
Description

This report identifies hosts that have the Remote Desktop Protocol (RDP) service running and accessible from anywhere on the Internet. Misconfigured RDP can give miscreants access to the desktop of a vulnerable host, and it also enables information gathering on a target host, because the SSL certificate presented by RDP often contains the system's hostname.

Assessment

The entries in this report are hosts that have the Remote Desktop Protocol (RDP) service open towards the internet. The hostname and certificate presented by this service constitute information leakage and may allow identification of the owner of the server. Additionally, there are known vulnerabilities in this protocol (BlueKeep and others), and it is generally considered best security practice not to expose RDP services to the internet. The likelihood of discovery is high: RDP is a high-value target, and attackers are actively scanning for exposed instances. The impact is high: a portion of the many exposed RDP ports will be vulnerable. The Shadow Server reports also highlight the servers vulnerable to BlueKeep.

Recommendations

  • If possible, restrict access to RDP servers to internal networks.
  • If remote access is necessary, use a VPN, lock accounts after multiple failed login attempts, enforce strong passwords, and use multi-factor authentication wherever possible.
  • Make sure the server is always up-to-date.
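The following PowerShell script is an added example, not part of the advisory or of the Shadow Server project, showing how the recommendations above translate into concrete settings on a Windows RDP host: it lists which inbound RDP firewall rules still accept connections from any address, scopes those rules to internal and VPN ranges, sets an account lockout and minimum password length policy, and lists the most recently installed updates. The network ranges and the lockout and password values are assumptions to be replaced with your own; run it in an elevated PowerShell session on the server.

```powershell
# Added example (not from the advisory): apply the RDP hardening recommendations on a Windows host.
# Assumptions (placeholders, adjust to your environment): the internal network is 10.0.0.0/8
# and the VPN client pool is 192.168.100.0/24.
$InternalNetworks = @('10.0.0.0/8', '192.168.100.0/24')

# 1. Check: which enabled inbound RDP rules currently accept connections from any remote address?
#    A RemoteAddress of 'Any' on an Internet-facing interface is what the Shadow Server report detects.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($filter.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize

# 2. Restrict: scope the built-in RDP rules to the internal/VPN ranges instead of 'Any',
#    so remote users must come in over the VPN first.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $InternalNetworks

# 3. Lock accounts after repeated failed logons and require longer passwords.
#    Threshold 5, lockout 30 minutes, observation window 30 minutes, minimum length 14:
#    illustrative values, align them with your organisation's password policy.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
net accounts /minpwlen:14

# 4. Verify patch level: show the most recently installed updates so you can confirm
#    the host has been kept up to date.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

Step 1 is safe to run on its own as a read-only check; steps 2 and 3 change host configuration, so confirm the VPN path works before applying step 2, or you may lock yourself out of remote administration. Multi-factor authentication for RDP is not a single host setting and is configured through your VPN or identity provider instead.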

References

Shadow Server – RDP Scanning Project

Microsoft – CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability

Wikipedia – CVE-2019-0708 (BlueKeep)