Introduction
On Day 15 of the ‘MyDFIR 30-Day SOC Challenge,’ I delved into one of the most commonly exploited protocols—Remote Desktop Protocol (RDP). Widely used for remote connections, RDP is often targeted by attackers. According to a 2023 report from Sophos, RDP abuse was present in 90% of ransomware breaches, emphasizing the importance of securing this protocol. In today’s task, I learned how attackers abuse RDP, how to identify exposed endpoints, and the steps needed to secure RDP environments.

What is RDP?
RDP (Remote Desktop Protocol) is Microsoft's protocol for communication between a terminal server and a terminal server client. It gives authorized users an interactive desktop session on a remote machine. The default listening port is 3389; the service runs over TCP, and newer versions also carry session traffic over UDP 3389. While convenient, a listener that is reachable from the internet and protected only by a password is an easy target, so RDP is vulnerable to exploitation if not properly secured.
How RDP is Abused
Attackers often target exposed RDP services. Here’s how they abuse it:
- Brute Force Attacks: Using automated tools, attackers attempt multiple username and password combinations to gain unauthorized access.
- Credential Dumping: Once inside a system via RDP, attackers dump credentials and use them for lateral movement within the network, escalating their privileges to gain access to sensitive data or deploy ransomware.
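Detecting the first of these is the SOC side of the same story. The block below is an added example, not code from the original post or from the MyDFIR challenge: a small brute-force detector run over constructed Windows Security log records. It assumes (my assumption, not the page's) that the SIEM has already extracted Event ID 4625 (failed logon) and 4624 (successful logon) into dicts with the fields EventID, TimeCreated, LogonType, TargetUserName and IpAddress; LogonType 10 (RemoteInteractive) is what an RDP session produces.

```python
"""Added example: flag RDP password guessing from Windows Security events.

Assumption (not from the page): events arrive as dicts with the fields a
SIEM extracts from Event IDs 4625/4624. LogonType 10 = RemoteInteractive,
i.e. an RDP session; other logon types (SMB, services) are ignored here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # RemoteInteractive
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624

# Constructed sample records (not real logs). 203.0.113.7 fails six times
# against several accounts inside two minutes and then logs in as "backup";
# 198.51.100.9 has a single failure, which is ordinary user behaviour.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2024-05-01T10:00:01", "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2024-05-01T10:00:15", "LogonType": 10, "TargetUserName": "admin",         "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2024-05-01T10:00:22", "LogonType": 3,  "TargetUserName": "admin",         "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2024-05-01T10:00:30", "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2024-05-01T10:00:44", "LogonType": 10, "TargetUserName": "backup",        "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2024-05-01T10:01:02", "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2024-05-01T10:01:20", "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:02:05", "LogonType": 10, "TargetUserName": "backup",        "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2024-05-01T10:03:00", "LogonType": 10, "TargetUserName": "jsmith",        "IpAddress": "198.51.100.9"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP once it produces `threshold` failed RDP logons inside
    `window`, and escalate the alert if the same source later succeeds.
    Returns a list of alert dicts sorted by source IP."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["TimeCreated"]))
    recent = defaultdict(deque)   # source IP -> (time, user) of failures inside the window
    alerts = {}                   # source IP -> alert dict

    for e in ordered:
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue              # not an RDP logon attempt
        src = e["IpAddress"]
        ts = datetime.fromisoformat(e["TimeCreated"])
        user = e["TargetUserName"]

        if e["EventID"] == EVENT_LOGON_FAILED:
            q = recent[src]
            q.append((ts, user))
            while ts - q[0][0] > window:   # drop failures older than the window
                q.popleft()
            if src in alerts:
                alerts[src]["failures"] += 1
                alerts[src]["users"].add(user)
            elif len(q) >= threshold:
                alerts[src] = {
                    "source": src,
                    "failures": len(q),
                    "users": {u for _, u in q},
                    "first_seen": q[0][0].isoformat(),
                    "success_after": None,
                    "severity": "medium",
                }
        elif e["EventID"] == EVENT_LOGON_SUCCESS and src in alerts:
            # A success right after a burst of failures is the real signal:
            # the password was most likely guessed, not mistyped.
            alerts[src]["success_after"] = {"user": user, "time": ts.isoformat()}
            alerts[src]["severity"] = "high"

    out = []
    for a in sorted(alerts.values(), key=lambda a: a["source"]):
        a["users"] = sorted(a["users"])
        out.append(a)
    return out


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Threshold and window are tuning knobs: on a host that is only reachable over a VPN, five RDP failures in five minutes is already unusual; on an internet-exposed listener the same rule fires constantly, which is itself the argument for the hardening steps later in this post. The 4625 with LogonType 3 in the sample is deliberately skipped so the count reflects RDP attempts only.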
Finding Exposed RDP Servers
I used two platforms to locate RDP-exposed endpoints on the internet: Shodan and Censys.
Shodan:
- I navigated to Shodan.io and created an account.
- In the search bar, I typed port:3389 and hit enter. This revealed over 4.3 million assets with open RDP ports.
- It's crucial to determine whether a server should have RDP exposed at all. If not, the port should be closed at the firewall or the server placed behind a VPN.

Censys:
- I logged in to Censys.io and clicked "Search Now."
- Entering 3389 in the search bar yielded 3.43 million entries.
- I filtered the results by selecting RDP as the service name, narrowing them down to hosts actually running RDP rather than anything else listening on 3389.

5 Ways to Secure RDP Services
1: Turn Off RDP
If RDP is not needed, the safest option is to disable the service entirely. In many cases, RDP is left enabled after development or a one-off support session, and the forgotten listener becomes the way in.
The commands below stop and disable xrdp, the open-source RDP server for Linux (they need root). On Windows, Remote Desktop is turned off in System settings, which sets the fDenyTSConnections registry value, and the built-in "Remote Desktop" firewall rule group should be disabled as well so nothing is listening on 3389.
sudo systemctl stop xrdp
sudo systemctl disable xrdp
2: Enable Multi-Factor Authentication (MFA)
Always enable MFA to add an extra layer of security in case credentials are compromised.
3: Restrict Access
Implement firewall rules to restrict RDP access to specific source IP ranges, or place the server behind a VPN so the port is never reachable from the internet.
Example ufw rule to allow RDP only from a trusted range (replace <trusted-ip-range> with your management network; this only restricts access if ufw's default incoming policy is deny):
sudo ufw allow from <trusted-ip-range> to any port 3389 proto tcp
4: Use Strong Passwords
Use passwords of at least 15 characters combining upper- and lowercase letters, numbers, and special characters; length matters more than complexity against the automated guessing described above. A privileged access management (PAM) tool that issues one-time passwords for administrative sessions removes the standing credential an attacker would otherwise guess or dump.
5: Disable Default Accounts
Default accounts such as the built-in 'Administrator' are the first names tried in brute-force and password-spraying attempts, so they should be disabled where possible, or at least renamed. Disabling is the stronger option: the built-in account keeps its well-known relative identifier (RID 500), so renaming alone does not hide it from an attacker who can enumerate accounts.
Conclusion
Understanding and mitigating the risks associated with RDP is crucial in today’s security landscape, given its widespread use and exploitation in cyberattacks. Throughout this task, I explored how attackers abuse RDP to gain unauthorized access, learned to identify exposed RDP services using tools like Shodan and Censys, and reviewed essential practices to secure these services. Implementing strategies such as turning off RDP when not in use, enabling multi-factor authentication, restricting access, and enforcing strong passwords significantly reduces the attack surface. This hands-on experience enhanced my ability to identify vulnerabilities and strengthened my understanding of securing remote desktop environments.