By Zach DeMeyer Posted January 20, 2020
It’s widely known that leaving Windows® Remote Desktop Protocol (RDP) ports open to the internet is a major risk to enterprise security. We don’t recommend the practice, but if your organization has to expose RDP for some reason, there are steps that reduce the risk. Below are three tips to help prevent brute-force attacks against open RDP ports and the Windows virtual machines (VMs) behind them.
Why Open RDP Ports are a Security Issue
RDP is a proprietary Microsoft® protocol that gives a user a full interactive desktop session on a remote Windows system or server; by default it listens on TCP port 3389. Unlike a port that fronts a web server and exposes only that one application, an RDP port exposes the entire system. A compromised RDP login can cripple an organization, especially if the account compromised is the virtual machine’s administrator.
That’s why IT organizations that host VMs reached over RDP generally keep those machines inside a virtual private cloud (VPC) with no RDP listener facing the internet, and place a virtual private network (VPN) in front of it: an authenticated, encrypted tunnel that connects authorized users to the VPC before they can reach port 3389 at all.
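The simplest way to confirm that posture is to audit the rules that govern inbound traffic to the VMs. The following Python check is an added example (not code from the original post): it flags any firewall or security-group rule that leaves port 3389 reachable from a source range broad enough to count as the public internet. The rule record shape, the rule names and the "wider than a /16 is effectively public" threshold are assumptions for illustration, not any vendor's format.

```python
"""Flag firewall / security-group rules that expose RDP (TCP 3389) to the internet.

Added example, not from the original post. Rule records use a constructed,
vendor-neutral shape: {"name", "proto", "from_port", "to_port", "cidr"}.
"""
import ipaddress

RDP_PORT = 3389                 # default RDP listener port
PUBLIC_THRESHOLD = 2 ** 16      # hypothetical policy: any source wider than a /16 is "public"
ANY_PROTO = {"-1", "any", "all"}  # vendor spellings for "all protocols" (assumed)


def rule_exposes_rdp(rule, threshold=PUBLIC_THRESHOLD):
    """True if the rule lets RDP through from an effectively public source range."""
    proto = rule["proto"].lower()
    if proto not in ANY_PROTO | {"tcp", "udp"}:
        return False
    lo, hi = rule["from_port"], rule["to_port"]
    if proto in ANY_PROTO:          # "all traffic" rules cover every port regardless of fields
        lo, hi = 0, 65535
    if not lo <= RDP_PORT <= hi:    # port ranges that happen to include 3389 count too
        return False
    net = ipaddress.ip_network(rule["cidr"], strict=False)  # handles IPv4 and IPv6
    return net.num_addresses > threshold


def find_exposed_rdp(rules):
    """Return the names of rules that expose RDP."""
    return [r["name"] for r in rules if rule_exposes_rdp(r)]


# Constructed sample rule set (not real infrastructure).
SAMPLE_RULES = [
    {"name": "rdp-from-vpn",   "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "10.8.0.0/24"},
    {"name": "rdp-open",       "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
    {"name": "wide-range",     "proto": "tcp", "from_port": 3000, "to_port": 4000, "cidr": "0.0.0.0/0"},
    {"name": "https",          "proto": "tcp", "from_port": 443,  "to_port": 443,  "cidr": "0.0.0.0/0"},
    {"name": "all-traffic-v6", "proto": "-1",  "from_port": 0,    "to_port": 0,    "cidr": "::/0"},
]

if __name__ == "__main__":
    for name in find_exposed_rdp(SAMPLE_RULES):
        print(f"RDP exposed to the internet by rule: {name}")
```

Note that the check deliberately catches the two cases that a naive "port == 3389 and cidr == 0.0.0.0/0" grep misses: a wide port range that happens to include 3389, and an "all traffic" rule (including the IPv6 ::/0 form) that never mentions the port at all.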
Some organizations, however, leave their RDP ports open to the internet. A few of these organizations do so unwittingly, unaware of the ticking time bomb they’ve accidentally created. Others leave ports open willingly. An organization that does so is knowingly operating on borrowed time from a security standpoint. Regardless of intent, RDP ports are still being left open to the internet, and subsequently open to attack.
Unguarded VMs behind open RDP ports are one of the top points of entry for brute-force attacks. For instance, a botnet dubbed GoldBrute recently targeted more than a million internet-facing RDP addresses, guessing username and password combinations against their login prompts until one worked; on an exposed port, that login prompt is the only thing standing between the attacker and the machine. Once inside a VM, GoldBrute uses it to scan for further exposed hosts, spreading across more random IP addresses and cataloguing the credential combinations that succeeded for resale on the dark web.
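A campaign like that leaves a recognizable trail in the Windows Security log: bursts of failed logons (event 4625) followed by a success (event 4624) from the same source, and, because the botnet spreads its guesses across many IP addresses, accounts that fail from many different sources even when no single source is noisy. The following Python detector is an added example (not code from the original post or from any vendor): it runs three of those checks over constructed event records. The one-line record format, its field names (ts, event_id, type, user, src) and the thresholds are assumptions for illustration, not Microsoft's event schema. One caveat worth building in: on a host with Network Level Authentication enabled, the failed RDP pre-authentication is usually logged with logon type 3 (network) rather than type 10 (RemoteInteractive), so a filter on type 10 alone misses most of the failures.

```python
"""Detect RDP brute-force patterns in Windows Security event records.

Added example, not from the original post. Records are a constructed,
simplified projection of Security events 4625 (failed logon) and 4624
(successful logon); the field names are assumptions, not Microsoft's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types seen for RDP: 10 = RemoteInteractive. With Network Level
# Authentication on, the failed pre-auth is normally logged as type 3.
RDP_LOGON_TYPES = {3, 10}


def parse(line):
    # Constructed line format: "<iso-ts> <event_id> type=<n> user=<name> src=<ip>"
    ts, eid, ltype, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(eid),
        "logon_type": int(ltype.split("=", 1)[1]),
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def rdp_failures(events):
    return [e for e in events if e["event_id"] == 4625 and e["logon_type"] in RDP_LOGON_TYPES]


def noisy_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed RDP logons inside any `window`."""
    by_src = defaultdict(list)
    for e in rdp_failures(events):
        by_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def sprayed_accounts(events, min_sources=3):
    """Accounts whose failures come from >= min_sources distinct IPs (distributed guessing)."""
    srcs = defaultdict(set)
    for e in rdp_failures(events):
        srcs[e["user"]].add(e["src"])
    return {u for u, s in srcs.items() if len(s) >= min_sources}


def success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """(src, user) pairs whose RDP success follows >= min_failures failures from the
    same source within `window`: the signature of a guessed credential."""
    fails = defaultdict(list)
    for e in rdp_failures(events):
        fails[e["src"]].append(e["ts"])
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event_id"] != 4624 or e["logon_type"] != 10:
            continue
        recent = [t for t in fails[e["src"]] if e["ts"] - window <= t < e["ts"]]
        if len(recent) >= min_failures:
            hits.append((e["src"], e["user"]))
    return hits


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2020-01-20T03:00:00 4625 type=3 user=administrator src=203.0.113.7
2020-01-20T03:00:20 4625 type=3 user=administrator src=203.0.113.7
2020-01-20T03:00:41 4625 type=3 user=administrator src=203.0.113.7
2020-01-20T03:01:02 4625 type=3 user=administrator src=203.0.113.7
2020-01-20T03:01:25 4625 type=3 user=administrator src=203.0.113.7
2020-01-20T03:01:48 4625 type=3 user=administrator src=203.0.113.7
2020-01-20T03:02:10 4624 type=10 user=administrator src=203.0.113.7
2020-01-20T01:15:00 4625 type=10 user=svc_backup src=198.51.100.1
2020-01-20T09:40:00 4625 type=10 user=svc_backup src=198.51.100.2
2020-01-20T17:05:00 4625 type=10 user=svc_backup src=198.51.100.3
2020-01-20T08:30:00 4625 type=10 user=jsmith src=10.8.0.5
2020-01-20T08:30:15 4624 type=10 user=jsmith src=10.8.0.5
2020-01-20T08:31:00 4625 type=2 user=bob src=-
2020-01-20T08:31:05 4625 type=2 user=bob src=-
2020-01-20T08:31:10 4625 type=2 user=bob src=-
2020-01-20T08:31:15 4625 type=2 user=bob src=-
2020-01-20T08:31:20 4625 type=2 user=bob src=-
"""
EVENTS = [parse(line) for line in SAMPLE_LOG.splitlines()]


def report(events=EVENTS):
    return {
        "noisy_sources": sorted(noisy_sources(events)),
        "sprayed_accounts": sorted(sprayed_accounts(events)),
        "likely_guessed": success_after_failures(events),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

In the sample, the burst against "administrator" from 203.0.113.7 trips the per-source threshold and, because a type-10 success follows it, is also reported as a likely guessed credential. The three single attempts against "svc_backup" never trip the per-source threshold; only the per-account view catches that spread-out pattern. The local console failures for "bob" (logon type 2) are ignored because they are not RDP. A single user's one typo followed by a success is not flagged by any check.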
In a related-yet-separate instance, a Spanish MSP, Everis, and one of its clients, Spain’s largest radio network, (Read more…)