When news of the BlueKeep remote code execution vulnerability in Windows’ Remote Desktop Services began to spread back in May, people were understandably alarmed. The wormable, critical remote code execution bug attacks the Remote Desktop Protocol (RDP) on older and legacy versions of Windows, including Windows 7, Windows XP, Windows Vista and Windows Server 2008.
Microsoft has described the flaw as giving attackers a way to gain complete control over a vulnerable system and to install programs; view, change or modify data; and create new accounts with full user rights. The bug does not require an attacker to be authenticated or for the user to take any action to be exploited. While Microsoft quickly issued a patch, organizations that fail to apply the patch remain vulnerable to attacks.
And that’s just one of many RDP vulnerabilities. Microsoft’s Patch Tuesdays routinely reveal a handful each month, and the latest McAfee Labs Threat Report found that open RDP ports are a leading access point for ransomware attacks.
“As soon as an organization enables remote functionality on a Windows server, it opens its RDP ports to the outside world—specifically ports 3389, 3387 [and] 3392,” explained Eyal Dotan, CTO at Cameyo, a vendor specializing in application virtualization. “So if your server is directly connected to the internet, you are vulnerable to RDP brute-force and ransomware attacks.”
Those open ports can cause real problems, which Cameyo’s new RDP Port Shield aims to fix. It does this by automatically closing all RDP ports, and then opening and closing them only when needed and only for authenticated users.
“Cameyo recognizes this as an active threat and wants to help customers avoid unnecessary security vulnerabilities,” said Mark Bowker, a senior analyst at Enterprise Strategy Group. “RDP Port Shield stops the problem before it happens by blocking and stopping RDP traffic without the proper authorization and access policy.”
Dotan said that RDP Port Shield is the first security solution that can automatically and dynamically open and close RDP ports at the Windows firewall level, rather than statically.
“Other solutions keep RDP ports open to a number of predefined IPs, which limits cloud and geographic flexibility,” he said. “And in cloud environments where users are often in different locations or changing IPs, that approach can obstruct productivity.”
He added that other solutions tend to monitor for brute-force attacks only by detecting IPs that have attempted many failed RDP connections within a short period of time. While this addresses some high-volume brute-force attacks, it doesn’t adequately address some types of RDP vulnerabilities. It also can’t address slow attacks or horizontal attacks.
Open-Source RDP Monitoring Tool
In addition to RDP Port Shield, Cameyo today introduced RDPmon, a free open-source RDP monitoring tool. Designed for the cloud, RDPmon helps businesses gain visibility into where they may be exposed through open network services. It does this by correlating IP addresses to RDP connections, both legitimate connections and brute-force attempts, and to live sessions. RDPmon helps organizations map the overall security situation of their cloud machines, better understand how users use their servers, and see which applications are involved, Dotan said.
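The two preceding sections describe, first, the usual brute-force rule (flag a source IP with many failed RDP connections in a short window) and the slow and horizontal attempts it misses, and second, an RDPmon-style mapping of IP addresses to RDP connection outcomes. The script below is an added example written for this article, not Cameyo’s RDPmon or RDP Port Shield code, and nothing about their internals is taken from the page. It runs over constructed, simplified Windows Security event lines: event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values, while the one-line text layout, the IP addresses, account names, thresholds and windows are assumptions made for the example.

```python
"""Toy RDP logon detector and per-IP correlation over constructed log lines.

Added example, not Cameyo's code. Assumes a simplified text rendering of
Windows Security events:  <ISO timestamp> <EventID> LogonType=<n> Account=<user> Src=<ip>
4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP (RemoteInteractive).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2019, 8, 20, 10, 0, 0)  # constructed start time


def _line(ts, event_id, account, src):
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {event_id} LogonType=10 Account={account} Src={src}"


def build_sample_log():
    """Constructed sample telemetry (not real data): three source IPs with different behaviour."""
    lines = [_line(BASE, 4624, "carol", "198.51.100.9")]  # one legitimate RDP logon
    # Noisy brute force: 20 failures against one account within 40 seconds.
    for i in range(20):
        lines.append(_line(BASE + timedelta(seconds=2 * i), 4625, "administrator", "203.0.113.5"))
    # Slow, horizontal attempt: one failure every 10 minutes, each against a different account...
    for i in range(12):
        lines.append(_line(BASE + timedelta(minutes=10 * i), 4625, f"user{i:02d}", "192.0.2.77"))
    # ...followed by a successful logon from the same source two hours in.
    lines.append(_line(BASE + timedelta(minutes=120), 4624, "user12", "192.0.2.77"))
    return lines


def parse_events(lines):
    """Parse the assumed line layout, keep only RDP (LogonType=10) events, sort by time."""
    events = []
    for line in lines:
        ts_s, eid, logon_type, acct, src = line.split()
        if logon_type != "LogonType=10":
            continue
        events.append({
            "ts": datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"),
            "failed": eid == "4625",
            "account": acct.split("=", 1)[1],
            "src": src.split("=", 1)[1],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_burst(events, threshold=10, window=timedelta(minutes=5)):
    """The classic rate rule: per-source sliding window over failed logons.

    Catches high-volume brute force; a source that fails once every 10 minutes
    never accumulates `threshold` entries inside a 5-minute window, so it is missed."""
    recent = defaultdict(deque)
    flagged = set()
    for e in events:
        if not e["failed"]:
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["src"])
    return flagged


def detect_spray(events, min_accounts=5, window=timedelta(hours=24)):
    """Horizontal rule: per-source count of distinct accounts with failures in a long window.

    Complements the rate rule by catching low-rate attempts spread across many accounts."""
    seen = defaultdict(list)  # src -> [(ts, account)]
    flagged = set()
    for e in events:
        if not e["failed"]:
            continue
        lst = seen[e["src"]]
        lst.append((e["ts"], e["account"]))
        lst[:] = [(t, a) for t, a in lst if e["ts"] - t <= window]
        if len({a for _, a in lst}) >= min_accounts:
            flagged.add(e["src"])
    return flagged


def correlate(events):
    """RDPmon-style view: map each source IP to its RDP connection outcomes."""
    summary = {}
    for e in events:  # events are time-ordered, so 'first' and ordering checks are valid
        s = summary.setdefault(e["src"], {"failed": 0, "succeeded": 0, "accounts": set(),
                                           "first": e["ts"], "last": e["ts"],
                                           "success_after_failures": False})
        if e["failed"]:
            s["failed"] += 1
        else:
            s["succeeded"] += 1
            if s["failed"] > 0:  # a success following failures from the same IP is worth review
                s["success_after_failures"] = True
        s["accounts"].add(e["account"])
        s["last"] = e["ts"]
    return summary


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    print("burst rule flags:", detect_burst(evs))
    print("spray rule flags:", detect_spray(evs))
    for src, s in correlate(evs).items():
        print(src, "failed", s["failed"], "succeeded", s["succeeded"],
              "accounts", len(s["accounts"]), "success after failures", s["success_after_failures"])
```

On the constructed input the rate rule flags only the noisy source, the horizontal rule flags only the slow sprayer, and the per-IP correlation shows the sprayer’s eventual successful logon after a run of failures, which is the kind of outcome the text says an IP-to-connection mapping is meant to surface. The thresholds are illustrative; in a real deployment they would be tuned against the server’s normal logon volume.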
Because the number and severity of RDP-based vulnerabilities are likely to rise as organizations rely more heavily on hosted and virtual desktops, these types of solutions will become more important over time. And then there is Windows Virtual Desktop, a cloud-based desktop and app virtualization service running on Azure.
“The hosted desktop and application market is about to get some serious attention as Microsoft is set to generally release Microsoft WVD,” Bowker said.