The Importance of IDS and IPS When Exposing RDP Port 3389
This is a guest post by CrowdSec Partner Abdallah Toutoungi, CyberShield.
The internet in Ghana is fairly stable, with speeds ranging anywhere between 30–100 Mbps (LTE and ADSL), yet the absence of safe, reliable, and affordable data centers here has naturally pushed us to look for affordable IaaS, PaaS, and SaaS in the cloud beyond our borders.
Like many institutions around the globe, there was a gradual progression towards the cloud to allow collaboration on documentation, spreadsheets, and line-of-business applications forced by the Covid lockdowns of 2020-2021.
In this article, I want to walk you through one particular challenge we faced when migrating a Microsoft Windows-based accounting software that needed to be accessed remotely and showcase the importance of IDS and IPS in hardening our system to safeguard it against malicious actors.
The accounting software I mentioned earlier needed to be accessed remotely by the accounting team, IT team, management, and auditors. The IT team recommended a German cloud VPS solution to house the accounting software while allowing users to access it over Remote Desktop Protocol (RDP). RDP is a proprietary protocol developed by Microsoft that allows users to control a remote computer over a network connection on port 3389.
And to proactively respond to the obvious question of why we would implement such a precarious solution (given how popular a target RDP is for attackers), let me give some context. I have questioned this approach myself at every opportunity I had, but the reality is that we didn't have many options for a different solution, considering the circumstances of not having access to VPNs and static IPs. Lockdown and post-lockdown practices pushed System Administrators to adopt practical solutions that were not the most secure ones. It was a necessary risk to take in order to keep the data available to multiple users and collaborators. It is not a best practice but a practical workaround that takes advantage of the reliability of an international data center and therefore keeps the data available.
We were aware that if the Windows Server was not hardened, it would be continuously attacked until it was breached and then used for whatever purpose the attackers had in mind. To give you an idea of what that might look like, let's go back to a couple of incidents we had to deal with.
During one particular incident, I logged in to the remote VPS Server and saw some sort of cryptocurrency mining application running in the tray and the CPU of the VPS running at 100% capacity. This is a production server, so it goes without saying that such applications should not be running or hiding on it. I couldn't figure out how it had been installed, and the incident resulted in wiping and re-imaging the VPS Server.
As another example, following what was most likely a phishing attack, an accountant couldn't log into the box over RDP, which once again resulted in wiping and re-imaging the box. Naturally, the person in question was reprimanded for not exercising caution, but that incident showcases perfectly how a single mistake can have dire consequences. There was no SIEM set up at that point, so the logs were lost with the wiped image when the VPS Server had to be re-imaged. With a one-man IT department, it was normal not to take security best practices into consideration — as long as there was a daily backup, that was good enough even if the server was breached. Or so we thought.
Exploiting RDP vulnerabilities
One of the most common ways that attackers exploit RDP vulnerabilities is through brute force attacks. In a brute force attack, the attacker attempts to log in to the system by trying a large number of possible passwords. If the attacker is successful, they will be able to gain access to the system and install malware, steal data, or install unwanted applications.
Another common way that attackers exploit RDP vulnerabilities is through phishing attacks. In a phishing attack, the attacker sends an email that appears to be from a legitimate source, such as a bank or credit card company. The email will contain a link that, when clicked, will take the victim to a fake website that is designed to look like the real website. If the victim enters their credentials on the fake website, the attacker will be able to steal them.
Prior to learning about CrowdSec, I came across EvlWatcher.exe v2.1.5 while searching for the ultimate solution. The experience of installing EvlWatcher.exe was like looking into a petri dish through a microscope. The attacks were continuous. The open RDP port on the VPS Server was a target for continuous brute force bombardment. There was not a single dull moment. The security event log was recording non-stop failed attempts, and the attacks were coming from countries across the globe — China, Russia, Europe, North and South America, etc. It seemed that the whole world was trying to brute force the open RDP port and there was nothing to do about it. As source IP addresses were identified after several failed login attempts, they were recorded, and repeat offenders were banned for a period of time. The list of offending IP addresses kept growing and growing and growing. Every time I checked, more IP addresses had been added to the banned list.
The importance of IDS and IPS
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are security tools that can help to protect systems from RDP attacks. IDS and IPS systems monitor network traffic for suspicious activity and can block attacks before they are successful. IDS systems work by monitoring network traffic for known attack signatures. If an IDS system detects a known attack signature, it will generate an alert. IPS systems work by blocking traffic that matches known attack signatures.
The two breaches in Q1 2023 that brought our systems to their knees were a stark reminder of the need for a robust intrusion detection and prevention system. I was adamant that I needed a solution that could be installed on any platform (Windows, Linux, etc.) and that also took into consideration the management of aggressive vs. non-aggressive IP addresses. I also wanted a powerful console that would let me run queries from the command line, plus a web interface for managing the servers I needed to protect.
CrowdSec to the rescue
CrowdSec emerged as the ideal solution after we conducted thorough research and testing of various enterprise IDS/IPS options for both Windows and Linux servers.
After watching the installation video on the CrowdSec website, we successfully installed the Security Engine and the CrowdSec Firewall Remediation Component. We followed the instructions and effectively tested the functionality of both components. The visualization of attacks, particularly brute force attempts on port 3389, provided a clear understanding of the threats we are protecting against. Here is an actual PowerShell screenshot from our server.
Notice that under the reason column, bf in crowdsecurity/windows-bf stands for brute force.
CrowdSec gave us the solution we were looking for including additional security measures, a command-line and web interface for monitoring threats, and managing IP bans. Installing the CrowdSec Security Engine on the server was the nerdy part of the job (that we most definitely enjoyed) but it also offered us the powerful solution we needed to protect our perimeter. It was like driving an Audi RS4. 🙂
The fact that the Security Engine is open source was definitely a plus since it provided an affordable solution for our markets which was extremely necessary.
This granular control over our security posture enabled us to effectively defend against cyberattacks. Using CrowdSec, we have established a robust security perimeter between our trusted and untrusted networks.
The Windows event log feeds the first, detective control, the IDS, which identifies aggressive IPs. The preventive control, the IPS, then makes decisions to either ban or allow these IPs. This combination of tools hardens our security posture and allows our IT and Security teams to monitor and manage threats rather than being constantly engaged in firefighting.
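To make the detective/preventive split concrete, here is an added example (written for this article; it is not CrowdSec's code and does not reproduce the real crowdsecurity/windows-bf scenario) that runs brute force detection over a constructed batch of Windows Security log records. The IDS side keeps one leaky bucket per source IP: each failed RDP logon (event 4625) pours one unit in, the bucket drains over time, and an overflow produces a ban decision. The IPS side then answers "is this IP blocked right now?" from that decision list, which is the job the Firewall Remediation Component performs. The bucket capacity, leak period and ban duration are assumptions chosen for the example, as are all sample IPs, usernames and timestamps. The example also shows the caveat any threshold-based detection carries: a patient attacker who spaces attempts widely enough stays below capacity, so thresholds need tuning against the real log volume.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample of Windows Security log records (4625 = failed logon,
# 4624 = successful logon). Illustrative values only, not telemetry from the
# server described in the post. LogonType 10 is RemoteInteractive (classic
# RDP); with Network Level Authentication enabled, failed RDP logons are
# typically recorded as LogonType 3 (Network), so both are treated as RDP here.
SAMPLE_EVENTS = [
    {"time": "2023-03-01T08:00:00", "event_id": 4625, "ip": "203.0.113.7", "user": "Administrator", "logon_type": 10},
    {"time": "2023-03-01T08:00:03", "event_id": 4625, "ip": "203.0.113.7", "user": "admin", "logon_type": 3},
    {"time": "2023-03-01T08:00:06", "event_id": 4625, "ip": "203.0.113.7", "user": "administrator", "logon_type": 3},
    {"time": "2023-03-01T08:00:09", "event_id": 4625, "ip": "203.0.113.7", "user": "root", "logon_type": 3},
    {"time": "2023-03-01T08:00:12", "event_id": 4625, "ip": "203.0.113.7", "user": "user", "logon_type": 3},
    {"time": "2023-03-01T08:00:15", "event_id": 4625, "ip": "203.0.113.7", "user": "test", "logon_type": 3},
    {"time": "2023-03-01T08:00:18", "event_id": 4625, "ip": "203.0.113.7", "user": "guest", "logon_type": 3},
    # An accountant mistyping a password twice over a few minutes, then succeeding.
    {"time": "2023-03-01T08:05:00", "event_id": 4625, "ip": "198.51.100.20", "user": "accounts1", "logon_type": 3},
    {"time": "2023-03-01T08:08:00", "event_id": 4625, "ip": "198.51.100.20", "user": "accounts1", "logon_type": 3},
    {"time": "2023-03-01T08:15:00", "event_id": 4624, "ip": "198.51.100.20", "user": "accounts1", "logon_type": 10},
    # Console logon failure: no source IP and not RDP, so it must be ignored.
    {"time": "2023-03-01T08:20:00", "event_id": 4625, "ip": "-", "user": "backup", "logon_type": 2},
]
# A slow attacker (constructed): one failure every 20 seconds, ten attempts.
_slow_start = datetime.fromisoformat("2023-03-01T09:00:00")
SAMPLE_EVENTS += [
    {"time": (_slow_start + timedelta(seconds=20 * i)).isoformat(), "event_id": 4625,
     "ip": "192.0.2.99", "user": "Administrator", "logon_type": 3}
    for i in range(10)
]

RDP_LOGON_TYPES = {3, 10}


@dataclass
class Bucket:
    level: float = 0.0              # how "full" the bucket is for this source IP
    last: Optional[datetime] = None  # time of the previous counted failure


def leaky_bucket_detect(events, capacity=5, leak_period_s=30, ban_hours=4):
    """IDS side. One leaky bucket per source IP: every failed RDP logon adds one
    unit, one unit drains every leak_period_s seconds, and the first time the
    level exceeds capacity a single ban decision is recorded for that IP.
    capacity / leak_period_s / ban_hours are assumed values for the example."""
    buckets = {}
    users_seen = {}
    decisions = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        if ev["event_id"] != 4625 or ev["logon_type"] not in RDP_LOGON_TYPES or ev["ip"] in ("-", ""):
            continue  # successes, console logons and records without a source IP do not count
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["ip"]
        b = buckets.setdefault(ip, Bucket())
        users_seen.setdefault(ip, set()).add(ev["user"])
        if b.last is not None:
            drained = (ts - b.last).total_seconds() / leak_period_s
            b.level = max(0.0, b.level - drained)
        b.level += 1.0
        b.last = ts
        if b.level > capacity and ip not in decisions:
            decisions[ip] = {
                "reason": "windows-bf",  # label chosen to mirror the reason column in the post
                "banned_at": ts.isoformat(),
                "until": (ts + timedelta(hours=ban_hours)).isoformat(),
                "usernames": sorted(users_seen[ip]),  # spread of accounts tried before the ban
            }
    return decisions


def is_blocked(decisions, ip, at_iso):
    """IPS side: the firewall remediation consults the decision list and drops
    traffic from a banned IP until the ban expires. at_iso is an ISO timestamp."""
    d = decisions.get(ip)
    if d is None:
        return False
    return d["banned_at"] <= at_iso < d["until"]


if __name__ == "__main__":
    found = leaky_bucket_detect(SAMPLE_EVENTS)
    for ip, d in found.items():
        print(f"ban {ip} until {d['until']} reason={d['reason']} usernames={d['usernames']}")
    print("slow attacker 192.0.2.99 banned?", "192.0.2.99" in found)
    print("accountant 198.51.100.20 banned?", "198.51.100.20" in found)
```

Running it bans 203.0.113.7 at its sixth failure within 15 seconds, leaves the accountant alone, and, with these parameters, never bans the slow attacker at 192.0.2.99 because the 20-second spacing drains two thirds of a unit between attempts. In production the detection also needs to handle the event log being cleared or the agent being stopped, which is the administrative-rights concern the next section raises.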
The issue of administrative rights
One of the challenges of using IDS and IPS systems to protect Windows Server VPS systems is that they often require administrative rights to be installed and configured. This can become a security risk, as attackers who are able to gain administrative rights on a system will also be able to disable the IDS or IPS system.
Mitigating the risks
There are a number of things that administrators can do to mitigate the risks associated with giving administrative rights to IDS and IPS systems.
- Use Group Policy to Allow Remote Desktop Users and manage user lifecycle.
- Install the IDS or IPS system on a separate server from the Windows Server VPS system.
- Use a Privileged Access Management (PAM) solution to manage the administrative accounts for the IDS or IPS system.
- Configure the IDS or IPS system to generate alerts when administrative accounts are used to make changes to the system.
- Monitor the IDS or IPS system for suspicious activity.
There are a number of things that administrators and security engineers need to be aware of when providing their constituents with a cloud solution for line-of-business applications and security best practices — especially when allowing RDP Port 3389 access. This is where the CrowdSec stack can be a huge relief for enterprise environments and for overstretched administrators and security professionals, by immediately overcoming a major hurdle with the introduction of its IDS and IPS.
By leveraging CrowdSec's collective intelligence, we have effectively neutralized brute force attacks on our exposed RDP port, significantly reducing our residual risk and bolstering our defense-in-depth strategy. Using CrowdSec as our IDS/IPS solution of choice has revolutionized our daily operations, transforming our security posture from a precarious kite ride to the effortless soaring of an Airbus. It has not only shielded us from a multitude of threats but has also granted us the flexibility and resourcefulness to optimize our IT and Security teams’ efficiency and productivity.
CrowdSec's ability to adapt to evolving threats and provide real-time protection has made it an invaluable addition to our cybersecurity toolbox. This shift from reactive firefighting to proactive fortification has been nothing short of transformative.
About Abdallah Toutoungi and CyberShield
Abdallah Toutoungi is the founder of CyberShield and has 10+ years of experience in technology, finance, and non-profit. He is passionate about using technology to improve quality of life.
CyberShield Consulting Company is a leading cybersecurity service provider firm in Ghana, helping small and medium-sized organizations improve their security posture with a proven track record and team of experts.