The recent discovery of several security vulnerabilities targeting Remote Desktop Protocol (RDP) has led to warnings that we should immediately patch Windows. CVE-2019-0708 (BlueKeep), CVE-2019-1181 (BlueKeep II), and CVE-2019-1182 (BlueKeep III) all rely on the fact that many admins still set up servers and leave them open to remote access over the internet.
Reviewing who or what is accessing your Remote Desktop Services (RDS) can be a difficult process. The log files and artifacts left by Remote Desktop are not the easiest to track. For years, the way many attackers gained access to a server hosted in a data center was to use the tool TSgrinder to brute-force a system password.
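Because the relevant events are scattered through the Security log, it helps to reduce them to a per-source summary. The following is an added example, not code from the original article: a PowerShell function that groups failed logon (Event ID 4625) records by source address and flags any source that exceeds a threshold of failures inside a short window, which is the pattern password-guessing tools such as TSgrinder leave behind. The input objects are constructed here so the function runs offline; on a real host they would be built from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` by reading the IP address, logon type and target account out of each event's `Properties`. The threshold, window and sample addresses are assumptions.

```powershell
# Added example (not from the original article). Summarise failed logons by source
# address to surface password guessing against RDP. Input objects need four fields:
# IpAddress, LogonType, TimeCreated, TargetUser.

function Find-RdpPasswordGuessing {
    param(
        [Parameter(Mandatory)] [object[]] $FailedLogons,
        [int] $Threshold = 10,        # failures from one source that count as guessing (assumed)
        [int] $WindowMinutes = 10     # ...within this many minutes (assumed)
    )

    # Logon type 10 = RemoteInteractive (classic RDP). When Network Level Authentication
    # is enabled, failed RDP attempts are commonly logged as type 3 (Network) instead,
    # so both are kept. Local loopback sources and the '-' placeholder are ignored.
    $rdpFailures = $FailedLogons | Where-Object {
        ($_.LogonType -in @(3, 10)) -and ($_.IpAddress -notin @('-', '127.0.0.1', '::1'))
    }

    foreach ($group in ($rdpFailures | Group-Object IpAddress)) {
        $times = @($group.Group | Sort-Object TimeCreated | Select-Object -ExpandProperty TimeCreated)

        # Sliding window: does any run of $Threshold consecutive failures fit in $WindowMinutes?
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $group.Count
                    Accounts  = ($group.Group.TargetUser | Sort-Object -Unique) -join ','
                    FirstSeen = $times[0]
                    LastSeen  = $times[-1]
                }
                break
            }
        }
    }
}

# Constructed sample input: one source trying 12 passwords across three accounts in
# three minutes, and one genuine mistyped password from a different address.
$base   = Get-Date '2019-08-15T10:00:00'
$sample = @()
1..12 | ForEach-Object {
    $sample += [pscustomobject]@{
        IpAddress   = '203.0.113.7'
        LogonType   = 3
        TimeCreated = $base.AddSeconds(15 * $_)
        TargetUser  = @('administrator', 'admin', 'backup')[$_ % 3]
    }
}
$sample += [pscustomobject]@{
    IpAddress = '198.51.100.20'; LogonType = 10; TimeCreated = $base.AddMinutes(5); TargetUser = 'jsmith'
}

# Only 203.0.113.7 is reported; the single failure from 198.51.100.20 stays below the threshold.
Find-RdpPasswordGuessing -FailedLogons $sample | Format-Table -AutoSize
```

Tune the threshold and window to the host: a terminal server used by many people will see more legitimate failures than an admin-only jump box, and a slow guess rate spread over hours will only show up if the window is widened accordingly.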
Why do we still use Remote Desktop to connect to servers when we know that it’s less than ideal? Why are we still using it to connect to Azure virtual machines as well? Let’s face it, it’s familiar. It uses tools and techniques that we’ve used for years. It provides us with a resulting desktop that we’re familiar with. That familiarity means that attackers are familiar with it, too.
Recommendations for minimizing RDP risk
The first recommendation is only one step away from direct exposure of port 3389, over which Remote Desktop runs, but it’s a key step: by using the native Windows firewall, you can set up a rule that limits access to a machine’s RDP port to specific IP addresses. While this won’t protect machines from the latest RDP vulnerabilities, it does protect machines from brute-force password attacks.
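Here is how that rule looks in practice, as an added example rather than code from the original article. It scopes the built-in "Remote Desktop" firewall rule group (the rules that enabling Remote Desktop in System Properties switches on) to an allow-list of source addresses, makes sure the profiles default to blocking unsolicited inbound traffic so no other rule quietly re-opens port 3389, and then prints the resulting address filter for verification. The addresses in `$AllowedSources` are placeholders to be replaced with the management network or jump host that should be allowed; the commands need an elevated PowerShell session.

```powershell
# Added example (not from the original article). Restrict inbound RDP (TCP 3389)
# to an allow-list of source addresses with the built-in Windows firewall.

# Placeholder addresses: replace with the jump host / VPN range that may use RDP.
$AllowedSources = @('203.0.113.10', '198.51.100.0/24')

# 1. Scope every inbound rule in the built-in "Remote Desktop" group to the allow-list.
#    After this, the existing allow rules only match traffic from those sources.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $AllowedSources -Enabled True

# 2. Make sure each profile drops inbound traffic that no rule allows. Without this,
#    a permissive default would let connections to 3389 through regardless of step 1.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 3. Verify: list the remote-address filter now attached to each Remote Desktop rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = ($filter.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

Two things to check afterwards: first, that no other inbound rule (a custom one, or one created by a third-party product) allows TCP 3389 from `Any`, since such a rule would bypass the scoping above; second, that the allow-list really contains the address you administer from, because a mistake here locks you out of the very session you are working in.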