topic Re: Rdp windows in General Topics

Rdp windows

simsim — Fri, 01 May 2020 21:17:19 GMT

Hi,

is it a good idea giving access to public windowd rdp ?.

Folks says do not publish outside

Any good reason for this ?

Thanks

Re: Rdp windows

nextgenhappines — Fri, 01 May 2020 22:14:27 GMT

Let me understand your question,

Allow anyone from Internet able to connect to a system listen on Remote Desktop protocol on your network? Is that what you are asking?

1. How update is the system patch level?

2. There could be a chance of non-publicly disclosure bugs on RDP can use a backdoor (also known as 0 days attack, which I disagree with that term).

3. How is the password complexity and length? Does it require multi factor authentication? Is it a client cert based login authentication?

4. If I am able to login to that host, is that system part of Corp Active Directory? How secured is the AD admin accounts?

and more and more...

Re: Rdp windows

simsim — Sat, 02 May 2020 01:19:06 GMT

Allow anyone from Internet able to connect to a system listen on Remote Desktop protocol on your network? Is that what you are asking?

yes and ofcourse we will give them credentials

3 . How is the password complexity and length? Does it require multi factor authentication? Is it a client cert based login authentication?

No mfa

no cert based auth

4 . If I am able to login to that host, is that system part of Corp Active Directory? How secured is the AD admin accounts?

What is the relations Ad admin accounts security with that

Thanks

Re: Rdp windows

nextgenhappines — Sat, 02 May 2020 03:08:34 GMT

Let's see, once I am able to RDP login to a host which is part of the AD. The opportunity is endless.

I can start by following these steps which I just finish #2,

Reconnaissance
Initial intrusion into the network
Establish a backdoor into the network
Obtain user credentials
Install various utilities
Privilege escalation/ lateral movement/ data exfiltration
Maintain persistence

Google "pass the hash" , "windows privilege escalation"

or I just drop a ransomware on the file servers to lock all the user data , etc. etc...

Re: Rdp windows

simsim — Sat, 02 May 2020 04:12:26 GMT

In that case what If I go for without joining domain (Work station )

Thanks

Re: Rdp windows

SutareMayur — Sat, 02 May 2020 08:25:10 GMT

@simsim,

Better approach will be allow Remote Access over custom port instead of 3389.

Mayur

Re: Rdp windows

simsim — Sat, 02 May 2020 08:53:42 GMT

Hi,

I am trying to understand what are the pros and cons .

If I give without joining domain is there any benefit

Thanks

Re: Rdp windows

nextgenhappines — Sat, 02 May 2020 12:00:05 GMT

@simsim

The pro is easy to setup to allow remote access to your network using RDP..

The con is without sufficient protection and monitoring in place (ie MFA, patch system, log monitoring), once the hacker gains access via RDP. The damage that can cause is unlimited.

Re: Rdp windows

SutareMayur — Sat, 02 May 2020 13:11:31 GMT

Agreed with @nextgenhappines .

RDP over the internet is most insecure way of providing access. Attackers can also exploit vulnerable RDP services to perform remote code execution and seize control over targets.

Better approach would be allowing access over VPN. If not possible over VPN, give access over custom port instead of default port.

Hope it helps!

Mayur

Re: Rdp windows

simsim — Sat, 02 May 2020 20:08:36 GMT

Hi,

If I change the default port to a different what is the possibility of identifying rdp service on that port by an attacker

Thanks

Re: Rdp windows

SutareMayur — Sun, 03 May 2020 06:22:25 GMT

@simsim ,

If you use custom port for RDP connection, then it decreases probability of hacking that port. As there're 65535 ports so it will be difficult for attacker to know the exact custom port. Technically porte will be less than 65535 as some of the ports are reserved still you get my point right..

My personal opinion would be not to open direct RDP access over the internet. But if you don't have any other options like VPN and still you want to open it, then go for above option of custom port.

Mayur

Re: Rdp windows

BPry — Sun, 03 May 2020 13:46:00 GMT

The whole "obscure RDP by changing the port" thing doesn't really work anymore, and hasn't for probably a decade. Will it take additional time for someone to scan your public-ip and actually discover the port, sure. Since you aren't using the default of 3389 (and hopefully nothing near that, as many scanners will include 3389+- 15 ports) then you won't get picked up by some scanning because they are only looking for the easy targets.

You will still eventually be scanned and picked up and known to be running RDP on a non-common port. It's not like a port scan is a difficult thing to do, and we have organizations that exists to scan the internet and publish all open ports. Once you open up RDP, even on non-default ports, you've opened up RDP to the outside world.