sbradley
Contributing Writer

How to protect Windows Remote Desktop deployments

How-To
Mar 03, 2021 | 5 mins
Network Security, Remote Access Security, Windows Security

Attackers gain access to your Windows network just as work-from-home employees do: remotely. Following these simple steps will send them looking for easier targets.

Attackers often gain entry to your systems via remote access. As a recent example, attackers took control of software at a US water treatment facility and changed the amount of chemicals entering the system. The computers used to control the water system were reportedly unpatched Windows 7 machines and using the TeamViewer desktop sharing software. The change was noticed and reversed quickly, but the incident underscored the potential to do harm remotely in other venues.

In this era of remote working, remote access is mandatory, but so is monitoring for access and ensuring you are protecting remote access. The FBI recommends the following steps to better protect remote access:

  • Use multi-factor authentication (MFA).
  • Use strong passwords to protect Remote Desktop Protocol (RDP) credentials.
  • Ensure antivirus, spam filters and firewalls are up to date and properly configured.
  • Audit network configurations and isolate computer systems that cannot be updated.
  • Audit your network for systems using RDP, close unused RDP ports, apply MFA wherever possible, and log RDP login attempts.
  • Audit logs for all remote connection protocols.
  • Train users to identify and report attempts at social engineering.
  • Identify and suspend access of users exhibiting unusual activity.
  • Keep software updated.
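The "audit your network for systems using RDP" item is the one most often skipped because it is tedious by hand. The following PowerShell is an added example, not part of the article or the FBI guidance: it asks Active Directory for enabled computers in an OU (the OU path is a placeholder), checks from the auditing workstation whether TCP 3389 answers, and asks each host over WinRM whether Remote Desktop is enabled and whether Network Level Authentication is required. It assumes the RSAT ActiveDirectory module and WinRM access to the hosts.

```powershell
# Added example (not from the article): inventory which domain-joined Windows
# hosts accept RDP. Assumes the ActiveDirectory RSAT module and WinRM access
# to the hosts; $SearchBase is a placeholder to adjust for your environment.
$SearchBase = 'OU=Servers,DC=example,DC=com'

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Select-Object -ExpandProperty DNSHostName

$results = foreach ($name in $computers) {
    # Does TCP 3389 answer from where the audit runs?
    $portOpen = Test-NetConnection -ComputerName $name -Port 3389 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # Ask the host itself: is Remote Desktop enabled, and is NLA required?
    $cfg = try {
        Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
            [pscustomobject]@{
                # fDenyTSConnections = 1 means Remote Desktop is switched off
                RdpEnabled  = ((Get-ItemProperty $ts).fDenyTSConnections -eq 0)
                # UserAuthentication = 1 means NLA is required before a session starts
                NlaRequired = ((Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1)
            }
        }
    } catch { $null }

    [pscustomobject]@{
        Computer    = $name
        Port3389    = $portOpen
        RdpEnabled  = $cfg.RdpEnabled
        NlaRequired = $cfg.NlaRequired
        Reachable   = ($null -ne $cfg)
    }
}

# Hosts listening on 3389 that nobody expected are the ones to close or
# firewall; hosts without NLA should be fixed or isolated.
$results | Sort-Object Port3389 -Descending | Format-Table -AutoSize
$results | Export-Csv -Path .\rdp-audit.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run; a host that newly shows `Port3389 = True` is the change worth asking about.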

Here’s how to set up your Windows network to better follow this advice.

Enable Remote Desktop auditing

Auditing Windows Remote Desktop connections is relatively easy, but the events are buried in a log on each system. In Event Viewer, follow this path in order:

  • “Applications and Services Logs”
  • “Microsoft”
  • “Windows”
  • “TerminalServices-RemoteConnectionManager”
  • “Operational”

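Reading that log by clicking through Event Viewer does not scale past one or two hosts. The PowerShell below is an added example, not from the article: it queries the same log with Get-WinEvent, keeps event 1149 (the "user authentication succeeded" event this log records for each inbound Remote Desktop connection), and summarizes connections by user and source address. The order of the event's Properties (user, domain, source network address) is an assumption; confirm it once by viewing one 1149 event's XML on your own host.

```powershell
# Added example (not from the article): summarize recent Remote Desktop
# connections from the RemoteConnectionManager operational log. Run elevated
# on the RD Session Host. The Properties order (user, domain, source address)
# for event 1149 is assumed; verify it against one event's XML in Event Viewer.
$LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$Since   = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = 1149
    StartTime = $Since
} -ErrorAction SilentlyContinue

$connections = foreach ($e in $events) {
    [pscustomobject]@{
        Time     = $e.TimeCreated
        User     = $e.Properties[0].Value
        Domain   = $e.Properties[1].Value
        SourceIP = $e.Properties[2].Value
    }
}

# Who connected, from where, and how often. One user appearing from many
# addresses, or an address nobody recognises, is what to follow up on.
$connections |
    Group-Object User, SourceIP |
    ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            User     = $_.Group[0].User
            SourceIP = $_.Group[0].SourceIP
            Count    = $_.Count
            First    = $times[0]
            Last     = $times[-1]
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Ship the same rows to a central collector rather than reading host by host.
$connections | Export-Csv -Path ".\rdp-connections-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Because 1149 is written before the interactive session exists, pairing it with Security log event 4624 (logon type 10) on the same host tells you which authentications actually turned into sessions.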
Use tools to better analyze log files

Correlating events across your servers is time-consuming and hard to review. However, some tools can help, such as the RDPSoft RDS Log Viewer, which allows you to review and poll log files on your systems.

I recommend following guidance provided by Andy Milford on adding Sysmon to your Remote Desktop deployments so that you can better review and scan for attacks. You can use various configuration files to fine-tune the Sysmon configuration depending on your needs. Recommended guidance found on GitHub and elsewhere provides a solid start for monitoring events. The Sysmon configuration provided by Olafhartong maps events to MITRE ATT&CK techniques to better target the events where attacks will show up.

Be careful about account lockout policies

Andy points out that historically we would recommend that system administrators set up account lockout policies to block attackers attempting to brute-force an account. However, that creates a situation where attackers can trigger a denial of service simply by guessing wrong enough times. It also frustrates end users and causes problems for administrators. Thus, he does not recommend enabling account lockouts. With attackers harvesting usernames and passwords, they can simply log in rather than brute-force an account.
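If lockouts are off, something still has to notice a password-guessing run. The PowerShell below is an added example, not from the article: it counts Security log 4625 (logon failure) events in the last hour per source address and per target account, warns when either crosses a threshold, and blocks the source at the host firewall for a while instead of locking the account, so the legitimate user can still log in from somewhere else. Field names are read from the event XML rather than by position. The thresholds are assumptions to tune for your environment.

```powershell
# Added example (not from the article): detect password guessing against RDP
# without an account-lockout policy. Counts Security event 4625 per source
# address and per account over the last hour. Run elevated on the host.
# Threshold values are assumptions; tune them for your environment.
$Since         = (Get-Date).AddHours(-1)
$PerSourceMax  = 20   # failures from one address within the window
$PerAccountMax = 10   # failures against one account within the window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Pull a field out of the event XML by its Name attribute, so the code does
# not depend on the position of each value in the EventData block.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$failures = foreach ($e in $events) {
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = Get-EventField $e 'TargetUserName'
        LogonType = Get-EventField $e 'LogonType'   # 10 = RemoteInteractive (RDP); 3 = network, as NLA pre-auth appears
        SourceIP  = Get-EventField $e 'IpAddress'
    }
}

$bySource  = $failures | Group-Object SourceIP | Where-Object Count -ge $PerSourceMax
$byAccount = $failures | Group-Object Account  | Where-Object Count -ge $PerAccountMax

foreach ($g in $bySource)  { Write-Warning ("{0} failed logons from {1} since {2}" -f $g.Count, $g.Name, $Since) }
foreach ($g in $byAccount) { Write-Warning ("{0} failed logons against account {1} since {2}" -f $g.Count, $g.Name, $Since) }

# Block the noisy source at the host firewall rather than locking the account.
# Skip blank/local addresses, and remove these rules again on a schedule.
# Caveat: if many users sit behind one NAT address, a block here affects all
# of them; prefer per-account alerting over blocking for such addresses.
foreach ($g in $bySource) {
    if ($g.Name -and $g.Name -ne '-' -and $g.Name -notin @('127.0.0.1', '::1')) {
        New-NetFirewallRule -DisplayName "RDP guessing block $($g.Name)" -Direction Inbound `
            -RemoteAddress $g.Name -Action Block -Profile Any | Out-Null
    }
}
```

This is the per-host version; if you already forward Security logs to a collector, run the same grouping there so a slow, distributed guessing run across several servers still adds up to one alert.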

Add Remote Desktop Commander to your Remote Desktop server deployments

Remote Desktop Commander allows you to track, via geolocation, where your users and attackers are attempting to log in from. The software automatically collects and correlates key events from the event logs on Session Host servers and Remote Desktop Gateway servers and offers a graphical view of who is connecting to your network.

In reviewing my own Remote Desktop connections, I found that cellular connections often do not show the city the user is in; rather, they may show a regional location for the carrier. You may have to do additional correlation to determine whether a user’s remote access is appropriate.

[Image: Remote Desktop Commander shows locations of people logging in. Credit: Susan Bradley]

Understand how attackers find exposed Remote Desktop deployments

Attackers can also use search engines to identify where Remote Desktop Web Access deployments are exposed. Access pages often have the phrase RDWeb in the URL. As Andy points out in “RDPwned: A Guide to Securing Microsoft Remote Desktop Services,” attackers can search on standard error messages embedded in the page HTML, such as “allintext: Unable to display RD Web Access,” and find many exposed RDWeb servers. The Shodan search engine also allows attackers to search for RDP.

Beware of vulnerabilities in third-party remote access tools

Other vendors’ remote access tools can also expose your systems to attack. Malwarebytes recently posted that attackers are focusing more on remote entry points because of the pandemic-driven work-from-home push. A year ago, Check Point researchers found 16 major vulnerabilities and 25 overall security vulnerabilities in remote access tools.

The Check Point researchers recommend disabling the copy-and-paste feature over an RDP connection, as it could lead to malicious actions. As they note: “if a client uses the Copy & Paste feature over an RDP connection, a malicious RDP server can transparently drop arbitrary files to arbitrary file locations on the client’s computer, limited only by the permissions of the client. For example, we can drop malicious scripts to the client’s Startup folder, and after a reboot they will be executed on his computer, giving us full control.”

This era of work from home requires a more nuanced approach to the risk. Not everyone needs clipboard access, but those who do would be severely inconvenienced if it were blocked. Counter this risk with end-user education so that users recognize and report phishing attempts.
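The nuanced approach is easier to carry out than to describe: clipboard redirection is a per-host policy on the Session Host side and a per-connection option on the client side, so it can be switched off for the many and left on for the few. The PowerShell below is an added example, not from the article or from Check Point: it reads and sets the registry value behind the Group Policy setting “Do not allow Clipboard redirection” on a Session Host, and writes a client .rdp file that never offers the clipboard, drive or printer channels at all. Applying the policy through a GPO with security filtering is the usual way to exempt the users who genuinely need the clipboard. The hostname in the .rdp file is a placeholder.

```powershell
# Added example (not from the article): audit and disable RDP clipboard
# redirection. Server side, the value is the registry location behind the
# Group Policy setting "Do not allow Clipboard redirection"; client side, the
# .rdp file simply never offers the channel. Run elevated. Hostname is a placeholder.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-ClipboardRedirectionState {
    $v = (Get-ItemProperty -Path $PolicyKey -Name fDisableClip -ErrorAction SilentlyContinue).fDisableClip
    if ($v -eq 1)        { 'Disabled by policy' }
    elseif ($null -eq $v) { 'Not configured (clipboard allowed)' }
    else                  { 'Explicitly allowed' }
}

function Disable-ClipboardRedirection {
    # Weak setting: fDisableClip absent or 0, clipboard shared in both directions.
    # Hardened setting: fDisableClip = 1, the Session Host refuses the clipboard
    # virtual channel regardless of what the client asks for.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name fDisableClip -Value 1 -Type DWord
}

Write-Host "Before: $(Get-ClipboardRedirectionState)"
Disable-ClipboardRedirection
Write-Host "After:  $(Get-ClipboardRedirectionState)"

# Client side: hand out a connection file that does not offer the clipboard,
# drives or printers, so a hostile or compromised server never sees the channel.
$rdp = @(
    'full address:s:rds.example.com'   # placeholder hostname
    'redirectclipboard:i:0'
    'redirectdrives:i:0'
    'redirectprinters:i:0'
    'authentication level:i:1'         # do not connect if server authentication fails
)
$rdp | Set-Content -Path .\rds-noclipboard.rdp -Encoding ASCII
```

The server-side value wins over whatever the client requests, so for the hosts where nobody needs the clipboard it is the setting to rely on; the .rdp file protects users connecting to servers you do not control.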

Enable two-factor authentication

Finally, always add two-factor authentication (2FA) wherever you can. I use Duo to add 2FA to my Remote Desktop deployments. Requiring that users have something other than their username and password to access their resources will reduce the risk from ransomware and other attacks.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
