Common Entry Points #4 – RDSH
If there is a weak point in your IT environment, it’s only a matter of time before a threat actor exploits it. So far, our series of “Common Entry Points” has scrutinized ITaaS (IT-as-a-Service), VPNs, and unpatched and obsolete OSS, all based on real incidents CYREBRO has dealt with. Now, we’ll look at another common entry point, Remote Desktop Session Host (RDSH). In the wake of the pandemic and companies shifting to work-from-home structures, RDSH attacks have become popular with bad actors.
What is RDSH?
RDSH is a Remote Desktop Services (RDS) role. It hosts session-based desktops and applications that are shared with users, who reach them through a Remote Desktop client or through the web client in a supported browser. Once connected, a user has interactive control over the session on that host.
Although Remote Desktop Protocol (RDP) has been around for decades, its use has skyrocketed as more people work remotely. In April 2020, the US Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), and the UK National Cyber Security Centre (NCSC) published a joint alert about a substantial rise in cyberattacks. The alert noted that a 127% increase in exposed RDP endpoints had led to RDP becoming the most common attack vector for cybercriminals and ransomware gangs.
An insider’s view of an RDSH attack
As the pandemic provided a prime opportunity for bad actors to launch their campaigns, CYREBRO dealt with a complicated case involving an RDSH attack. In an effort to keep productivity high for the dispersed employees, the company deployed an RDSH platform, allowing users to interactively connect to a gateway server that connected to both the internet and the internal network.
Through the server, users could access any services they needed for their day-to-day work, or use the server as a jump point to RDP to their own endpoint at the office. However, the client’s domain was completely compromised by an attacker who had gained access to the Domain Controllers and managed to generate a “Golden Ticket.”
While the solution kept employees connected and able to work, two points of failure led to severe consequences:
- The server held cached credentials of a domain admin, so once the attacker breached the server and extracted those credentials, they could connect to any server they wished.
- The RDSH server was not isolated from the company’s server network, so the harvested credentials could be used to connect to any server from the gateway itself.
This breach resulted in the client having to rebuild their domain entirely from scratch, which took several months and caused significant downtime. This story is a specific case, but unfortunately, many other businesses have suffered or will suffer the same fate due to having unsecured gateways. But you don’t need to be a statistic if you follow proper security protocols.
Adjusting to a new normal: The work-from-home era
In Owl Labs’ State of Remote Work 2021, 70% of US employees worked remotely. Some countries are still deep in the pandemic and face social distancing requirements, including working from home. Even in countries where the pandemic is now nearly endemic, many companies, including 3M, Atlassian, Twitter, Spotify, and Reddit, have not required workers to return to the office. That means remote and hybrid work is here to stay. Businesses must harden their security to face this new reality.
A focus on perimeter security
Companies must provide tools and solutions that allow teams to be as productive as they would be if they were in the office. You open yourself up to more vulnerabilities as you add more tools, but following a few common-sense best practices can do wonders for your security posture.
Solutions like RDSH are no longer nice-to-haves; they are a must. Because these solutions are gateways into the internal network, security must be tight around your network’s perimeter. A network perimeter is the boundary between a company’s internal network and the internet; its edge essentially separates what the company controls from what it doesn’t. Securing that perimeter against unauthorized intrusion should be a top priority.
Best practices for using RDSH
As work-from-home opportunities continue to be a selling point for retaining employees and new hires, security leaders need to establish security standards and implement best practices. Luckily, it’s not that hard to do.
Set a GPO: To put it bluntly, domain admins should NEVER have cached credentials on servers. If yours do, it’s time to change that with a Group Policy Object (GPO), a collection of settings that defines how systems look and behave for a group of users or computers. You can use the Group Policy Management Console (GPMC) to create a GPO that defines security options, registry-based policies, software and script options, and more.
Group Policy settings can provide security by:
- Limiting access to Control Panel to protect data and systems
- Disabling Command Prompt, which will trigger a refusal message if someone attempts to open a command window
- Preventing software installations that could include malware or other undesirable applications
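The cached-credential problem from the incident above can be audited before the GPO is pushed. The following PowerShell is an added example, not code from the original article or from CYREBRO; it assumes WinRM access to the listed hosts, and the hostnames are placeholders.

```powershell
# Added example (not from the original article): audit RDSH hosts for cached
# domain logons. The hostnames are placeholders; replace them with your own.
$RdshHosts = @('RDSH01', 'RDSH02')

$Results = Invoke-Command -ComputerName $RdshHosts -ScriptBlock {
    # CachedLogonsCount is the registry value behind the GPO setting
    # "Interactive logon: Number of previous logons to cache (in case domain
    # controller is not available)". It is stored as a string and Windows
    # behaves as if it were "10" when the value is absent.
    $Key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $Value = (Get-ItemProperty -Path $Key -Name CachedLogonsCount `
                  -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $Value) { $Value = '10' }

    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        CachedLogonsCount = [int]$Value
        Compliant         = ([int]$Value -eq 0)   # 0 = no domain logons cached
    }
}

$Results | Format-Table Host, CachedLogonsCount, Compliant -AutoSize

# Remediation is pushed through GPO rather than edited by hand:
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Local Policies > Security Options >
# "Interactive logon: Number of previous logons to cache" = 0
$Results | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning ("{0} still caches {1} domain logon(s); apply the GPO above." -f
        $_.Host, $_.CachedLogonsCount)
}
```

Pair the setting with a separate User Rights Assignment policy (“Deny log on through Remote Desktop Services”) for the Domain Admins group, so an admin account never has a session on the gateway in the first place.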
Safeguard and monitor: RDSH and other remote services connected to the internet should be blocked from all critical assets and should be tightly monitored. If your company doesn’t have the capacity to do that on its own, partnering with a cybersecurity company like CYREBRO is a smart move. Monitoring needs to be done continuously so that should assets be compromised, the attack can be stopped or mitigated when first detected. To bolster security further, ensure that your company has installed a reliable endpoint detection and response (EDR) or other endpoint protection solutions. These solutions will alert you to any malicious activity, so you can investigate incidents quickly and contain endpoint attacks.
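One concrete check that “tightly monitored” can mean for an RDSH host is flagging RDP logons by domain admins, which is the activity that left cached credentials behind in the incident above. This PowerShell is an added example, not CYREBRO’s tooling; it assumes it runs on the RDSH server with the ActiveDirectory module installed and read access to the Security log, and the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the original article): report RDP logons
# (event 4624, logon type 10) by members of Domain Admins on this RDSH host.
Import-Module ActiveDirectory

$LookbackHours = 24   # arbitrary window chosen for illustration
$DomainAdmins  = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$Findings = foreach ($Event in $Events) {
    # Pull the EventData fields out of the event XML into a lookup table.
    $Xml  = [xml]$Event.ToXml()
    $Data = @{}
    foreach ($Item in $Xml.Event.EventData.Data) { $Data[$Item.Name] = $Item.'#text' }

    # Logon type 10 = RemoteInteractive, i.e. an RDP / Remote Desktop session.
    if ($Data['LogonType'] -ne '10') { continue }
    if ($DomainAdmins -notcontains $Data['TargetUserName']) { continue }

    [pscustomobject]@{
        Time     = $Event.TimeCreated
        Account  = "$($Data['TargetDomainName'])\$($Data['TargetUserName'])"
        SourceIp = $Data['IpAddress']
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
    # Each row is a privileged session whose credentials may now be cached here.
    Write-Warning ("{0} Domain Admin RDP logon(s) on {1} in the last {2} hours." -f
        @($Findings).Count, $env:COMPUTERNAME, $LookbackHours)
} else {
    Write-Output "No Domain Admin RDP logons on $env:COMPUTERNAME in the last $LookbackHours hours."
}
```

Run it on a schedule or feed the same filter into your SIEM so that an alert fires at the first privileged logon rather than months later.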
Awareness is key
In all likelihood, RDSH is just one of several remote services your company uses these days to deal with the challenges of work-from-home setups. Now that work looks different, you need to reassess your security strategy to appropriately meet the remote work movement that seems poised to stay for the long term.
Every business has weaknesses. Being aware of vulnerabilities is what will ultimately enable you to build stronger defenses.