How secure is Windows Remote Desktop?

For as long as I remember, I have used Windows Remote Desktop over my local LAN to operate my computers.

I never connect to any of my computers directly from outside of my LAN. So I have never allowed access to port 3389 from the outside.

My OS edition is Windows 10 Pro.

I recently got the scare of my life - for the second time - when I noticed that my port 3389 had been visible to the outside and the firewall log was completely filled with hacking attempts to that port. (Windows Firewall log showing “ALLOW TCP … RECEIVE” where it should say DROP TCP.)

Turns out, since recent times, Windows during upgrade automatically removes my firewall restrictions (192.168.137.0/24) from this port, making it vulnerable to hacking. (GRRRR!)

AFAICT, the hacking attempts failed.

This time.

BUT, how close was I to disaster?

I initially thought only brute force guessing of my password had saved me from catastrophe.

But then I realized, they would also have to guess my user name. Is this true? Or can you log in to RDP with some generic user name that exists on Windows by default? (e.g. “Administrator” or the like. I haven’t made any other accounts myself. I don’t see any other accounts listed in the control panel. I don’t see any users listed at all under “Select users that can remotely access this PC”.)

And then there is “Network Level Authentication”, which of course, I have enabled. What does this do, exactly? Any good in preventing strangers from logging in? When I do need to RDP from the outside, I set up an elaborate SSH tunnel on port 3389 and that works. Where does NLA come into the picture?

Is there any trick to force Windows to KEEP MY FIREWALL RULES when it upgrades?
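The three things the question asks about (what is listening and where, whether the firewall rule still carries the 192.168.137.0/24 scope, and whether NLA is on) can all be read back from the machine. The script below is an added example, not code from the thread or from Microsoft; it assumes RDP is on the default port 3389 and that 192.168.137.0/24 is the only trusted source range. Run it in an elevated PowerShell on the Windows 10 host.

```powershell
# Added example (not from the thread): audit RDP exposure on a Windows 10 host.
# Assumptions: default port 3389; trusted LAN is 192.168.137.0/24 (the range in the question).
$Port = 3389
$TrustedLan = @('192.168.137.0/24')

# 1. What is listening on the port, and on which address? 0.0.0.0 means every adapter,
#    including the one facing the ISP, so only the firewall stands between it and the internet.
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object { "Listening on $($_.LocalAddress):$($_.LocalPort), PID $($_.OwningProcess)" }

# 2. Every enabled inbound Allow rule for TCP/$Port, with its remote-address scope.
#    'Any', or any entry outside $TrustedLan, is the post-upgrade state the question describes.
#    (Compare against the form Windows stores; it keeps '192.168.137.0/24' as typed.)
$rules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
foreach ($r in $rules) {
    $remote  = @(($r | Get-NetFirewallAddressFilter).RemoteAddress)
    $exposed = ($remote -contains 'Any') -or ($remote | Where-Object { $TrustedLan -notcontains $_ })
    $flag    = if ($exposed) { 'EXPOSED' } else { 'ok' }
    '{0,-7} {1,-40} profile={2,-12} remote={3}' -f $flag, $r.DisplayName, $r.Profile, ($remote -join ',')
}

# 3. NLA. With UserAuthentication=1 the server requires the client to authenticate (CredSSP)
#    before it creates a session, so an anonymous client never reaches the logon screen.
$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
"NLA required: $($nla -eq 1)"

# 4. Whether Remote Desktop is enabled at all (fDenyTSConnections=1 means it is off).
$ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
"Remote Desktop enabled: $($deny -eq 0)"
```

NLA answers the "where does it come in" part of the question: it moves authentication in front of session creation, so a stranger who reaches the port still has to present valid credentials before the server does any of the session-setup work. It does nothing about the port being reachable in the first place, which is what the reset firewall scope changed.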

No protocol is 100% safe, even webservers on port 80/443 are theoretically vulnerable if there’s some exploitable bug in the webserver software. I’m not up on windows security but my gut feeling is that RDP is a fair bit more vulnerable. In fact it’s one of the last services I would want to have exposed to the internet.

Which brings us to the next point, which is, why is your windows desktop PC accessible from the internet at all? Aren’t you using a router? A router would not forward requests to 3389 unless you explicitly told it to. This would make any firewall settings moot.

Exactly! That’s why I consider it a major crisis when it happens accidentally. Literally (almost), heartbeat racing, knees weak, arms are heavy, vomit on my sweater already…

My ISP only provides a bridged connection to the Internet out of the Ethernet port on their customer-premises equipment. I have always used a Windows workstation as a router. I don’t think Windows, correctly configured, is/was any less secure than those common cheap (or even professional expensive) easily-hacked separate Internet routers. Quite the opposite in fact.

I have thought about using a separate Linux machine as a router. Perhaps a RaspPi. That used to be not necessarily very secure either, but is much better today.

Still wondering how bad the RDP protocol is.

Apart from brute forcing credentials, anybody how vulnerable RDP would be to security exploits? Are there architectural features mitigating any possible security bugs?

Standard practice in enterprise environments is to require RDP users to connect via VPN or a Terminal Services Gateway. The port is blocked at the border. While I am not aware of any current exploits, it is not considered safe to directly expose RDP to the Internet.

As you have seen, one of the benefits of having a dedicated firewall device is the integrity of the firewall is not reliant on the condition of the protected assets. I think you may have some misconceptions about the security of Linux-based firewalls. They are extremely secure (subject to proper configuration, of course) and the security of it does not rely on the hardware you choose to deploy. The majority, probably all at this point, of consumer routers run Linux and are quite capable of preventing unwanted intrusions into a home network.

Firstly, I think you’ve found out the hard way that “correctly configuring” (and keeping it that way!) is not necessarily an easy thing to do in Windows. Consider that you are actually using this machine every day for work or entertainment. You are constantly installing/uninstalling software, fiddling with settings to make this or that work properly (oh, Steam wants this permission to access that remote server to play whatever game? Sure, allow! Oh, I want to allow this folder to be accessed by another PC on my network that I trust? Sure, turn on file sharing! Oh, I need to allow this specific traffic to allow my media server to scan my hard drive for pictures and videos so I can watch them on my big screen? Click!). This is not best practices for security, you want a dedicated appliance sitting there mostly unchanged, dedicated to network protection.

Secondly, I somewhat/mostly disagree with your statement anyway. Windows 10 is not a hardened server OS, it is meant for desktop productivity, games, media consumption. While they’ve come a long way, security is still not the primary focus of such an OS. For exposure to the internet, I would take a cheap home router over Windows 10 any day. Linux is good too of course, which as Cleophus mentioned is already running with iptables or similar on most/all home routers. I simply would never put any Windows desktop OS on the internet. Windows Server might be a different story.

Actually, I allow precisely nothing on the machine that is bridged to the Internet. That’s why I use a separate router machine in the first place.

Yes, it has grown increasingly problematic that any and all apps today tend to “help themselves” to incoming traffic on the Internet, without asking me anything (the answer would be no if they asked).

Yes, I agree that Linux iptables today is probably better, for the aforementioned reason and others.

So, anybody have info about how bad (vulnerable) a listening RDP port really is in practice? And what attacks is it vulnerable to?

Not a lot:

As for NLA

The Administrator account has a well known ID: Sometimes the ID number can be used without knowing the login name. This is one reason why it is common to disable the Administrator account when it is not required.

But that’s not to say that there is any well-known current problem with the Administrator ID (or with RDP). You keep this stuff disabled so that if someone does discover a new problem, you aren’t the one they demonstrate it on.

One small bit of security would be to change the port that RDP operates on. That way when M$ decides to helpfully open 3389 to the world, there’s no one listening to answer the call.

Yes and no. Firstly, if you open a different port, then you also have to open that port on the firewall. Secondly, hacking attempts come from automated programs. The first thing a scan of your firewall does is check all ports; it also analyzes the responses it gets to determine what program is waiting at the other end - mail relay? Remote desktop? Web service? FTP? etc. etc. It takes a lot of different probes, but a computerized scan program is patient. The information is then tucked away for use with any emerging exploits. (Although you know they try all any current ones)

A good higher end firewall should detect and block an IP that is attempting a scan. But of course, bot networks can marshal hundreds of different compromised PCs to avoid having a single IP identified and blocked. Another helpful hint - don’t enable administrator userid if you don’t have to. Most commercial (domain) setups will disable a userid for a time 10 minutes to 1/2 hour, usually after a certain number of bad passwords. Administrator cannot be locked out; plus, if enabled, it saves the bot having to guess user as well as password. And if someone you emailed had been hacked, your email is out there - which could be your userid for logging on…

I have seen firewall logs indicating that somewhere in Romania or China had been repeatedly trying user/password combinations for several hours during the night. Higher end firewalls now can ask that you authenticate to them first, then to the RDS server. Until you authenticate with the firewall, there is no response from the RDS login. Alternatively, VPNs are a more secure connection - often requiring preconfigured keys, etc.

Yes, a computer simply exposing Remote Desktop to the world is a bad idea. A computer not protected from the internet by a home router is especially a bad idea, because most exploits are not about RDS. Plus, with the number of devices in the home today, a router using private (NAT) addresses internally is pretty much a necessity.
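Two of the points above (the built-in Administrator account having a well-known ID, and lockout after a number of bad passwords) can be checked and set on a standalone Windows 10 machine. The script below is an added example, not from the thread; it assumes the standard local-accounts cmdlets and `net accounts` are available, and the lockout numbers (5 attempts, 30 minutes) are illustrative. Run it elevated.

```powershell
# Added example (not from the thread): locate the built-in Administrator by RID and set a lockout policy.
# Run in an elevated PowerShell on a standalone (non-domain) Windows 10 host.

# 1. The built-in Administrator always has RID 500, whatever it has been renamed to,
#    so match on the SID rather than on the name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
"Built-in Administrator is named '{0}', enabled: {1}" -f $builtin.Name, $builtin.Enabled

if ($builtin.Enabled) {
    # Only disable it if some other local user is in Administrators; otherwise you lock yourself out.
    $others = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -ne $builtin.SID.Value }
    if ($others) {
        Disable-LocalUser -SID $builtin.SID
        "Disabled '$($builtin.Name)'; remaining administrators: $($others.Name -join ', ')"
    } else {
        "Not disabling '$($builtin.Name)': it is the only local administrator"
    }
}

# 2. Lockout policy, the local equivalent of the domain setting described above.
#    Show the current values, then lock an account for 30 minutes after 5 bad passwords
#    within a 30-minute window (illustrative numbers).
net accounts
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
net accounts
```

The lockout threshold only applies to ordinary accounts; as the post says, the built-in Administrator is not locked out by it, which is the reason to keep that account disabled rather than rely on lockout.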

Thanks! Just thought of this myself yesterday evening after posting. Yes, this is an old trick that I used to do when I had listening HTTP and SSH servers (already well secured). I simply moved them to random-numbered 5-digit ports. Never any attacks. Note, they wouldn’t have been vulnerable even if attacked, this was an extra layer of security in addition to many others.

Definitely have to do this with my RDP port.

No, the port is not open on the firewall. My issue is Windows opening the port against my express instruction.

Note to self: next time, every time Windows does a feature update, unplug public Ethernet for the duration. Fix security settings before reconnecting.

(Also just yesterday, I noticed that port 7680 had also been opened to the public. Windows Delivery Optimization. Never wanted, never enabled, always disabled. But Windows had just turned it on without asking. At least it hadn’t been scanned or attacked yet.)

Never ever seen those on my public Internet connection, so far.

I’m not running any server (anymore) and I am an insignificant nobody on the internet. All I see is routine script kiddie probes of well known ports (445 and 3389 mostly). Not running any services on their well known ports - never responding anything on the well known ports - is a good way to reduce the routine hacking traffic (never the sole security measure).

Yes I think this is what I got when Windows accidentally opened port 3389. I didn’t log the contents of the packets, just the opening of the TCP connection. Tens of thousands at 10 per second or so, for more than 24 hours before I noticed.

Thanks md2000, interesting info. No big disagreement with anything in your post.
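The "ALLOW TCP ... RECEIVE where it should say DROP" condition from the opening post can be pulled out of the Windows Firewall log directly, which is quicker than eyeballing tens of thousands of lines. The script below is an added example, not from the thread; the log lines in it are constructed in the standard pfirewall.log layout (the `#Fields:` header is the real one), the addresses are documentation ranges, and 192.168.137. is treated as the trusted prefix. Point `$Lines` at `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log` to run it on a real log; logging of allowed connections has to be switched on in the firewall profile for ALLOW lines to appear at all.

```powershell
# Added example (not from the thread): summarise inbound RDP hits in a Windows Firewall log.
# Sample lines are constructed; on a real host use:
#   $Lines = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$Sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-05-20 03:14:07 ALLOW TCP 203.0.113.45 192.0.2.10 51234 3389 0 - 0 0 0 - - - RECEIVE
2019-05-20 03:14:07 ALLOW TCP 203.0.113.45 192.0.2.10 51235 3389 0 - 0 0 0 - - - RECEIVE
2019-05-20 03:14:08 DROP TCP 198.51.100.7 192.0.2.10 40001 445 0 - 0 0 0 - - - RECEIVE
2019-05-20 03:14:09 ALLOW TCP 192.168.137.20 192.168.137.1 50112 3389 0 - 0 0 0 - - - RECEIVE
2019-05-20 03:14:10 ALLOW TCP 198.51.100.7 192.0.2.10 40002 3389 0 - 0 0 0 - - - RECEIVE
2019-05-20 03:14:11 DROP TCP 198.51.100.7 192.0.2.10 40003 3389 0 - 0 0 0 - - - RECEIVE
'@
$Lines = $Sample -split "`r?`n"

function Get-RdpHit {
    param(
        [string[]]$Lines,
        [int]$Port = 3389,
        [string[]]$TrustedPrefixes = @('192.168.137.')   # assumed trusted LAN
    )
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }
        # field index: 0 date 1 time 2 action 3 protocol 4 src-ip 5 dst-ip 6 src-port 7 dst-port ... 16 path
        if ($f[3] -ne 'TCP' -or $f[7] -ne "$Port" -or $f[16] -ne 'RECEIVE') { continue }
        $trusted = $false
        foreach ($p in $TrustedPrefixes) { if ($f[4].StartsWith($p)) { $trusted = $true } }
        [pscustomobject]@{
            Time    = "$($f[0]) $($f[1])"
            Action  = $f[2]
            Source  = $f[4]
            Trusted = $trusted
        }
    }
}

$hits = Get-RdpHit -Lines $Lines

# Per-source totals for everything that reached the RDP port from outside the LAN.
$hits | Where-Object { -not $_.Trusted } |
    Group-Object Source, Action | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The condition the opening post describes: ALLOW from an untrusted source. Should be empty.
$leaks = @($hits | Where-Object { $_.Action -eq 'ALLOW' -and -not $_.Trusted })
"Untrusted sources that were ALLOWed through to RDP: $($leaks.Count)"
```

On the constructed input the last line reports 3 (two from 203.0.113.45, one from 198.51.100.7); the 445 probe and the LAN connection are excluded by port and by trusted prefix respectively.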

Depends what you want to do -
If you only RDP from inside your home network, set up a router (if you haven’t) and be sure it does not port-forward 3389 or any other port to your PC’s Remote Desktop.
If you won’t use RDP, block it on the Windows firewall; better yet, in control panel - system - system - advanced - remote tab, turn off remote access.
If you RDP from a known address or set of addresses, set the firewall rule to only allow from that IP (or IP range).

At least with Windows 10 or 7 or 8 you will know, because a remote session will bump you off first; or if you are lucky, ask permission first.

If you have phone or cable internet service, odds are the “modem” for your service is also a basic router. You can tell this if your PC’s IP is a non-routable address, 192.168.x.x or 10.x.x.x or 172.x.x.x; your ISP’s equipment is NAT’ing your internal network. Then the question is - do you have any port forwarding configured? Unless you deliberately set it up - odds are no.

OTOH, check windows firewall - with a laptop it should be on for public networks - so when on a public network like Starbucks, the guy at the next table can’t browse your files over WiFi.
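The three options above (restrict RDP to known addresses, turn it off entirely, or at least keep it off the public profile) map onto a handful of firewall and registry settings. The script below is an added example, not from the thread; `$TrustedPeers` is assumed and should be replaced with the addresses you actually connect from. It also requires NLA while it is there, since that is the other knob from the opening post. Run elevated; `Disable-Rdp` is defined but not called.

```powershell
# Added example (not from the thread): apply md2000's options from PowerShell. Run elevated.
$TrustedPeers = @('192.168.137.0/24')          # assumed; the range quoted in the question
$TS  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$Tcp = "$TS\WinStations\RDP-Tcp"

function Limit-Rdp {
    # Option: you RDP only from known addresses. Scope every inbound Allow rule in the
    # built-in 'Remote Desktop' group to those addresses and to the non-public profiles,
    # and require NLA so an unauthenticated client never gets a session created.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Action Allow |
        Set-NetFirewallRule -RemoteAddress $TrustedPeers -Profile Domain,Private
    Set-ItemProperty -Path $Tcp -Name UserAuthentication -Value 1
}

function Disable-Rdp {
    # Option: you do not use RDP at all. Same effect as the 'turn off remote access' checkbox,
    # plus disabling the inbound rules so nothing is allowed even if the listener comes back.
    Set-ItemProperty -Path $TS -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

Limit-Rdp

# Show the result: each rule's profiles and remote scope after the change.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound | ForEach-Object {
    $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    '{0,-45} enabled={1,-5} profile={2,-15} remote={3}' -f $_.DisplayName, $_.Enabled, $_.Profile, $scope
}
"NLA required: $((Get-ItemProperty -Path $Tcp -Name UserAuthentication).UserAuthentication -eq 1)"
```

Because the opening post reports the scope being reset by feature updates, keep this script and re-run it (or at least the final listing) after each one; the settings are what to check, not the Remote Desktop checkbox, which stays as it was.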

I did qualify my suggestion as a “small” bit of security. :)

But attacks that are going to scan all 65k+ ports of an IP are generally targeting a specific business or person. Someone probing all addresses in a range are more likely to just scan a subset of the ports of known protocols in the interest of covering as many potential targets as possible.

Just dropped by to note that last month there is a current exploit! (or last month actually)

And they are reporting that 10’s of thousands of RDP connections are exposed to the internet. (Which I must say surprised me.)

Only a Win7/XP/2K exploit apparently. Win10 is implemented differently. (In a way which makes it /much more difficult/ to debug, but that is evidently a good thing in this case.)

Are you referring to CVE-2019-0708 (Bluekeep)?

Here is a very interesting, very technical writeup.

Apparently Windows 10 was not affected and earlier versions have been fixed with Windows Update.

Good to know. I religiously monitor the RDP port to check that it’s not listening on the outside. Every Windows feature update makes it listen on the outside but I am now aware of this and unplug all outside networks during feature updates.

I use remote desktop internally only, and only the tech department (all two of us) have access to it. That’s as far as I want to go with it.

I don’t understand your setup from your original question. Do your internal Windows machines have public IP addresses? If not, is your router and/or firewall set up to forward traffic on that port to your internal machines?

ONE of the machines has a public IP address. It’s a Windows 10 machine with multiple network adapters and Windows Connection Sharing to provide (one level of) internal network.

Windows 10 insists on listening on all adapters (0.0.0.0) when Remote Access is enabled. Plus without warning it clears the Firewall settings that block public access.

Just while writing this, it occurred to me I should look for a setting to bind the RDP to the intranet adapter. Probably worth trying, although the real problem is Windows resetting all my security settings when updating to a Feature update.

One day I’ll set up a nice little low power Intel NUC (already in my closet) with Linux for the public internet routing. Sure hope I get around to that before I get hacked.
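Whether or not the RDP listener can be rebound away from 0.0.0.0, the firewall can be told which adapter RDP is allowed on, and a Block rule is the more robust shape for it: Windows Firewall evaluates explicit Block rules ahead of Allow rules, so a feature update that re-opens the built-in Allow rule does not by itself reopen 3389 on the blocked adapter. The script below is an added example, not from the thread; `Ethernet` is an assumed alias for the adapter that holds the public IP (check `Get-NetAdapter` for the real one). Run elevated, and verify after the next feature update that the custom rule survived, since the thread only reports what happens to the built-in rule.

```powershell
# Added example (not from the thread): block inbound RDP on the ISP-facing adapter only.
# 'Ethernet' is an assumed alias; list adapters with Get-NetAdapter and substitute.
$PublicAdapter = 'Ethernet'
$RuleName = 'Block RDP on public adapter'

if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 3389 -InterfaceAlias $PublicAdapter -Profile Any | Out-Null
}

# Verify. The listener itself is still expected to show 0.0.0.0 on Windows 10; what
# matters is that the block rule exists, is enabled, and is bound to the right adapter.
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
$rule = Get-NetFirewallRule -DisplayName $RuleName
$iface = ($rule | Get-NetFirewallInterfaceFilter).InterfaceAlias
'{0}: enabled={1} action={2} interface={3}' -f $rule.DisplayName, $rule.Enabled, $rule.Action, $iface
```

The LAN adapter keeps whatever the built-in Remote Desktop rules allow, so internal RDP keeps working; the SSH tunnel from outside also keeps working, since the tunnelled connection arrives on the loopback interface, not on `$PublicAdapter`.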

Ah, I see. As has been said, don’t do this. No Windows machines should be public facing without being behind a separate firewall. A simple NATing router would be better than what you have now.

There’s your problem. You’re gravely mistaken about this. With apologies to Samuel Johnson, an edge router running Windows is like a dog’s walking on its hind legs. It is not done well; but one is surprised to find it done at all.

Manson1972 and others are exactly right when they say “don’t do this.” Really: don’t. Buy a dedicated router box and install it today. It presents a much, much smaller attack surface than your Windows machine.

I’m not sure why you think “separate internet routers” are easily hacked, but your Windows machine is almost certainly more vulnerable than, say, a fully patched Ubiquiti Edgerouter (which sells for about $50).

You really need to close the public-facing RDP ports and use a dedicated router’s VPN (even cheap routers act as VPN servers these days). Tunneling over SSH would be ok—as long as you’re not using passwords—but right now, you’re SSHing into a publicly-accessible Windows machine. That alone presents a slew of potential vulnerabilities.

I don’t want to be mean, but this highlights the fact that you shouldn’t be running a Windows machine as a router.

Really, no one should. But if you have to ask the question above, you definitely shouldn’t. Respectfully, you don’t know enough about network security to lock down a public-facing Windows machine.

Do not build a router by putting Linux on your NUC. Even if you used a good router distro like Shorewall, you don’t currently know enough about either Linux or network security to configure it properly.

Buy a dedicated router today and put it in place of your Windows router. Then, if you really want to learn how to roll your own router/firewall, do some homework and then install Shorewall on your NUC.

You won’t get the configuration right the first time, but you don’t have to. Your dedicated router will provide much better security than you have now, giving you some breathing room so you can learn.