If you work via Remote Desktop to the office, you have been advised.
It's now over one month since the announcement of the RDP exploit, and systems offered the patch should have been updated, automatically or manually, that same day. Those who don't use Remote Desktop should have checked to make sure it is disabled. Now that you have done all that, it's time to add more countermeasures.
Security Advice: This advice is based on my best-effort free support. I make no guarantees or warranties as to the overall effectiveness of this advice in your IT environment.
Security Advice Checksum: Advice is given based on my testing and system configurations. It is my best effort and follows the "practice what you preach" process. Some advice offered online today may be only theoretical, which is a good point if you have no starting point. In this article I have production systems running on the processes and procedures described, and I actively monitor these applications. If I discover adverse conditions I'll be the first to post the issue. (Keep your IT fingers crossed.)
Hi all, just in case you haven't been watching the cybercriminal news headlines: they are looking for your Remote Desktop Service.
It's not the joke that so many think it is, and I'll show you what you most likely don't know because you're working with your head in the sand. (Search this site for "Head in the Sand".)
You know the program: it's Start > Run (or Search) > mstsc.exe.
Remember the above screen for your Remote Desktop Connection now?
I hope you're going to follow these steps, because the end result won't hurt as much if you do.
- Run the RD Exploit Fix from Microsoft; read more here.
- Run the Fix It application that Microsoft offers to change your Remote Desktop connection port.
- Windows 7 XP RDP Port Change Fix
- Back up your registry; learn how here from Microsoft.
- Learn how to connect the client to the remote computer.
- Learn how to add the port to your Windows Firewall.
- NOTICE: Suggested ports 3390, 3391, etc. are only suggestions. DO NOT USE THEM! I have hundreds of logs showing these are scanned right after 3389, all the way up to around 3400. Likewise, ports 5900, 5901 and 5902 should never be used for SSH when at all possible, and SSL VPN over 443 should not be used.
- You need to select a nonstandard port between 0 and 65536 that is not already in use on your system.
- If all this sounds too difficult, ask a technician here to help you set it up remotely.
In case I didn't tell you, I've noticed an increase in RDP connection attempts on my local network. A typical week used to see about 20 attempts, but now I'm seeing log reports of over 200 per week. This is not just from the exploit; it's from more people offering advice on how to hack your friend's computer, which is simple enough if you know the login, password and IP address.
Remote Desktop Protocol shouldn't be enabled, and by default it is not. But what if Junior wanted to access the home computer from school? You wouldn't necessarily know to look under Computer Properties, or to type "Remote Desktop" in the Run or Search box to check, but you might take a look just to be safe.
Look for more on How To Remote Desktop "Safer" in the Computer Boot Camp section.
NOTE: Yes, you can ask, but I'll send you here. "Where is my Remote Desktop application? I can't find it!!!!" Sometimes, if you could only see the technician's face. I'll save you from that image.
I can't recall how many times this question comes up from people who don't use Remote Desktop that often: where is the program in my Programs menu? I find it easier to click Start, then Run, and type mstsc for Microsoft Terminal Server Connection Manager.
- Click Start
- Click Run
- Type in the run box mstsc
- Click Ok
Follow the steps to connect to your remote computer and you are set.
Additional post added: I had a rogue post that needed to be included. The ports I list are also examples.
Look who's hacking now: it's Billie, your next-door neighbor, hooking your Remote Desktop on port 3389.
In the old days (2000) this would have been a nice, full network research report identifying the aggressive network and posting the information for our friends to take care of the issue. But that was in the old days, when white hats were given respect.
Today I can't tell whether the attempt is just Billie next door, at his dad's office, trying to test my systems from inside, or her evil twin trying to take down this page.
From 20 to 30 valid attempts per day to 100 to 200 attempts. I used to be able to look over the logs and identify most of them by IP address. Like an old friend's telephone number popping up on your caller ID, I had the same groups on the same networks returning every week and month with new exploits and new SQL scripts.
But today the number of new network-scanning fans is alarming. I don't want to lock them out for a long period of time, but I have to set some kind of standard.
I've been thinking about publishing the 3389 exploit attempts and the Telnet port 23 exploit attempts from this year to separate the Billies from the old timers.
Until I figure out a good, easy and fun way of publicly displaying your activity, I'll just keep the logs to myself.
Here's what you can do to make your RDP listener harder to find.
The link above offers two methods of changing your listening port. The Fix It application is really easy to use and works fine on XP SP3. I haven't tested it with Vista or Windows 7.
You can always do your own registry edit by following the instructions from the link above.
Now that you have changed your listening port to your favorite unused port, one that isn't listed in most of the common port assignment lists, you need to set up your client Remote Desktop application to connect to this port.
I know it's a pain at times, but if you only knew how many people try to connect to your computer while you are away, you would start doing the following.
If you are using the default listening port of 3389, your connection target is just the name of the computer or its IP address.
Example: MyComputer would connect on 3389, but if my remote computer called MyComputer has had its Remote Desktop port changed, it will never connect when your Remote Desktop client sends to the default port. To make the connection we need to add our port.
Example: MyComputer:6500 would make the connection to the remote computer on port 6500. You will need to check that your firewall has this port open.
If you use IP addresses: 192.168.0.25:6500
In the following picture you can see the port I selected for one of my Remote Desktop machines. Check using netstat -a to make sure the port you select isn't being used on your computer, then check the reference lists linked below this image to find your favorite port. I used an old application on 652x to 652x and never really saw much port-scanning traffic. But now that I've published it I might start seeing scans.
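The steps above (check that RDP is wanted, pick an unused port outside the scanned range, back up the registry, change PortNumber, open the firewall, connect as host:port) as one script. This is an added example and not the post's Fix It tool or registry instructions; it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and New-NetFirewallRule, and 6500 is a placeholder port.

```powershell
# Added example, not code from the original post: audit and change the RDP
# listening port on Windows 8 / Server 2012 or later (needs the NetTCPIP and
# NetSecurity modules). Run in an elevated PowerShell; 6500 is a placeholder.
param([int]$NewPort = 6500)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 is the default (off).
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) {
    Write-Host 'Remote Desktop is disabled on this machine; nothing to change.'
    return
}

# 2. Current listening port (3389 unless it was already moved).
$oldPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "RDP currently listens on TCP $oldPort"

# 3. Refuse out-of-range values and the ports scanners try right after 3389.
if ($NewPort -lt 1 -or $NewPort -gt 65535) { throw "Port $NewPort is out of range" }
if ($NewPort -ge 3389 -and $NewPort -le 3400) {
    throw "Port $NewPort is in the range probed right after 3389; pick another"
}

# 4. The same check the post does with 'netstat -a': is the port already taken?
if (Get-NetTCPConnection -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "TCP $NewPort is already in use on this host"
}

# 5. Back up the key first (as the post recommends), then change the port.
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    "$env:TEMP\TerminalServer-backup.reg" /y | Out-Null
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# 6. Allow the new port inbound, but only on Domain/Private networks so the
#    listener is not exposed when the machine sits on a network marked Public.
New-NetFirewallRule -DisplayName "Remote Desktop (TCP $NewPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Domain,Private | Out-Null

# 7. The listener only moves after a service restart; active sessions are dropped.
Restart-Service -Name TermService -Force

Write-Host "Done. In the client use <host>:$NewPort, e.g. MyComputer:$NewPort"
```

Run it over a VPN or a local console, not over the RDP session you are about to move, since the restart in step 7 disconnects you.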
Now, the best method for all of this is to have a VPN set up at home or in the office.
I see many people using a normal router designed for home use, and they hack away at the NAT or enable port forwarding to make the connection. This is all good, but it's only a matter of time before a port probe finds your forwarded ports.
VPNs are not cheap and I'm not going to recommend one here, but you can search for a VPN application. Software VPNs are nice, but nothing beats a hardware VPN.
Just as a reminder, any SSL-VPN application or appliance will allow you to connect securely to your network. Then, depending on your internal LAN settings, you can connect to other computers or devices.
Basically, if you have a VPN you don't really need to change the default listening port unless you want to add additional security to your internal network. It is recommended but not required. For those who like having a Windows computer connected directly to the internet, you really need to make it hard to find. Not at all recommended, but then again, not everyone can have a VPN appliance at home.
If you have any questions or comments, feel free to send them to port 3389 at your.dyns domain.hak.
Have a Remote Desktop Exploit Free Day!