Remote access to your servers and other PCs is essential for effective support. The problem is implementing it securely, so that only you get in and everything else is kept out. Ransomware has abused remote desktop and other ports exposed to the internet as an attack vector, not just the traditional avenues such as phishing and malicious websites.
In 2017 WannaCry used publicly exposed SMB ports as its primary attack vector, not a coordinated email campaign. Remote desktop is also often compromised through user accounts with weak passwords: the attacker guesses a common username and brute-forces passwords against the exposed RDP connection.
Let's look at remote desktop and Teamviewer as remote access tools and how to use them securely:
MICROSOFT REMOTE DESKTOP
RDP is still a great remote access tool but needs a few layers of security to make it safe:
- Ideally the RDP endpoint should not be directly exposed to the internet. RDP should be accessed via a VPN. This reduces the endpoint's attack surface considerably.
- The RDP default port (3389) should be changed. This can (and should) be done in two ways: first on the firewall, which should redirect a non-default external port to the endpoint; second, if the endpoint is a Windows machine, by changing the listening port for RDP on the machine itself. Yes, security by obscurity is not security; it simply cuts out the noise and adds another layer of 'security'. Changing the internal listening port also adds obscurity on the LAN side.
- Monitor the Security event log for brute force attempts on your RDP endpoint. Event ID 4625 records failed logon attempts. If you have a publicly accessible RDP endpoint on the default port (3389) you will almost certainly find a significant number of failed logon attempts in your logs. You'll also notice that attackers try different usernames such as 'guest', 'user', etc. Changing the listening port instantly cuts out almost all of this 'noise' from the internet.
- Audit every single user that has RDP access. Quite often it is not the administrator account that is compromised but a secondary account with a weak password. This has been the case in every ransomware attack on servers that we have encountered.
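The three RDP points above (change the listening port, watch Event ID 4625, audit who has RDP access) can be checked and applied from PowerShell on the endpoint. The script below is an added example written for this post, not code from the original article or from Microsoft. It assumes it is run as Administrator on the Windows endpoint, that the accounts are local (domain groups would need the ActiveDirectory module instead of Get-LocalGroupMember), and that the perimeter firewall redirect is configured separately, since that is vendor-specific. The port 33890 is a constructed example value.

```powershell
# Added example (not from the original post). Assumes: run as Administrator on
# the Windows endpoint; local accounts; perimeter firewall redirect done elsewhere.

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Show the port RDP currently listens on (default 3389).
function Get-RdpListeningPort {
    (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
}

# 2. Move RDP to a non-default port and open that port in the host firewall.
#    Takes effect after the Remote Desktop Services service (TermService)
#    restarts or the machine reboots. Keep the old port reachable until the
#    new one is confirmed working, or you lock yourself out.
function Set-RdpListeningPort {
    param([Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$NewPort)

    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

    New-NetFirewallRule -DisplayName "RDP custom port $NewPort" `
        -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow | Out-Null

    Write-Host "RDP listening port set to $NewPort. Restart TermService (or reboot) to apply."
}

# 3. Summarise failed logons (Event ID 4625) from the Security log so brute
#    force attempts stand out: one row per source IP / username pair.
function Get-RdpFailedLogons {
    param([int]$Days = 1)

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
    # -ErrorAction SilentlyContinue: Get-WinEvent errors when nothing matches.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Read the named EventData fields from the event XML rather than
        # relying on positional Properties[] indexes.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            SourceIP  = ($data | Where-Object Name -eq 'IpAddress').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'  # 10 = RemoteInteractive
        }
    } |
    Group-Object SourceIP, User |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'SourceIP'; e = { $_.Group[0].SourceIP } },
        @{ n = 'User';     e = { $_.Group[0].User } },
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time } }
}

# 4. List every local account that can log on via RDP: members of
#    'Remote Desktop Users' plus 'Administrators' (admins get RDP by default).
function Get-RdpUsers {
    foreach ($group in 'Remote Desktop Users', 'Administrators') {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Group = $group; Member = $_.Name; Type = $_.ObjectClass }
            }
    }
}

# Usage: review first, change the port only once the firewall redirect exists.
"RDP currently listens on port $(Get-RdpListeningPort)"
Get-RdpUsers | Format-Table -AutoSize
Get-RdpFailedLogons -Days 7 | Select-Object -First 20 | Format-Table -AutoSize
# Set-RdpListeningPort -NewPort 33890   # 33890 is a constructed example value
```

The failed-logon summary is the part worth running on any existing endpoint before deciding how exposed it is: a long list of distinct usernames from a handful of source addresses is the brute force pattern the text describes, and the same list after the port change shows how much of it was untargeted internet noise.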
TEAMVIEWER
Teamviewer is a great tool for remote access that can be used in a variety of ways. Teamviewer has sharpened up its security recently after a breach, which is why we include it as an option: it now offers two-factor authentication as well as more control over which devices are allowed to access your Teamviewer account (all new devices must first be verified).
- Teamviewer Host is a great tool for unattended access. First and foremost, set a strong password for access. Secondly, enable two-factor authentication.
- Teamviewer VPN combined with Remote Desktop is also a good combination. Use Teamviewer to establish a VPN to your endpoint. From there you can use traditional Remote Desktop to connect to the endpoint.
Teamviewer handles brute force attacks quite well, blocking repeated password attempts with timeouts, but there are more options to make Teamviewer more secure:
- Disable the random one-time password
- Set up an access whitelist that only allows yourself
- Set the computer to lock when the session finishes (Options -> Advanced -> Lock Remote Computer = Always)
From a security perspective, Teamviewer appears to be quite safe, but one always has to consider future security holes that can be abused to bypass all security layers and gain access to you or your endpoints.
In summary, the fewer ports you expose to the internet, the better. Also consider that no matter how many layers of security you implement, the possibility of software exploits always exists, and these can potentially render all other security moot.
Hopefully this gives you some ideas to consider when implementing a remote access strategy for your servers or PCs.
Do you use a different strategy? Been bitten once and now have experience? Let us know in the comments.