emPSN has been contacted by UK CERT, which has obtained and collated information from an open source, ShadowServer, identifying hosts on the emPSN network that are RDP (Remote Desktop Protocol) servers reachable from the Internet. The information provided to us flags these services as 'vulnerable' because an RDP server exposed to the Internet can disclose sensitive information (for example the machine name carried in its certificate) and, if it is configured improperly or protected only by a weak password, can give an attacker remote access to the system.
Shadowserver queries all computers with routable IPv4 addresses that are not firewalled from the Internet on port 3389/tcp with an RDP negotiation request and captures the response. If a host replies affirmatively, Shadowserver follows that query up with an attempt to fetch the server's TLS (SSL) certificate.
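The following PowerShell function is an added example and is not emPSN's or Shadowserver's own tooling. It sends the same packet a scan of this kind sends, an X.224 Connection Request carrying an RDP Negotiation Request (MS-RDPBCGR section 2.2.1.1), and decodes the reply, so an administrator can confirm from outside which hosts answer on 3389/tcp and whether they will start a session without Network Level Authentication. The host name in the usage line is an assumption; run it only against hosts you are responsible for.

```powershell
# Added example (not emPSN's or Shadowserver's tooling): probe an RDP endpoint with
# an X.224 Connection Request + RDP_NEG_REQ and decode the RDP_NEG_RSP/RDP_NEG_FAILURE.
function Test-RdpNegotiation {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$Port = 3389,
        # Protocols offered to the server: 0x00 = standard RDP security only,
        # 0x01 = TLS, 0x02 = CredSSP (NLA); OR them together to offer several.
        # Offering only 0x00 asks whether the server will start a session WITHOUT
        # NLA; a hardened server answers with a failure code instead of accepting.
        [uint32]$RequestedProtocols = 0x00,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{ Target = $Target; Port = $Port; Result = ''; Detail = '' }

    # TPKT header (version 3, big-endian total length 19)
    # + X.224 Connection Request (LI = 14, code 0xE0, dst/src refs, class 0)
    # + RDP_NEG_REQ (type 1, flags 0, length 8, requestedProtocols little-endian)
    $neg    = [BitConverter]::GetBytes($RequestedProtocols)
    $packet = [byte[]](@(0x03,0x00,0x00,0x13, 0x0E,0xE0,0x00,0x00,0x00,0x00,0x00, 0x01,0x00,0x08,0x00) + $neg)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Result = 'NoResponse'; $result.Detail = 'connect timeout'
            return [pscustomobject]$result
        }
        $client.EndConnect($handle)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($packet, 0, $packet.Length)
        $buf = New-Object byte[] 64
        $n = $stream.Read($buf, 0, $buf.Length)   # reply is a single 11- or 19-byte TPDU
    } catch {
        $result.Result = 'NoResponse'; $result.Detail = $_.Exception.Message
        return [pscustomobject]$result
    } finally {
        $client.Close()
    }

    # A real RDP server answers with TPKT version 3 and an X.224 Connection Confirm (0xD0).
    if ($n -lt 11 -or $buf[0] -ne 0x03 -or $buf[5] -ne 0xD0) {
        $result.Result = 'NotRdp'; $result.Detail = "$n bytes received"
        return [pscustomobject]$result
    }
    if ($n -lt 19) {
        # No RDP_NEG_RSP appended: a legacy server that only speaks standard RDP security.
        $result.Result = 'Legacy'; $result.Detail = 'no negotiation response'
        return [pscustomobject]$result
    }
    $code = [BitConverter]::ToUInt32($buf, 15)
    switch ($buf[11]) {
        0x02 {   # RDP_NEG_RSP: the server accepted one of the offered protocols
            $names = @{ 0 = 'StandardRDP'; 1 = 'TLS'; 2 = 'CredSSP (NLA)'; 8 = 'RDSTLS' }
            $result.Result = 'Accepted'; $result.Detail = "selectedProtocol=$code ($($names[[int]$code]))"
        }
        0x03 {   # RDP_NEG_FAILURE: the server refused every offered protocol
            $names = @{ 1 = 'SSL_REQUIRED_BY_SERVER'; 2 = 'SSL_NOT_ALLOWED_BY_SERVER'
                        3 = 'SSL_CERT_NOT_ON_SERVER'; 4 = 'INCONSISTENT_FLAGS'
                        5 = 'HYBRID_REQUIRED_BY_SERVER'; 6 = 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER' }
            $result.Result = 'Refused'; $result.Detail = "failureCode=$code ($($names[[int]$code]))"
        }
        default { $result.Result = 'Unknown'; $result.Detail = "negotiation type $($buf[11])" }
    }
    return [pscustomobject]$result
}

# Usage (host name is an assumption). 'Accepted ... StandardRDP' means a session
# without NLA is possible; 'Refused ... HYBRID_REQUIRED_BY_SERVER' means NLA is enforced.
Test-RdpNegotiation -Target 'rdp.example.school' -RequestedProtocols 0x00
```

Any host that returns anything other than NoResponse to this probe from an Internet address is one Shadowserver will list; a host that returns Accepted with StandardRDP or Legacy is accepting sessions without NLA and should be treated as a priority for the guidance below.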
To reduce the exposure of an RDP server, please consider the following items:
- Consider an RDP Gateway, which places the RDP servers behind an HTTPS gateway and improves on the security of out-of-the-box RDP
- Consider two-factor authentication for highly sensitive systems
- Set an account lockout policy so that repeated password guesses lock the account rather than eventually succeed
- Ensure passwords are at least 8 characters long and contain lower- and upper-case letters, numbers and keyboard symbols
- Use a unique password for every account and do not reuse the same login/password combination across services
- Consider moving RDP to a non-standard port; note that this only reduces noise from scanners that check 3389 alone and is no substitute for the firewall restrictions below
- Restrict access using firewalls, allowing RDP only from known management addresses or over a VPN
- Restrict access to RDP to authorised users (the Remote Desktop Users group) and require Network Level Authentication (NLA) so that credentials are checked before a session is created
- Maintain up-to-date antivirus signatures and engines
- Deploy Microsoft's Enhanced Mitigation Experience Toolkit (EMET) (EMET has since been retired by Microsoft; on current Windows its mitigations are provided by Exploit Protection)
- Perform regular backups of all critical information, storing the backup data offline
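The script below is an added example, not an emPSN-supplied script, showing how the host-level items in the list above are applied on a single Windows server (Windows 8.1 / Server 2012 R2 or later, for the NetSecurity cmdlets) from an elevated PowerShell session. The management range and the port number are assumptions; on a domain-joined host the lockout policy should be set by Group Policy rather than locally.

```powershell
# Added example (not emPSN's own script): apply NLA, lockout, firewall scoping
# and an optional non-standard port to one host, then verify the result.
$ManagementNet = '10.20.0.0/24'   # assumption: only this range may reach RDP
$NewPort       = 3389             # assumption: set e.g. 33890 to move off the default

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Require Network Level Authentication and TLS so credentials are checked before a
#    session exists and the legacy RDP security layer is refused; force high encryption.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord

# 2. Local account lockout policy: 5 failures, 30-minute lockout and observation window.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 3. Host firewall: the built-in "Remote Desktop" rule group only accepts connections
#    from the management range, on every profile.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Profile Any -RemoteAddress $ManagementNet

# 4. Optional non-standard port. This only hides the service from scanners that look
#    at 3389 alone, so the rule for the new port is scoped to the same range.
#    Restarting TermService drops any current RDP session, including your own.
if ($NewPort -ne 3389) {
    Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $NewPort -Type DWord
    New-NetFirewallRule -DisplayName "RDP on $NewPort (management only)" -Direction Inbound `
        -Protocol TCP -LocalPort $NewPort -RemoteAddress $ManagementNet -Action Allow
    Restart-Service TermService -Force
}

# 5. Verify what is now in force.
Get-ItemProperty -Path $rdpTcp | Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel, PortNumber
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
net accounts
```

The firewall step is the one that actually removes the host from an Internet-wide scan; the registry and lockout settings limit what an attacker can do if a path to the port remains. Membership of the Remote Desktop Users group, two-factor authentication and an RD Gateway are configured outside this script.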
Alternative remote access solutions are available from emPSN network suppliers from as little as £25 per user per year, with no requirement for on-site devices. We can offer a managed IPsec VPN solution for site admins, leadership teams, admin staff or the entire school if required.
We strongly recommend that system administrators regularly check for any signs of compromise on servers accessible from the Internet, for example runs of failed logon attempts from one address, or a successful remote logon from an address or at a time you do not recognise. If a compromise is found, the server should be scanned and cleaned to remove any malicious software. Once this has been completed, reset all account passwords on that server, and on any other accounts where the same or similar passwords are used.
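As an added example of the check recommended above (not an emPSN tool), the following PowerShell reads the Security event log for logon failures (event 4625) and successes (event 4624) and reports which source addresses are hammering the server and which successful RDP logons came from outside the ranges you expect. The look-back period and the list of internal address prefixes are assumptions; it needs an elevated session and the default logon auditing.

```powershell
# Added example (not emPSN's own tooling): summarise RDP-related logon events.
$Days         = 7                                  # assumption: look-back window
$InternalNets = @('10.', '192.168.', '172.16.')    # assumption: prefixes treated as internal

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    $ip = $d['IpAddress']
    if (-not $ip -or $ip -eq '-' -or $ip -eq '127.0.0.1' -or $ip -eq '::1') { continue }

    # A completed RDP session logs LogonType 10 (RemoteInteractive). When NLA is on,
    # a FAILED RDP attempt is rejected by CredSSP and logged as LogonType 3 (Network),
    # so failures of type 3 are kept too; they also include SMB and other network logons.
    $type = $d['LogonType']
    if ($e.Id -eq 4624 -and $type -ne '10') { continue }
    if ($e.Id -eq 4625 -and $type -ne '10' -and $type -ne '3') { continue }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Outcome  = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        Account  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source   = $ip
        Internal = [bool]($InternalNets | Where-Object { $ip -like "$_*" })
    }
}

"Failed logons per source address (top 10, last $Days days):"
$rows | Where-Object Outcome -eq 'Failure' | Group-Object Source |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name

"Successful RDP logons from outside the internal ranges:"
$rows | Where-Object { $_.Outcome -eq 'Success' -and -not $_.Internal } |
    Sort-Object Time | Select-Object Time, Account, Source

"Accounts tried from external addresses:"
$rows | Where-Object { -not $_.Internal } | Group-Object Account |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```

Hundreds of failures for a handful of generic names (administrator, admin, test) from one external address is the usual signature of an RDP password-guessing campaign; an external success for an account that appears in that list is the point at which the clean-and-reset steps above apply.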
Other Useful Links
- Malware removal – https://www.empsn.org.uk/2016/03/08/malware-removal/
- How to report cyber-attack – http://www.actionfraud.police.uk/
- Get Safe OnLine – http://getsafeonline.org/
- Cyber Streetwise – http://cyberstreetwise.com/
- Safer Internet Centre – https://www.saferinternet.org.uk/
If you would like more help regarding this or would like to discuss this information further, please contact firstname.lastname@example.org