
II. Risk of Remote Desktop in Universities

by JUCC ISTF

/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */

Continuous advancements have been made to improve Remote Desktop security; however, universities remain a major target for exploitation of Remote Desktop vulnerabilities:

1. Lack of security awareness - Although today's user is more IT savvy, lack of security awareness is still one of the leading causes of RDP exploits. Remote access users must be made aware of their security responsibilities.

Awareness training and formally documented policies and procedures can help inform remote access users on important security topics. Such training and policies should include best practices to adhere to when working outside of the office, firewall configuration and password requirements.

2. Local Administrative Rights - Most users are granted local administrative rights on their computers. With administrative rights, users have full control over the configuration of, and software installation on, those computers.

In some cases, the IT department may have applied best-practice configuration to users' local computers. However, since the local administrative rights reside with the users, these configurations can be easily modified or reset. Users who are not aware of the risks of using RDP access will be more susceptible to information disclosure attacks and brute force attacks.

3. Use of 3rd party software - Users may use 3rd party software readily available on the internet for remote desktop access, such as EchoVNC, iTALC, rdesktop, RealVNC Free and TightVNC. There may be vulnerabilities in this 3rd party software that an attacker can exploit. For instance, a vulnerability was reported in TightVNC in March 2009 which can potentially be exploited by a malicious hacker to compromise a target computer. User awareness education and regular version and security patch updates can reduce the adverse effect of such vulnerabilities. Connections can also be secured by using the highest level of encryption, which encrypts the data transmission in both directions using a 128-bit key.

4. Un-patched Operating Systems - Un-patched Operating Systems leave vulnerabilities exposed and compromise overall security within the system. Windows Remote Desktop, in particular, has had a history of related patches to address several major vulnerabilities. For example, Microsoft released a security patch (MS09-044) in August 2009 to improve the security of Windows Remote Desktop. The patch helped fix a heap-based buffer overflow problem in Remote Desktop Connection that allowed attackers to execute arbitrary code via unspecified parameters.

Administrators should apply the latest patches as soon as possible to mitigate such risks. Patches should be tested on a test server first to avoid any problems or incompatibility issues with the new patch.

5. Decentralised PC administration - Due to the large number of students and staff who require remote access to work off-campus, it is difficult for universities to centrally manage the computers requiring remote access. Furthermore, it is not feasible for the IT department to configure each computer for secure remote desktop connection. As a result, universities are exposed to greater risks, as remote access users may have weak configurations or may be unaware of the security risks of using RDP. Computers with weak configurations may be compromised and used by attackers to perform further attacks within the university network.

Universities may consider limiting RDP access to only certain users (e.g. students for courses requiring remote access). Administrators can also consider restricting the range of IPs that can remotely connect to the server. This can be done by configuring the firewall to provide additional access control using user-based authentication or IP restrictions. Alternatively, server configuration can be hardened by using IPSec to filter IPs.
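The IP restriction described above can be checked by auditing the firewall rule set for RDP rules whose source scope is wider than intended. The following is an added example, not part of the original newsletter; the rule records, their field names and the approved ranges are constructed assumptions, not the export format of any particular firewall.

```python
import ipaddress

# Assumed approved source ranges (e.g. campus VPN pool); constructed values.
APPROVED = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]

# Constructed rule records; field names are hypothetical.
RULES = [
    {"name": "RDP-staff-vpn", "port": 3389, "action": "allow",
     "remote": ["10.20.30.0/24"]},
    {"name": "RDP-lab", "port": 3389, "action": "allow", "remote": ["any"]},
    {"name": "RDP-vendor", "port": 3389, "action": "allow",
     "remote": ["198.51.100.0/24", "10.20.1.5"]},
    {"name": "HTTPS", "port": 443, "action": "allow", "remote": ["any"]},
]

def audit_rdp_rules(rules, approved, rdp_port=3389):
    """Return (rule name, source, reason) for every allow rule on the RDP
    port whose source is not contained in an approved range."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["port"] != rdp_port:
            continue
        for src in rule["remote"]:
            if src.lower() == "any":
                findings.append((rule["name"], src, "open to any source"))
                continue
            # strict=False accepts a single host address as a /32 or /128.
            net = ipaddress.ip_network(src, strict=False)
            # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
            covered = any(net.version == a.version and net.subnet_of(a)
                          for a in approved)
            if not covered:
                findings.append((rule["name"], src, "outside approved ranges"))
    return findings

if __name__ == "__main__":
    for name, src, reason in audit_rdp_rules(RULES, APPROVED):
        print(f"{name}: {src} ({reason})")
```

Pass the listener's actual port as `rdp_port` when RDP has been moved off the default port.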

6. External threats - Based on the factors above, universities remain a prime target for external attackers to exploit Remote Desktop vulnerabilities. Below are some examples of attacks that can be performed on universities:

  • Enumeration on server port - Enumeration is the process of gathering information about a target system or network that a hacker wants to compromise. Identifying active Terminal Server ports is generally the first step in an attack. One method is to use an internet search engine such as Google to locate the ActiveX authentication form in the default location TSWeb/default.htm. Changing these default parameters and removing these common text strings from your installation can easily "hide" your connection page from this type of search.

    Another common method is to do a port scan for TCP port 3389, which is the default port for RDP. Once an open port is located, the attacker can use their Terminal Server client to connect to the target IP and be prompted for login and password. Hackers can then perform a brute force attack and gain access to that Terminal Server. To mitigate this risk, the port number should be changed to a non-standard port for both the Remote Desktop Connection and Remote Desktop Web Connection. Connecting to the Terminal Server using other methods such as VPN, RAS or SSL will also prevent external attacks using this method.
  • Password Guessing Attacks - Password guessing is still the primary method for attacking Terminal Servers. Dictionary-based password-cracking tools are available to guess passwords using brute force. They take advantage of the fact that the Administrator account cannot be locked out for local logins and, therefore, can be cracked through unlimited attempts. This is all done through the encrypted channel, which may allow the attacker to go undetected by Intrusion Detection Systems.

    Important risk-mitigating controls include configuring low account lockout thresholds with manual reset, implementing complex passwords that are changed on a frequent basis, implementing a logon banner, disabling shared accounts, and renaming the Administrator account. Connecting through a VPN or SSH tunnel, limiting access control by IP or other information, or using 2-factor authentication will add further protection against this threat.
  • Local Privilege Escalation - The interactive rights required for Terminal Server access make it possible to run privilege escalation and grant the attacker Administrator-equivalent privileges. Attackers are utilising zero-day vulnerabilities to launch blended exploits. This type of vulnerability allows an interactively logged-in user (either at the physical host or using some remote-desktop type of network application) to elevate their privileges to higher-privileged accounts, typically Administrator or SYSTEM. The attack tools are freely available for download on the Internet, and other methods use only the tools available in a session. Access control lists and software restriction policies must be carefully designed to protect against this threat. Disabling Active Desktop also prevents a few specific attacks.
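Because password guessing runs inside the encrypted channel, the server's own logon records are where it shows up. The following is an added example, not part of the original newsletter: it counts failed logons per source address in a sliding window. The records are constructed and use field names from Windows Security event 4625 (failed logon); the threshold and window are assumed values to tune locally.

```python
from collections import defaultdict, deque
from datetime import datetime

def failed_logon(ts, user, ip, logon_type=10, event_id=4625):
    """Build one record shaped like a parsed Windows Security event."""
    return {"EventID": event_id, "TimeCreated": datetime.fromisoformat(ts),
            "TargetUserName": user, "IpAddress": ip, "LogonType": logon_type}

# Constructed sample data (documentation IP ranges, invented accounts).
SAMPLE_EVENTS = (
    # Eight failures in 40 seconds against the account that cannot be locked out.
    [failed_logon(f"2024-01-10T02:00:{s:02d}", "Administrator", "203.0.113.7")
     for s in range(0, 40, 5)]
    # A user mistyping a password twice, half an hour apart.
    + [failed_logon("2024-01-10T09:00:00", "alice", "198.51.100.20"),
       failed_logon("2024-01-10T09:30:00", "alice", "198.51.100.20"),
       # Not counted: a successful logon (4624) and a console failure (type 2).
       failed_logon("2024-01-10T02:00:10", "bob", "203.0.113.9", event_id=4624),
       failed_logon("2024-01-10T02:00:12", "bob", "203.0.113.9", logon_type=2)]
)

def detect_rdp_guessing(events, threshold=5, window_seconds=60):
    """Return {source_ip: sorted targeted accounts} for each source with at
    least `threshold` failed remote logons inside one sliding window."""
    recent = defaultdict(deque)   # source ip -> failure times still in window
    targets = defaultdict(set)    # source ip -> accounts it tried
    flagged = set()
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        # LogonType 10 = RemoteInteractive; 3 = Network, which is also how
        # RDP failures are logged when Network Level Authentication is on.
        if e["EventID"] != 4625 or e["LogonType"] not in (3, 10):
            continue
        ip, now = e["IpAddress"], e["TimeCreated"]
        times = recent[ip]
        times.append(now)
        while (now - times[0]).total_seconds() > window_seconds:
            times.popleft()
        targets[ip].add(e["TargetUserName"])
        if len(times) >= threshold:
            flagged.add(ip)
    return {ip: targets[ip] and sorted(targets[ip]) for ip in flagged}

if __name__ == "__main__":
    for ip, users in detect_rdp_guessing(SAMPLE_EVENTS).items():
        print(f"possible password guessing from {ip} against {users}")
```

A short window misses slow guessing, so a second pass with a longer `window_seconds` is worth running over the same records.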


To be continued in the next issue....

 
