RDP servers exposed to the public internet have long been a target that attackers scan for and try to exploit in order to gain a foothold in corporate networks.
Despite the fixes Microsoft has released, it has recently been observed that attackers are again getting in through exposed RDP, elevating account privileges and then encrypting all company files in order to demand a ransom. They also look for Volume Shadow Copy Service (VSS) shadow copies and delete them, so that the victim cannot roll files back to earlier versions and is left depending on whatever backups exist off the host.
Here at itopia, we are committed to helping our customers by automating configurations and producing documentation that helps IT service providers standardize their operations around industry best practices and prevent this and other attacks that could harm their business. Below are a few tips and default configurations built into our solution that help prevent RDP attacks.
1. Restrict RDP access to Google Compute Engine instances by editing the "default-allow-rdp" firewall rule so that its source ranges list only the IP addresses or ranges that clients and admins connect from. As shipped, that rule allows TCP 3389 from 0.0.0.0/0 (the entire internet) to every instance in the default network.
Go to the Google Cloud console and select the desired project.
On the main menu, select "VPC network" and go to "Firewall rules".
Click on the "default-allow-rdp" rule and then "Edit".
Under "Source IP ranges", remove the 0.0.0.0/0 entry, enter the specific IP addresses or ranges you wish to allow connections from (for a single admin address use a /32, e.g. 203.0.113.5/32), and save the rule. Repeat this for any other network or project that hosts Session Servers.
2. Enable the RDS Gateway (the Remote Desktop Gateway role) for all deployments. Now available in our Starter Plan.
Restricting by source IP address is not always practical, especially when you want users to connect from anywhere, at any time and from any device. Isn't that the point of the cloud in the first place? With an RDS Gateway as part of your deployment, users and admins connect to the gateway over RDP tunnelled in HTTPS (TCP 443), and the gateway opens the RDP session to the Session Servers over the internal network. Port 3389 therefore no longer needs to be reachable from the internet at all: remove the public RDP rule for good, or restrict it to office IP addresses as a fallback path into the domain in case the RDS Gateway is not responding. The gateway itself still accepts domain credentials from the internet, so the password and lockout policy in the next section, and prompt patching of the gateway host, matter just as much.
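Steps 1 and 2 as a script, added here as an example and not part of itopia's tooling: it pins the default-allow-rdp rule to a list of source ranges (refusing 0.0.0.0/0, or a prefix so short it would be nearly as open), adds a rule that exposes only TCP 443 to instances carrying a gateway tag, and includes a function to delete the RDP rule outright once the gateway is the only path in use. The rule name allow-rdgateway-https, the network tag rd-gateway and the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.7/32 are assumptions; substitute your own. It prints the gcloud commands by default and runs them only when DRY_RUN=0.

```sh
#!/bin/sh
# Added example, not itopia's code: narrow the default network's RDP rule to
# known ranges and expose only TCP/443 to instances tagged for the RD Gateway.
# allow-rdgateway-https, the tag rd-gateway and the 203.0.113.0/24 and
# 198.51.100.7/32 ranges are placeholders; substitute your own.
# Commands are printed, not executed, unless DRY_RUN=0.
set -u
DRY_RUN=${DRY_RUN:-1}

# run CMD...: echo the command; execute it only when DRY_RUN=0
run() {
  printf '+ %s\n' "$*"
  if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# validate_cidr RANGE: accept a well-formed IPv4 CIDR that is neither the
# wildcard 0.0.0.0/0 nor broader than a /8 (a typo like /4 would reopen RDP)
validate_cidr() {
  range=$1
  case "$range" in
    0.0.0.0/0) echo "refusing wildcard source range $range" >&2; return 1 ;;
    */*) ;;
    *) echo "$range is not CIDR notation (e.g. 203.0.113.0/24)" >&2; return 1 ;;
  esac
  ip=${range%/*}; bits=${range#*/}
  case "$bits" in ''|*[!0-9]*) echo "bad prefix length in $range" >&2; return 1 ;; esac
  if [ "$bits" -lt 8 ] || [ "$bits" -gt 32 ]; then
    echo "refusing /$bits in $range: prefix must be between /8 and /32" >&2; return 1
  fi
  ifs_save=$IFS; IFS=.; set -- $ip; IFS=$ifs_save
  [ $# -eq 4 ] || { echo "bad address in $range" >&2; return 1; }
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) echo "bad octet '$octet' in $range" >&2; return 1 ;; esac
    [ "$octet" -le 255 ] || { echo "octet $octet out of range in $range" >&2; return 1; }
  done
}

# validate_ranges "A/24,B/32": every comma-separated element must pass
validate_ranges() {
  ifs_save=$IFS; IFS=,; set -- $1; IFS=$ifs_save
  [ $# -ge 1 ] || { echo "no source ranges given" >&2; return 1; }
  for r in "$@"; do validate_cidr "$r" || return 1; done
}

# restrict_rdp RANGES: replace the rule's 0.0.0.0/0 source with RANGES
restrict_rdp() {
  validate_ranges "$1" || return 1
  run gcloud compute firewall-rules update default-allow-rdp \
      --source-ranges="$1" --description="RDP from office/admin ranges only"
}

# allow_gateway_https: TCP/443 from anywhere, but only to rd-gateway instances;
# Session Servers keep 3389 reachable from the gateway over the VPC, not from
# the internet, so they must not carry this tag
allow_gateway_https() {
  run gcloud compute firewall-rules create allow-rdgateway-https \
      --network=default --direction=INGRESS --allow=tcp:443 \
      --source-ranges=0.0.0.0/0 --target-tags=rd-gateway
}

# delete_rdp_rule: once every user goes through the gateway, drop 3389 entirely
delete_rdp_rule() {
  run gcloud compute firewall-rules delete default-allow-rdp --quiet
}

# audit_rdp_rule: fail if the live rule still admits 0.0.0.0/0 (needs gcloud auth)
audit_rdp_rule() {
  ranges=$(gcloud compute firewall-rules describe default-allow-rdp \
           --format='value(sourceRanges)') || return 2
  case ";$ranges;" in
    *";0.0.0.0/0;"*) echo "default-allow-rdp is still open to 0.0.0.0/0" >&2; return 1 ;;
  esac
  echo "default-allow-rdp source ranges: $ranges"
}

main() {
  restrict_rdp "${1:-203.0.113.0/24,198.51.100.7/32}"
  allow_gateway_https
  # delete_rdp_rule   # uncomment once RDP over HTTPS is the only path in use
}
main "$@"
```

Run it from a shell authenticated to the project, e.g. DRY_RUN=0 sh restrict-rdp.sh 203.0.113.0/24,198.51.100.7/32 (any file name works); call audit_rdp_rule afterwards to read the rule back and confirm 0.0.0.0/0 is gone. The prefix-length floor exists because a single mistyped digit in the console turns an office /24 into a /4 that admits a sixteenth of the internet without anyone noticing.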
3. Enforce the Active Directory password complexity, expiration and lockout policy for all deployments.
Enabled by default on all itopia deployments. These are the password settings; they are the values of the Windows Default Domain Policy, so treat them as a floor rather than a target, since both NIST SP 800-63B and Microsoft's current security baselines favour longer minimum lengths over periodic forced expiration:
Enforce password history: 24 passwords remembered
Maximum password age: 42 days
Minimum password age: 1 day
Minimum password length: 7 characters
Password must meet complexity* requirements: Enabled
Store passwords using reversible encryption: Disabled
*Complexity means the password must contain characters from at least three of these categories: uppercase letters, lowercase letters, digits and non-alphanumeric characters (a fifth category, other Unicode alphabetic characters, also counts). It also cannot contain the user's account name or full name: the account name is checked as a whole (if it is at least three characters long), and the full name is split on commas, periods, hyphens, underscores, spaces, pound signs and tabs, and any resulting token of three or more characters that appears in the password, ignoring case, causes the password to be rejected.
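To make the complexity rule concrete, here is a re-implementation of the documented Windows check, added as an example; it is neither itopia's code nor Microsoft's implementation. It checks the 7-character minimum from the policy above, the three-of-four character categories (ASCII only; the Unicode-alphabetic category is left out) and the account-name and full-name token rule. The sample user jsmith / "Smith, John J." and the candidate passwords are constructed.

```sh
#!/bin/sh
# Added example, not itopia's code or Microsoft's implementation: a
# re-implementation of the documented Windows complexity check, so you can
# see exactly which passwords the policy above refuses. Simplifications:
# ASCII only (the Unicode-alphabetic category is ignored); MIN_LEN applies
# the policy's 7-character minimum. The sample user below is constructed.
export LC_ALL=C
MIN_LEN=7

# lower S: ASCII lower-case copy of S; the name checks are case-insensitive
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# category_count PW: how many of upper / lower / digit / non-alphanumeric appear
category_count() {
  n=0
  case "$1" in *[A-Z]*) n=$((n + 1)) ;; esac
  case "$1" in *[a-z]*) n=$((n + 1)) ;; esac
  case "$1" in *[0-9]*) n=$((n + 1)) ;; esac
  case "$1" in *[!A-Za-z0-9]*) n=$((n + 1)) ;; esac
  echo "$n"
}

# contains_name_token PW SAM DISPLAY: succeed if PW contains the whole account
# name (when it is 3+ characters) or any 3+ character token of the display
# name split on the documented delimiters: comma, period, hyphen, underscore,
# space, pound sign and tab. Substrings of tokens are not checked.
contains_name_token() {
  lpw=$(lower "$1")
  sam=$(lower "$2")
  if [ ${#sam} -ge 3 ]; then
    case "$lpw" in *"$sam"*) return 0 ;; esac
  fi
  for tok in $(lower "$3" | tr -s ',._#\t -' '\n'); do
    [ ${#tok} -ge 3 ] || continue
    case "$lpw" in *"$tok"*) return 0 ;; esac
  done
  return 1
}

# check_password PW SAM DISPLAY: succeed if the policy accepts PW; otherwise
# print why it is refused and fail
check_password() {
  pw=$1
  if [ ${#pw} -lt "$MIN_LEN" ]; then
    echo "refused: shorter than $MIN_LEN characters"; return 1
  fi
  if [ "$(category_count "$pw")" -lt 3 ]; then
    echo "refused: needs characters from at least 3 of 4 categories"; return 1
  fi
  if contains_name_token "$pw" "$2" "$3"; then
    echo "refused: contains the account name or part of the full name"; return 1
  fi
  echo "accepted"
}

# Constructed sample user: account name jsmith, full name "Smith, John J."
for pw in 'Summer2019!' 'Xk9#mQ2' 'JohnS2019!' 'smithy!99' 'JSmith#2019' 'P@ss1' 'password123'; do
  printf '%-12s -> ' "$pw"
  check_password "$pw" jsmith 'Smith, John J.'
done
```

Note what the rule does and does not catch: "Summer2019!" passes every check even though it is exactly the kind of password an RDP brute-forcer tries first, while "smithy!99" is refused only because "smith" is a token of the full name. Complexity filters out name-based and single-class passwords, not guessable ones, which is why lockout thresholds and the gateway in step 2 are needed alongside it.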
4. Configure itopia's Google Snapshots automation so that encrypted or deleted files can be recovered. Persistent disk snapshots are stored outside the VM, in Google Cloud Storage, so malware running inside the instance cannot delete them the way it deletes shadow copies unless it also holds Google Cloud credentials with permission to delete snapshots; keep those IAM grants to a minimum.
In addition, keep a backup solution that is independent of Windows Volume Shadow Copy Service. Shadow copies are the first thing this kind of attacker removes, so they cannot be your only recovery path.
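The same protection expressed with Compute Engine's built-in snapshot scheduler, plus the restore step, added here as an example and not itopia's snapshot automation. The zone, the policy name daily-rdp-recovery and the disk and snapshot names in main are placeholders. As with the firewall script, commands are printed unless DRY_RUN=0.

```sh
#!/bin/sh
# Added example, not itopia's snapshot automation: the same protection with
# Compute Engine's built-in snapshot scheduler, plus the restore step. Zone,
# policy name and the disk/snapshot names in main are placeholders; commands
# are printed, not executed, unless DRY_RUN=0.
set -u
DRY_RUN=${DRY_RUN:-1}
ZONE=${ZONE:-us-central1-a}
REGION=${ZONE%-*}                      # us-central1-a -> us-central1
POLICY=${POLICY:-daily-rdp-recovery}

# run CMD...: echo the command; execute it only when DRY_RUN=0
run() {
  printf '+ %s\n' "$*"
  if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# create_schedule DAYS: one snapshot a day at 04:00 UTC, retained DAYS days.
# keep-auto-snapshots means deleting the disk or the VM does not delete the
# snapshots, which is exactly the scenario being planned for.
create_schedule() {
  days=$1
  case "$days" in ''|*[!0-9]*) echo "retention must be a number of days" >&2; return 1 ;; esac
  if [ "$days" -lt 7 ]; then
    echo "keep at least 7 days: encryption is often noticed days after it starts" >&2
    return 1
  fi
  run gcloud compute resource-policies create snapshot-schedule "$POLICY" \
      --region="$REGION" --daily-schedule --start-time=04:00 \
      --max-retention-days="$days" --on-source-disk-delete=keep-auto-snapshots
}

# attach_zone_disks: attach the policy to every disk in ZONE (needs gcloud auth)
attach_zone_disks() {
  for disk in $(gcloud compute disks list --zones="$ZONE" --format='value(name)'); do
    run gcloud compute disks add-resource-policies "$disk" \
        --zone="$ZONE" --resource-policies="$POLICY"
  done
}

# restore_disk SNAPSHOT NEWDISK: materialise a pre-encryption snapshot as a
# new disk. Attach it to a clean VM and copy the files out; do not swap it
# under the still-infected instance.
restore_disk() {
  run gcloud compute disks create "$2" --zone="$ZONE" --source-snapshot="$1"
}

main() {
  create_schedule "${1:-14}"
  if [ "$DRY_RUN" = 0 ]; then attach_zone_disks; fi
  restore_disk rds-host-1-20190301 rds-host-1-restored   # constructed names
}
main "$@"
```

The retention floor is deliberate: a one- or two-day window is frequently gone by the time encryption is discovered, at which point every remaining snapshot already contains encrypted files.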