TO: “The IT Guy”
FROM: Your clients’ Incident Response Coach
SUBJECT: Securing RDP Access: Changing the RDP Port Does Not Work!
This memo comes out of necessity; please take it seriously. I have lost track of how many times over the past couple of months I have been on "scoping calls" with a new client, its "IT Guy", and a cybersecurity/ransomware recovery firm, and heard the following conversation take place:
FIRM: Was open RDP access being used to connect to the network before your client was hit with the ransomware attack?
IT GUY: No, it wasn’t open, we changed the port.
FIRM: Thank you, but was it secured, or, was it open to the Internet?
IT GUY: It was secured, we changed the port.
FIRM: Ok … um … was there a VPN and MFA being used to secure the RDP access?
IT GUY: Well, we secured it by changing the port. No, we were not using a VPN. [I have actually then heard some say, "For MFA, you mean like a username and password to log in?"]
I am not making this up; this is exactly how these conversations have gone, as though everyone is reading from the same script. Here is why this is such a problem:
- RDP access is currently the #1 ransomware attack vector, used in over 50% of ransomware cases, according to a recent report by Coveware, a leading ransomware recovery firm. For companies with 1 to 100 employees, the percentage is between 60% and 80%, with the smallest companies on the higher end.
- “Until companies properly heed the risk of an improperly secured RDP connection, this attack vector will continue to be the most cost-effective target for ransomware threat actors to exploit.” -Coveware Report
- Unfortunately, there is a lot of advice out there suggesting that RDP (Remote Desktop Protocol) access can be "secured" in Windows by changing the default port (3389) used to connect to RDP. The theory is that, by moving the listener to a non-standard port, it will not be as easy for the threat actors (i.e., the "hackers") to find, and therefore it is one more layer of protection. Every layer you can add may help, but while this may add some obscurity, obscurity is not the same as security. Here is why:
- The majority of threat actors are not finding your clients' open RDP ports by poking around for them one by one. They use port-scanning tools and techniques that sweep the entire Internet, probe every port, and identify RDP by how the service responds rather than by its port number. That quickly produces lists of publicly facing RDP servers, including your clients' servers that are listening on non-standard ports.
- This is why changing the port does not help in these situations and certainly does not "secure" RDP access. If the listener is reachable from the Internet, it is open, whatever port it is on.
First, let's be clear: though I have been practicing cyber law since 1999, even after two decades and hundreds (maybe thousands) of incident responses, I am still just a lawyer, so understand that I may not get all of the technical gobbledygook exactly right. But here is the advice I have heard from the people who do know what they are doing on the technical (i.e., fingers on keyboards) side of things:
- If you do not need RDP access, disable it altogether; otherwise, limit it as much as possible (which machines listen, and which accounts and source networks may connect).
- Do not allow domain admin access over RDP unless absolutely necessary.
- Use a reputable Virtual Private Network (VPN) to connect, so the RDP listener is never exposed directly to the Internet.
- Secure the VPN with Multifactor Authentication (MFA), with no exceptions.
- Implement account lockout policies, so repeated failed logins lock the account instead of letting password guessing run unchecked.
- Ensure each of these devices is updated and patched.
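As an added illustration (not part of the memo, and not a tool from Coveware or CISA), the PowerShell script below lets an "IT Guy" check a Windows server against the list above instead of taking "we changed the port" on faith. It reads the standard Remote Desktop registry values, the built-in "Remote Desktop" firewall rule group, local group membership and the `net accounts` lockout settings; it changes nothing unless you uncomment the last line. The finding wording is mine, and the check treats a non-default port as a point of information, not as a control.

```powershell
# Added example: audit a Windows host against the memo's RDP checklist.
# Run in an elevated PowerShell session on the server. Read-only unless the
# final 'net accounts' line is uncommented.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is off.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -ne 1)

# 2. Which port does the listener use? Default is 3389; a different value is obscurity only.
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# 3. Is Network Level Authentication required? (UserAuthentication = 1)
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication

# 4. Which enabled firewall rules allow Remote Desktop, and from which remote addresses?
#    'Any' means the listener is reachable from every source the interface can see.
$fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr -join ',')
        }
    }

# 5. Who may log on over RDP? Members of Administrators can by default, plus 'Remote Desktop Users'.
$admins   = Get-LocalGroupMember -Group 'Administrators'       -ErrorAction SilentlyContinue
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue

# 6. Account lockout policy, as reported by 'net accounts'.
$lockoutLine = (net accounts) | Select-String 'Lockout threshold'

# ---- Report ----
"RDP enabled              : $rdpEnabled"
"RDP listening port       : $port"
"NLA required             : $($nla -eq 1)"
"Lockout policy           : $lockoutLine"
"Administrators           : $(($admins   | ForEach-Object Name) -join ', ')"
"Remote Desktop Users     : $(($rdpUsers | ForEach-Object Name) -join ', ')"
$fwRules | Format-Table -AutoSize

$findings = @()
if ($rdpEnabled -and $port -ne 3389) {
    $findings += "RDP listens on port $port. A changed port is obscurity, not security; every check below still applies."
}
if ($rdpEnabled -and $nla -ne 1) {
    $findings += "Network Level Authentication is not required on the RDP listener."
}
foreach ($r in $fwRules) {
    if ($r.RemoteAddress -eq 'Any') {
        $findings += "Firewall rule '$($r.Rule)' ($($r.Profile)) allows RDP from any address. Restrict it to the VPN subnet."
    }
}
if ($lockoutLine -match 'Never') {
    $findings += "No account lockout threshold is set; failed logins are unlimited."
}
if ($admins | Where-Object Name -match 'Domain Admins') {
    $findings += "Domain Admins are local Administrators here and can therefore use RDP; restrict or use a dedicated account."
}

if ($findings.Count -eq 0) { "No findings against the checklist on this host." }
else { "FINDINGS:"; $findings | ForEach-Object { " - $_" } }

# Optional remediation for finding 4 (lockout): 5 attempts, 30-minute lockout and reset window.
# net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
```

The script looks only at the host itself, so it cannot tell you whether the VPN and MFA exist in front of it; use the firewall "RemoteAddress" column for that question: if the only allowed source is the VPN's internal subnet, the listener is not "open to the Internet" in the sense the recovery firm is asking about.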
If you want more technical detail, go to the folks who really know the ins and outs of this by reading these two Cybersecurity & Infrastructure Security Agency (CISA) reports:
- Security Tip (ST18-001) Securing Network Infrastructure Devices
- Alert (AA20-302A) Ransomware Activity Targeting the Healthcare and Public Health Sector
Thank you for your efforts, your time, and your attention. Carry on.
See these other Memos:
- ***URGENT*** MEMO TO: “THE IT GUY” RE: #RANSOMWARE / WIPING DATA
- ***URGENT*** MEMO TO: “The IT Guy” / MSP After Ransomware Attack