In a public service announcement, the Federal Bureau of Investigation (FBI) announced that remote administration tools, such as Remote Desktop Protocol (RDP), as an attack vector has been on the rise since mid-late 2016.
What does this mean for you?
Simply put, this means your identity, login credentials and other sensitive information can be compromised.
The FBI and Department of Homeland Security (DHS) recommend businesses and private citizens review and understand what remote accesses their networks allow and take steps to reduce the likelihood of compromise, which may include disabling RDP if it is not needed.
What is Remote Desktop Protocol (RDP)?
RDP is a proprietary network protocol that allows an individual to control the resources and data of a computer over the Internet. Cyber actors can inject malware or ransomware into the remote systems – and they are difficult to detect.
What makes you susceptible to an attack?
- Weak passwords – passwords using dictionary words or do not include a mixture of uppercase/lowercase letters, numbers, and special characters – are vulnerable to brute-force attacks and dictionary attacks.
- Outdated versions of RDP may use flawed CredSSP, the encryption mechanism, thus enabling a potential man-in-the-middle attack.
- Allowing unrestricted access to the default RDP port (TCP 3389).
- Allowing unlimited login attempts to a user account.
How do you protect yourself?
Because RDP can remotely control a system entirely, usage should be closely regulated, monitored, and controlled. The FBI and DHS recommend implementing the following best practices to protect against RDP-based attacks:
- Audit your network for systems using RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
- Verify all cloud-based virtual machine instances with a public IP do not have open RDP ports, specifically port 3389, unless there is a valid business reason to do so. Place any system with an open RDP port behind a firewall and require users to use a Virtual Private Network (VPN) to access it through the firewall.
- Enable strong passwords and account lockout policies to defend against brute-force attacks.
- Apply two-factor authentication, where possible.
- Apply system and software updates regularly.
- Maintain a good back-up strategy.
- Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
- When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
- Ensure third parties that require RDP access are required to follow internal policies on remote access.
- Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
- Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as VPNs, recognizing VPNs are only as secure as the connected devices.
For more information and to view the full public service announcement, click below: