Tuesday, June 11, 2013

How to Prevent RDP Brute Force Attacks

Tech forums and publications are buzzing with news of a tool that enables hackers to attack servers via the Remote Desktop Protocol (RDP), a protocol commonly used to administer remote servers that depends on a well-known port being reachable from outside. These brute force attacks are nothing new, but their frequency has sharply increased in recent months and is predicted to keep growing this year.

Understanding the Attacks

A successful brute force attack on an RDP server lets the attacker log in. The attacks seem to follow a simple methodology:

  • Scan a range of IP addresses.
  • The scanner looks for open ports usually used by RDP (e.g. 3389).
  • An RDP brute force attack is launched using dictionary terms as password guesses.

A successful login gives the attacker access to the drives of that server (via the shares \\tsclient\c and \\tsclient\d). This may give the attacker access to the server, potentially including areas usually hidden from external connections, such as local backups and development areas.

There are no reports of successful breaches yet, so the motives behind the attacks are unknown. Similar attacks in the past suggest that compromised servers could be used to launch further attacks and so spread and strengthen the campaign. They could also be used to install other malware or ransomware.

With this type of attack, Windows 2003 servers could also suffer memory exhaustion that causes them to reboot, and Windows 2008+ servers could fill their log files with failed-logon events. However, this type of attack is not aimed only at Windows servers — it is an IP-based attack.
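The attack pattern described above (dictionary guesses against a handful of common usernames from one address, which on Windows 2008+ shows up as a flood of failed-logon events) can be spotted in the Security log. The following PowerShell is an added example, not from the original post: it flattens Event ID 4625 records, then reports any source address whose failures inside a sliding time window exceed a threshold. The function names, the sample records, the threshold and the window are all my assumptions; real events come from Get-WinEvent as shown in the commented-out last lines.

```powershell
# Added example (not from the original post): find RDP password guessing in
# Windows Security log failed-logon events (Event ID 4625).
# Logon type 10 = RemoteInteractive (RDP). Type 3 (network) also appears when
# Network Level Authentication rejects the credentials before a session exists.

function ConvertFrom-FailedLogonEvent {
    # Turn a 4625 event object from Get-WinEvent into a flat record.
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            IpAddress   = $d['IpAddress']
            TargetUser  = $d['TargetUserName']
            LogonType   = [int]$d['LogonType']
        }
    }
}

function Find-RdpBruteForce {
    # Report source addresses with more than $Threshold failures inside any
    # $WindowMinutes-long window (sliding window over time-sorted events).
    param(
        [Parameter(Mandatory = $true)] [object[]] $Failures,
        [int] $Threshold = 10,          # assumption: tune to your environment
        [int] $WindowMinutes = 5        # assumption: tune to your environment
    )
    $window = [TimeSpan]::FromMinutes($WindowMinutes)
    $Failures |
        Where-Object { (3, 10) -contains $_.LogonType } |
        Group-Object IpAddress |
        ForEach-Object {
            $times = @($_.Group | Sort-Object TimeCreated | Select-Object -ExpandProperty TimeCreated)
            $start = 0; $peak = 0
            for ($i = 0; $i -lt $times.Count; $i++) {
                # Advance the window start until it is within $window of event $i.
                while (($times[$i] - $times[$start]) -gt $window) { $start++ }
                $peak = [Math]::Max($peak, $i - $start + 1)
            }
            if ($peak -gt $Threshold) {
                [pscustomobject]@{
                    IpAddress     = $_.Name
                    TotalFailures = $_.Count
                    PeakInWindow  = $peak
                    UsersTried    = (($_.Group | Select-Object -ExpandProperty TargetUser | Sort-Object -Unique) -join ',')
                }
            }
        }
}

# Constructed sample data (not real log output): one address cycling through
# common usernames every 10 seconds, and one administrator mistyping a
# password twice. Addresses are documentation ranges (RFC 5737).
$base   = Get-Date '2013-06-11 08:00:00'
$names  = 'administrator', 'admin', 'root', 'test', 'owner'
$sample = @()
for ($i = 0; $i -lt 15; $i++) {
    $sample += [pscustomobject]@{ TimeCreated = $base.AddSeconds(10 * $i); IpAddress = '198.51.100.23'; TargetUser = $names[$i % 5]; LogonType = 10 }
}
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(3); IpAddress = '203.0.113.10'; TargetUser = 'jsmith'; LogonType = 10 }
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(4); IpAddress = '203.0.113.10'; TargetUser = 'jsmith'; LogonType = 10 }

Find-RdpBruteForce -Failures $sample | Format-Table -AutoSize

# Against the live Security log (run in an elevated session):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ConvertFrom-FailedLogonEvent
# Find-RdpBruteForce -Failures $live -Threshold 10 -WindowMinutes 5
```

The sample is built so that the address cycling through standard usernames at machine speed crosses the threshold while the administrator's two typos do not; the UsersTried column is what separates a password-guessing source from a single user with a forgotten password. A sliding window rather than a plain count per address keeps a slow, months-old trickle of failures from being reported alongside an active run.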

Preventing the Attacks

As with any emerging threat, there are precautions that those running RDP on their servers can take.

  • Use strong passwords for your RDP sessions including:
    • One or more special characters such as !@#$%^&*()
    • At least one number, preferably two or more
    • A mix of upper and lower case
    • At least 7 characters in length
    • A non-dictionary word
  • Do not use standard usernames (root, admin, owner, test).
  • Implement an account lockout policy that locks the account after a set number of failed logins.
  • Use an alternative port instead of leaving RDP port 3389 open for anyone to abuse. To change it automatically, use Microsoft Fix It.
  • Consider locking the RDP port to a specific IP address.
  • On Windows 2008 (and Server 2012), enable Network Level Authentication, which means the session cannot be established until the credentials are authorized.
  • Ensure you have all the latest patches installed.
  • Have a plan to be proactive and monitor for attack attempts.
  • Limit RDP access to only the accounts that require it.
  • If external access is needed, configure a VPN tunnel.
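Several of the steps above (account lockout, an alternative port, restricting RDP to one address, Network Level Authentication, and limiting which accounts may connect) can be applied from an elevated PowerShell session. The script below is an added example, not the post's or Microsoft's own tooling; it assumes Windows Server 2008 R2 or later, and the management address 203.0.113.10, the port 33890 and the lockout numbers are placeholders to replace with your own values. On a domain-joined host the domain's lockout policy takes precedence over the local one set here.

```powershell
# Added example (not from the original post): apply the RDP hardening steps
# from an elevated PowerShell session. All values below are placeholders.
$AllowedAdminIp = '203.0.113.10'   # placeholder: the only address allowed to reach RDP
$NewRdpPort     = 33890            # placeholder: alternative port instead of 3389
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Account lockout: lock after 5 failures for 30 minutes, and reset the
#    failure counter after 30 minutes (placeholder numbers; local policy only).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 2. Require Network Level Authentication so credentials are checked before
#    a session is created (UserAuthentication = 1).
Set-ItemProperty -Path $RdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Firewall first, so the new port is reachable before RDP moves to it:
#    disable the built-in rules that open 3389 to any address, then allow
#    the new port only from the management address.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
netsh advfirewall firewall add rule name=RDP-Restricted-Inbound dir=in action=allow protocol=TCP localport=$NewRdpPort remoteip=$AllowedAdminIp

# 4. Move RDP off the default port. The change takes effect when the Remote
#    Desktop Services service restarts or the host reboots; restarting the
#    service drops active sessions, so do it in a maintenance window:
#    Restart-Service TermService -Force
Set-ItemProperty -Path $RdpTcp -Name 'PortNumber' -Value $NewRdpPort -Type DWord

# 5. Limit RDP to the accounts that need it: review the local group that
#    grants the right (members of Administrators can always connect).
net localgroup "Remote Desktop Users"

# 6. Verify what was applied.
Get-ItemProperty -Path $RdpTcp | Select-Object PortNumber, UserAuthentication
net accounts
```

Run the firewall step before the port change, and keep an existing session open until a fresh connection to the new port from the allowed address succeeds, so a typo in the placeholder values cannot lock you out. Changing the port hides the service from scanners that only probe 3389; it is the lockout policy, NLA and the address restriction that actually stop the password guessing.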

RDP is a great tool used by administrators and users alike to establish multiple connections to a system, but there's a risk if the connections and software aren't secure. Knowing how RDP works, why it’s being used, and what can be done to secure it will help administrators to get a better grasp on server security.