Expose remote desktop directly to the internet

3

1

I have a small server behind my router which runs Windows 10. It's pretty easy to set up remote desktop directly to the internet and expose the required port by changing the configuration of the router.

Question: Do I have to be aware of security issues refering to that? I mean my server is at least accessable by everyone who knows a valid username/password combination.

MS just says

If you want to restrict who can access your PC, choose to allow access only with Network Level Authentication (NLA). When you enable this option, users have to authenticate themselves to the network before they can connect to your PC. Allowing connections only from computers running Remote Desktop with NLA is a more secure authentication method that can help protect your computer from malicious users and software. To learn more about NLA and Remote Desktop, check out Configure NLA for RDS Connections.

Dr. Snail

Posted 2018-12-06T12:12:20.830

Reputation: 247

Read some of this over.... https://security.berkeley.edu/resources/best-practices-how-articles/system-application-security/securing-remote-desktop-rdp-system. The NLA will prompt for username and password without showing the login screen I believe and exposing usernames that may be setup as local user accounts on the machine. I personally prefer not exposing RDP to the Internet but if so I block all public IP addresses and whitelist only the one or range that is allowed to access it. (cont...)

– Pimp Juice IT – 2018-12-12T14:07:44.693

1If those aren't possible, change the port to use something other than 3389, ensure NLA is enabled, be sure to allow only the user account RDP access that needs it and restrict all other accounts, be sure that account has a super long and complex password (e.g. H3llo & welcome to my party@#911), and be sure the account lockout thresholds are setup as well. Don't have time to add an answer right now, but wanted to share the detail in case it helps you so just tag me back and let me know what you think if you want. I'll be freed up more here in a few hours. – Pimp Juice IT – 2018-12-12T14:07:47.543

Mr. Sponge Bob's Snail - Did you go with something specific or what to help with this exposure? – Pimp Juice IT – 2018-12-13T20:47:00.257

Answers

6

No serious network administrator would directly expose an RDP server onto the Internet.

If there are any holes /backdoors in it, not only is it "game over" for part of the system (ie an inflection point/jump box), but it is an opportunity for DoS attacks and fingerprinting desktop(s) on the LAN giving unneccessary information away.

Depending on the RDP server and client, it may also be possible to do a MITM (man in the middle) attack. There are various ways this might be done including forcing a protocol downgrade or relying on insecure cryptography. You might find https://labs.portcullis.co.uk/blog/ssl-man-in-the-middle-attacks-on-rdp/ interesting.

A prudent operator might set up a VPN and only allow remote RDP access over that to provide another layer of security, access management, auditing and control.

davidgo

Posted 2018-12-06T12:12:20.830

Reputation: 49 152

I updated my answer – davidgo – 2018-12-13T13:28:42.167

Is the concern about holes, backdoors, and such for RDP different from any other service exposed directly to the internet - web, FTP, DNS, NTP, etc.? Aren't all services vulnerable if exploited and unpatched? Yet millions are successfully running every day. – Edward Brey – 2019-11-15T20:11:05.670

@EdwardBrey The concern is little different from other services exposed directly to the Internet. Not all services are equally secure- unlike RDP, FTP, DNS and NTP are designed to be used on the wider Internet by unknown people. If I were malicious and I found a network with FTP and DNS exposed, and another with RDP exposed, I'd suspect the RDP network is easier to hack as there are few legitimate reasons for exposing RDP directly to the Internet, meaning the entity doing this is likely incompetent and my chances of succeeding are way higher. – davidgo – 2019-11-15T20:50:03.410

@EdwardBrey - Also google "BlueKeep" (and bear in mind the original post was in Dec 2018) and read https://nakedsecurity.sophos.com/2019/07/17/rdp-exposed-the-wolves-already-at-your-door/ -

– davidgo – 2019-11-15T20:58:34.410

It's a weak argument to say that low deployment implies a security risk. If it were true, no new web server would ever get off the ground. Plus, RDP's million plus deployment on the internet is substantial. Intranet use is of course far larger, but security matters there, too, so the broad deployment is a reason for confidence. Now if you have unpatched exploits, you're in trouble, but that goes for any service.

