Leadership

There are lots of things in cyber security to consider when looking at how to defend a network, and whilst the world goes mad about public wifi and juice jacking, the real threats are often far simpler. Imagine having, say, an Active Directory domain member, or even a domain controller, exposed to the internet with Remote Desktop Protocol (RDP). It might sound insane, but this is a common route of entry for ransomware actors.

Exposed RDP can, in my opinion, be a critical vulnerability. It really does depend on the details, and from a black box/external position it’s hard to know, so when I find one I tend to make a fuss, because it needs someone to do a clear box/crystal box/white box review. It’s far better to be safe than sorry when it comes to this.

People expose all kinds of things with RDP: sometimes they expose domain member servers where domain users are in the Remote Desktop Users group, and sometimes they expose a domain controller! (yikes)

The challenge with this is that sometimes the server/domain does not have an account lockout policy configured (or the policy is poor); other times, stolen credentials simply make this a route for network access.

Kill Chains

  • Brute Force/Dictionary Attacks directly against RDP (with or without NLA enabled)
  • Stolen/Valid Credentials used to log into an exposed RDP service
    • Someone might phish for creds or get them from a breach collection/buy the credentials etc.

Once they log in, it really depends on the context: sometimes they already have local or even domain admin from the first logon. Other times, attacking Active Directory is required, etc.

They can then:

  • Steal Data
  • Deploy payloads/ransomware
  • Conduct other operations (e.g. espionage etc.)
  • Move laterally or use as a zombie/position to attack others

So none of that is ‘good’ from a defender point of view.

Community Good

The cyber security community does lots of good. You might find a good cyber citizen discovers an exposed RDP server and lets you know. Working out real community people vs. beg bounty should not be too hard: the real ones won’t be asking for anything (especially not money).

So if you get a report from someone saying there’s open RDP, say thanks, investigate, and then take action if appropriate. Shouting POC || GTFO is not a great response; we all know we can’t just ‘magic’ our way inside, but if you have an exposure, someone else might be doing far more than letting you know!

Shout out to some people who do things to help others:

  • foilmanhacks
  • SchizoDuckie
  • uidzero
  • infosux
  • CalumBoal

and many many others!

Defending RDP

Organisations should conduct continual/regular attack surface monitoring to understand their internet-exposed surface. They also probably want to think about their suppliers as well (how you do that could be through contractual mechanisms or through third-party tools).

If you have RDP exposed consider this:

  • Using allow lists
  • Using a VPN in front of this
  • Using Entra Global Access for pre-auth
  • Using a different approach
  • Ensuring you have brute force protection
  • Monitoring for suspicious logons
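As an added example (not the author's code), here is the kind of detection that "monitoring for suspicious logons" and "brute force protection" imply for the kill chain above: it walks constructed records shaped like Windows Security events 4625/4624, flags a source that racks up many failed RDP logons inside a short window, and flags a success from that same source afterwards. The record fields, thresholds and sample IPs are assumptions, not taken from a real log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records shaped like the fields of Windows Security events
# 4625 (failed logon) and 4624 (successful logon). Not real log data.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "id": 4625, "logon_type": 3, "user": "administrator", "ip": "203.0.113.9"},
    {"time": "2024-05-01T10:00:03", "id": 4625, "logon_type": 3, "user": "admin", "ip": "203.0.113.9"},
    {"time": "2024-05-01T10:00:05", "id": 4625, "logon_type": 3, "user": "backup", "ip": "203.0.113.9"},
    {"time": "2024-05-01T10:00:07", "id": 4625, "logon_type": 3, "user": "svc-backup", "ip": "203.0.113.9"},
    {"time": "2024-05-01T10:00:09", "id": 4625, "logon_type": 3, "user": "svc-backup", "ip": "203.0.113.9"},
    {"time": "2024-05-01T10:00:11", "id": 4625, "logon_type": 3, "user": "svc-backup", "ip": "203.0.113.9"},
    {"time": "2024-05-01T10:00:40", "id": 4624, "logon_type": 10, "user": "svc-backup", "ip": "203.0.113.9"},
    {"time": "2024-05-01T10:05:00", "id": 4625, "logon_type": 10, "user": "jsmith", "ip": "198.51.100.7"},
    {"time": "2024-05-01T10:05:30", "id": 4625, "logon_type": 10, "user": "jsmith", "ip": "198.51.100.7"},
    {"time": "2024-05-01T10:06:00", "id": 4624, "logon_type": 10, "user": "jsmith", "ip": "198.51.100.7"},
    {"time": "2024-05-01T11:00:00", "id": 4624, "logon_type": 10, "user": "jsmith", "ip": "192.0.2.5"},
]

# Logon type 10 is RemoteInteractive (RDP). When NLA is enabled, failed RDP
# authentication is commonly recorded as a type 3 (network) 4625 instead.
RDP_LOGON_TYPES = {10, 3}


def detect_rdp_logon_abuse(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: set of findings}.

    "brute_force": at least `threshold` failed RDP logons from one source inside `window`.
    "success_after_brute_force": a successful logon from a source already in a brute-force burst.
    A couple of failed logons followed by a success (a typo) does not fire on its own.
    """
    findings = defaultdict(set)
    recent_failures = defaultdict(deque)  # source ip -> timestamps of failures still inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(ev["time"])
        q = recent_failures[ev["ip"]]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if ev["id"] == 4625:
            q.append(ts)
            if len(q) >= threshold:
                findings[ev["ip"]].add("brute_force")
        elif ev["id"] == 4624 and len(q) >= threshold:
            findings[ev["ip"]].add("success_after_brute_force")
    return dict(findings)
```

A lockout policy or a rate limiter is what actually stops the burst; this only tells you it happened, and the second finding is the one worth paging on.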

Often people just say ‘don’t expose it’, and if you can do that, great. But a well defended RDP service is possible; like many things in cyber, it depends!