The Aftermath of the RDP Exploit

Now that you have patched your system and have that warm and fuzzy feeling once again about connecting to your work computer from your home computer, everything is just fine, right?

You have to patch from the perimeter inward, working your way toward your computer.

This means securing your network starting with the first device that faces the Internet.

If that first device is your router, make sure you enable the firewall that should be built into it.

If your router doesn't have a good firewall, add one to your must-have list.

A good firewall is one that lets you restrict and configure traffic at a granular level: by port, protocol and source address, not just "on" or "off". This is very important today, and most routers allow it.

It's time to take a short history lesson.

Years ago Microsoft.com published, as a best practice, the advice to change your RDP port from 3389 to some other port that isn't used by another program (any value from 1 to 65535 works, as long as nothing else is listening on it).

It also advised using Network Level Authentication (NLA), but many thought this was a way to force you to upgrade from Windows XP. That isn't correct: if you read the security alert you will find the update for Windows XP.

So what does this change in our computer world as we know it today?

Drop port 3389, or do something even better: block the listening port from the outside world and connect over your VPN.

What you say? Block the port but connect anyway?

Dear Grasshopper, you must learn the difference between what is evil and what is not so evil.

The WAN, your Internet connection, is evil; your LAN, or intranet, is "not so evil". To make it truly safe you would have to disconnect from the WAN and not allow humans behind the keyboards. But that's not going to happen this year.

What I do is simple: I make a VPN connection to my internal network, then start my RDP session. It connects me on any port I choose, but because I have a full-tunnel VPN I can block the port from all networks except my VPN network.

Changing the port number from 3389 to your favorite banking PIN would work, but remember you might have to share that number with others.

Use a different port such as 5920, or make it easy to remember: if you take the VPN approach, set your RDP port 10 away from the actual VPN port. Keep in mind that a non-standard port only cuts down on scanner noise; the firewall rule that limits the port to your VPN network is what actually keeps the listener away from the Internet.
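The three steps above (move the listener off 3389, turn on NLA, and open the new port only to the VPN) as one script. This is an added example, not code from the original post; the port number 5920, the VPN client subnet 10.8.0.0/24 and the rule name are assumptions, and the NetSecurity cmdlets need Windows 8 / Server 2012 or later. The firewall rule keys off the source address your VPN hands out, so it works whether the tunnel is full or split. Run it elevated, from the console or only after you have confirmed the VPN path works, because restarting the listener drops any RDP session you are currently using.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the RDP host.
# ASSUMPTIONS: new RDP port 5920, VPN client subnet 10.8.0.0/24, Windows 8 / Server 2012+.

$NewPort   = 5920
$VpnSubnet = '10.8.0.0/24'
$RdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Move the listener off 3389 (PortNumber is read by the RDP TCP and UDP listeners).
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# 2. Require Network Level Authentication: the client must authenticate (CredSSP) before the
#    server sets up a session, so unauthenticated clients never reach the pre-auth RDP code.
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord

# 3. Firewall: inbound-deny by default, retire the built-in 3389 rules, and allow the new
#    port only from the VPN subnet. Unmatched inbound traffic is dropped, so no extra block
#    rule is needed (in Windows Firewall a block rule would override the allow anyway).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName "RDP $NewPort from VPN only" -Direction Inbound -Protocol TCP `
    -LocalPort $NewPort -RemoteAddress $VpnSubnet -Action Allow -Profile Any

# 4. Restart the listener (drops current sessions) and verify port, NLA and rule scope.
Restart-Service TermService -Force
Get-ItemProperty -Path $RdpKey | Select-Object PortNumber, UserAuthentication
Get-NetTCPConnection -State Listen -LocalPort $NewPort | Select-Object LocalAddress, LocalPort
Get-NetFirewallRule -DisplayName "RDP $NewPort from VPN only" |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Test it from a machine on the VPN first (`mstsc /v:host:5920`), then from outside the VPN, where the connection should simply time out; if the outside test still connects, the router in front of the host is forwarding the port and needs its own rule fixed as well.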

Next, you need to prove that your network is secure.

This is more than just documenting your network configuration; it takes time, and for many industries it is an ongoing requirement.

We monitor our networks with log reports, generated every time activity crosses the firewall or router.

With this data we can identify issues and unusual activity. In fact, March 6, 2012 showed an increase in port 3389 activity for us, which tells us the exploit may have been in use before the patch.
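One way to get that kind of daily view of port 3389 activity out of the firewall log. This is an added example, not part of the original post, and it reads the Windows Firewall log format (pfirewall.log, W3C fields); the log lines in `$sample` are constructed for illustration and the baseline rule (a day with more than twice the average probe count of the other days is flagged) is a simple assumption you should tune to your own traffic. Point `$LogPath` at your real log to run it against your own data; a router's syslog would need only a different parser in `Get-FirewallLogEntries`.

```powershell
# Added example, not from the original post. Counts inbound probes to the RDP port per day
# from a Windows Firewall log. The $sample lines are CONSTRUCTED to mirror the real
# pfirewall.log layout; set $LogPath to your own file to analyse real data.

$RdpPort = 3389
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-03-05 09:14:02 DROP TCP 198.51.100.7 192.0.2.10 51234 3389 52 S 1093482 0 8192 - - - RECEIVE
2012-03-05 17:41:55 ALLOW TCP 10.8.0.6 192.0.2.10 49872 5920 52 S 771021 0 8192 - - - RECEIVE
2012-03-06 02:03:11 DROP TCP 203.0.113.44 192.0.2.10 40011 3389 52 S 55213 0 8192 - - - RECEIVE
2012-03-06 02:03:12 DROP TCP 203.0.113.44 192.0.2.10 40012 3389 52 S 55214 0 8192 - - - RECEIVE
2012-03-06 02:03:14 DROP TCP 203.0.113.45 192.0.2.10 40013 3389 52 S 55215 0 8192 - - - RECEIVE
2012-03-06 02:03:15 DROP TCP 203.0.113.46 192.0.2.10 40014 3389 52 S 55216 0 8192 - - - RECEIVE
2012-03-06 11:20:40 DROP TCP 198.51.100.7 192.0.2.10 51301 3389 52 S 1093599 0 8192 - - - RECEIVE
2012-03-07 08:00:09 DROP TCP 198.51.100.7 192.0.2.10 51377 3389 52 S 1093710 0 8192 - - - RECEIVE
'@

function Get-FirewallLogEntries {
    param([string[]]$Lines)
    # Take the column names from the #Fields header so the parse survives field-order changes.
    $header = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*', '') -split '\s+'
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $values = $_ -split '\s+'
            $entry  = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
            [pscustomobject]$entry
        }
}

function Get-RdpProbeSummary {
    param([object[]]$Entries, [int]$Port)
    # One row per day: inbound packets aimed at the RDP port and how many distinct sources sent them.
    $Entries |
        Where-Object { [int]$_.'dst-port' -eq $Port -and $_.path -eq 'RECEIVE' } |
        Group-Object date |
        ForEach-Object {
            [pscustomobject]@{
                Date            = $_.Name
                Probes          = $_.Count
                DistinctSources = @($_.Group.'src-ip' | Sort-Object -Unique).Count
                Dropped         = @($_.Group | Where-Object action -eq 'DROP').Count
            }
        }
}

function Find-ProbeSpikes {
    param([object[]]$Summary, [double]$Factor = 2.0)
    # Flag a day whose probe count is more than $Factor times the mean of all the other days.
    foreach ($day in $Summary) {
        $others = @($Summary | Where-Object Date -ne $day.Date)
        if ($others.Count -eq 0) { continue }
        $mean = ($others | Measure-Object Probes -Average).Average
        if ($day.Probes -gt $Factor * $mean) { $day }
    }
}

$lines   = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample -split "`r?`n" }
$entries = Get-FirewallLogEntries -Lines $lines
$summary = Get-RdpProbeSummary -Entries $entries -Port $RdpPort

$summary | Format-Table -AutoSize
Find-ProbeSpikes -Summary $summary | ForEach-Object {
    Write-Warning ("{0}: {1} probes to port {2} from {3} sources (spike)" -f `
        $_.Date, $_.Probes, $RdpPort, $_.DistinctSources)
}
```

On the constructed sample the summary shows one probe on March 5, five on March 6 from four different sources, and one on March 7, so March 6 is reported as a spike; the same shape in a real log (many new sources, same port, short interval) is what a scan for a freshly published exploit looks like from the inside.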

Vulnerability measurement is part of your day, at work and at home.

You might not think of your home network as a problem or a security risk, but it is.

In my opinion it might be your weakest link, or the security issue that affects you most directly as a person.

Your network may be part of a botnet, and while you're not surfing, your computer might be doing things for someone else that you wouldn't approve of.

Malware, spyware and trojans all affect you if you do any bill pay, banking or remote work into your office over the Internet.

If your computer has a keylogger and you use that computer to connect to a secured website like your bank's, you can bet someone other than you now has your username and password. They might not empty your bank account today, but when they get around to it, right after you make a good deposit, they just might. Read the story about a California company that lost $135 million on a Sunday to a password hack that most likely came from a keylogger.

Here's a good link to have, and I would bet most of you never knew our government agrees to removing that junk software bundled with your new computer.


Now that the RDP exploit has been patched, do you feel safe opening port 3389 again? Cue the Jaws theme in the background.