– Edward Brey – 2019-11-15T21:26:41.090

@EdwardBrey I never said or implied low deployment implies a security risk . That said, broad deployment is not a reason for confidence. Wordpress is one of the most widely deployed web application, but has an attrocious security history. I put to you that security is built up in layers. By exposing RDP to the wider Internet you are stripping many of those layers away. (When exposing a Web client, you are stripping away fewer layers because a compromise is likely to get you less access, and web servers should be untrusted parts of your network) – davidgo – 2019-11-16T02:04:01.570

5

Microsoft’s Remote Desktop uses encryption, so communications are therefore reasonably protected. The weak point is that of brute-force attack against your user-name and password.

With the way hackers are continuously scanning the Internet for weak points, and with the number of currently known (and unknown) exploits, it is much better to set up as many protections as you can (but not to the point of over-complicating the access).

To secure RDP you may do the following :

  1. Change the default port that Remote Desktop listens on

  2. Strong credentials
    Use a non-default user-name and a long and complicated password

  3. Restricted user accounts
    Limit severely the users that can use RDP by running secpol.msc and navigating to Local Policies > User Rights Assignment, double-click on "Allow log on through Remote Desktop Services" and remove all displayed groups, then add your one user.

  4. High security level
    Run gpedit.msc and navigate to Local Computer Policy > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security and set:

    • "Set client connection encryption level" -> Enabled and High Level, for your sessions to be secured with 128-bit encryption
    • "Require use of specific security layer for remote (RDP) connections" -> SSL
    • "Require user authentication for remote connections by using Network Level Authentication" -> Enabled

  5. Set an account lockout policy
    To lock an account for a period of time after a number of incorrect guesses, go to Administrative Tools > Local Security Policy > Account Policies > Account Lockout Policies, and set values for all three options (3 invalid attempts with 3 minute lockout duration is reasonable).

  6. keep track of logging into your PC
    Periodically go to Event Viewer in Applications and Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManger > Operational, to see login information.

  7. Keep a high UAC level

  8. Create a VPN server
    You may also go to the length of setting up a VPN server (link), which will add another layer of security.

I have had contact on our website with posters that have implemented all the above points, and that seems like enough protection. With all of these precautions implemented, a brute-force attack becomes basically impossible, so the only remaining threat is some exploit. But as no exploits were ever found in VPN login or in RDP login, I would think that this setup is safe enough.

harrymc

Posted 2018-12-06T12:12:20.830

Reputation: 306 093

I disagree with the above approach [ie exposing RDP directly] , but to facilitate those wishing to pursue it you may want to talk about optionally firewalling based on IP address/range if viable or port knocking as an added layer of security. - both techniques can significantly cut down the attack surface area. – davidgo – 2018-12-13T23:20:37.273

@davidgo: There is a sort of a double-standard here: If the poster would have asked about setting up a VPN server, you would have helped with no hesitation. But here you are against exposing RDP, although both are basically protected by the same mechanism of username and password. What's the difference between VPN+RDP and VPN+Windows login? Remark: I see the protections you have cited above as being for the hardening of firewalls, which is a separate question. – harrymc – 2018-12-14T08:38:14.887

Disagree about double standards- VPNs are typically controlled by private keys or public/private keys where the administrator can control the CA. (I know this to be true for OpenVPN and, I believe, IPSec as well). Also, using a VPN provides an extra layer of security - it is used in addition, not to replace RDP authentication. Further VPN does not indicate what services are exposed once connected. – davidgo – 2018-12-14T08:49:19.833

@davidgo: I have used RDP to access corporate servers behind VPN, in organizations that invest millions in security and consult the best experts, while using passwords and not certificates. In fact certificates can be stolen, but a password can be changed regularly, even every few minutes using the right hardware. VPN+RDP+precautions is quite safe, or as safe as can be while connected to the Internet. – harrymc – 2018-12-14T10:45:03.837

I think we largely agree then - VPN + RDP + precautions is what you want to aim for. I am pretty sure if your experts are as good as you claim the VPN will include shared keys or public private keys as well as username+password, and possibly IDS between the firewall and RDP available boxes. – davidgo – 2018-12-14T11:11:30.860

To mitigate with the MITM certificate attack (unknown certificate prompt), RDP can use Let's Encrypt certificates. I've set up a Windows service with https://certifytheweb.com/ and there is a built-in script to set the RDP certificate.

