
RDP Defenses

Posted 30 Aug 2011

The Internet Storm Center is reporting a 10-fold spike in RDP traffic. The increase in RDP scans is suspected to be caused by a new worm called Morto. The worm spreads by simple port scanning and brute-force password attacks to gain access to the server. Once a server is compromised, the infected machine begins scanning for new RDP hosts.

This type of worm can be mitigated with relatively simple techniques. Since RDP is primarily used to access a remote computer at the operating system level rather than at the application level, this traffic should be restricted to known sources. The local firewall (and if possible the upstream network firewall) should limit access to port 3389 to trusted IP addresses or networks. More granular filtering is better. If possible, require the use of a VPN client or SSH tunnel through a bastion host.
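The firewall restriction described above, as an added example that is not part of the original post: it scopes the built-in Windows Firewall "Remote Desktop" rule group to trusted sources using the NetSecurity cmdlets (Windows 8 / Server 2012 and later). The trusted addresses are placeholders you replace with your own management network.

```powershell
# Added example, not from the original post. Assumes the NetSecurity module
# (Windows 8 / Server 2012 and later). The addresses below are constructed
# placeholders for your trusted management network, not real values.
$TrustedSources = @('10.0.0.0/24', '192.0.2.10')

# Weak setting: out of the box the "Remote Desktop" rule group allows TCP 3389
# from any remote address (RemoteAddress = Any), which is exactly what a
# port-scanning worm needs. Inspect the current scope first.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress

# Corrected setting: keep the same allow rules but scope them to trusted
# sources only. Anything else is dropped by the profile's default inbound action.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
    -Enabled True -RemoteAddress $TrustedSources

# Scoping the allow rule only helps if the default inbound action is Block,
# so make that explicit on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Verify: each RDP allow rule should now list only the trusted sources.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress

# Older hosts (2011-era Windows 7 / Server 2008 R2) without the NetSecurity
# module can apply the same scope with netsh advfirewall:
#   netsh advfirewall firewall set rule group="remote desktop" new remoteip=10.0.0.0/24,192.0.2.10
```

Apply the same source restriction on the upstream network firewall, since a host-level rule protects only that host and can be disabled by an attacker who already has local administrator rights.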

Strong passwords should be used to counteract the password-guessing activity. Google has pointers to quite a few guidelines for creating strong passwords. An even better defense would be to add two-factor authentication to the login. A second identifier from an out-of-band source is a strong deterrent.

A few precautions taken in advance can save a lot of headaches and clean up time later.
