if you don't have to. Most commercial (domain) setups will disable a userid for a time 10 minutes to 1/2 hour, usually after a certain number of bad passwords. Administrator cannot be locked out; plus, if enabled, it saves the bot having to guess user as well as password. And if someone you emailed had been hacked, your email is out there - which could be your userid for logging on...

I have seen firewall logs indicating that somewhere in Romania or China had been repeatedly trying user/password combinations for several hours during the night. Higher end firewalls now can ask that you authenticate to them first, then to the RDS server. Until you authenticate with the firewall, there is no response from the RDS login. Alternatively, VPN's are a more secure connection - often requiring preconfigured keys, etc.

Yes, a computer simply exposing Remote Desktop to the world is a bad idea. A computer not protected from the internet by a home router is especially a bad idea, because most exploits are not about RDS. Plus, with the number of devices in the home today, a router using private (NAT) addresses internally is pretty much a necessity.
  #11  
Old 12-06-2018, 03:09 PM
Frankenstein Monster is offline
Charter Member
 
Join Date: Apr 2004
Location: Europe
Posts: 761
Quote:
Originally Posted by Projammer View Post
One small bit of security would be to change the port that RDP operates on. That way when M$ decides to helpfully open 3389 to the world, there's no one listening to answer the call.
Thanks! Just thought of this myself yesterday evening after posting. Yes, this is an old trick that I used to do when I had listening HTTP and SSH servers (already well secured). I simply moved them to random-numbered 5-digit ports. Never any attacks. Note, they wouldn't have been vulnerable even if attacked, this was an extra layer of security in addition to many others.

Definitely have to do this with my RDP port.


Quote:
Originally Posted by md2000
Yes and no. Firstly, if you open a different port, then you also have to open that port on the firewall.
No, the port is not open on the firewall. My issue is Windows opening the port against my express instruction.

Note to self: next time, every time Windows does a feature update, unplug public Ethernet for the duration. Fix security settings before reconnecting.

(Also just yesterday, I noticed that port 7680 had also been opened to the public. Windows Delivery Optimization. Never wanted, never enabled, always disabled. But Windows had just turned it on without asking. At least it hadn't been scanned or attacked yet.)


Quote:
The first thing a scan of your firewall does is check all ports
Never ever seen those on my public Internet connection, so far.

I'm not running any server (anymore) and I am an insignificant nobody on the internet. All I see is routine script kiddie probes of well known ports (445 and 3389 mostly). Not running any services on their well known ports - never responding anything on the well known ports - is a good way to reduce the routine hacking traffic (never the sole security measure).


Quote:
I have seen firewall logs indicating that somewhere in Romania or China had been repeatedly trying user/password combinations for several hours during the night.
Yes I think this is what I got when Windows accidentally opened port 3389. I didn't log the contents of the packets, just the opening of the TCP connection. Tens of thousands at 10 per second or so, for more than 24 hours before I noticed.


Thanks md2000, interesting info. No big disagreement with anything in your post.
  #12  
Old 12-06-2018, 08:52 PM
md2000 is offline
Guest
 
Join Date: Feb 2009
Posts: 15,079
Depends what you want to do -
If you only RDP from inside your home network, set up a router (if you haven't) and be sure it does not port-forward 3389 or any other port to your PC's Remote Desktop.
If you won't use RDP, block it on the Windows firewall; better yet, in control panel - system - system - advanced - remote tab, turn off remote access.
If you RDP from a known address or set of addresses, set the firewall rule to only allow from that IP (or IP range).

At least with Windows 10 or 7 or 8 you will know, because a remote session will bump you off first; or if you are lucky, ask permission first.

If you have phone or cable internet service, odds are the "modem" for your service is also a basic router. You can tell this if your PC's IP is a non-routable address, 192.168.x.x or 10.x.x.x or 172.x.x.x; your ISP's equipment is NAT'ing your internal network. Then the question is - do you have any port forwarding configured? Unless you deliberately set it up - odds are no.

OTOH, check windows firewall - with a laptop it should be on for public networks - so when on a public network like Starbucks, the guy at the next table can't browse your files over WiFi.
  #13  
Old 12-07-2018, 10:28 AM
Projammer is offline
Member
 
Join Date: Apr 2006
Location: SW Arkansas
Posts: 6,673
Quote:
Originally Posted by md2000 View Post
Yes and no. Firstly, if you open a different port, then you also have to open that port on the firewall. Secondly, hacking attempts come from automated programs. The first thing a scan of your firewall does is check all ports; it also analyzes the responses it gets to determine what program is waiting at the other end - mail relay? Remote desktop? Web service? FTP? etc. etc. It takes a lot of different probes, but a computerized scan program is patient. The information is then tucked away for use with any emerging exploits. (Although you know they try all any current ones)
I did qualify my suggestion as a "small" bit of security.

But attacks that are going to scan all 65k+ ports of an IP are generally targeting a specific business or person. Someone probing all addresses in a range are more likely to just scan a subset of the ports of known protocols in the interest of covering as many potential targets as possible.

Last edited by Projammer; 12-07-2018 at 10:29 AM.
  #14  
Old 09-18-2019, 05:22 AM
Melbourne is offline
Guest
 
Join Date: Nov 2009
Posts: 5,322
Quote:
Originally Posted by Cleophus View Post
Standard practice in enterprise environments is to require RDP users to connect via VPN or a Terminal Services Gateway. The port is blocked at the border. While I am not aware of any current exploits, it is not considered safe to directly expose RDP to the Internet.
Just dropped by to note that last month there is a current exploit! (or last month actually)

And they are reporting that 10's of thousands of RDP connections are exposed to the internet. (Which I must say surprised me.)

Only a Win7/XP/2K exploit apparently. Win10 is implemented differently. (In a way which makes it /much more difficult/ to debug, but that is evidently a good thing in this case.)

Last edited by Melbourne; 09-18-2019 at 05:23 AM.
  #15  
Old 09-18-2019, 06:41 AM
Frankenstein Monster is offline
Charter Member
 
Join Date: Apr 2004
Location: Europe
Posts: 761
Are you referring to CVE-2019-0708 (Bluekeep)?

Here is a very interesting, very technical writeup.

Apparently Windows 10 was not affected and earlier versions have been fixed with Windows Update.

Good to know. I religiously monitor the RDP port to check that it's not listening on the outside. Every Windows feature update makes it listen on the outside but I am now aware of this and unplug all outside networks during feature updates.

Last edited by Frankenstein Monster; 09-18-2019 at 06:41 AM.
  #16  
Old 09-18-2019, 07:06 AM
Jasmine is offline
Member
 
Join Date: Jul 1999
Location: Chicagoland
Posts: 2,257
I use remote desktop internally only, and only the tech department (all two of us) have access to it. That's as far as I want to go with it.
__________________
"The greatest obstacle to discovery is not ignorance -- it is the illusion of knowledge."
--Daniel J Boorstin
  #17  
Old 09-18-2019, 08:39 AM
manson1972 is online now
Member
 
Join Date: Jan 2004
Posts: 12,009
Quote:
Originally Posted by Frankenstein Monster View Post
Are you referring to CVE-2019-0708 (Bluekeep)?

Here is a very interesting, very technical writeup.

Apparently Windows 10 was not affected and earlier versions have been fixed with Windows Update.

Good to know. I religiously monitor the RDP port to check that it's not listening on the outside. Every Windows feature update makes it listen on the outside but I am now aware of this and unplug all outside networks during feature updates.
I don't understand your setup from your original question. Do your internal Windows machines have public IP addresses? If not, is your router and/or firewall set up to forward traffic on that port to your internal machines?
  #18  
Old 09-18-2019, 08:53 AM
Frankenstein Monster is offline
Charter Member
 
Join Date: Apr 2004
Location: Europe
Posts: 761
Quote:
Originally Posted by manson1972 View Post
I don't understand your setup from your original question. Do your internal Windows machines have public IP addresses? If not, is your router and/or firewall set up to forward traffic on that port to your internal machines?
ONE of the machines has a public IP address. It's a Windows 10 machine with multiple network adapters and Windows Connection Sharing to provide (one level of) internal network.

Windows 10 insists on listening on all adapters (0.0.0.0) when Remote Access is enabled. Plus without warning it clears the Firewall settings that block public access.

Just while writing this, it occurred to me I should look for a setting to bind the RDP to the intranet adapter. Probably worth trying, although the real problem is Windows resetting all my security settings when updating to a Feature update.

One day I'll set up a nice little low power Intel NUC (already in my closet) with Linux for the public internet routing. Sure hope I get around to that before I get hacked.
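An added example, not code from the thread: the check the poster describes doing by hand in post #11 (finding 3389 and then 7680 reachable from outside) and in post #18 (Remote Desktop bound to 0.0.0.0), generalised to every TCP listener on the host. It lists each listener that is reachable through a publicly addressed adapter, either because it is bound to a public address or to the wildcard, together with the owning process. It assumes "public" means any IPv4 address outside the RFC 1918, loopback and link-local ranges, and it does not look at IPv6 adapters.

```powershell
#Requires -RunAsAdministrator
# Added example (not code from the thread): inventory every TCP listener that
# is reachable through a publicly addressed adapter on this Windows 10 host,
# the way the original poster found 3389 and then 7680 exposed after updates.
# A listener counts as exposed if it is bound to a public address or to the
# wildcard (0.0.0.0 / ::), which is how Windows binds Remote Desktop.
# Assumption: "public" = any IPv4 address outside RFC 1918, loopback and
# link-local. IPv6 is not examined.

function Test-PrivateIPv4 {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return (
        ($b[0] -eq 10) -or
        ($b[0] -eq 127) -or
        ($b[0] -eq 169 -and $b[1] -eq 254) -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168)
    )
}

function Get-PublicListeners {
    # Public IPv4 addresses currently configured on any adapter.
    $publicAddrs = @(Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) })
    if ($publicAddrs.Count -eq 0) {
        Write-Output 'No publicly addressed adapter: nothing on this host is directly reachable from the Internet.'
        return
    }
    # The RDP listener port is whatever the registry says, not necessarily 3389.
    $rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $addr     = $_.LocalAddress
        $onPublic = ($addr -eq '0.0.0.0') -or ($addr -eq '::') -or ($publicAddrs.IPAddress -contains $addr)
        if (-not $onPublic) { return }   # skips this pipeline item only

        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $note = ''
        if ($_.LocalPort -eq $rdpPort) { $note = 'Remote Desktop listener' }
        elseif ($_.LocalPort -eq 7680) { $note = 'Delivery Optimization (the port named in post #11)' }

        [pscustomobject]@{
            Port    = $_.LocalPort
            BoundTo = $addr
            Process = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            Note    = $note
        }
    } | Sort-Object Port, BoundTo
}

Get-PublicListeners | Format-Table -AutoSize
```

A listener on the public adapter is only reachable if a firewall rule also allows it, so this list is the thing to cross-check against the firewall after an update, not a verdict on its own. Conversely, a host whose only addresses are private, sitting behind a router that forwards nothing, prints the one-line "nothing is directly reachable" result regardless of what Windows binds to 0.0.0.0, which is the configuration the replies keep recommending.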
  #19  
Old 09-18-2019, 10:16 AM
manson1972 is online now
Member
 
Join Date: Jan 2004
Posts: 12,009
Quote:
Originally Posted by Frankenstein Monster View Post
ONE of the machines has a public IP address. It's a Windows 10 machine with multiple network adapters and Windows Connection Sharing to provide (one level of) internal network.
Ah, I see. As has been said, don't do this. No Windows machines should be public facing without being behind a separate firewall. A simple NATing router would be better than what you have now.
  #20  
Old 09-18-2019, 01:43 PM
EdelweissPirate is offline
Guest
 
Join Date: Mar 2015
Location: Portland, OR USA
Posts: 619
Quote:
Originally Posted by Frankenstein Monster View Post
I don't think Windows, correctly configured, is/was any less secure than those common cheap (or even professional expensive) easily-hacked separate Internet routers. Quite the opposite in fact.
There’s your problem. You’re gravely mistaken about this. With apologies to Samuel Johnson, an edge router running Windows is like a dog’s walking on its hind legs. It is not done well; but one is surprised to find it done at all.

Manson1972 and others are exactly right when they say “don’t do this.” Really: don’t. Buy a dedicated router box and install it today. It presents a much, much smaller attack surface than your Windows machine.

I’m not sure why you think “separate internet routers” are easily hacked, but your Windows machine is almost certainly more vulnerable than, say, a fully patched Ubiquiti Edgerouter (which sells for about $50).

You really need to close the public-facing RDP ports and use a dedicated router’s VPN (even cheap routers act as VPN servers these days). Tunneling over SSH would be ok—as long as you’re not using passwords—but right now, you’re SSHing into a publicly-accessible Windows machine. That alone presents a slew of potential vulnerabilities.

Quote:
Originally Posted by Frankenstein Monster View Post
I initially thought only brute force guessing of my password had saved me from catastrophe.

But then I realized, they would also have to guess my user name. Is this true?
I don’t want to be mean, but this highlights the fact that you shouldn’t be running a Windows machine as a router.

Really, no one should. But if you have to ask the question above, you definitely shouldn’t. Respectfully, you don’t know enough about network security to lock down a public-facing Windows machine.

Do not build a router by putting Linux on your NUC. Even if you used a good router distro like Shorewall, you don’t currently know enough about either Linux or network security to configure it properly.

Buy a dedicated router today and put it in place of your Windows router. Then, if you really want to learn how to roll your own router/firewall, do some homework and then install Shorewall on your NUC.

You won’t get the configuration right the first time, but you don’t have to. Your dedicated router will provide much better security than you have now, giving you some breathing room so you can learn.
  #21  
Old 09-18-2019, 02:19 PM
Frankenstein Monster is offline
Charter Member
 
Join Date: Apr 2004
Location: Europe
Posts: 761
Thanks, EdelweissPirate. A bit harsh, but solid advice. Gonna buy a simple little router right now.
  #22  
Old 09-18-2019, 02:31 PM
EdelweissPirate is offline
Guest
 
Join Date: Mar 2015
Location: Portland, OR USA
Posts: 619
Quote:
Originally Posted by Frankenstein Monster View Post
Thanks, EdelweissPirate. A bit harsh, but solid advice. Gonna buy a simple little router right now.
Sorry for the harshness. The main point was to be direct and abundantly clear; harshness was an unfortunate side effect.

I don’t mean to say that you can’t learn this stuff in detail—you just haven’t yet.

You’ve obviously dug into the subject in a nontrivial way, and you seem to know some important things about network security. I’m sure you could build a robust understanding of the subject pretty quickly. Please don’t be discouraged by my post!
  #23  
Old 09-18-2019, 03:19 PM
Mangetout is offline
Member
 
Join Date: May 2001
Location: England
Posts: 57,943
Quote:
Originally Posted by Frankenstein Monster View Post
So, anybody have info about how bad (vulnerable) a listening RDP port really is in practice? And what attacks is it vulnerable to?
I am not specifically a security expert, but I do work in IT, and use RDP daily along with other remote access and control methods.

I would say the key risk with RDP is: There is only one layer of challenge, which is the user authentication (local or AD) - if the attacker has valid credentials for the machine or domain, or has an exploit that can somehow circumvent that authentication, they are straight in.
With other remote access/control solutions, there is usually a necessity for the local user to grant permission for the remote user to take control. I imagine those things aren't immune to exploit either, but they are another layer of challenge.

On a non-server OS, however, RDP access will log out the local user in order to create the session for the remote user - so if you were logged in and using the computer, it's a reasonably sure indication that nobody was remotely logged in.
  #24  
Old 09-18-2019, 04:18 PM
Frankenstein Monster is offline
Charter Member
 
Join Date: Apr 2004
Location: Europe
Posts: 761
Quote:
Originally Posted by Mangetout View Post
I would say the key risk with RDP is: There is only one layer of challenge, which is the user authentication (local or AD) - if the attacker has valid credentials for the machine or domain, or has an exploit that can somehow circumvent that authentication, they are straight in.
Yeah that's exactly it.

I think CVE-2019-0708 has the effect of the latter. If that had been known a year earlier AND Windows 10 would have been affected then I could have been hacked that way.

As for the former, I actually found out later that Windows had logged an Audit Failure in the Event Log for every incoming hack connection. That is, I had almost 10,000 Audit Failures in the Event Log within a short time. The event showed the account name that failed. There were thousands of common Windows account names tried - "Administrator" in many languages, "Media", "Accounting", etc. and every person first name you could imagine ("Tom", "Dick", "Harry", etc.etc.etc.) with every account name occurring a few times (perhaps trying a handful passwords for each).

I was somewhat relieved to note that they would have never guessed EITHER my account name OR my password (not long enough for sure, but not guessable in just a few tries) this way. It wasn't close.

So I was lucky there. I know very well the principles of defense in depth and minimal attack surface etc. so I realize it was a major crisis that it came anywhere near this close. I look forward to completely eliminating this risk with the new separate router/firewall. (Just ordered a Ubiquiti EdgeRouter X.)
  #25  
Old 09-18-2019, 04:27 PM
EdelweissPirate is offline
Guest
 
Join Date: Mar 2015
Location: Portland, OR USA
Posts: 619
Quote:
Originally Posted by Mangetout View Post
I would say the key risk with RDP is: There is only one layer of challenge, which is the user authentication (local or AD) - if the attacker has valid credentials for the machine or domain, or has an exploit that can somehow circumvent that authentication, they are straight in.
That’s all valid. But any attacker already has an exploit to circumvent RDP auth: brute force. An attacker can just hammer away with random username/password pairs until they get in. And, given enough time, they’ll succeed.

Of course, that’s true for any service that relies on usernames and passwords for access control. Unix tools like fail2ban address this by blocking IP addresses from which too many failed attempts are made.

ETA: partly ninja’d by the OP!

Last edited by EdelweissPirate; 09-18-2019 at 04:31 PM.
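An added example, not code from the thread or from any poster: a defender's triage of the Security-log Audit Failures the OP describes in post #24 (event ID 4625, showing the account name each attempt used), followed by the fail2ban-style stopgap EdelweissPirate mentions in post #25, implemented with a Windows Firewall block rule. It assumes failed-logon auditing is enabled (the Windows 10 default) and uses an illustrative 24-hour window and 20-failures-per-source threshold.

```powershell
#Requires -RunAsAdministrator
# Added example (not code from the thread): triage Security-log "Audit Failure"
# events (ID 4625) after an RDP exposure, then optionally block the noisiest
# source addresses with a Windows Firewall rule, fail2ban-style.
# Assumptions: failed-logon auditing is on (Windows 10 default); the 24 h
# window and 20-failure threshold are illustrative.
param(
    [int]$Hours = 24,
    [int]$Threshold = 20,
    [switch]$Block          # report only unless -Block is given
)

function Get-FailedLogons {
    param([datetime]$Since)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The fields worth having live in the event's XML payload, not in Message.
        $field = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $field['TargetUserName']
            Ip        = $field['IpAddress']
            LogonType = $field['LogonType']   # 3 = network (where NLA failures land), 10 = RemoteInteractive
        }
    }
}

$since  = (Get-Date).AddHours(-$Hours)
$remote = @(Get-FailedLogons -Since $since |
    Where-Object { $_.Ip -and $_.Ip -ne '-' -and $_.Ip -ne '127.0.0.1' -and $_.Ip -ne '::1' })

Write-Output "Remote failed logons in the last $Hours h: $($remote.Count)"
Write-Output 'Account names tried most often:'
$remote | Group-Object User | Sort-Object Count -Descending | Select-Object -First 15 Count, Name | Format-Table -AutoSize

$noisy = @($remote | Group-Object Ip | Where-Object Count -ge $Threshold | Sort-Object Count -Descending)
Write-Output "Source addresses with at least $Threshold failures:"
$noisy | Select-Object Count, Name | Format-Table -AutoSize

if ($Block -and $noisy.Count -gt 0) {
    $ruleName = 'Block RDP brute-force sources (auto)'
    $ips = @($noisy.Name)
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($rule) {
        # Keep earlier offenders blocked: merge with the rule's current list.
        $ips += @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $ips = @($ips | Sort-Object -Unique)
        Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $ips
    } else {
        $ips = @($ips | Sort-Object -Unique)
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block -Protocol TCP -RemoteAddress $ips | Out-Null
    }
    Write-Output "Block rule '$ruleName' now covers $($ips.Count) address(es)."
}
```

Run it without `-Block` first; the account-name table is the part that tells you whether your own user name was ever in the attacker's list, which is what the OP was checking. The block rule is a stopgap only: as md2000 notes earlier in the thread, a botnet spreads its attempts over many addresses, so per-IP blocking thins the noise without closing the door. Not exposing the port does.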
  #26  
Old 09-18-2019, 04:36 PM
dougrb is offline
Guest
 
Join Date: Apr 2003
Posts: 178
Quote:
Originally Posted by Frankenstein Monster View Post
Are you referring to CVE-2019-0708 (Bluekeep)?
Here's Steve Gibson on Security Now discussing Bluekeep (Starting at 1:34:45). He's pretty much in agreement with all the advice given so far.

https://www.youtube.com/watch?v=MoTo0h4bLME
  #27  
Old 09-19-2019, 07:23 AM
ftg is offline
Member
 
Join Date: Feb 2001
Location: Not the PNW :-(
Posts: 20,303
Slashdot in the past day posted a blurb with the headline "Exposed RDP Servers See 150K Brute-Force Attempts Per Week". With some links to click on for more info.

If RDP were "safe", there wouldn't be so much focus on trying to crack into systems using it.
  #28  
Old 09-19-2019, 07:57 AM
Mangetout is offline
Member
 
Join Date: May 2001
Location: England
Posts: 57,943
Quote:
Originally Posted by EdelweissPirate View Post
That’s all valid. But any attacker already has an exploit to circumvent RDP auth: brute force. An attacker can just hammer away with random username/password pairs until they get in. And, given enough time, they’ll succeed.

Of course, that’s true for any service that relies on usernames and passwords for access control. Unix tools like fail2ban address this by blocking IP addresses from which too many failed attempts are made.

ETA: partly ninja’d by the OP!
Ah, of course - the other factor is that RDP does not even throttle after failed attempts - other kinds of web-facing login services often implement an incrementing timeout after each failed attempt - effectively limiting brute force attacks.
  #29  
Old 09-20-2019, 12:03 PM
arseNal is offline
Guest
 
Join Date: Apr 2005
Posts: 888
Quote:
Originally Posted by Frankenstein Monster View Post
Thanks, EdelweissPirate. A bit harsh, but solid advice. Gonna buy a simple little router right now.
As one of the participants in this thread who you apparently didn't listen to the first time around, I just wanna say you're only lucky that this new exploit didn't hit you. Often, it's the NEWER versions of windows (your win10 vs win7) where these exploits are found whereas the slightly older ones (say one gen back like win7) have had more exposure and more time to mature and have had patches created.

Think about it, you were not too far from losing everything. Like, everything. Here you are trying to cover all bases like a madman to somehow shield your frankly fragile windows machine ("unplug all outside networks during feature updates"? ) when everyone was giving you simple advice to use a router.

I don't even remember what your reason was for not wanting to use a router in the first place but it can't be a good enough reason IMO.
  #30  
Old 09-20-2019, 12:21 PM
Frankenstein Monster is offline
Charter Member
 
Join Date: Apr 2004
Location: Europe
Posts: 761
Thanks for the link, ftg that's exactly the stuff I wanted to hear when I asked the OP.

In case it's not clear, I know very well, and always knew that RDP should not be exposed on the public internet. I never knowingly exposed RDP to the internet. In fact I was always careful to specifically block RDP from the internet. (Though not in the best way.) Except just that one time last year, for a few hours, by accident. So yes, I now know from direct experience about those "Exposed RDP Servers See 150K Brute-Force Attempts Per Week", that's all true.

arseNal I disagree with nothing in your post (well I remember the reason but other than that).
  #31  
Old 09-20-2019, 03:25 PM
md2000 is offline
Guest
 
Join Date: Feb 2009
Posts: 15,079
Most RDP setups are to Windows servers, usually implementing domain policies. One default policy is that an account is locked after X bad tries - usually 5 bad tries, 10 minutes locked. (Hence attempts that try maybe a few passwords then move on to a different ID). Again, the actual administrator account is immune to locking, and it's AFAIK impossible to make it only allowed to login on the console, not remote. As others mention, standard practice (and what you find on new non-server Windows) is that the Administrator is by default disabled, like Guest.

A box router is better than using Linux or Windows as the internet-facing interface, because a full version of Windows has far too many attack points, some of which we may not know. It's a huge and complex pile of steaming software. A router box has one job, much simpler programming, and a much smaller possibility of holes in the system. (However, do check for firmware updates from time to time...)

My problem with Windows Firewall is the opposite. Updates occasionally turn it back on, whereas managing a decent sized network you want to be able to control and manage PC's remotely - and this will fail for some applications when the firewall goes back on. I forget how many times I've had "why can't I connect to that workstation???" only to find the firewall has turned back on. Within a well-protected domain network, local firewalls are usually off by policy.

Good higher-end firewalls like WatchGuard or Sonicwall have the feature to enable authentication logins. You cannot use, say, RDP unless you login to the firewall's web page and authenticate. You can even set this up to be a different user/password than the RDP connection, so a hacker has to find 2 sets of ID's.
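An added example, not code from the thread or from md2000: the two local-account controls described in the post above applied on a stand-alone Windows 10 machine, an account lockout policy using the "5 bad tries, 10 minutes locked" values the post gives, and the built-in Administrator and Guest accounts disabled, with the policy read back from `net accounts` to confirm it took. Because the post also notes that the built-in Administrator is immune to lockout, the script treats disabling that account as the more important of the two, but refuses to do so if it is the only enabled administrator. The values are the thread's, not a general recommendation.

```powershell
#Requires -RunAsAdministrator
# Added example (not code from the thread): apply the local-account controls
# md2000 describes on a stand-alone Windows 10 host: a lockout policy
# (5 bad tries, 10 minutes locked) and a disabled built-in Administrator and
# Guest account. On a domain-joined machine the policy comes from Group Policy
# instead and this script's `net accounts` call only reports it.

$LockoutThreshold = 5     # bad passwords before the account locks
$LockoutMinutes   = 10    # lockout duration; the observation window is set to match

function Disable-BuiltInAccounts {
    # Built-in accounts are identified by RID (the last SID component), not by
    # name: 500 = Administrator, 501 = Guest, whatever they have been renamed to.
    # The RID-500 account is not subject to lockout, so keeping it disabled
    # matters more than the policy below. Never disable it if it is the only
    # enabled local administrator.
    $adminSids = @((Get-LocalGroupMember -Group 'Administrators' |
        Where-Object ObjectClass -eq 'User').SID.Value)
    $otherAdmins = @(Get-LocalUser | Where-Object {
        $_.Enabled -and $_.SID.Value -notmatch '-500$' -and ($adminSids -contains $_.SID.Value)
    })
    foreach ($acct in (Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' })) {
        if (-not $acct.Enabled) { Write-Output "$($acct.Name): already disabled"; continue }
        if ($acct.SID.Value -match '-500$' -and $otherAdmins.Count -eq 0) {
            Write-Warning "$($acct.Name) is the only enabled administrator; create another admin account first"
            continue
        }
        Disable-LocalUser -InputObject $acct
        Write-Output "$($acct.Name): disabled"
    }
}

function Set-LockoutPolicy {
    param([int]$Threshold, [int]$Minutes)
    # Duration must be at least as long as the observation window; set both equal.
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$Minutes /lockoutwindow:$Minutes | Out-Null
}

function Get-LockoutPolicy {
    # Parse the lockout lines of `net accounts` output (e.g. "Lockout threshold: 5").
    $policy = @{}
    net accounts | ForEach-Object {
        if ($_ -match '^(Lockout threshold|Lockout duration \(minutes\)|Lockout observation window \(minutes\)):\s*(.+?)\s*$') {
            $policy[$matches[1]] = $matches[2]
        }
    }
    $policy
}

Disable-BuiltInAccounts
Set-LockoutPolicy -Threshold $LockoutThreshold -Minutes $LockoutMinutes
Get-LockoutPolicy | Format-Table -AutoSize
```

A lockout policy is the built-in throttle that Mangetout, a few posts earlier, points out RDP itself lacks; it caps how many guesses a bot gets per account per window, which is exactly why the firewall logs described in this thread show a few passwords per name before the attacker moves on to the next name.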
  #32  
Old 09-20-2019, 03:33 PM
md2000 is offline
Guest
 
Join Date: Feb 2009
Posts: 15,079
Quote:
Originally Posted by ftg View Post
Slashdot in the past day posted a blurb with the headline "Exposed RDP Servers See 150K Brute-Force Attempts Per Week". With some links to click on for more info.

If RDP were "safe", there wouldn't be so much focus on trying to crack into systems using it.
If RDP were so easy to crack, you'd see less attempts too. It's a tribute to the fact that it is immune to (almost) everything but brute force.

Hackers try because the rewards are so high. If you can get logged onto a server in an enterprise, you would have access to a huge amount of data to move to the next step of any attack.

(getting into a system can give you amazing opportunities - download the SAM for dictionary attack on all users/passwords; enumerate all other machines on the network, any shares, can you plant malicious software in assorted other systems; enumerate all users in the domain if anonymous SID enumeration is not off; read email perhaps; etc. etc. etc. And this does not even include being able to figure out the business organization for those famous emails "Hi it's the boss; Urgent - can you wire $200K to one of our customers?")