– Nathan – 2019-10-17T20:36:55.380

3

Sorry I'm late to the party, but I thought for your and other's future reference, you might find my experiences with a related issue -- let's just go with "interesting".

I setup an OpenVPN on a Linux server a while back. Linux has excellent logging features using IPTables (an amazing piece of networking software, BTW). I opened up the SSH port so I could transmit certificates.

That night, I reviewed the logs and discovered an outside actor started to brute force that port within seconds after exposing it on the router. Then, because they knew the account could be locked out after three failed attempts, their bot farm was using the same password, and rotating through account names, preventing the system from recognizing multiple failed attempts on the same account name. Then, because they must have realized that IPTables could block failed attempts from the same IP address, they only tried about six attempts from the same IP before shifting to another computer.

I say bot farm, because throughout the week (I locked out SSH soon after, but kept the port open so I could watch -- I was utterly fascinated) the number of IP's that the source came from was never repeated, every couple of seconds, every minute, every hour of every day -- six attempts and a new IP address showed up continuing from the same alphabetical list of account names.

Setup a VPN. Use certificates, and not account names. And don't expose things like RDP for more than a few hours, even if you do have an awesome system for creating passwords. Don't do it. (BTW, my account name was on his list, just waiting for him to reach the correct password.)

knockNrod

Posted 2018-12-06T12:12:20.830

Reputation: 141

1

Modeling the threats helps identify defensive measures. It's helpful to compare the threats and defenses to those of web services successfully used on the internet all the time.

Threat: Exploit in the code

  • Defense: Prompt patching. This is the same as for most internet services.

Threat: Brute-force password attacks

  • Defense: Lock-out after too many sign-ins. This is used by some internet services. This is fine for many sites, but for others, denial of service is a problem, with captcha being a solution. Since plain RDS doesn't support captcha, another defense is useful if lock-outs become a problem.

  • Defense: Authenticate client device. Most internet services don't do this because friction-free ubiquitous access is so important, and the defense isn't necessary for a secure system. RDS installations often have few client devices, making client authentication a practical option, which is useful if other defenses are inadequate.

Threat: Weak passwords

  • Defense: Device-assisted sign-in. As with internet services generally, the user-facing devices can store the remote sign-in secrets. The device authenticates the user via a low-friction challenge such as a per-device PIN or face recognition. Without the burden of having to frequently enter a cumbersome password, users are more likely to use choose strong passwords.

  • Defense: Strong password guidance. The benefit is the same for RDS as for internet services, although presenting guidance may not be practical for RDS, depending on the password change UI available.

  • Defense: Multi-factor authentication. The benefit is the same for RDS as for internet services, although for RDS, a complementary service is required.

  • Defense: Limit user access. Grant the user least privilege, similar to how on a website each user has limited access to the site's data.

Threat: Compromised client device

  • Defense: Multi-factor authentication. Same as above. However, as with internet services, if the device is already validated, the multi-factor check won't be performed.

Threat: Weak protocol versions

  • Defense: Configure only support of strong protocols. The web equivalent is disabling old SSL versions.

Securing Remote Desktop (RDP) for System Administrators has techniques for implementing many of these defenses.

Edward Brey

Posted 2018-12-06T12:12:20.830

Reputation: 1 350

Also DoS type threats - particularly significant for TCP. Prompt patching is only a very partial solution as very often exploits are not immediately known about or patched. The gold standard solution is "Defense in depth", which means multiple layers, such that if one layer is compromised the system is not breached. VPNS, firewalls, IDS as well as what you have listed are all layers THAT SHOULD BE COMBINED . Remote desktop is not typically considered a "web service" - ie not expected to be generally reachable. – davidgo – 2020-01-22T19:59:11.413

Asked: 2018-12-06T12:12:20.830

Viewed: 2 253 times

Active: 2019-11-16T15:02:33.207