Darren's back in the kitchen with an illustrated scenario of online brute forcing every systems administrator's beloved remote desktop. He whips up some homemade chicken noodle soup and tosses on the ol' white hat for a talk about countermeasures and security best practices. Then Matt brings you a full-featured and aggressively priced alternative to Microsoft's own Terminal Services. Do I hear cheap thin clients around the corner?
Online Brute Force Countermeasures And Chicken Noodle Soup
Similar in function to SSH, Remote Desktop Protocol (RDP) is one of the essential tools for administering Microsoft Windows servers. The natively encrypted service comes standard on Windows Server and even XP Pro and Vista. It also serves as the example for a brief follow-up to my previous segment on Offline Brute Forcing.
In my scenario I demonstrate how the tool TSGrinder can be used to perform dictionary attacks against RDP services with character substitution (or leet) options. This attack simply demonstrates a few weaknesses in Windows.
First of all, by default the Administrator account cannot be locked out remotely. This behavior can be changed using the Passprop utility from the Windows 2000 Resource Kit, which will also let you enforce strong passwords. It is also recommended that the Administrator account be renamed; there are a few tools for this as well. Though more obscurity than security, I recommend changing the RDP listen port. I strongly recommend reviewing Microsoft's password best practices and considering passphrases. PasswordMeter.com is a nice site that will rate your password on complexity.

Finally, I recommend enabling extensive auditing. There are a number of third-party security applications made specifically for auditing that offer alerting on events such as online brute force attempts. One application in particular, 2X SecureRDP, offers advanced filtering of RDP connections based on IP and MAC addresses. I'm particularly interested in hearing your feedback on extensive Windows auditing software, so please drop me a line: darrenAThak5.0rg!
And my final recommendation on securing RDP is to limit its exposure by keeping TCP 3389 (or whatever port you've changed it to) closed to the outside. A little SSH tunneling or VPNing can go a long way toward keeping unnecessary services away from the wild wild web. I laid the foundation for this in a segment in 1x07 and will follow up with a more robust VPN segment soon. If you've got ideas, again, drop me a line.
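As an added example of the kind of alerting the auditing recommendation above is after (this is not code from the episode or from any tool it mentions), here is a small Python detector that walks failed-logon audit records and flags a source that racks up many RDP failures in a short window, including the leet-style username variants a dictionary attack produces. It assumes Windows security event 4625 with logon type 10 (RemoteInteractive) marks a failed RDP logon; the sample records and the threshold are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-logon audit records as (timestamp, event id, logon type,
# username, source ip). Event 4625 = "account failed to log on", logon type 10 = RDP.
SAMPLE_EVENTS = [
    ("2007-05-01 02:00:00", 4625, 10, "Administrator", "10.0.0.77"),
    ("2007-05-01 02:00:04", 4625, 10, "administrator", "10.0.0.77"),
    ("2007-05-01 02:00:09", 4625, 10, "Admin1str4tor", "10.0.0.77"),
    ("2007-05-01 02:00:15", 4625, 10, "Administrator", "10.0.0.77"),
    ("2007-05-01 02:00:20", 4625, 10, "4dministrator", "10.0.0.77"),
    ("2007-05-01 02:00:25", 4625, 3, "svc_backup", "10.0.0.12"),   # network logon, not RDP
    ("2007-05-01 03:30:00", 4625, 10, "jsmith", "10.0.0.5"),        # lone typo, below threshold
]

def parse_event(raw):
    ts, event_id, logon_type, user, src = raw
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, logon_type, user, src)

def detect_rdp_bruteforce(events, threshold=5, window_seconds=60):
    """Return {source_ip: (first_seen, failures, distinct_usernames)} for every source
    that produced at least `threshold` failed RDP logons within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # source ip -> (timestamp, user) pairs inside the window
    alerts = {}
    for raw in sorted(events, key=lambda e: e[0]):
        ts, event_id, logon_type, user, src = parse_event(raw)
        if event_id != 4625 or logon_type != 10:   # only failed RemoteInteractive logons
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:         # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            # distinct usernames (case-folded) shows the guessing pattern, not one stuck user
            alerts[src] = (q[0][0], len(q), len({u.lower() for _, u in q}))
    return alerts

if __name__ == "__main__":
    for src, (first, n, users) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {src}: {n} failed RDP logons since {first} across {users} username variants")
```

Feeding it real Security-log exports in the same tuple shape turns it into a crude version of the alerting the commercial auditing products offer; the source IP is also what a filter like 2X SecureRDP would act on.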