Overclockers Australia Forums
16th March 2012, 10:43 AM   #16
elvis
Member
Join Date: Jun 2001
Location: Brisbane
Posts: 19,847

Quote:
Originally Posted by nimmers View Post
I was gonna write something from my own experience but Greg Ferro saved me the trouble: http://etherealmind.com/from-the-why...law-announced/
Good link. I'll be passing that one around.

16th March 2012, 10:44 AM   #17
ranova
Member
Join Date: Nov 2006
Location: Tasmania
Posts: 302

Quote:
Originally Posted by elvis View Post
Genuine question:

How many people here work for businesses that expose RDP direct to the Internet without the need for VPN connectivity first?
Unfortunately, working for a company that provides managed services to SMBs, a lot of our "techs" (I use the term loosely) think it's quite OK to just open RDP directly.
Can't think of any client in Tas that has it open directly, but the mainland clients are rife with it.
And objections/attempts to change the mindset of people result in "It's no different than a VPN, you still use your username and password".
16th March 2012, 11:07 AM   #18
Shags
Member
Join Date: Jul 2004
Location: Perth
Posts: 1,511

Quote:
Originally Posted by elvis View Post
Genuine question:

How many people here work for businesses that expose RDP direct to the Internet without the need for VPN connectivity first?
Not I, or any company I've ever worked for.
16th March 2012, 11:20 AM   #19
PabloEscobar
Member
Join Date: Jan 2008
Posts: 2,790

Can someone explain to me, without blatant Microsoft bashing, why this is any worse than having ANY internet-facing service running unpatched?

Is it something specific to RDP that makes it worse than SSH?

How is having RDP prompt you for your credentials any better or worse than having <Insert product here> do it?

To get access, at some point you have to have some sort of connectivity between the wilds of the internets and your internal network, be it RDP, SSH, VPN etc. What makes RDP particularly bad, and VPN particularly good?
16th March 2012, 11:31 AM   #20
elvis
Member
Join Date: Jun 2001
Location: Brisbane
Posts: 19,847

Quote:
Originally Posted by PabloEscobar View Post
Can someone explain to me, without blatant Microsoft bashing, why this is any worse than having ANY internet-facing service running unpatched?
It's not. And without trying to Microsoft-bash, it is a remote code execution flaw, which are quite nasty. And typically in Microsoft's operating system design, a lot of services run in ring 0 (i.e. "root", "SYSTEM", or "Administrator" mode), meaning once you exploit the weakness, you own the box. Compare and contrast to a lot of services running on Linux and UNIX that don't run as root. Even when compromised, you generally get limited access to the host machine, and the volume of damage you can do from there is reduced.

An exploit is still an exploit, but there are some advantages to reduced privilege levels being a core component of an operating system's security model. An exploit is only as successful as what you can do with the exploited system. Exploiting a service that has few privileges means you might not even be able to get into the OS, user files, authentication systems, or other parts of the system.

Quote:
Originally Posted by PabloEscobar View Post
Is it something specific to RDP that makes it worse than SSH?
Speaking entirely for myself, the amount of effort and downtime required for patching RDP (or anything on Windows) is quite high, especially factoring in reboots. Patching Linux boxes and SSH for me is trivial by comparison, and can occur even during busy production times.

Quote:
Originally Posted by PabloEscobar View Post
How is having RDP prompt you for your credentials any better or worse than having <Insert product here> do it?
I prefer VPNs with multi-factor authentication, not just username and password. SSL certificates, one time password tokens, or SMS password relay are all great ways to add security strength to the standard user/pass combo.

Quote:
Originally Posted by PabloEscobar View Post
To get access, at some point you have to have some sort of connectivity between the wilds of the internets and your internal network, be it RDP, SSH, VPN etc. What makes RDP particularly bad, and VPN particularly good?
Having a VPN means that you add a layer into your security design.

So for example, our production servers can only be accessed via SSH, and SSH is only available once you've connected by OpenVPN. This way, even if there's a live exploit available for one, the urgency to patch it is somewhat overcome by the fact that only exploiting one of the two systems won't gain an attacker access to our production kit. This gives us breathing room to properly plan and deploy fixes, rather than a mad rush of patching production boxes and restarting services (or in the case of this Microsoft patch, rebooting your whole production server).

FWIW, the systems I manage collectively push about $20 million per day through them, and we get paid by a percentage cut of that. The incentive to keep them up is quite high for us, as is patching them in very small and predictable outage windows where transaction rates are at a minimum.

Last edited by elvis; 16th March 2012 at 11:38 AM.
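elvis's two-layer design (SSH reachable only once you are on the OpenVPN tunnel) comes down to a handful of sshd_config settings. The script below is an added example for this thread, not elvis's real configuration or any project's code: it audits an sshd_config text for the properties that design implies, using two constructed sample configs, and it assumes the server's OpenVPN tunnel address is 10.8.0.1 with clients handed addresses from 10.8.0.0/24 (both values are assumptions).

```python
"""Audit an sshd_config against the 'SSH only over the VPN' design.

Added example for this thread, not elvis's real configuration.
Assumed (constructed) values: the server's OpenVPN tunnel address is
10.8.0.1 and VPN clients are handed addresses from 10.8.0.0/24.
"""
import ipaddress

VPN_SERVER_ADDR = "10.8.0.1"                        # assumed tunnel address
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")    # assumed client pool

# Constructed sample: a near-default config that listens on every interface,
# so SSH is reachable from the public side as well as from the tunnel.
OPEN_CONFIG = """\
Port 22
#ListenAddress 0.0.0.0
PasswordAuthentication yes
PermitRootLogin yes
"""

# Constructed sample: the form that matches the two-layer design.
VPN_ONLY_CONFIG = """\
Port 22
ListenAddress 10.8.0.1
PasswordAuthentication no
PermitRootLogin no
AllowUsers *@10.8.0.0/24
"""


def parse_sshd_config(text):
    """Map lower-cased keyword -> list of values for active lines.

    Values are lists because some keywords (ListenAddress, AllowUsers)
    may legitimately appear more than once.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(parts[0].lower(), []).append(value)
    return directives


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config fits the design."""
    d = parse_sshd_config(text)
    findings = []

    # 1. sshd must bind only to the tunnel address. With no ListenAddress,
    #    sshd listens on all addresses, which puts SSH on the public side.
    listen = d.get("listenaddress", [])
    if not listen:
        findings.append("no ListenAddress: sshd binds every interface")
    for addr in listen:
        host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr  # strip host:port
        if host != VPN_SERVER_ADDR:
            findings.append(f"ListenAddress {addr} is not the VPN tunnel address")

    # 2. The VPN is one factor; SSH keys rather than passwords are the other.
    #    An absent keyword is treated as the permissive default.
    if d.get("passwordauthentication", ["yes"])[-1].lower() != "no":
        findings.append("PasswordAuthentication is enabled")

    # 3. Root should not be usable as a remote login account.
    if d.get("permitrootlogin", ["yes"])[-1].lower() not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root over SSH")

    # 4. If AllowUsers is used, every pattern should carry a source that
    #    lies inside the VPN client pool (user@CIDR form).
    for entry in d.get("allowusers", []):
        for pattern in entry.split():
            _, _, src = pattern.partition("@")
            try:
                ok = bool(src) and ipaddress.ip_network(src, strict=False).subnet_of(VPN_SUBNET)
            except (ValueError, TypeError):
                ok = False
            if not ok:
                findings.append(f"AllowUsers pattern {pattern!r} is not limited to the VPN subnet")
    return findings


if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("vpn-only", VPN_ONLY_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Point the script at the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; a bare `ListenAddress` bound to the tunnel is what stops a live sshd exploit from being reachable until the VPN layer has also been beaten, which is the breathing room elvis describes.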
16th March 2012, 11:32 AM   #21
m0n4g3
Member
Join Date: Aug 2009
Location: Kalgoorlie, WA
Posts: 1,183

I personally would NEVER do that. That's just asking for trouble. Never open up services directly to the net. Home or business.

Get yourself a vpn and do it that way.

I know a couple of people that use this method... so will be advising them to get it sorted.
16th March 2012, 11:33 AM   #22
nimmers
Member
Join Date: Dec 2005
Location: Sydney
Posts: 771

Quote:
Originally Posted by PabloEscobar View Post
Is it something specific to RDP that makes it worse than SSH?
http://blogs.technet.com/b/srd/archi...cal-issue.aspx

So according to M$ "Pre-auth, network accessible, service running as SYSTEM"

Something like that with an exploitable vulnerability to run arbitrary code has a lot of potential for mischief.

Compare that to SSH, the "Pre-auth, network accessible, service" (SSH daemon) does not run as root.
16th March 2012, 11:35 AM   #23
cvidler
Member
Join Date: Jun 2001
Location: Canberra
Posts: 7,149

Quote:
Originally Posted by elvis View Post
Genuine question:

How many people here work for businesses that expose RDP direct to the Internet without the need for VPN connectivity first?
I don't even allow that at home.

There should be NO internet-facing services that aren't secured. Especially those that provide access to the server (not just an application on the server). And those that are should be further segregated in a DMZ.
16th March 2012, 11:39 AM   #24
PabloEscobar
Member
Join Date: Jan 2008
Posts: 2,790

Quote:
Originally Posted by m0n4g3 View Post
I personally would NEVER do that. That's just asking for trouble. Never open up services directly to the net. Home or business.

Get yourself a vpn and do it that way.
No worries. I'm sure all of your customers can find you when they need a VPN to connect to the httpd service running on your webserver.

Quote:
Originally Posted by nimmers View Post
http://blogs.technet.com/b/srd/archi...cal-issue.aspx

So according to M$ "Pre-auth, network accessible, service running as SYSTEM"

Something like that with an exploitable vulnerability to run arbitrary code has a lot of potential for mischief.

Compare that to SSH, the "Pre-auth, network accessible, service" (SSH daemon) does not run as root.
Thanks for that, that's exactly what I was looking for.
16th March 2012, 1:28 PM   #25
Gecko
Member
Join Date: Jul 2004
Location: Sydney
Posts: 2,722

We expose it on a couple of terminal server boxes with all the usual precautions (only service running on them, monitoring set up to block IP addresses after too many incorrect passwords, keeping patch levels up to date, boxes are living in DMZ etc).

As far as I am concerned, it is the same as exposing any other service to the internet, assume that it is remotely exploitable and deal with that as appropriate for your organisation.
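Gecko's precaution of blocking source addresses after too many incorrect passwords is, at its core, a sliding-window count of failed logons per source. The script below is an added example for this thread, not Gecko's monitoring setup or any vendor product: it runs that count over a constructed, simplified rendering of Windows Security log entries (Event ID 4625 is a failed logon, 4624 a successful one), with the threshold and window chosen as assumed tuning values, and shows why the window matters: a burst of guesses from one address trips the threshold, while one user mistyping a password every quarter hour does not.

```python
"""Sliding-window detector for password guessing against an exposed RDP host.

Added example for this thread, not Gecko's monitoring or a vendor product.
Input is a constructed, simplified rendering of Windows Security log entries,
one per line: "<ISO timestamp> <event id> <account> <source IP>", where
event ID 4625 is a failed logon and 4624 a successful one.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # assumed tuning: this many failures ...
WINDOW = timedelta(minutes=10)  # ... inside this window flags the source

# Constructed sample: 203.0.113.10 sprays common account names within
# seconds; 198.51.100.7 is one user mistyping a password every 15 minutes.
SAMPLE_LOG = """\
2012-03-16T10:00:01 4625 administrator 203.0.113.10
2012-03-16T10:00:04 4625 admin 203.0.113.10
2012-03-16T10:00:07 4625 root 203.0.113.10
2012-03-16T10:00:09 4625 administrator 203.0.113.10
2012-03-16T10:00:12 4625 guest 203.0.113.10
2012-03-16T10:00:15 4625 user 203.0.113.10
2012-03-16T10:05:00 4625 jsmith 198.51.100.7
2012-03-16T10:20:00 4625 jsmith 198.51.100.7
2012-03-16T10:35:00 4625 jsmith 198.51.100.7
2012-03-16T10:50:00 4625 jsmith 198.51.100.7
2012-03-16T11:05:00 4625 jsmith 198.51.100.7
2012-03-16T11:06:00 4624 jsmith 198.51.100.7
"""


def parse_events(text):
    """Yield (timestamp, event_id, account, source_ip) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = line.split()
        yield datetime.fromisoformat(ts), int(event_id), account, src


def find_brute_force_sources(text, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: time the threshold was first crossed}.

    Keeps, per source, only the failure timestamps that fall inside the
    trailing window, so a slow trickle of mistakes never accumulates while
    a burst from one address trips the threshold on its Nth failure.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = {}
    for ts, event_id, _account, src in parse_events(text):
        if event_id != 4625 or src in flagged:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in find_brute_force_sources(SAMPLE_LOG).items():
        print(f"block {src} (threshold crossed at {when.isoformat()})")
```

The returned mapping is what feeds the actual block (a firewall rule on the box or at the edge); keeping the first-trigger time alongside the address gives you the start of the incident for the log review Gecko's "assume it is remotely exploitable" stance calls for.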
16th March 2012, 1:40 PM   #26
ninboy57
Member
Join Date: May 2002
Location: Brisbane
Posts: 44

Don't think of it as just affecting services from the internet.
Think about it also in terms of protecting from the inside, where machines are infected by malware. How many organisations do you know of that allow unfettered RDP to servers from internal addresses? 90%+?
All it takes is 1 compromised workstation.
16th March 2012, 1:45 PM   #27
elvis
Member
Join Date: Jun 2001
Location: Brisbane
Posts: 19,847

Quote:
Originally Posted by ninboy57 View Post
How many organisations do you know of that allow unfettered RDP to servers from internal addresses? 90%+?
Perhaps I don't work for those types of businesses frequently enough (which I'm thankful for), but I know a handful at best.

I was genuinely curious to hear how many others see this day to day, and the numbers mentioned so far are already beginning to scare me. Insert my usual disdain for the state of modern "professional" IT.
16th March 2012, 1:46 PM   #28
Luke212
Member
Join Date: Feb 2003
Location: NSW
Posts: 6,419

Nearly every small business (<50 users) I have seen does not use a VPN. The medium ones (>50 connections) tend to.

Small businesses tend to not follow best practice in many areas, maybe because they can't afford the IT teams that are genuinely experienced enough to deploy best practice.

The upside is a small business is less likely a target than a well-known company, so it is security by obscurity.
16th March 2012, 1:49 PM   #29
elvis
Member
Join Date: Jun 2001
Location: Brisbane
Posts: 19,847

Quote:
Originally Posted by Luke212 View Post
Small businesses tend to not follow best practice in many areas, maybe because they can't afford the IT teams that are genuinely experienced enough to deploy best practice.
From what I've seen, generally it's the result of some cowboy wannabe sysadmin or company owner who knows enough just to be dangerous. Although you could argue that these people are in charge of technical implementations purely as a result of budgetary limitations.

Quote:
Originally Posted by Luke212 View Post
The upside is a small business is less likely a target than a well-known company, so it is security by obscurity.
I disagree. Attacks like these are generally initiated by wide sweeping port scans. They tend to be purely attacks of opportunity.
16th March 2012, 1:54 PM   #30
Luke212
Member
Join Date: Feb 2003
Location: NSW
Posts: 6,419

Quote:
Originally Posted by elvis View Post

I disagree. Attacks like these are generally initiated by wide sweeping port scans. They tend to be purely attacks of opportunity.
Random scanning of IP ranges? Yes, that wouldn't protect the little SMB! Hopefully if the hackers had morals they wouldn't target the little guys though.

Quote:
Originally Posted by elvis View Post
From what I've seen, generally it's the result of some cowboy wannabe sysadmin or company owner who knows enough just to be dangerous. Although you could argue that these people are in charge of technical implementations purely as a result of budgetary limitations.
Yes, this. But not only this. I have seen multi-million IT providers do it, and that's their main business.

Last edited by Luke212; 16th March 2012 at 2:00 PM.
All times are GMT +10.