FBI issues cybersecurity advisory on Windows RDP access

FBI issues cybersecurity advisory on Windows RDP access

The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) issued an advisory on Remote Desktop Protocol (RDP) access related threats. The FBI reports seeing an increased level of risk of attacks using the RDP protocol do not require user input, making intrusions difficult to detect. Key vulnerabilities noted include:

  • Weak passwords – passwords using dictionary words or do not include a mixture of uppercase/lowercase letters, numbers, and special characters – are vulnerable to brute-force attacks and dictionary attacks.
  • Outdated versions of RDP may use flawed CredSSP, the encryption mechanism, thus enabling a potential man-in-the-middle attack.
  • Allowing unrestricted access to the default RDP port (TCP 3389).
  • Allowing unlimited login attempts to a user account.

Customers operating their Windows instances on AWS have multiple options for securing their hosting environments from RDP related attacks. stackArmor’s engineers recommend following AWS Best Practices for securing Windows instances on AWS EC2.

Specific recommendations are described below.

Bastion or VPN based access: When managing Windows instances, limit access to a few well-defined centralized management servers or bastion hosts to reduce the environment’s attack surface. Also, use secure administration protocols like RDP encapsulation over SSL/TLS.

Centralized User Accounts: Use Active Directory or AWS Directory Service to tightly and centrally control and monitor interactive user and group access to Windows instances, and avoid local user permissions. Also avoid using Domain Administrators and instead create more granular, application-specific role-based accounts.

AWS-native security services: Systems Administrators should use Windows accounts with limited access to perform daily activities, and only elevate access when necessary to perform specific configuration changes. Additionally, only access Windows instances directly when absolutely necessary. Instead, leverage central configuration management systems such as EC2 Run Command, Systems Center Configuration Manager (SCCM), Windows PowerShell DSC, or Amazon EC2 Simple Systems Manager (SSM) to push changes to Windows servers. Also, implementing robust login and monitoring of services using AWS GuardDuty and installing a SIEM solution like Splunk can help detect detect anomalous logins.

About stackArmor

stackArmor is a AWS certified Microsoft and Windows solutions competency holder with specific expertise in providing cloud management and security solutions for regulated markets with HIPAA, FISMA, FedRAMP or NIST cybersecurity requirements. Learn more on our Microsoft competency page.

https://stackarmor.com/microsoft/

 

SHARE

MOST RECENT

CONTACT US