Description
This report identifies hosts that have the Remote Desktop (RDP) service running and accessible to the world on the Internet. Misconfigured RDP can allow miscreants to access the desktop of a vulnerable host and can also allow information-gathering on a target host, as the SSL certificate used by RDP often contains the system's trivial hostname.
Assessment
The entries in this report are hosts that have the Remote Desktop Protocol (RDP) service open towards the Internet. The hostname and certificate presented by this service constitute information leakage and can make it possible to identify the owner of the server. Additionally, there are known vulnerabilities in this protocol (BlueKeep and others), and it is generally considered best security practice not to expose RDP services to the Internet. The likelihood of discovery is high: RDP is a high-value target, and attackers are actively looking for exposed instances. The impact is high: of the many exposed RDP ports, a part will be vulnerable. The Shadow Server reports also highlight the servers vulnerable to BlueKeep.
Recommendations
- If possible, restrict access to RDP servers to internal networks.
- If remote access is necessary, use a VPN, lock accounts after multiple failed login attempts, enforce strong passwords, and use multi-factor authentication wherever possible.
- Make sure the server is always up-to-date.
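As an added example, not taken from the report or from any of the referenced vendors, the following PowerShell applies the recommendations above on a single Windows host: it limits the built-in Remote Desktop firewall rules to internal address ranges, requires Network Level Authentication, and turns on account lockout and a minimum password length. The internal ranges and the lockout values are assumptions to be adjusted for your environment; run it from an elevated prompt.

```powershell
# Added example, not part of the original advisory. Run as Administrator.
# Assumption: these are the internal/management ranges that may reach RDP (placeholders).
$InternalRanges = @('10.0.0.0/8', '192.168.0.0/16')

# 1. Restrict access: scope every enabled built-in "Remote Desktop" inbound rule
#    to the internal ranges, replacing the default remote address of "Any".
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
    Set-NetFirewallRule -RemoteAddress $InternalRanges

# 2. Require Network Level Authentication so the client must authenticate
#    before a full session (and its attack surface) is set up.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Lock accounts after repeated failed logons and enforce a minimum password
#    length (assumed values: 5 attempts, 15-minute lockout and window, 14 characters).
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 /minpwlen:14

# 4. Verify the result: which remote addresses the RDP rules now accept,
#    and whether anything is still listening on the default RDP port.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Multi-factor authentication and patching are not covered here; MFA for RDP depends on the identity provider in use, and the host should be kept current through Windows Update.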
References
Shadow Server – RDP Scanning Project
Microsoft – CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability
Wikipedia – CVE-2019-0708 (BlueKeep)