Detecting Inbound RDP Activity From External Clients
What is RDP? (Remote Desktop Protocol)
RDP is a proprietary protocol developed by Microsoft. It provides a user with a graphical interface to connect to another computer over a network connection. It has been a native OS feature since Windows XP.
Most of the time, RDP is used for legitimate remote administration: when companies outsource IT, or remote admins have to access a server or a network users machine, they most commonly use RDP to connect to it.
Risks Associated With RDP
One of the main risks associated with RDP comes when you allow external clients access to your network. The RDP protocol typically uses TCP port 3389. Attackers often find instances of this port open by scanning infrastructure exposed to the Internet and using brute force to access open ports. Automated tools and the Shodan search engine help them find systems configured for RDP access online.
Once on a system attackers can disable endpoint protection, establish a foothold in the organization and more. Once this happens, no endpoint security solution can save you. They might download and install low-level system tweaking software and use it to disable or reconfigure anti-malware software on the machine, Sophos researchers explained in a post on RDP and ransomware distribution. RDP connections can also be used to transfer data out of a network.
Recently I spoke to a network manager who was running a trial of our LANGuardian product. Their business need was around getting visibility inside their network and not for RDP specifically. Shortly after they started to monitor network traffic they noticed a lot of inbound RDP connections from many different countries.
When their firewall was checked they found what they described as a legacy rule to allow third party vendor access. Nobody checked this and as they had no visibility inside their network they had no idea systems running RDP were exposed to external clients. They implemented a quick fix which was to block inbound RDP connection attempts.
In July this year, the SamSam group infected some 7,000 Windows PCs and 1,900 servers at LabCorp with ransomware via a brute force attack on an RDP server. In another incident this year, Hancock Health was forced to pay over $50,000 in ransom to regain access to critical data that criminals had encrypted after breaking into its network via a hospital server running RDP services.
How to Detect RDP Activity
One quick check you can do to check for RDP activity is to see if TCP port 3389 is open on your firewall. While this is not an indication of activity you should consider shutting it down for all external clients. It is also possible to run RDP over a different port number so focusing on TCP port 3389 alone is not enough.
A better approach is to monitor network traffic going to and from the Internet using a SPAN, mirror port or network TAP. Once a traffic source is established you can use a product like our own LANGuardian to detect if RDP is in use on your network. You will need a system which is application aware as RDP can run over any network port so looking for activity on TCP port 3389 alone is not sufficient.
The image below shows an example of what to look out for. In this case we can see evidence of RDP activity. Clicking on the traffic total allows us to drill down to investigate further.
Further drilldown reveals that the RDP activity is originating from a client in China and it is connecting to a host located inside the network. An immediate action would be to block that IP address on the firewall if a connection to the network from China is not expected. Blocking port 3389 would also be recommended in this case.
Getting an alert if an external client connects to your network using RDP
While running reports are useful when it comes to forensics on a past event, most network and security managers want to be notified immediately if someone external connects to their network using RDP. Follow these steps to get alerting setup on your LANGuardian:
- Select the report Applications in Use and enter all subnets in use on your network preceded with the ! symbol into the source report filter.
- Select Remote Desktop Protocol from the Protocol drop down
- Run report and then click on the Actions option and choose Save As. Enter a report name and then save.
The final step is to use this custom report to trigger an alert if RDP is detected. Click on gear symbol top right then Settings / Email and alerts configuration.
Select Add New List and then give it a name, add email addresses, select custom report and tick the last 3 boxes as per the image below.
What Should You do About RDP?
- Limit access: Consider changing the default port of TCP 3389, using virtual networking/VLANs/etc. to limit access to critical systems via RDP. Block inbound RDP access from the Internet, it is far too risky to leave open.
- Make sure systems that have RDP enabled use network level authentication with complex passwords and all activity is monitored closely.
- Monitor endpoints. Make sure you have visibility on your network and you know who is connection to what. This is especially true for inbound connections from hosts on the Internet.
- If you have a requirement for remote desktop access from outside your network, consider using a commercial product with encryption and more advanced user account options.