Remote Desktop – Are You Meeting Trouble Halfway
Microsoft Remote Desktop (RDP) is a very popular way to access Windows PCs remotely.
It’s easy: after setup you just double-click a shortcut on your desktop, you are logged in, and it’s just like you were sitting in front of your remote computer.
It’s fast: it does not require a lot of bandwidth and performance is excellent.
Best of all is that the price is right. RDP is baked right into Windows so all the software you need is there, free for the taking (note: you can only remote into Windows Pro or greater).
Many millions use it to connect to remote PCs. However, if it is not done correctly (read: securely) the consequences can be disastrous. Brute force RDP attacks are on the rise. How does this work?
The ability to remote into a Windows PC via Remote Desktop is turned off by default. Once turned on, it is available for remote access. To access it from another PC you need three pieces of information (assuming you have the name or IP address of the remote computer):
- The port
- The username
- The password
The Port
This is the easy one. RDP works through a specific port on your Windows machine. It’s port 3389 by default, but it can be easily changed to whatever you like. Port 3389 is automatically open on the firewall of Windows Pro PCs. So, if you are on the same network as the computer you are remoting into, you simply type the IP address of the computer you want to log into and you are connected (you still have to put in a username/password). Of course, if you are accessing the PC from outside the office (and of course we always are) then the port has to be opened on your external firewall to allow this traffic in (this is called port forwarding). This is where the trouble begins.
Right now, and at any given moment, there are hundreds, nay thousands, of script kiddies (rookie hackers) scanning the Internet for firewalls with open ports, and when they find one and determine that it is for RDP, they attack. With fury.
Myth: Changing the RDP port from the default 3389 to something else makes it more secure. This is false. Whatever port you use on your Windows PC and your firewall can be easily determined with port scanners.
The Username
The username for your computer can be guessed with a little research into the company. Let's face it... most companies use a naming convention, so once you have a name you can deduce the username. 90% use either first name or first initial followed by last name as a naming convention.
The Password
Depending on who you are and what your password policies are, this could be very easy or very hard to guess. In either case, remember this: the Windows operating system has a little-known security issue in that there is no default automatic lockout for failed attempts to access the PC. When trying to log in while sitting at the computer, the length of time Windows thinks about it grows with each failed attempt. However, when trying to access via Remote Desktop a hacker can simply keep trying to get in. We have done post-mortems on brute force RDP attacks and found that the hackers had been trying for months to get in. Every few seconds, another attempt. It's just a matter of time before they get in.
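The "every few seconds, another attempt" pattern described above is visible in the Windows Security log as a stream of Event ID 4625 (failed logon) records. The following is an added example, not code from the original post or from Ethix IT Security: it runs a simple burst detector over constructed sample records shaped like 4625 events (timestamp, event ID, logon type, target user, source IP, sub-status) and flags any source address that reaches a threshold of RDP logon failures inside a short window.

```python
"""Flag brute-force style RDP logon failures in exported Windows Security events.

The sample records below are constructed for this example and mimic the fields
of Event ID 4625 ("An account failed to log on"). Real data would come from a
CSV export of the Security log or a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, logon_type, target_user, source_ip, sub_status)
# Sub-status 0xC000006A = wrong password, 0xC0000064 = user name does not exist.
SAMPLE_EVENTS = [
    ("2024-03-01 02:14:03", 4625, 10, "jsmith", "203.0.113.7", "0xC000006A"),
    ("2024-03-01 02:14:06", 4625, 10, "jsmith", "203.0.113.7", "0xC000006A"),
    ("2024-03-01 02:14:09", 4625, 10, "administrator", "203.0.113.7", "0xC000006A"),
    ("2024-03-01 02:14:12", 4625, 10, "admin", "203.0.113.7", "0xC0000064"),
    ("2024-03-01 02:14:15", 4625, 10, "mjones", "203.0.113.7", "0xC000006A"),
    ("2024-03-01 09:30:00", 4625, 10, "mjones", "198.51.100.22", "0xC000006A"),  # one typo
    ("2024-03-01 09:31:10", 4624, 10, "mjones", "198.51.100.22", "0x0"),         # then success
    ("2024-03-01 11:00:00", 4625, 2, "mjones", "-", "0xC000006A"),               # local console
]

# Logon type 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, failed RDP attempts are often recorded as type 3 instead, so both
# are treated as RDP candidates here (a simplification: type 3 also covers SMB).
RDP_LOGON_TYPES = {10, 3}


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (total_failures, sorted_usernames)} for every source
    whose RDP logon failures reach `threshold` within any `window`-long span."""
    failures_by_ip = defaultdict(list)
    for ts, event_id, logon_type, user, ip, _sub_status in events:
        if event_id != 4625 or logon_type not in RDP_LOGON_TYPES or ip == "-":
            continue
        failures_by_ip[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))

    flagged = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):  # sliding window over time-ordered failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(fails), sorted({u for _, u in fails}))
                break
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {count} RDP logon failures, usernames tried: {', '.join(users)}")
```

A single mistyped password from a legitimate user is not flagged; the source that cycles through several usernames within seconds is.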
Best Practice
Remote access to work computers has never been more important with record numbers of people working from home. Hackers worldwide are exploiting this and looking for the weakest link. So it is crucial that you choose a remote solution that is secure. Here are two options:
Option 1 - Remote Desktop with VPN Solution
Using a VPN, staff can connect to your work network. At that point, they can RDP into their workstation without having to punch holes in the company firewall. Under no circumstances should you open ports on your company firewall for remote access. Further, the VPN solution you choose should be business class, robust with good throughput, and well managed. Each staff member should have their own VPN account, centrally managed by management or your IT security person. Consider implementing multi-factor authentication on your RDP access.
This solution may cost a bit more upfront (for example to purchase a business class VPN firewall) but ongoing costs are lower.
Option 2 - Remote Connectivity Software
Many businesses prefer to use subscription software such as LogMeIn to access PCs from home. There are many options to choose from. Choose one that supports multi-factor authentication and also provides individual user accounts and the ability to configure permissions to devices accordingly. In this case, Remote Desktop should be disabled on PCs and there should be no firewall rules to allow RDP connections through the firewall.
Reach out to Ethix IT Security for assistance in setting up secure remote connectivity in your organization. Stay safe and here's to keeping the bad guys out!