What’s The Remote Access Protocol And Why Should I Worry About It?
The Remote Desktop Protocol (RDP) is a means that Microsoft provides for Windows (and Mac) users to access another computer remotely. Remote computer access is often used by IT people to diagnose and repair a problem with a computer. If you’ve ever worked with a company’s Help Desk, then the technician may have asked for remote access to check out your computer. The help desk tech has all the powers and abilities that the user has.
If that user is an administrator (if only one user is authorized on the computer, that user is set up as an administrator by default), they have total control over the remote computer. They may well have total control over the network as well, depending on how the network administrator’s permissions are set up.
So How Does RDP Work?
RDP works by connecting the computer remotely, then controlling it over a local network or the internet. The internet port used for this is 3389. If that port is open in the remote computer’s settings, anyone can potentially connect to it and control it.
The FBI recently warned that hackers are constantly scanning the internet for open RDP ports and selling the access information that they find on the Dark Web. Several types of ransomware and other exploit tools rely on finding open 3389 ports. One security company, Rapid7, found 11 million open 3389 ports on the internet in 2017. There are over 1,000 attempts to find open RDP ports per day.
Obviously, if you don’t know your ports are open, you are not going to be able to protect them. The first step is to make sure that only machines that need remote access are set up for it. Your system administrators can use several methods to make sure that only computers that need remote access have it.
But We’re Covered…Or Are We?
Ah, you say, but we are protected against this kind of attack because we have all our RDP-enabled computers protected by a password. Guess again. If you look, you may well find RDP servers (and servers in general) that are not password protected. Sloppy system administrators (sysadmins) all too often leave the machines they manage unprotected, so they don’t have to remember the passwords to them.
Even if both the servers and the remote machines are protected by usernames with strong passwords, there are two ways that hackers can still access them. One, called a brute-force attack, keeps trying usernames and passwords until it scores a hit. This is known as a dictionary attack.
The other way is to use lists of username/password combinations that are automatically created, bought on the Dark Web, stolen, or some combination of this. The only defenses against this are two-factor authentication or the use of security keys (dongles).
In two-factor authentication, users have to enter a second password, sent by SMS to a smartphone or by email, to log on. When dongles are used, a physical device, such as Google’s Titan security key is used.
Use of biometric identifiers (fingerprints, face scans, retinal scans) is another way of either single-or two-factor authentication (i.e., the user is required to use a password and scan a fingerprint.)
How Bad Is This Problem Really?
Remember, once a hacker gets into your system via RDP, you are probably vulnerable if you do not have two-factor authentication and/or biometric identifiers enabled on all your machines, both Mac and Windows. In any other condition, you are vulnerable. The lists of RDP endpoints being sold on the Dark Web include those stolen from airports, hospitals, nursing homes, and government agencies.
How Bad Could This Get?
So far, the use of RDP as a means of network penetration has been limited to attempts to install ransomware or steal banking, credit card information, and online shopping information.
There is little evidence (remember, we don’t find it unless we look for it or the hackers make a mistake) of any state actors or terrorists using it. But RDP access is really low-hanging fruit for them.
Practically everything runs on computers today, and the vast majority of them communicate over the internet with unencrypted data. Imagine terrorist hackers shutting down first-responder communications systems. They also have the potential to shut down hospital EHR systems or disrupt air traffic control at the airport.
Once we begin to think of the vulnerabilities in our systems, this problem of open RDP ports gets worrisome very quickly. Small wonder that the FBI is warning everyone about it.
In 2017, just one Dark Web site had 85,000 RDP endpoints for sale. It has dozens or hundreds of imitators. We just do not know until the FBI or some other agency finds the Dark Web site and tries to take it down. If you work with a managed IT services company, then it can be worth your while to ask them to check your computers and networks to see whether you have RDP ports open and susceptible.
Author: Aaron White, Date: 26th October 2018