RDP, or Remote Desktop Protocol, is a very convenient way to access the graphical interface of a computer in your facility. Unfortunately, it is also a convenient way for others to access your facility. When implemented correctly it can be a secure and powerful tool. This article is intended to provide a brief outline of Remote Desktop Protocol use cases, basic vulnerabilities and possible pitfalls. It is not intended as a step-by-step guide; our standard disclaimer applies.
Remote Desktop Protocol
Remote Desktop Protocol is a component of Microsoft Remote Desktop Services (formerly known as Terminal Services) and has been included with Windows since Windows NT. Having Remote Desktop Services (an RDP server) running on a Windows installation allows a user to remotely access the graphical “desktop” interface over a network connection. Microsoft has client applications available for a wide range of devices, including Microsoft, Apple and Android applications.
Down the Licensing Rabbit-hole
The only purpose of RDP is to access the graphical interface on a remote computer, but if we step back for a second, why do you need to access the graphical interface on a remote computer? Is it for convenience? Are you working remotely but don’t want to (or can’t) relocate the physical hardware? Are you trying to find a way to allow more than one user to connect to that computer? While the first few questions are all valid reasons to access a computer remotely, let’s review the latter. What does licensing actually allow? According to Microsoft, for the Windows Server architecture:
“Each user and device that connects to a Remote Desktop Session host needs a client access license (CAL).”
The statement from Microsoft explains why Windows 10 Professional only allows one user to connect at a time. It also explains why the local user is “logged out” (technically just locked) of the local desktop when an RDP user connects remotely. To allow multiple simultaneous users to connect to a Windows computer, the licensing must be updated, which involves using Windows Server and brings new acronyms, such as VDI and CAL, into the mix. Licensing for Remote Desktop Services is a huge topic reserved for another blog post.
If you are remotely connecting to a computer running your SCADA system, there are multiple vendors, such as Wonderware or Citect, that offer remote access licensing features that don’t necessarily require you to upgrade or change your Windows installation. In addition to solving some licensing issues, an advantage of the target software directly supporting remote access is that the operator interface can be customized for the target device. For example, instead of scrolling around a desktop-sized screen on your mobile, you can access pages specifically sized for mobile devices.
Back to RDP - Open the Gates
In order for remote clients to connect to a Remote Desktop Protocol server, the server must be accessible to the remote client. If the remote client is attempting to connect via the Internet, then the RDP server must be accessible over the internet somehow. It is the “somehow” that starts the discussion. The most straightforward, and least secure, method is simply opening a port on your firewall and configuring your gateway to forward the port to the RDP server. By “opening” the server up to the internet, you are allowing remote clients to send incoming packets directly to the server, typically on port 3389.
Using a website like SHODAN, people around the world can search for protocols such as RDP and see all computers with it enabled and exposed to the internet. This search is similar to using Google and is often used by hackers to find exploitable devices. If your computer or server has or had RDP enabled, it may show up on SHODAN for anyone to see. The attacker could see your IP address and approximate location and be presented with a prompt to enter a username and password. Although (hopefully) protected by a password, there is a possibility it can still be breached using brute-force attacks or Windows exploits.
Shots in the Dark
A brute-force attack is where someone (or an automated process) tries something over and over again in different ways until it works. In the case of breaking into your computer with RDP, it involves trying different passwords repeatedly until one works. A typical RDP configuration uses simple password-based authentication. An attacker can try millions and millions of passwords until they get yours right, if they have enough time and resources.
To deploy a brute-force attack, there are different techniques the attacker can use. The first is trying different combinations and quantities of characters until one works. This exhaustive approach has an extremely high chance of eventually working, as all possible combinations of letters, numbers and symbols will be tried. However, the downside is that it takes an extremely long time to execute, even at computer speeds, and may require the attacker to change their IP address frequently if they get locked out. This is one of the important reasons for having complex passwords: the more variety in characters and the longer the password, the longer it will take to crack.
The second, potentially faster, method is to use data dumps: previously hacked passwords that have been released to the internet. Each of these can contain thousands and thousands of username and password combinations. From these dumps there are often very common themes, with many people using the same passwords across sites. In 2019 the most common password found in data dumps was 123456, which was found 23.2 million times. Statistically speaking, if you are using a common password found on lists like these, the hacker will get in significantly faster. A third method is more targeted: if someone knows they want to access your data specifically, they can try using key words from your life, such as where you grew up and your pets’ names.
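As an added illustration of the two attack styles above (this is example code written for this page, not code from the original article), here is a small Python password-policy check a defender might run before accepting an RDP account password. It first rejects anything found on a common-password list, because a dump-based attack beats any keyspace estimate, and only then estimates the search space from the character classes used. The common-password list (with 123456 standing in for the entry the article cites), the 60-bit minimum and the guess rate are all constructed assumptions.

```python
import math
import string

# Constructed stand-in for a breach/common-password list (assumption, not real dump data).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "111111", "abc123", "letmein",
    "welcome", "admin", "iloveyou", "123456789",
}

# Character classes and alphabet sizes used to size an exhaustive search.
CHAR_CLASSES = (
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation), len(string.punctuation)),  # 32 symbols
)


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive attack must cover for the classes present."""
    alphabet = sum(size for _, chars, size in CHAR_CLASSES
                   if any(c in chars for c in password))
    return alphabet ** len(password) if alphabet else 0


def entropy_bits(password: str) -> float:
    """log2 of the keyspace; 0 for an empty password."""
    space = keyspace(password)
    return math.log2(space) if space else 0.0


def crack_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at an assumed guess rate."""
    return keyspace(password) / guesses_per_second


def assess(password: str, min_bits: float = 60.0) -> dict:
    """Reject list entries first, then anything whose keyspace is below min_bits."""
    bits = entropy_bits(password)
    if password.lower() in COMMON_PASSWORDS:
        return {"ok": False, "reason": "appears in common-password list", "bits": bits}
    if bits < min_bits:
        return {"ok": False, "reason": f"keyspace only {bits:.1f} bits", "bits": bits}
    return {"ok": True, "reason": "acceptable", "bits": bits}


if __name__ == "__main__":
    for candidate in ("123456", "password1", "Tr0ub4dor&3"):
        verdict = assess(candidate)
        print(f"{candidate!r}: {verdict['reason']} "
              f"(~{crack_seconds(candidate):.2e} s to exhaust)")
```

Note that 123456 has a keyspace of only about 20 bits and is rejected by the list check before the keyspace is even considered; a password made of nine lower-case letters and digits sits near 46 bits and still fails the threshold, while mixing all four classes over eleven characters passes.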
Denying Your Own Service
Using a strong password (or passphrase) can slow down an attack but may not prevent it. The careful balance between convenience and security must be evaluated to determine the best method of defense. For example, if you wish to prevent brute-force style attacks, you can simply apply a lockout and retry delay on login attempts; however, now you must balance that against the possibility of denial of service. Could the login lockout be leveraged by a hacker simply to prevent you from accessing your own machine?
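The brute-force and lockout discussion above can be made concrete with detection logic. The following Python is an added example (not from the original article) that reads a constructed export of Windows Security log events, flags any source address with many failed RDP logons inside a sliding window, and, for the lockout trade-off, shows which sources drove a given account over a per-account lockout threshold, so an operator can tell a remote guessing campaign from a legitimate user's typos. The log lines, the CSV layout, the one-minute window and the thresholds are constructed assumptions; Event ID 4625 (failed logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are the standard Windows values.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (not real data). Fields:
# timestamp, EventID, LogonType, TargetUserName, IpAddress
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP, 2 = local console.
SAMPLE_LOG = """\
2024-05-01T08:00:01,4625,10,operator,203.0.113.7
2024-05-01T08:00:02,4625,10,operator,203.0.113.7
2024-05-01T08:00:02,4625,10,admin,203.0.113.7
2024-05-01T08:00:03,4625,10,operator,203.0.113.7
2024-05-01T08:00:04,4625,10,scada,203.0.113.7
2024-05-01T08:00:05,4625,10,operator,203.0.113.7
2024-05-01T08:00:06,4625,10,backup,203.0.113.7
2024-05-01T08:03:10,4625,10,operator,10.8.0.5
2024-05-01T08:03:25,4624,10,operator,10.8.0.5
2024-05-01T09:15:00,4625,2,operator,-
"""


def parse(log_text: str) -> list:
    """Turn the CSV-style export into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, user, ip = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "logon_type": int(ltype), "user": user, "ip": ip})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)) -> dict:
    """Source IPs with >= threshold failed RDP logons inside a sliding time window."""
    recent = defaultdict(deque)   # ip -> deque of (time, account) within the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue                 # only failed RDP logons count
        q = recent[ev["ip"]]
        q.append((ev["time"], ev["user"]))
        while q and ev["time"] - q[0][0] > window:
            q.popleft()              # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts[ev["ip"]] = {"failures": len(q),
                                "accounts": sorted({u for _, u in q}),
                                "first": q[0][0], "last": ev["time"]}
    return alerts


def accounts_locked_by(events, lockout_threshold=5) -> dict:
    """Under a per-account lockout policy, which accounts would lock and which sources caused it."""
    per_account = defaultdict(Counter)
    for ev in events:
        if ev["event_id"] == 4625:
            per_account[ev["user"]][ev["ip"]] += 1
    return {user: dict(srcs) for user, srcs in per_account.items()
            if sum(srcs.values()) >= lockout_threshold}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, info in detect_rdp_bruteforce(evs).items():
        print(f"ALERT {ip}: {info['failures']} RDP failures against {info['accounts']}")
    for user, srcs in accounts_locked_by(evs).items():
        print(f"LOCKOUT {user}: failures by source {srcs}")
```

In the sample, one external address produces seven failures across four accounts in six seconds and is flagged, while the VPN client at 10.8.0.5 that mistypes once and then succeeds is not. The lockout view shows the point of the trade-off: the operator account would be locked almost entirely because of the external source, and the legitimate user behind 10.8.0.5 would be the one denied service.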
In addition to strong passwords, the practices you use should be strong as well. RDP, although useful and convenient, is not a strong practice and is full of easily exploitable vulnerabilities. One example is known as “BlueKeep”, which allows hackers to gain access to exposed and unpatched Windows machines. BlueKeep is known as a wormable exploit, which means it can replicate itself to spread to other computers. This exploit is present in all unpatched versions of Windows 2000 to Windows 7, with variations appearing on Windows 8 and Windows 10. According to a BinaryEdge scan done by ZDNet.com, there are still 700,000 systems unpatched and vulnerable to this exploit.
Now that we have reviewed the background and basic vulnerabilities associated with RDP, do you still need remote access? If yes, then continue on and let’s review some leading options.
1. Stick with RDP but add some additional layer(s) of defense. Keep the RDP server on the local network and don’t expose it directly to the internet. A Virtual Private Network (VPN) connection can be established to create a secure tunnel around the RDP connection; essentially, the remote client will appear as part of the Local Area Network (LAN).
2. Disable RDP when not in use. If you are using it for tech support, someone on site can enable it while you are supporting the facility and then disable it when you are done. This will slightly reduce the probability of someone malicious getting in, as there is still a window for attack while connected.
3. The best option to protect your facility is to disable RDP altogether. Thankfully, there are much safer alternatives for remote access. The safest option is to use a Virtual Private Network (VPN). A VPN connects a computer or device on another network to your network. VPNs require a password as well as a certificate to gain access. The certificate is what reduces the probability of exploitation significantly.
4. Directly access facilities using a third-party service (application) on the local computer without a VPN requirement. This is a very appealing option as it transfers part of the risk to a third-party provider. Examples of this include TeamViewer and Splashtop, both of which give remote access to a computer’s interface. They require the user to download and install software at both ends: the remote computer and the device that is accessing it. The main advantage of these services is that they use an outgoing connection rather than an incoming connection, which allows your router to be configured to block incoming connections. The software can track who is accessing the remote computer, providing a record of access. Exploiting these tools is significantly harder, as the vendors have a full IT team ensuring vulnerabilities are patched, rather than relying on the operations staff to do so. Typically, these services can also lock out users if passwords are entered incorrectly too many times, making a brute-force attack very unlikely.
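Option 1 above (keep the RDP server on the LAN and reach it only through a VPN) comes down to what the firewall allows to reach TCP/3389 and from where. The following Python is an added example, not part of the original article, that evaluates a simplified, first-match rule list against a few probe source addresses so the “port forwarded to the whole internet” configuration can be compared with the VPN-only one. The rule syntax, the 10.8.0.0/24 VPN client subnet, the 192.168.1.0/24 LAN and the probe addresses are constructed assumptions, not any real firewall’s export format.

```python
import ipaddress

# Constructed, simplified rule syntax (assumption, not a real firewall export):
#   "<allow|deny> <proto> <port> <source CIDR or any>", evaluated first-match, default deny.
EXPOSED_RULES = [
    "allow tcp 3389 any",             # the simple port forward: anyone on the internet may connect
]

VPN_ONLY_RULES = [
    "allow tcp 3389 10.8.0.0/24",     # assumed VPN client subnet
    "allow tcp 3389 192.168.1.0/24",  # assumed local LAN
    "deny tcp 3389 any",              # everything else is refused explicitly
]

# Constructed probe sources: an internet address, a VPN client, a LAN host.
PROBES = {"internet": "198.51.100.23", "vpn_client": "10.8.0.5", "lan_host": "192.168.1.20"}


def _parse_rule(rule: str):
    action, proto, port, src = rule.split()
    net = ipaddress.ip_network("0.0.0.0/0") if src == "any" else ipaddress.ip_network(src)
    return action, proto, int(port), net


def is_reachable(rules, proto: str, port: int, src_ip: str) -> bool:
    """First matching rule decides; no match means the implicit default deny."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        action, r_proto, r_port, net = _parse_rule(rule)
        if r_proto == proto and r_port == port and ip in net:
            return action == "allow"
    return False


def audit_rdp(rules, probes=PROBES) -> dict:
    """Map each probe source to whether it could reach the RDP port (TCP/3389)."""
    return {name: is_reachable(rules, "tcp", 3389, ip) for name, ip in probes.items()}


def exposed_to_internet(rules) -> bool:
    """True when the rule set lets the internet probe reach RDP at all."""
    return audit_rdp(rules)["internet"]


if __name__ == "__main__":
    for label, rules in (("exposed", EXPOSED_RULES), ("vpn-only", VPN_ONLY_RULES)):
        print(label, audit_rdp(rules), "INTERNET-EXPOSED" if exposed_to_internet(rules) else "ok")
```

With the exposed rule set every probe, including the internet address, reaches 3389, which is exactly the footprint a SHODAN-style scan would index; with the VPN-only set the internet probe is refused while VPN clients and LAN hosts still get through.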
The above options are just the beginning; there are numerous options available to access your systems. As this is not a one-size-fits-all solution, it comes down to each client’s specific system, tolerance for risk, and budget.