Exposed RDP servers see 150K brute-force attempts per week: Here's how to protect them

BlueKeep and DejaBlue renewed interest in brute-force scanning for vulnerable systems, which negatively impacts Windows Server performance. Cameyo has solutions to protect your Virtual Desktop server.


Remote Desktop Protocol (RDP) is—to the frustration of security professionals—both remarkably insecure and indispensable in enterprise computing. The September 2019 Patch Tuesday round closed two remote code execution bugs in RDP, while the high-profile BlueKeep and DejaBlue vulnerabilities from earlier this year have sent IT professionals into a patching frenzy. With botnets brute-forcing over 1.5 million RDP servers worldwide, a dedicated RDP security tool is needed to protect enterprise networks against security breaches.

Cameyo released on Wednesday an open-source RDP monitoring tool—appropriately titled RDPmon—for enterprises to identify and secure against RDP attacks in their environments. The tool provides a visualization of the total number of attempted RDP connections to servers, as well as a view of the currently running applications, the number of RDP users, and what programs those users are running, which also gives insight into the presence of unapproved software. RDPmon operates entirely on-premise; the program's data is not accessible to Cameyo.


Customers of Cameyo's paid platform can also utilize the RDP Port Shield feature, released the same Wednesday, which opens RDP ports only for authenticated users by adding their IP addresses to a Windows Firewall whitelist at the time they need to connect.

RDP was designed with the intent to be run inside private networks, not accessible over the internet. Despite that, enterprise use of RDP over the internet is sufficiently widespread that RDP servers are a high-profile, attractive target for hackers.

During development, Cameyo found that Windows public cloud machines on default settings—that is, with port 3389 open—experience more than 150,000 login attempts per week. "The intensity starts low initially, and then as soon as the IP is discovered by more and more RDP bots, the number of attempts grows exponentially," Eyal Doten, founder and CTO of Cameyo, told TechRepublic. "Beyond the obvious security concerns, a high amount of brute-force attacks also affects CPU and machine performance."

While it might be attractive to simply set firewall rules to block IP addresses from countries where scanning is most frequent, or to allow only the countries from which authorized users would plausibly connect, or to implement an analogue of fail2ban for RDP, these strategies have shortfalls.

"[That addresses] only the high volume brute-force attacks, and it's not addressing the slow attacks. There's a lot of bots that are now designed to attempt a smaller number of connections over a longer period of time, so that they don't flag that general rule of blacklisting," Rob Henshaw, CMO at Cameyo, told TechRepublic. "It doesn't address horizontal attacks. A bot can operate from different hosts, operating brute-force workloads across several locations. That is not addressed by the typical firewall blocking approach. Standard approaches to monitoring or preventing brute-force attacks don't consider the overall impact that it has on CPU and RAM."
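To make the two evasion patterns Henshaw describes concrete, here is an added example that is not part of the original article and not Cameyo's RDPmon or Port Shield code. It runs three detection rules over a constructed set of failed-logon records (timestamp, source IP, target account), modelled loosely on the fields of Windows Security event 4625, with three simulated actors: a noisy bot, a low-and-slow bot, and a horizontal botnet spread across 25 hosts. A fail2ban-style per-IP threshold catches only the noisy bot; a longer per-IP window catches the slow bot; and aggregating failures per target account across all source IPs is what surfaces the horizontal attack. All IP addresses, account names and timings are synthetic.

```python
"""Added example (not RDPmon or any Cameyo code): compare a fail2ban-style
per-IP threshold against slow and horizontal RDP brute-force patterns.
Input records are constructed and only loosely modelled on Windows
Security event 4625 (failed logon) fields."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed base timestamp for the synthetic events.
BASE = datetime(2019, 9, 11, 0, 0, 0)


def build_sample_events():
    """Return a sorted list of (timestamp, source_ip, target_account).

    Three simulated actors (all addresses are documentation ranges):
      * 203.0.113.10 : noisy bot, 30 failures in five minutes
      * 198.51.100.7 : slow bot, one failure every 20 minutes for 12 hours
      * 192.0.2.1-25 : horizontal botnet, 25 hosts, 3 failures each,
                       all aimed at the same account
    """
    events = []
    for i in range(30):
        events.append((BASE + timedelta(seconds=10 * i), "203.0.113.10", "administrator"))
    for i in range(36):
        events.append((BASE + timedelta(minutes=20 * i), "198.51.100.7", "administrator"))
    for host in range(25):
        for j in range(3):
            events.append((BASE + timedelta(minutes=5 * host, seconds=30 * j),
                           f"192.0.2.{host + 1}", "backup"))
    events.sort()
    return events


def _sliding_windows(items, window):
    """Yield (start, end) index pairs such that items[start:end+1] all fall
    within `window` of items[end]. `items` must be sorted by timestamp."""
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        yield start, end


def per_ip_threshold(events, limit=10, window_minutes=10):
    """fail2ban-style rule: flag a source IP that produces more than `limit`
    failures inside any window of `window_minutes`. Returns the set of IPs."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append((ts, ip))
    flagged = set()
    for ip, recs in by_ip.items():
        recs.sort()
        for start, end in _sliding_windows(recs, window):
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged


def per_account_spray(events, min_sources=5, window_minutes=24 * 60):
    """Horizontal-attack rule: flag a target account that receives failures
    from at least `min_sources` distinct IPs inside any window. Returns a
    dict mapping each flagged account to the sorted list of source IPs."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for ts, ip, account in events:
        by_account[account].append((ts, ip))
    flagged = {}
    for account, recs in by_account.items():
        recs.sort()
        for start, end in _sliding_windows(recs, window):
            sources = {ip for _, ip in recs[start:end + 1]}
            if len(sources) >= min_sources:
                flagged[account] = sorted({ip for _, ip in recs})
                break
    return flagged


if __name__ == "__main__":
    sample = build_sample_events()
    print("fast per-IP rule   :", per_ip_threshold(sample))
    print("24h per-IP rule    :", per_ip_threshold(sample, limit=20, window_minutes=24 * 60))
    spray = per_account_spray(sample)
    print("per-account rule   :", {a: len(ips) for a, ips in spray.items()})
```

The fast per-IP rule flags only 203.0.113.10; the 24-hour per-IP rule additionally flags the slow bot 198.51.100.7 but still sees each 192.0.2.x host as three harmless failures; only the per-account aggregation reports the "backup" account as targeted from 25 sources. In practice the same per-account view also exposes why such attacks cost CPU even when no single source ever trips a block.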

Despite the rise of web-based, software-as-a-service (SaaS) offerings, Cameyo envisions a long life for RDP in the enterprise. "RDP seems more and more like the de-facto standard. Microsoft understands this and invests considerably into this protocol. Every major Windows build seems to improve RDP in a way. Microsoft's upcoming Windows Virtual Desktop is also built around RDP," Doten said, adding that "If you take Windows 2019 Server and look at its RDP implementation—both server and clients perform better than ever in terms of performance, stability, features, and graphics. Microsoft continues to develop new capabilities around it such as GPU-P to help datacenters and hyperscalers improve at the hypervisor level."
