7 Tips on How Firms can Prevent Successful RDP Backdoor Attacks
Mcafee a few weeks ago has made a shocking expose about Remote Desktop user accounts being sold online at cheap prices, more particularly in the Dark Web. RDP is a remote desktop technology originally created by Citrix and licensed by Microsoft as part of Windows NT 4.0 Terminal Server Edition. From Windows 2000 up to the current Windows 10 operating system, all Windows “Professional” and “Enterprise” SKUs have a bundled Remote Desktop Service. This is a very convenient feature, as it enables system administrators to perform remote desktop connections without downloading a 3rd party program to do the same thing.
Corporations rely heavily on Remote Desktop, to use as a jump station, a remote server designed for running resource heavy applications that cannot be installed in a regular workstation. Access is granted and revoked based-on the corporate onboarding/offboarding policy. However, many corporations do not have an efficient and timely user account management system, hence some former employee RDP access remains active for extended periods of time. Some of those “forgotten” RDP accounts become available for sale in the black market, causing cybercriminals to have cheap access to corporate networks.
Just like the saying goes: “An ounce of prevention is worth a pound of cure,” organizations need to prevent the possibility of their RDP access to servers becoming a victim of “RDP for sale” modus operandi in the black market.
Here are our tips to minimize the chance of rogue access through a backdoor RDP access attempt:
Implement a strict corporate User Account Management.
Employees come and go, onboarding/offboarding is a normal process for any healthy company. The question is how efficient the corporate User Account Management is? UAM should be timely in order to prevent former employees from accessing the corporate systems using their old accounts. The black market is currently flooded with RDP accounts for sale, mostly from still active RDP accounts of former employees.
Enforce a password complexity and password expiration policy.
Password complexity requirement and expiration policy can be defined either through the use of an Active Directory server or a Samba server. Plain dictionary passwords need to be blocked and regular password expiry cycle needs to be implemented. With this implemented, even the old accounts of former employees will no longer work, as it will demand a forced password change.
Block IP addresses of devices after a few failed attempts to connect via RDP
This is a standard security policy, as multiple failed attempts mean a possible brute force attack against a system is currently happening. Blocking the IP of the attacker is a good way to slow down the brute force password attack and eventually the attacker will be demotivated to continue.
Enable remote access logging, to record information of users attempting to connect via RDP.
This security precaution is important, as this enables the organization to be security audit-friendly. An access log is vital to perform an investigation in the event a data or server breach happens.
For mobile users, only connect to the corporate network via a secure VPN connection.
Unencrypted wifi is everywhere and the only way to securely connect is by establishing a VPN connection. Through a VPN, communications are done through a secure pipe, free from snooping and monitoring.
The Sysadmin team needs to maintain an updated network diagram with as many details as possible
Documentation of the servers and the entire corporate network needs to be fully maintained and updated. This enables the environment to become audit friendly, pen testers can start from the documentation before they perform their testing.
Establish a fund for penetration testing.
Penetration testing service is expensive at first glance, but it will pay for itself once the system is hardened due to their advice. Let penetration testing ethical hackers do their jobs, as they simulate a real security breach with 0 damage to the company. This is a great security precaution that prevents future hacking attempts from becoming successful.