
RDP ("Remote Desktop Protocol") is a widespread protocol used on the majority of Windows devices, especially servers, and is frequently exploited by attackers. While RDP is not insecure by nature, attackers can exploit it in a variety of ways:


Brute force attacks can be successful if the target system (and/or domain) does not have an account lockout policy in place. Brute force attacks will remain unnoticed if the target system does not have auditing enabled, and/or if audit events are not actively monitored.

RDP may suffer from unpatched vulnerabilities, for example if the target system is running an older version of Windows or if Windows is not adequately patched.

Man-in-the-middle attacks can be used to harvest user credentials.

RDP ports exposed to the Internet can also be used for information gathering, as the RDP protocol may divulge useful information about the target system.


To reduce your attack surface, never make RDP ports accessible to the Internet. If RDP has to be made available to untrusted networks, always change the default port, enable auditing and enforce account lockout policies.


EventSentry Benefits

Auditing & Monitoring

All successful and unsuccessful logon attempts are monitored and evaluated, and customized logon reports are available out of the box. Process Netstat monitoring also inventories all hosts listening on port 3389. NetFlow can capture all traffic going to/from the RDP port(s).


Anomaly Detection

Anomaly monitoring can detect & flag unusual RDP activity, e.g. logons from a previously unknown user and/or IP address. Lateral movement across the infrastructure can be detected with collector-side threshold filters.
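As an added illustration of the two detection ideas above (a brute-force burst against RDP that only shows up when failed logons are audited and correlated, and a logon from a previously unseen user/IP pair), here is example code that is not part of EventSentry or this page. It runs over a constructed sample modelled on Windows Security log fields; the event IDs and logon type are standard, everything else (accounts, addresses, the baseline set, the threshold) is made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on Windows Security log fields:
# (timestamp, event ID, account, source IP, logon type).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2024-05-01T08:55:00", 4624, "alice", "10.0.0.5", 10),            # routine logon
    ("2024-05-01T08:57:10", 4625, "bob", "10.0.0.9", 10),              # single typo
    ("2024-05-01T09:00:01", 4625, "administrator", "203.0.113.7", 10),
    ("2024-05-01T09:00:09", 4625, "administrator", "203.0.113.7", 10),
    ("2024-05-01T09:00:17", 4625, "alice", "203.0.113.7", 10),
    ("2024-05-01T09:00:25", 4625, "alice", "203.0.113.7", 10),
    ("2024-05-01T09:00:30", 4625, "svc", "203.0.113.7", 3),            # network logon, not RDP
    ("2024-05-01T09:00:33", 4625, "alice", "203.0.113.7", 10),         # 5th RDP failure
    ("2024-05-01T09:01:00", 4624, "alice", "203.0.113.7", 10),         # success after the burst
]

# Constructed baseline of (account, source IP) pairs seen during normal operation.
BASELINE = {("alice", "10.0.0.5"), ("bob", "10.0.0.9")}


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source IP reaches `threshold` RDP failures inside `window`,
    and again on any later RDP success from that IP (a likely guessed password)."""
    failures = defaultdict(list)   # source IP -> failure timestamps inside the window
    alerts = []
    for ts, event_id, account, src, logon_type in sorted(events):
        if logon_type != 10:       # only RemoteInteractive (RDP) logons count here
            continue
        now = datetime.fromisoformat(ts)
        if event_id == 4625:
            recent = [t for t in failures[src] if now - t <= window]
            recent.append(now)
            failures[src] = recent
            if len(recent) == threshold:   # fire once, when the burst crosses the line
                alerts.append(("bruteforce", src, ts))
        elif event_id == 4624 and len(failures[src]) >= threshold:
            alerts.append(("success_after_bruteforce", src, account))
    return alerts


def detect_unknown_pairs(events, baseline):
    """Flag successful RDP logons by an (account, source IP) pair not in the baseline."""
    return [(account, src) for _, event_id, account, src, logon_type in events
            if event_id == 4624 and logon_type == 10 and (account, src) not in baseline]


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS) + detect_unknown_pairs(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

Without an account lockout policy the fifth failure in the sample would never stop the attempt, and without auditing of 4625 events the burst (and the success that follows it) would leave no trace to correlate.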