National Cyber Security Awareness Month 2017 has dedicated this week to creating a culture of shared responsibility for addressing the most common threats to organizations. Let’s explore shared responsibility with respect to Remote Desktop and hijacking threats.
Sidebar: A recent paper from Kevin Beaumont (@GossiTheDog) is an excellent refresher on RDP hijacking. The bottom line is that RDP is a powerful operating system feature that can be used for good or abused by evil. Unfortunately, RDP hijacking is all too easy.
Most organizations have prior experience with intruders attempting to access Remote Desktop endpoints. Password guessing attacks over RDP are very common and automated. In the best case, attacks manifest in account lockout due to failed logon attempts. Nonetheless, it’s easy to see a shared responsibility in this example. Corporate security policy is as important as user behavior related to safeguarding organizational passwords.
Chronic account lockouts have been enough of a nuisance that many companies no longer expose RDP at the corporate perimeter. Malware like “EsteemAudit” from the Shadow Brokers dumps earlier this year also gave pause to organizations with open RDP endpoints on the internet (especially for those behind on security updates). As Beaumont recommends, implement multi-factor authentication if you must expose RDP to the internet.
Within corporate networks, RDP is still a productivity mainstay as desktops frequently allow help desk access as well as virtualized server and use from home scenarios. RDP is also popular for administrative access to PI Servers. Microsoft’s “Mitigating Pass-the-Hash and Other Credential Theft, version 2” white paper and related presentations outline a starting point in lateral movement defenses. More advanced protection for accessing remote desktops is available with Windows 10/Server 2016 Remote Credential Guard.
A shared responsibility for those using BYOD devices is to block peer to peer RDP using the Windows Firewall. I recommend “Demystifying the Windows Firewall” by Microsoft’s Jessica Payne (@jepayneMSFT) for a deep dive refresher on configuring this barrier. A simple trick is to scope the Remote Desktop (TCP-In) rule to only allow specific hosts.
We observe many customers using jump hosts or restricted out of band device management paths to protect important servers. Again multi-factor authentication for privileged access to critical assets is recommended.
RDP exposure to servers hosted in public cloud infrastructure is a growing concern. Cloud is another use case where a shared responsibility makes sense. Individuals managing VMs can configure port mapping to hide RDP endpoints; at least miscreants will have to scan to find the port before launching an attack. But this isn’t strong enough and you’ll need a subscription administrator to deploy protections like multi-factor authentication, network security groups (NSG), and a feature introduced this month called ‘Just In Time’ VM access. At a minimum, we recommend NSG whitelists for allowed inbound and outbound connections.
As a credit to the NERC CIP standard, strong requirements for interactive remote access are designed to protect digital assets important to bulk electric system operations from threats like RDP hijacking. The standard requires multi-factor authentication and other technical defenses. Shared responsibilities between companies are important including coordination with OSIsoft on identity management, personnel surety, management of change, and logging such as providing Bomgar session recordings.
In summary, wise and safe use of RDP is a shared responsibility. Avoid RDP endpoints naked on the internet. Think twice about RDP on interior networks from machines that flirt with the internet, open email attachments, or struggle with software updates including the operating system and applications. As a good practice, stake out dedicated management workstations and enable multi-factor authentication where available.