How to protect your RDP access from ransomware attacks
You didn’t believe that the ransomware wave was about to come to an end, did you, huh? After all, reports of massive ransomware campaigns have been on the decline, so it’s reasonable to believe this. However, the recent radio silence may be due to some recent developments in the field.
Ransomware attacks are becoming more targeted as a means of increasing their effectiveness, and the Remote Desktop Protocol (RDP) is one of the most common attack vectors. Remote desktop is exactly what it sounds like: a feature that allows you to control a computer from a distance. With the software currently available it almost feels as if you are sitting behind that computer, which is one of the factors that make it potentially dangerous.
Threat actors obtain login credentials for a remote desktop session through social engineering or brute force attacks. They can use this access to deploy specialized tools to accomplish the following tasks:
- Elevate their privileges (when needed)
- Leave backdoors open for future use
- Extend their control over a larger portion of the infiltrated network
- Deploy ransomware and leave payment instructions
It is the first three steps that businesses should pay close attention to, because they are the ones that must be investigated after a breach has been discovered.
By paying the ransom, you are providing the threat actors with the means to continue their criminal activities, and we feel obligated to inform you of this. However, we are also aware that there are times when you simply have no choice. What you do have control over, on the other hand, is doing everything in your power to prevent this type of attack from occurring.
If you want to deploy software to allow you to remotely control your work computers, RDP is a safe and simple protocol to use. It comes with a client that is pre-installed on Windows systems and is also available for other operating systems. The following are some measures you can take to make it much more difficult for unauthorized RDP connections to obtain access to your network:
- Put RDP access behind a virtual private network (VPN) so that it is not directly accessible.
- Alternatively, you can use a Remote Desktop Gateway Server, which provides you with some additional security and operational benefits, such as two-factor authentication (2FA). When you are trying to figure out what might have happened, the logs of the RDP sessions can be particularly helpful. Because these logs are not stored on the compromised machine, they are more difficult for intruders to falsify.
- It is beneficial to use strong passwords to make it more difficult for a brute force attack to succeed.
- Network Level Authentication (NLA) should not be disabled because it provides an additional authentication level. If it hasn’t already been enabled, do so now.
- Port scanners that only probe the default RDP port will miss yours if you change it. By default, the server accepts connections on port 3389 for both TCP and UDP traffic. Changing the port will not stop a determined attacker, but it will keep you off the lists of likely easy targets that such scans produce.
- Limit the number of people who can use it to only those who need it. This is covered in more detail below, because it can't be done through the Remote Desktop settings and instead requires security policies.
- If at all possible, restrict access to specific IP addresses. There is no requirement for a large number of IP addresses to have RDP access.
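The checklist above can be verified and applied on a single Windows host from PowerShell. The script below is an added example, not code from the original article: it reads the settings that matter (RDP enabled, Network Level Authentication required, listening port, and which remote addresses the built-in "Remote Desktop" firewall rules admit), reports what would change, and applies the changes only when `-Apply` is given. The management subnet `10.0.10.0/24` and the alternative port `33890` are constructed placeholder values; the registry keys and cmdlets are the standard Windows ones.

```powershell
# Added example (not from the original article): audit and optionally apply the
# RDP hardening settings from the checklist on one Windows host.
# Assumptions: run as Administrator in Windows PowerShell 5.1 or later; the
# subnet 10.0.10.0/24 and port 33890 used in the usage lines are placeholders.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpSecurityState {
    # Collect the settings the checklist cares about into one object.
    $ts  = Get-ItemProperty -Path $TsKey
    $tcp = Get-ItemProperty -Path $RdpTcp
    # Remote addresses admitted by the enabled inbound rules of the built-in
    # "Remote Desktop" group; 'Any' means there is no IP restriction at all.
    $scopes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
        Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress

    [pscustomobject]@{
        RdpEnabled       = ($ts.fDenyTSConnections -eq 0)
        NlaRequired      = ($tcp.UserAuthentication -eq 1)
        ListeningPort    = [int]$tcp.PortNumber
        DefaultPortInUse = ([int]$tcp.PortNumber -eq 3389)
        FirewallScope    = (($scopes | Sort-Object -Unique) -join ',')
        OpenToAnyAddress = ($scopes -contains 'Any')
    }
}

function Set-RdpHardening {
    param(
        # Addresses or subnets allowed to reach RDP, e.g. '10.0.10.0/24'
        [Parameter(Mandatory)][string[]]$AllowedRemoteAddress,
        [int]$Port = 3389,
        [switch]$Apply          # without -Apply the function only reports
    )
    $state   = Get-RdpSecurityState
    $changes = @()
    if (-not $state.NlaRequired)  { $changes += 'Require Network Level Authentication' }
    if ($state.OpenToAnyAddress)  { $changes += "Restrict firewall scope to $($AllowedRemoteAddress -join ',')" }
    if ($state.ListeningPort -ne $Port) { $changes += "Move listener from port $($state.ListeningPort) to $Port" }
    if (-not $Apply) { return $changes }

    # Require NLA: the client must authenticate before a session is created.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
    # Limit the built-in rules to the allowed addresses only.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddress
    if ($state.ListeningPort -ne $Port) {
        Set-ItemProperty -Path $RdpTcp -Name PortNumber -Value $Port -Type DWord
        # The built-in rules are bound to 3389, so add a matching rule for the
        # new port with the same address restriction.
        New-NetFirewallRule -DisplayName "RDP (custom port $Port)" -Direction Inbound `
            -Protocol TCP -LocalPort $Port -RemoteAddress $AllowedRemoteAddress -Action Allow | Out-Null
        # The new port is used after the Remote Desktop Services service
        # (TermService) restarts; doing that from an RDP session drops it.
    }
    return $changes
}

# Usage (placeholder values):
Get-RdpSecurityState
Set-RdpHardening -AllowedRemoteAddress '10.0.10.0/24'                       # report only
# Set-RdpHardening -AllowedRemoteAddress '10.0.10.0/24' -Port 33890 -Apply   # apply
```

On a domain member these local values can be overwritten by Group Policy, so treat the audit output as the effective state and make the corresponding change in the GPO that applies to the machine. The firewall scope only matters if RDP is reachable from the network at all; if it sits behind a VPN or a Remote Desktop Gateway as recommended above, the allowed address should be that of the VPN or gateway, not a client range.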
Patch to prevent privilege elevation
There are several ways to elevate user privileges on Windows computers, including through Remote Desktop (RDP), but all of the known methods have been patched. As a result, as is always the case, ensure that your systems are fully up to date and patched so that privilege elevation and other exploits cannot be used.
Limit the users to those that need it
The first step in this process is to create a user group that will be granted remote access to the system. This can be done through the Group Policy Management Console (GPMC.MSC).
- Select Computer Configuration > Windows Settings > Security Settings > Restricted Groups from the left-hand menu of this console.
- Right-click Restricted Groups and select Add Group from the context menu.
- Click Browse, type Remote, and then click Check Names. You should see “REMOTE DESKTOP USERS” appear in the list.
- In the Add Groups dialogue box, select OK.
- Click on the Add button next to the MEMBERS OF THIS GROUP box and then browse.
- Type the name of the domain group, click Check Names, then click OK > OK.
- To refresh the policy on the PC, open an elevated command prompt and run gpupdate /force.
- On the REMOTE tab of the PC's SYSTEM PROPERTIES, the group you created should now be listed after clicking the SELECT USERS button.
- User rights assignment can now be edited through the Control Panel under System and Security > Administrative Tools > Local Security Policy > User Rights Assignment.
Which accounts to exclude
Do not grant access to the account with the username "Administrator" and do not include the "Administrators" group in your "Allow log on through Remote Desktop Services" policy. That account is ideal for intruders, and they would jump at the chance to take it over. Remove the "Remote Desktop Users" group as well, even though it appears contradictory: by default the "Everyone" group is a member of the "Remote Desktop Users" group.
Put in the names of the user(s) who you specifically want to have remote access to this system, and make sure that they have only the permissions they require, nothing more. Limit the actions they can take so as to limit the damage they can cause if the account is ever compromised.
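The two sections above describe the policy in words; the script below is an added example (not the article's own) of checking it on a host. It exports the local security policy with `secedit`, lists who currently holds "Allow log on through Remote Desktop Services" (`SeRemoteInteractiveLogonRight`), flags the principals the text says to exclude (the built-in Administrator account, the Administrators group, Everyone, and the Remote Desktop Users group), lists the members of the local Remote Desktop Users group, and can rewrite the right so that only a named group holds it. The group name `CORP\RDP-Operators` is a constructed placeholder; the SIDs are the well-known Windows ones.

```powershell
# Added example (not from the original article): audit and set the
# "Allow log on through Remote Desktop Services" user right locally.
# Assumptions: run as Administrator; CORP\RDP-Operators is a placeholder group.

# Well-known SIDs of principals that should not hold the right.
$Unwanted = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-555' = 'BUILTIN\Remote Desktop Users'
    'S-1-1-0'      = 'Everyone'
}

function Get-RemoteLogonRightHolders {
    # secedit exports the policy as an INF whose [Privilege Rights] section has
    # lines like "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555".
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }              # nobody holds the right
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

function Test-RemoteLogonRight {
    # One row per holder; Remove = $true marks principals the text excludes.
    foreach ($entry in Get-RemoteLogonRightHolders) {
        $name = $entry
        if ($entry -like 'S-1-*') {
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($entry)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { }                         # unresolvable SID: keep raw
        }
        [pscustomobject]@{
            Principal = $name
            Sid       = $entry
            # RID 500 is the built-in Administrator account of any domain/machine.
            Remove    = ($Unwanted.ContainsKey($entry) -or $entry -match '-500$')
        }
    }
}

function Get-RdpGroupMembers {
    # Who is in the local Remote Desktop Users group (look for Everyone here).
    Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, ObjectClass, SID
}

function Set-RemoteLogonRight {
    param([Parameter(Mandatory)][string[]]$Principal)   # e.g. 'CORP\RDP-Operators'
    # Translate names to SIDs; the INF expects "*SID" entries.
    $sids = foreach ($p in $Principal) {
        '*' + (New-Object System.Security.Principal.NTAccount($p)).
            Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    $inf = Join-Path $env:TEMP 'rdp-right.inf'
    $db  = Join-Path $env:TEMP 'rdp-right.sdb'
    @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]',
        "SeRemoteInteractiveLogonRight = $($sids -join ',')"
    ) | Set-Content -Path $inf -Encoding Unicode
    # /areas USER_RIGHTS replaces the whole assignment with the listed SIDs.
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

# Usage (placeholder group name):
Test-RemoteLogonRight | Format-Table
Get-RdpGroupMembers
# Set-RemoteLogonRight -Principal 'CORP\RDP-Operators'
```

`Set-RemoteLogonRight` replaces the whole assignment, which is the intended effect: after it runs, only the named group can log on through Remote Desktop Services. On a domain-joined machine a GPO that defines this right overrides the local setting at the next refresh, so use the audit functions to confirm the effective state and put the final assignment in the GPO built in the steps above.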
Protecting your network from both the outside and the inside
The fact that you must protect your business network from the outside world is probably no longer a surprise to you. We can safely assume that you are in command of the situation, correct?
However, in the case of RDP attacks, it is also critical that you implement some internal security measures. The PCs that can be reached remotely should be able to reach the network resources they actually need, and nothing more. Reduce the possible harm any user can cause, not just a remote one, by implementing restrictive policies on your network.
After an attack
If your organization has been the target of a ransomware attack via RDP, you'll need to take some steps to improve the security of your network and endpoints. After you have recovered your files from a backup or by paying the ransom, you should check your systems for any changes that the attackers may have made that would make a future visit easier for them. This is especially important if you paid the ransom and have not recovered your files yet. Essentially, you have painted a bull's-eye on your own back by paying the threat actors to do their dirty work. Because they know you are willing to pay to have your files returned, you have become a desirable target.
Check not only the PC that was remotely accessed for backdoor Trojans and hacking tools but also any networked devices that could have been accessed from the compromised PC to ensure that no artifacts have been left behind.
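Finding out which account and source address the intruder used, and whether the credentials were brute-forced, starts with the logon records the article mentions (the RDP session logs, ideally those kept on a gateway or log collector rather than on the compromised PC). The script below is an added example, not code from the article: it reads successful RDP logons (event 4624, logon type 10) and failed logons (event 4625; with NLA enabled a failed RDP attempt is recorded as logon type 3) from the Security log, then groups the failures by source address and reports any address that later succeeded. The 7-day window and the threshold of 20 failures are constructed defaults.

```powershell
# Added example (not from the original article): triage RDP logon activity
# from the Security event log after an incident.
# Assumptions: run elevated on the host or on the machine that holds its
# forwarded Security log; logon auditing is enabled so 4624/4625 exist.

function Get-RdpLogonEvents {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($event in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $success = ($event.Id -eq 4624)
        # Successful RDP sessions are logon type 10 (RemoteInteractive).
        # Failures against an NLA-protected listener are logged as type 3,
        # so keep both 3 and 10 for 4625.
        if ($success -and $data.LogonType -ne '10') { continue }
        if (-not $success -and $data.LogonType -notin '3', '10') { continue }
        [pscustomobject]@{
            Time      = $event.TimeCreated
            Success   = $success
            LogonType = [int]$data.LogonType
            User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
            SourceIp  = $data.IpAddress
        }
    }
}

function Get-RdpBruteForceSummary {
    param([int]$Days = 7, [int]$Threshold = 20)
    $events = @(Get-RdpLogonEvents -Days $Days)
    $events | Where-Object { -not $_.Success -and $_.SourceIp -and $_.SourceIp -ne '-' } |
        Group-Object SourceIp | Where-Object Count -ge $Threshold |
        ForEach-Object {
            $ip       = $_.Name
            $lastFail = ($_.Group.Time | Measure-Object -Maximum).Maximum
            # A successful RDP logon from the same address after the failures is
            # the session to investigate first.
            $later = $events | Where-Object { $_.Success -and $_.SourceIp -eq $ip -and $_.Time -gt $lastFail } |
                Sort-Object Time | Select-Object -First 1
            [pscustomobject]@{
                SourceIp     = $ip
                Failures     = $_.Count
                Accounts     = (($_.Group.User | Sort-Object -Unique) -join ',')
                FirstSeen    = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen     = $lastFail
                SucceededAs  = $later.User
                SucceededAt  = $later.Time
            }
        }
}

# Usage (constructed defaults):
Get-RdpLogonEvents -Days 7 | Where-Object Success | Sort-Object Time |
    Format-Table Time, User, SourceIp
Get-RdpBruteForceSummary -Days 7 -Threshold 20 | Format-Table
```

Run it against the logs of the gateway or collector as well as the compromised PC; a session that appears on the gateway but not on the host, or a local Security log that starts after the suspected intrusion, is itself a sign that the intruder cleared or tampered with the local log. The successful logons list is also the place to start when deciding which networked devices were reachable from the compromised PC and need the same artifact check.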