Accidentally found publicly available server running RDP.


Novo

Newbie

Posts: 2

Joined: Wed May 20, 2009 8:00 am

Post Wed May 20, 2009 8:15 am

Accidentally found publicly available server running RDP.

What do you think of this?

I work for a small IT support company in the UK. We recently took on a new client and during the audit I saw that the previous IT support provider (a very large well known company in the UK) had allowed 3389 through the firewall onto the SBS server on the LAN. Not good. I disabled this and continued my work.

Part way through the audit I needed to access the SBS server (internally) and fired up Remote Desktop client on one of the office PCs as the server was in another part of the building. Pre-populated in the cache of old RDP connections were a number of public IP addresses. Being curious I decided to check these to see what they were. One of these took me to another SBS server for another company. I can only assume that the previous IT support provider needed to do some work for another client whilst on this site so just RDP'd through. To me this is very, very bad practice.

I've googled the domain name that was provided at the RDP logon page and found the company that have their server available to all and sundry over 3389.

Should I contact this company and tell them what their current provider has done? If I do would it be bad form to try and sell them support from us given that the current provider is clearly not interested in security at all?

Thanks

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Wed May 20, 2009 9:38 am

Re: Accidentally found publicly available server running RDP.

I'm not sure I understand your full concern. Many businesses have remote/terminal services available for employees that work from home ???

eth3real

Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Wed May 20, 2009 9:44 am

Re: Accidentally found publicly available server running RDP.

That's what I was thinking as well; I know a lot of companies that use Terminal Services for employees.
Is there a default username/password or something?
Put that in your pipe and grep it!

Novo

Newbie

Posts: 2

Joined: Wed May 20, 2009 8:00 am

Post Wed May 20, 2009 9:45 am

Re: Accidentally found publicly available server running RDP.

Yes, they do, but do they just publish it to the internet?

In my experience you're just asking for trouble. It should (at the very least) be only accessible via VPN do you not think?

It wouldn't be difficult for some script kiddie to google how to attack remote desktop and find the tools they need to have a crack at this server.

My concern is that my client (the one I've recently taken on) didn't know their server was open to the internet. That means that the old support company were using it themselves just for admin purposes. There are far more secure ways of providing remote admin. That being the case, have they done this for the company I found?

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed May 20, 2009 9:59 am

Re: Accidentally found publicly available server running RDP.

There are tons of Terminal Services boxes on the Internet. Remember, Citrix runs on top of TS. Neither is particularly hack proof. TS has come a long way, especially if you run it with TLS.

You are pretty much asking for trouble every time you boot your computer. The only safe computer is the one powered off.
~~~~~~~~~~~~~~
Ketchup

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Wed May 20, 2009 10:45 pm

Re: Accidentally found publicly available server running RDP.

The rationale for terminal services being accessible without VPN is so users don't need a client and they can connect from anywhere. Including those lovely "infection-free" hotel lobby computers...but I digress.
twitter.com/timmedin | http://blog.securitywhole.com

Otter

Newbie

Posts: 41

Joined: Tue Jul 03, 2007 1:03 pm

Post Thu May 21, 2009 2:34 am

Re: Accidentally found publicly available server running RDP.

Heya Novo,

It's not terribly uncommon in my experience to come upon internet-facing RDP. With RDP's checkered security history, and MITM-prone past, it is cringeworthy, but not necessarily a hanging crime like... say, an SQL server listening out there with a blank SA password. LOL. RDP can be configured with FIPS-compliant encryption at least, these days, but as another points out, making it so easy for unsecured computers to connect to these servers without strong firewall and policy enforcement in place, there's a lot to think about there. Share out some drives over the RDP session, and suddenly there's an inbound malware propagation vector.

The general recommendation I like to make upon findings like this focuses on verifying the encryption level they're providing, and recommending that it, like any other proprietary protocol, be accessible only inside a fully configurable and monitored VPN.

With SSL VPNs now available, the argument that VPNs are too complex for users to employ on a variety of platforms becomes lighter and lighter.
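Two points in this thread lend themselves to a repeatable check: the cached Remote Desktop Client targets Novo found pre-populated on the office PCs, and Otter's advice to verify the encryption level the listener is actually configured with. The script below is an added example, not code from the forum or from any poster. It parses a .reg export taken from the workstation or server under audit, so it runs offline; the registry paths are the standard Terminal Server Client MRU list and RDP-Tcp listener locations, while the sample export, its addresses and hostname, and the TLS / high-encryption / NLA baseline are constructed assumptions for this example (older servers may not support every setting in that baseline).

```python
"""Audit a Windows registry export (.reg) for two RDP findings from the thread:
the Remote Desktop Client's cached connection list (where a previous provider's
public targets can linger) and the RDP-Tcp listener's security settings."""
import ipaddress
import re

# Standard registry locations (assumed for this example, not taken from the thread):
#   per-user cached RDP targets, written by mstsc.exe as MRU0, MRU1, ...
MRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
#   per-machine RDP listener configuration
RDP_TCP_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
               r"\Terminal Server\WinStations\RDP-Tcp")

# Constructed sample export for illustration; addresses and hostname are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default]
"MRU0"="192.168.1.10"
"MRU1"="203.0.113.45:3389"
"MRU2"="sbs.example.invalid"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"SecurityLayer"=dword:00000000
"MinEncryptionLevel"=dword:00000002
"UserAuthentication"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Return {key_path: {value_name: value}}; strings stay str, dwords become int."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            reg[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = STR_RE.match(line)
        if m:
            reg[current][m.group(1)] = m.group(2)
    return reg


INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16")]                   # loopback, link-local


def classify_target(target):
    """'internal', 'public' or 'hostname'. An IPv4 'host:port' suffix is stripped;
    hostnames cannot be classified offline and are left for manual review."""
    host = target.rsplit(":", 1)[0] if target.count(":") == 1 else target
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "public"


def cached_rdp_targets(reg):
    """[(name, target, class)] for every MRU entry, most recent (MRU0) first."""
    entries = [(n, t) for n, t in reg.get(MRU_KEY, {}).items()
               if n.startswith("MRU") and n[3:].isdigit()]
    entries.sort(key=lambda e: int(e[0][3:]))
    return [(n, t, classify_target(t)) for n, t in entries]


# Documented meanings of the RDP-Tcp values checked below:
#   SecurityLayer      0 = RDP security layer, 1 = negotiate, 2 = TLS required
#   MinEncryptionLevel 1 = low, 2 = client compatible, 3 = high, 4 = FIPS
#   UserAuthentication 1 = Network Level Authentication required
# The baseline (TLS, high or FIPS encryption, NLA) is this example's own choice.
def rdp_listener_findings(reg):
    """Return deviations from the baseline; an empty list means compliant.
    A missing value is reported too, because the effective default then depends
    on the OS version and cannot be judged from the export alone."""
    v = reg.get(RDP_TCP_KEY, {})
    findings = []
    if v.get("SecurityLayer") != 2:
        findings.append("SecurityLayer=%r: require TLS (2)" % v.get("SecurityLayer"))
    if v.get("MinEncryptionLevel") is None or v["MinEncryptionLevel"] < 3:
        findings.append("MinEncryptionLevel=%r: require high (3) or FIPS (4)"
                        % v.get("MinEncryptionLevel"))
    if v.get("UserAuthentication") != 1:
        findings.append("UserAuthentication=%r: require NLA (1)"
                        % v.get("UserAuthentication"))
    return findings


def audit(text):
    """Run both checks on a .reg export and return a summary dict."""
    reg = parse_reg(text)
    targets = cached_rdp_targets(reg)
    return {
        "public_targets": [t for _, t, c in targets if c == "public"],
        "unresolved_hostnames": [t for _, t, c in targets if c == "hostname"],
        "listener_findings": rdp_listener_findings(reg),
    }


if __name__ == "__main__":
    for name, value in audit(SAMPLE_REG).items():
        print(name, value)
```

On the constructed sample the audit reports one public cached target, one hostname that needs a manual look, and three listener findings (RDP security layer instead of TLS, client-compatible encryption, NLA off). In practice the exports come from `reg export` of the two keys on the machine being audited; a cached public target is a finding to raise with the client, and the listener findings are the "verify the encryption level" step made concrete.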

former33t

Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Tue May 26, 2009 7:50 pm

Re: Accidentally found publicly available server running RDP.

To answer the question, I'd walk away from this one. Plenty of other folks have weighed in on TS open to the Internet. I don't think you stand to gain anything (and potentially much to lose) by pursuing this. Just my opinion.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Mon Jun 01, 2009 8:15 am

Re: Accidentally found publicly available server running RDP.

Personal opinion on this one.
I would advise the client of what you have found relating to their environment, and tell them you have provisionally disabled the service.
They may have decided they want this enabled for various reasons, and are aware of and accept the associated risks; as no one has the full picture, it's difficult to really make a clear informed decision.

As for the other client's possible issue, I would walk away in this instance as I don't think it's a huge issue, and it would probably cause you more pain than benefit trying to define how you found things, etc. etc.
