Internet Accessible Remote Desktop Protocol (RDP)


Description

The Remote Desktop Protocol (RDP) was created by Citrix Systems, Inc. in 1995 and subsequently sold as part of an enhanced version of Windows NT 3.51 called WinFrame. In 1998, the Microsoft Corporation included RDP with its Windows NT 4.0 Terminal Server Edition, and the protocol has been included in all versions of its Windows Server operating systems since.

RDP is a proprietary network protocol that allows an individual to control the resources and data of a computer over a Local Area Network (LAN) or the Internet.

RDP listens on port 3389/TCP and 3389/UDP.

Problem

Since 1998, the Microsoft Corporation has released twenty (20) security updates and has disclosed twenty four (24) Common Vulnerabilities and Exposures (CVEs) specifically related to RDP.

The Microsoft Remote Desktop Protocol (RDP) is an extremely useful tool when used by authorised personnel. The ability to view and control a remote desktop session, sharing input and display graphics between two computers, allows IT technical support personnel to diagnose and resolve problems remotely. When abused by unauthorised parties, however, it can have severe consequences.

The use of remote administration tools such as RDP as an attack vector has been on the rise since mid-to-late 2016, with an increase in the sale and purchase of login credentials on the dark web by threat actors and cybercriminals. The value of a set of credentials is determined by the location of the compromised computer, the software utilised in the session, and any additional attributes that increase the usability of the stolen resources.

ENISA Threat Landscape 2021 Report.

On 27 October 2021, the European Union Agency for Cybersecurity (ENISA) published its Threat Landscape 2021 Report, in which it stated, in relation to ransomware, that compromise through phishing e-mails and brute-forcing of Remote Desktop Protocol (RDP) services remain the two most common infection vectors. See link:-

RDP has become a popular attack vector, especially among cybercriminals that specialise in ransomware attacks. These cybercriminals typically brute-force their way into a poorly secured network, elevate their rights to administrator level, disable or uninstall security solutions, exfiltrate data and encrypt the files on the hard drives of individual computers. They then attempt to extort payment from the victim with the promise that they will provide the means to decrypt the files encrypted by their ransomware and that they will return the data they have exfiltrated.

RAPID7 - Remote Desktop Protocol (RDP) Exposure Report.

In July 2017, the cybersecurity company Rapid7, based in Boston, Massachusetts, in the United States, published a list from its Project Sonar study of the top twenty countries, in descending order of the number of reported exposed RDP endpoints in each country. Ireland was listed in the unenviable position of twentieth, with a reported total of 43,307 exposed RDP endpoints.

Means by which RDP compromise can occur:-

1. Brute forcing credentials with automated tools. A brute force attack involves 'guessing' usernames and passwords to gain unauthorised access to a system. Brute force is a simple attack method that can have a high rate of success. Malicious actors can also use applications and scripts as brute force tools; these applications attempt to discover a password by systematically trying every possible combination of letters, numbers and symbols until the correct combination is found and the authentication process is bypassed.
2. Use of stolen credentials. Credential based attacks occur when malicious attackers steal credentials to gain access and bypass an organisation's security measures. Credential theft is usually a targeted effort. Malicious actors scour social media sites such as LinkedIn, searching for specific users whose credentials will grant them access to critical data and information. The phishing e-mails and websites utilised in corporate credential theft are much more sophisticated than those used for consumer credential theft.
3. Exploitation of known RDP vulnerabilities. Since the Microsoft Corporation first included RDP with Windows NT 4.0 Terminal Server Edition in 1998, it has released twenty (20) security updates and disclosed twenty four (24) separate Common Vulnerabilities and Exposures (CVEs) specifically related to RDP. If an organisation fails to install the security updates or apply the relevant software patches released by the Microsoft Corporation in response to the disclosed CVEs related to RDP, the vulnerabilities may be exploited by a malicious actor.
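The brute-force pattern in item 1 leaves a trail of failed logons in the Windows Security event log. The following detection check is an added example written for this advisory, not part of the original text; it assumes logon auditing is enabled on the host, and the threshold and time window are assumptions to be tuned for your environment.

```powershell
# Added example: flag source IPs with bursts of failed logons (event 4625).
# Failed RDP logons arrive as LogonType 10 (RemoteInteractive) or, when NLA is
# enabled, as LogonType 3 (Network). Threshold and window are assumptions.
param(
    [int]$Threshold     = 20,   # failures from one source IP ...
    [int]$WindowMinutes = 10    # ... within this many minutes
)

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Ip        = $d['IpAddress']
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']
    }
}

# Group by source IP; a high distinct-user count indicates password spraying.
$suspects = $rows |
    Where-Object { ($_.LogonType -in @('3', '10')) -and $_.Ip -and ($_.Ip -ne '-') } |
    Group-Object Ip |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            SourceIp      = $_.Name
            Failures      = $_.Count
            DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
            FirstSeen     = $sorted[0].Time
            LastSeen      = $sorted[-1].Time
        }
    }

if ($suspects) {
    $suspects | Sort-Object Failures -Descending | Format-Table -AutoSize
} else {
    "No source exceeded $Threshold failed logons in the last $WindowMinutes minutes."
}
```

The same grouping can be fed from a SIEM instead of a single host; event 4625 with LogonType 3 or 10 is the field set to forward.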

An unauthorised user with remote access could do untold damage including, but not limited to:-

1. Reconnaissance.
2. Disabling security software.
3. Downloading and installing unwanted tools and applications.
4. Lateral movement within the network.
5. Credential harvesting.
6. Data exfiltration.
7. Data destruction.
8. Data encryption (ransomware).

Use of easy-to-guess passwords with no additional layers of authentication or protection makes it easier for a malicious actor to compromise a system.

In addition, a malicious actor who has successfully gained access to a network can maintain that access for sustained periods without detection, with the aid of software and log manipulation.

Cipher Suites & CredSSP User authentication - RDP

When invoked, RDP opens a dedicated network channel over TCP/IP on port 3389/TCP between the connected computers for the transfer of all data, including mouse movements, keystrokes and the desktop graphical display, together with all other necessary data. The alternate port 3389/UDP may be used in the event of the default configuration being changed. RDP supports various mechanisms to reduce the amount of data transmitted over this connection, including data compression, persistent caching of bitmaps, and caching of glyphs and fragments in RAM. All data transmitted over this connection is encrypted by RDP.

1. RC4. The RC4 cipher suite, from Rivest-Shamir-Adleman (RSA), is the default cipher suite used by RDP to encrypt all data transmitted between the local and remote desktop during a remote desktop session. RC4 is a stream cipher designed to efficiently encrypt small amounts of data. System administrators can choose between a 56-bit and a 128-bit key with which to encrypt the data; clients that do not support the configured encryption level cannot connect to the RDP Session Host server. A vulnerability existed in the method used to encrypt sessions in earlier versions of RDP which could allow unauthorised access to the session through a man-in-the-middle (MITM) attack.
2. SSL/TLS. The Secure Sockets Layer (SSL) version 1.0 was developed in 1994 by the Netscape Communications Corporation to facilitate secure communications over the Internet. The SSL protocol was designed to run over TCP/IP and below higher-level protocols such as HTTP, FTP, SMTP and IMAP. It used TCP/IP on behalf of the higher-level protocols and, in the process, allowed an SSL-enabled server to authenticate itself to an SSL-enabled client, and the SSL-enabled client to authenticate itself to the SSL-enabled server, enabling both machines to establish an encrypted connection. In 1999, SSL was superseded by Transport Layer Security (TLS) after the Internet Engineering Task Force (IETF) officially took over and began to standardise the SSL protocol; 'SSL' was renamed 'TLS'. TLS is a more secure and efficient protocol supporting newer and more secure algorithms, and seeks to provide authentication, privacy and data integrity between two (2) communicating computer applications. TLS uses a combination of symmetric and asymmetric cryptography. Symmetric cryptography uses a secret key, between 128 bits and 256 bits in length and known to both sender and recipient, to encrypt and decrypt the data. Asymmetric cryptography uses key pairs: a public key and a private key. The public key is mathematically related to the private key, but given sufficient key length it is computationally impractical to derive the private key from the public key. This allows the sender to use the recipient's public key to encrypt the data they wish to send, while that data can only be decrypted with the recipient's private key.
3. CredSSP. The Credential Security Support Provider protocol (CredSSP) is the amalgamation of TLS with Kerberos and NT LAN Manager (NTLM). Besides enabling authentication of the remote computer's identity, the CredSSP protocol also facilitates user authentication and the transfer of user credentials from client to server, hence enabling single sign-on scenarios. When the CredSSP protocol begins execution, the TLS handshake is always executed first. Once a TLS channel has been successfully established, Kerberos or NTLM is used within the TLS channel to authenticate the user. Once Kerberos or NTLM has completed successfully, the user's credentials are sent to the server. Traffic on the wire remains encrypted with TLS and is wrapped by TLS headers. There is no double encryption of traffic because the Kerberos (or NTLM) session is securely bound to the TLS session. On 13 March 2018, the Microsoft Corporation disclosed CVE-2018-0886, which details a vulnerability in CredSSP that would allow remote code execution. CVE-2018-0886 has a CVSS 3.x base score of 7.0.
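Which of the three mechanisms above a given host actually uses is a configuration setting on its RDP-Tcp listener. The following audit is an added example written for this advisory, not code from the original text; it reads the Win32_TSGeneralSetting WMI class on the local Windows host and assumes the listener is named RDP-Tcp.

```powershell
# Added example: report the security layer, NLA and encryption level configured on
# the local RDP-Tcp listener, mapped to the mechanisms described in this section.
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
                      -Filter "TerminalName='RDP-Tcp'"

# SecurityLayer: 0 = RDP Security Layer (RC4-based, no server authentication),
#                1 = Negotiate (TLS when the client supports it), 2 = SSL/TLS required.
$securityLayer = @{
    0 = 'RDP Security Layer (legacy RC4-based encryption, no server authentication)'
    1 = 'Negotiate (TLS if the client supports it, otherwise RDP Security Layer)'
    2 = 'SSL/TLS required'
}
# MinEncryptionLevel: 1 Low (56-bit, client-to-server only), 2 Client Compatible,
#                     3 High (128-bit), 4 FIPS compliant.
$encryptionLevel = @{
    1 = 'Low (56-bit, client-to-server direction only)'
    2 = 'Client Compatible (strongest key the client supports)'
    3 = 'High (128-bit)'
    4 = 'FIPS compliant'
}
# UserAuthenticationRequired = 1 means Network Level Authentication via CredSSP.
$nla = if ($ts.UserAuthenticationRequired -eq 1) { 'Required (CredSSP / NLA)' } else { 'Not required' }

# WMI returns uint32; cast to int so the hashtable lookups match their integer keys.
[pscustomobject]@{
    SecurityLayer      = $securityLayer[[int]$ts.SecurityLayer]
    NetworkLevelAuth   = $nla
    MinEncryptionLevel = $encryptionLevel[[int]$ts.MinEncryptionLevel]
    CertificateSHA1    = $ts.SSLCertificateSHA1Hash
} | Format-List

# Findings that map to recommendation 2 of this advisory.
if ($ts.SecurityLayer -ne 2)              { Write-Warning 'TLS is not enforced; the RC4-based RDP security layer may be negotiated.' }
if ($ts.UserAuthenticationRequired -ne 1) { Write-Warning 'NLA is off; unauthenticated clients can reach the logon screen.' }
if ($ts.MinEncryptionLevel -lt 3)         { Write-Warning 'Minimum encryption level is below High; 56-bit keys may be accepted.' }
```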

Solution

The Remote Desktop Protocol (RDP) is a very useful tool; however, it can be compromised through a brute-force attack.

Recommendations

It is recommended that RDP, if implemented and utilised, be deployed in a safe and secure manner.

1. Ideally, internet-facing RDP should be disabled, either on the servers themselves and/or via appropriate perimeter firewall controls, i.e. disallow external connections to local machines on port 3389/TCP and 3389/UDP or any other port.
2. It is recommended that RDP be configured to use SSL/TLS in preference to the RDP default RC4 cipher suite, as TLS is a more secure and efficient protocol supporting newer and more secure algorithms and provides authentication, privacy and data integrity between two (2) communicating computer applications.
3. It is recommended that all security updates and software patches released by the Microsoft Corporation specifically relating to RDP be applied.
4. Mandate strong and complex passwords for all accounts that can be logged into via RDP.
5. Use Multi-Factor Authentication rather than relying on a single password.
6. Provide RDP access to required resources via a Virtual Private Network (VPN) solution.
7. Use the least privilege model for providing remote access: use low-privilege accounts to authenticate, and provide an audited process to allow a user to escalate their privileges within the remote session where necessary.
8. Implement an account lockout policy for consecutive failed login attempts, with appropriate logging and alerting, i.e. implement a Security Information and Event Management (SIEM) system.
9. Ensure your endpoint security software is correctly configured to protect against tampering or uninstallation.
10. Ensure all accessible servers are patched and maintained at vendor-supported software levels. Legacy servers which have not been or cannot be patched and updated should not be accessible from outside the network and should be segregated from the rest of the network where possible.
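Recommendations 1, 2 and 8 can be applied on an individual Windows host from an elevated PowerShell session. The script below is an added example written for this advisory, not code from the original text; the management subnet, lockout values and listener name RDP-Tcp are assumptions, and on a domain-joined host the lockout and audit settings should be set through Group Policy instead of locally.

```powershell
# Added example: apply recommendations 1, 2 and 8 on one Windows host. Run elevated.
$mgmtRange = '10.0.0.0/8'   # ASSUMPTION: replace with your management / VPN subnet

# Recommendation 1: scope the built-in Remote Desktop firewall rules to the internal
# range so that 3389/TCP and 3389/UDP are not reachable from the Internet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $mgmtRange -Enabled True

# Recommendation 2: require TLS as the security layer (2), require NLA via CredSSP
# before the logon screen is shown (1), and refuse anything below High encryption (3).
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
                      -Filter "TerminalName='RDP-Tcp'"
$ts | Invoke-CimMethod -MethodName SetSecurityLayer              -Arguments @{ SecurityLayer = 2 }              | Out-Null
$ts | Invoke-CimMethod -MethodName SetUserAuthenticationRequired -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
$ts | Invoke-CimMethod -MethodName SetEncryptionLevel            -Arguments @{ MinEncryptionLevel = 3 }         | Out-Null

# Recommendation 8: lock an account after repeated failures (values are assumptions)
# and audit failed logons so that event 4625 is available to the SIEM.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Verify the listener now reports SecurityLayer 2, UserAuthenticationRequired 1 and
# MinEncryptionLevel 3.
Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
                -Filter "TerminalName='RDP-Tcp'" |
    Select-Object SecurityLayer, UserAuthenticationRequired, MinEncryptionLevel
```

Recommendation 2 changes take effect for new sessions only; existing sessions keep the security layer they negotiated.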

Additional Information

Microsoft - Remote Desktop Protocol.
Microsoft - Security guidance for remote desktop adoption.
Microsoft - 5.4.5.2 CredSSP.
Shadowserver Foundation - Accessible RDP Report.
Shadowserver Foundation - Accessible Remote Desktop Protocol Scanning Project.
ENISA - ENISA Threat Landscape 2021.
Cyphere - RDP Security Risks and Encryption Explained.
Cyphere - SSL/TLS Protocols: Definition, Differences, Versions & Vulnerabilities.
ESET - Researcher Aryeh Goretsky - It's time to disconnect RDP from the Internet.
DISPEL - Forcing RDP to use TLS Encryption.
IETF - RFC6101 - The Secure Sockets Layer (SSL) Protocol Version 3.0.
IETF - RFC2246 - The TLS Protocol Version 1.0.
IETF - RFC8446 - The Transport Layer Security (TLS) Protocol Version 1.3.
FBI - Cyber Actors Increasingly Exploit The Remote Desktop Protocol to Conduct Malicious Activity.
Mitre: ATT&CK - Remote Services: Remote Desktop Protocol.
Cloudflare - What is the Remote Desktop Protocol (RDP).
RAPID7 - Remote Desktop Protocol (RDP) Exposure.