By Zach DeMeyer Posted January 20, 2020
It’s widely known that leaving Windows® Remote Desktop Protocol (RDP) ports open to the internet is a major risk to cybersecurity in the enterprise. If your organization needs to do so for any reason, however, there are steps you can take to protect yourself. Although we would never condone this practice, we’ve come up with three tips to help prevent brute-force attacks on open RDP ports and Windows virtual machines (VMs).
Why Open RDP Ports are a Security Issue
RDP is a proprietary Microsoft® protocol that allows remote access to a system or server over the internet. Unlike ports that expose a single service such as a web server, an RDP port provides interactive access to the entire system. If compromised in any way, an exposed RDP port can cripple an organization, especially if the compromised account is the virtual machine’s admin.
That’s why, in general, IT organizations hosting VMs via RDP centralize their machines in a virtual private cloud (VPC). These VPCs are guarded by virtual private network (VPN) connections — authentication “tunnels” that remotely connect authorized users to the VPC.
Some organizations, however, leave their RDP ports open to the internet. A few of these organizations do so unwittingly, unaware of the ticking time bomb they’ve accidentally created. Others leave ports open willingly. An organization that does so is knowingly operating on borrowed time from a security standpoint. Regardless of intent, RDP ports are still being left open to the internet, and subsequently open to attack.
Unguarded VMs on open RDP ports are one of the top points of entry for brute-force attacks. For instance, a botnet dubbed Goldbrute recently wreaked havoc on more than a million IP addresses, stuffing credentials into the login prompts of these open VMs until a combination worked. Once inside the VM, Goldbrute uses the machine to seek out additional hosts, spreading across more random IP addresses and cataloguing successful credential combinations to resell on the dark web.
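As an added illustration that is not part of the original post: the credential-stuffing pattern described above shows up on the target host as a burst of Windows Security Event ID 4625 (“An account failed to log on”) records with logon type 10 (RemoteInteractive, i.e. RDP). The script below uses constructed sample events with an assumed flattened field layout and flags source addresses that generate repeated RDP logon failures inside a short window, which is the signal a defender would alert on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP session)
FAILED_LOGON = 4625  # Security event "An account failed to log on"

# Constructed sample events (not captured from a real host). The field names are
# an assumed flattening of the 4625 event's IpAddress / TargetUserName / LogonType.
SAMPLE_EVENTS = [
    {"time": "2020-01-20T09:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "Administrator"},
    {"time": "2020-01-20T09:00:05", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2020-01-20T09:00:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "user1"},
    {"time": "2020-01-20T09:00:14", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "Administrator"},
    {"time": "2020-01-20T09:00:18", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2020-01-20T09:00:22", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "guest"},
    # A user mistyping a password twice, half an hour apart: noise, not an attack.
    {"time": "2020-01-20T09:01:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.5", "user": "jsmith"},
    {"time": "2020-01-20T09:30:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.5", "user": "jsmith"},
    # A network (type 3) logon failure and a successful RDP logon (4624): both ignored here.
    {"time": "2020-01-20T09:02:00", "event_id": 4625, "logon_type": 3, "src_ip": "203.0.113.9", "user": "svc"},
    {"time": "2020-01-20T09:03:00", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.5", "user": "jsmith"},
]


def find_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Return {src_ip: (max_failures_in_window, distinct_users)} for every source
    that produced `threshold` or more failed RDP logons inside any `window`."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        by_ip[ev["src_ip"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span covers at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {user for _, user in attempts[start:end + 1]}
                # Keep the busiest window seen for this source address.
                if ip not in flagged or count > flagged[ip][0]:
                    flagged[ip] = (count, len(users))
    return flagged
```

A high distinct-user count per source, as in the flagged sample, distinguishes spraying across accounts from one user repeatedly mistyping a password.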
In a related-yet-separate instance, a Spanish MSP, Everis, and one of its clients, Spain’s largest radio network, were recently hit by ransomware. The source of the breach? Thousands of exploitable RDP servers, left open to the whims of the internet. Although some are attributing the attack to a now-patched vulnerability called BlueKeep, the thousands of exposed RDP servers were critical to the breach.
3 Tips to Prevent Brute-Force Attacks on RDP Ports
Organizations need to safeguard their RDP ports from brute-force attack, so we’ve compiled three straightforward tips to help prevent these types of attacks.
1. Stronger Passwords
It should already be an organization-wide security practice, but strong passwords are a must for any business. Goldbrute used weak and reused passwords to crack unprotected RDP servers with relative ease. So, IT organizations need to enforce password length, complexity, and potentially rotation policies to ensure their VMs and other critical enterprise systems can withstand a brute-force attack.
Of course, some end users struggle to remember long, complex passwords, resorting to the even worse security “practice” of writing their passwords on a sticky note affixed to their monitor. As such, sysadmins should invest in some sort of password manager or even centralize their passwords to assist end users while maintaining security.
2. VPNs
As we mentioned earlier, a VPN is a common way of gating RDP port access. By setting up a VPN, organizations can add an additional layer of authentication to keep the bad guys out.
Of course, VPNs have their own potential drawbacks. Some organizations find that setting up a VPN is too technical for their already swamped IT teams. Additionally, while a VPN will help to protect a VM, if the VPN is secured with a weak, reused password, then it too can be brute-forced by bot attacks.
3. MFA
Multi-factor authentication (MFA) is arguably the best method for securing authentication. MFA adds an extra layer of security to the standard username/password login process. Many forms of MFA use a randomly generated, six-digit code to confirm a user’s identity.
In their study of MFA, Google’s Security Blog found that device-based MFA is 100% effective at preventing account takeovers due to bot attacks. Obviously, having some form of device-based MFA to safeguard RDP-connected servers is crucial. Armed with the proper solution, IT organizations can enforce MFA on both their Windows VM and VPNs, almost completely barring brute-force attacks against them.
How to Enforce These Practices
If your organization needs to safeguard exposed RDP ports and enforce these tips, there’s a solution that can help. A cloud directory service unifies a user’s identity with one strong password, which applies to virtually all their resources, including Windows VMs and VPNs, and backs them with multi-factor authentication.