Your specialist subject? The bleedin' obvious... Feds warn of RDP woe

We'd assume sysadmins knew this, if SamSam wasn't still rampaging through networks

The FBI and the US Department of Homeland Security have added their voices to warnings of insecure deployments of Remote Desktop Protocol (RDP) services.

RDP servers can be left misconfigured, or poorly secured, allowing scumbags to waltz into networks and cause further damage. Compromised logins are so abundant they fetch a mere $10 a pop on dark web souks, all-too-many people hand over their logins to scammers, and vulnerable systems wind up with ransomware scrambling their files, as Hancock Health in Indiana discovered earlier this year.

Of the RDP-spread ransomware infections the FBI's advisory highlighted on Thursday, probably the one striking the most fear into sysadmin hearts was SamSam, a campaign that started in 2015 and has since then earned its operators an estimated US$5.9m in illicit gains.

SamSam rose to prominence following a Talos warning in 2016 and has plagued hospitals, schools, and US city administrations.

band_aid_648

Microsoft to lock out Windows RDP clients if they are not patched against hijack bug

READ MORE

The FBI/DHS public service announcement reiterates what sysadmins (and home users) should know, but all too often aren't acting on. Whether business or home, the statement said, you should “review and understand what remote accesses their networks allow and take steps to reduce the likelihood of compromise, which may include disabling RDP if it is not needed.”

The most common vulnerabilities, the agencies said, are weak passwords enabling brute-force or dictionary attacks; old versions using CredSSP encryption and therefore allowing man-in-the-middle attacks; unrestricted access to TCP port 3389 from anywhere in the world; and allowing unlimited login attempts to RDP accounts.

The agencies' advice is mundane, but worth reiterating: audit your use of RDP and disable it if you can (especially on critical devices), install all available patches, use strong and secret login credentials, and block TCP port 3389 from cloud VM instances and any IP address ranges you never use.

So, essentially, firewall RDP, use a VPN for access, enforce strong passwords and lockout policies, use multi-factor authentication, keep RDP access logs for 90 days and actually look at them for intrusion attempts, and make sure any contractors with RDP access stick to your policies. ®




Biting the hand that feeds IT © 1998–2018