Experience an RDP attack? It’s your fault, not Microsoft’s

I’ve seen blog posts and forum threads bad-mouthing Microsoft and Remote Desktop Protocol (RDP). Usually it’s in conjunction with someone complaining that a ransomware or cryptominer variant had successfully compromised their environment through RDP. The rants are often followed by calls for everyone to dump Microsoft Windows and declarations that “Microsoft security sucks!”

It’s not only boring and pedantic. It’s a case of blaming the wrong culprit.

Let me be clear. If you are compromised because of RDP, the problem is you or your organization. It isn’t a problem with Microsoft or RDP. You don’t need to put a VPN around RDP to protect it. You don’t need to change default network ports or some other black magic. Just use the default security settings or implement the myriad other security defenses you should have already been using. If you’re getting hacked because of RDP, you’re not doing a bunch of things that any good computer security defender should be doing.

Ransomware and RDP

There are many ransomware programs, like SamSam, and cryptominers, like CrySis, that attempt brute-force guessing attacks against accessible RDP services. So many companies have had their RDP services compromised that the FBI and Department of Homeland Security (DHS) have issued warnings.

The warning should be, “Your security sucks!” It isn’t like the malware programs are conducting a zero-day attack against some unpatched vulnerability. They are simply making a bare minimum of attempts to find easy-to-guess passwords on remote access accounts, most of which appear to have admin-level access.

If all you did was take the defaults that Microsoft puts in place, you would be very safe. That’s because by default, Microsoft only enables RDP for members of the built-in administrators group (RID 501), which requires a password sufficiently long and complex to stop simple password-guessing RDP attacks, especially when paired with an account lockout policy that allows only a few wrong guesses before locking the account. When RDP malware breaks into a computer you manage, that means you allowed the RDP-accessible account to have a very weak password and didn’t have account lockout enabled.
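The following read-only audit script is an added example, not part of the original article, that checks on a single Windows host the defaults the article relies on (RDP exposure, Network Level Authentication, who sits in the Remote Desktop Users group, the lockout policy) and then groups recent failed RDP logons by source address so a guessing campaign stands out. It assumes an elevated PowerShell prompt on Windows 10 / Server 2016 or later (for Get-LocalGroupMember) and read access to the Security event log.

```powershell
# Added example (not from the original article): audit the RDP defaults the
# article describes. Read-only; it changes no settings.

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Is RDP enabled at all? (fDenyTSConnections = 1 is the Windows default: off)
$deny = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections
"RDP enabled: $($deny -eq 0)"

# 2. Network Level Authentication: credentials are checked before a session is
#    built, so a guess never reaches the interactive logon screen.
$nla = (Get-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
"NLA required: $($nla -eq 1)"

# 3. Who may log on over RDP beyond the built-in Administrators group?
"Members of 'Remote Desktop Users':"
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    ForEach-Object { "  $($_.Name) ($($_.ObjectClass))" }

# 4. Account lockout policy. 'Never' on the threshold line means no lockout,
#    which is exactly the condition that lets brute forcing run unbounded.
net accounts | Select-String 'Lockout threshold|Lockout duration'

# 5. Failed logons (event 4625) over RDP in the last 24 hours, grouped by
#    source IP. One address with many failures is the guessing pattern the
#    article describes. LogonType 10 is RemoteInteractive; when NLA is on,
#    failures are commonly recorded as LogonType 3 instead, so widen the
#    filter if the list looks empty.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -eq '10') {
            [pscustomobject]@{ Ip = $d.IpAddress; User = $d.TargetUserName }
        }
    } |
    Group-Object Ip |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

Run it on an internet-reachable host and compare the output with the article's baseline: RDP limited to administrators, a lockout threshold set, and no single source address racking up hundreds of 4625 events.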
