
ESET: What are the vulnerabilities of Windows "RDP (Remote Desktop Protocol)" and its countermeasures?

This article is a re-edited version of "Is RDP, which ships with Windows, an easy target for cyber attacks? What measures are needed?"

Against the backdrop of remote work, which has spread because of the coronavirus pandemic, the use of RDP, which enables remote connections to servers, is also spreading, and attacks by cyber attackers targeting RDP weaknesses are increasing. In this article, we explain the vulnerabilities of RDP, the problems in its use, cases in which damage actually occurred, and the measures needed to limit that damage.

RDP is the protocol for Windows Remote Desktop

RDP (Remote Desktop Protocol) is known as the protocol that implements remote desktop in a Windows environment. It was developed by Microsoft and is standard on Windows PCs and Windows servers.

With a remote desktop, you can operate a computer or server from a distance. With the introduction of teleworking caused by the coronavirus pandemic, it has attracted attention as a means of operating PCs from home or from remote locations. It is used to connect to a PC in the office or to a server in a data center. Before that, there was already a need for it in server management and customer support. The following three benefits are representative.

・ Low cost, and it can be started in a short time compared to other means

There is no need to purchase or install separate software or hardware, so costs and man-hours can be reduced. If you enable the remote desktop function on a Windows computer, you can start working immediately.

・ Smooth BYOD adoption through support for a variety of devices

A remote desktop can be used not only from Windows devices but also from Android and iOS mobile devices, and it suits BYOD, in which employees use their personal devices.

・ Reduced risk of information leakage, because data storage locations are limited

Because data is stored at the connection destination, a remote desktop has a mechanism by which data does not remain on the client device. This reduces the risk of leaking personal and confidential information.

When the RDP protocol is used for a remote desktop, a dedicated channel is opened on port 3389 and data is sent and received over it. Keyboard and mouse operations, screen information and so on are exchanged in encrypted form over the Internet, which makes remote work possible.

Incident cases that exploited RDP

As mentioned earlier, when RDP is used, the port is opened to the outside, which makes it an easier target for cyber attacks. As Figure 1 shows, cyber attacks aimed at RDP increased rapidly during the coronavirus pandemic.

Figure 1: Monthly trend of threats targeting RDP (first half of 2020, domestic)

What cyber attacks have actually occurred? Some examples follow.

・ "GoldBrute", malware that scales up brute-force attacks

Against devices that expose the remote desktop function over RDP, brute-force attacks that try to log in with every ID and password combination are increasing. GoldBrute is malware that, from a device it has logged into by brute force, identifies new attack targets and repeats the brute-force attack. As the infection spreads, the scale of the brute-force attack grows, causing serious damage.

・ "Phobos", ransomware that attempts to enter via RDP

Phobos is known as ransomware that infects devices on a network via the RDP protocol. It detects a port that is open to the Internet, obtains an account by a brute-force attack, and so intrudes. Its activity picked up after September 2020 and has drawn attention in Japan. When a device is infected with Phobos, files are encrypted and a ransom in bitcoin is demanded to decrypt them.
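Both GoldBrute and Phobos depend on repeated failed RDP logins, which Windows records in the Security log as Event ID 4625. The following PowerShell is an added example, not code from the ESET article: it groups failed logons by source address and flags any address that produces a run of failures within a short window; the threshold, window, sample addresses and the helper that reads live events are assumptions.

```powershell
# Added example, not from the ESET article: flag RDP brute-force activity (the GoldBrute
# and Phobos pattern) from Windows Security failed-logon events, Event ID 4625.
function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # TimeCreated, IpAddress, TargetUserName, LogonType
        [int] $Threshold = 10,                      # assumed: failures from one source address ...
        [int] $WindowMinutes = 5                    # ... within this many minutes; tune for your site
    )
    # Logon type 10 is RemoteInteractive (RDP); type 3 also appears when NLA rejects the attempt.
    $failures = $Events | Where-Object {
        ($_.LogonType -in 3, 10) -and ($_.IpAddress -notin '-', '::1', '127.0.0.1')
    }
    $failures | Group-Object IpAddress | ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeCreated)
        # Sliding window: any run of $Threshold failures inside $WindowMinutes is a hit.
        for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
            $span = $sorted[$i + $Threshold - 1].TimeCreated - $sorted[$i].TimeCreated
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    SourceIp = $_.Name; Failures = $sorted.Count
                    Accounts = ($sorted.TargetUserName | Sort-Object -Unique) -join ','
                    FirstSeen = $sorted[0].TimeCreated; LastSeen = $sorted[-1].TimeCreated
                }
                break
            }
        }
    }
}
# Flatten live 4625 events into the shape above (run on the RDP host as administrator).
function Get-FailedLogonEvents {
    param([int] $Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                IpAddress      = ($d | Where-Object Name -eq 'IpAddress').'#text'
                TargetUserName = ($d | Where-Object Name -eq 'TargetUserName').'#text'
                LogonType      = [int]($d | Where-Object Name -eq 'LogonType').'#text'
            }
        }
}
# Constructed sample: 12 failures in two minutes from one address, two stray failures from another.
$base = [datetime]'2020-09-01T03:00:00'
$sample = @(
    0..11 | ForEach-Object { [pscustomobject]@{ TimeCreated = $base.AddSeconds(10 * $_); IpAddress = '198.51.100.23'; TargetUserName = "user$_"; LogonType = 10 } }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(1);  IpAddress = '203.0.113.5'; TargetUserName = 'alice'; LogonType = 10 }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(40); IpAddress = '203.0.113.5'; TargetUserName = 'alice'; LogonType = 10 }
)
Find-RdpBruteForce -Events $sample | Format-Table -AutoSize
```

On a live host, replace the constructed sample with `Find-RdpBruteForce -Events (Get-FailedLogonEvents -Hours 1)`; a password-spraying run shows up as one source address with many distinct account names.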


In addition, GandCrab, Ragnar Locker and Crysis have been found as ransomware that exploits RDP.

Before the pandemic, "BlueKeep" was a major topic when it was first discovered. Microsoft released a security patch for this vulnerability, which was found in 2019. According to Shodan, the background is that there are many servers with RDP port 3389 exposed. A warning was issued because many servers had not applied the BlueKeep patch.

Comparison of tools that provide remote desktops

Besides Windows RDP, there are free and paid options for remote desktops. This chapter explains the advantages and disadvantages of each.

・ Chrome Remote Desktop

Chrome Remote Desktop is the remote desktop mechanism developed by Google. It performs secure communication using technologies such as WebRTC. Its advantage is that connection setup is easy and it is not limited to the Windows environment. However, it must go through the Internet and cannot be used on a closed LAN.

・ Remote desktop products such as TeamViewer and AnyDesk

Third-party remote desktop products also have free versions, which makes it easy to get started with a remote desktop. Although the paid versions cost money, they offer substantial security functions, such as multi-factor authentication and limits on the number of login attempts.

To use a remote desktop safely

When introducing a remote desktop, the following basic security measures should be taken.

・ Introduction of multi-factor authentication

Multi-factor authentication means logging in with multiple means drawn from knowledge factors, possession factors and biometric factors. It is unlikely that multiple factors will be stolen at once, which reduces the risk of unauthorized login.

・ Limiting the number of login attempts

If login fails several times within a certain period, the account is temporarily suspended. This protects the account from brute-force attacks, which try IDs and passwords by exhaustive guessing.

・ Connection restriction by IP address

There is a method of limiting connections based on the IP address of the device from which the remote desktop connection originates. It is effective when connections are to be allowed only from a specific office.

・ Connecting via VPN

A VPN (Virtual Private Network) communicates over a virtual line. The data exchanged by the remote desktop is encrypted, reducing the risk of eavesdropping and tampering.

・ Strengthening the password policy

Decide the password requirements used for login and apply them company-wide. For example, 15 or more characters combining uppercase letters, lowercase letters, numbers and symbols might be considered. In addition, requirements such as prohibiting password reuse and prohibiting easily guessed words should be used.

・ Changing the RDP port number

RDP uses port 3389 by default, which makes it an easy target for attackers planning abuse. Changing the port in use reduces the risk of attack.
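Three of the measures above (login attempt limit, IP address restriction and port change) can be applied directly on a Windows RDP host. The following PowerShell is an added example, not code from the ESET article; the office network 203.0.113.0/24 and the replacement port 53389 are assumed values, and the commands must run in an elevated session.

```powershell
# Added example, not from the ESET article: apply three of the measures above on a Windows RDP host.
# Run in an elevated PowerShell session. $OfficeRange and $NewRdpPort are assumed values.
$OfficeRange = '203.0.113.0/24'   # assumed: the only source network allowed to reach RDP
$NewRdpPort  = 53389              # assumed: replacement for the default port 3389

# 1. Limit login attempts: lock the account after 5 failures in 15 minutes, for 30 minutes.
#    On a domain-joined host the domain's lockout policy overrides this local setting.
net accounts /lockoutthreshold:5 /lockoutwindow:15 /lockoutduration:30

# 2. Restrict by IP address: scope the built-in Remote Desktop rules to the office range only.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -RemoteAddress $OfficeRange

# 3. Change the RDP port: the listener reads PortNumber from the registry and needs a
#    matching firewall rule; the change takes effect only after the service restarts, which
#    disconnects current sessions. A changed port hides the listener from scans of 3389 but
#    not from full port scans, so keep the IP restriction in place as well.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $NewRdpPort
New-NetFirewallRule -DisplayName "RDP on $NewRdpPort (office only)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewRdpPort -RemoteAddress $OfficeRange -Action Allow
Restart-Service -Name TermService -Force

# Verify the three settings.
net accounts
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
(Get-ItemProperty -Path $rdpTcp).PortNumber
```

Clients must then connect with the new port appended (for example `host:53389`), and the VPN route or office egress address must match $OfficeRange or administrators will lock themselves out.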

Even if the above measures are taken, it is difficult to cope when malware is already hiding inside or when an unknown attack method is used. However, if an EDR (Endpoint Detection and Response) product is introduced, even malware that has entered via RDP can be detected and dealt with early from its malicious behavior. There is also the method of connecting to a virtual server via VPN, or of introducing a virtual desktop (VDI). The advantage is that multiple users can share one server in a high-security environment.

In recent years, the DaaS (Desktop as a Service) mechanism has also been developed. It is a method of logging in to a virtual desktop in the cloud; it is generally a paid service, which makes it easier to optimize cost-effectiveness. In response to the pandemic, the remote desktop mechanism has become indispensable. We want to optimize security and cost while improving work efficiency.
