The Risks of Remote Desktop for Access Over the Internet

Exposing RDP to direct Internet connections is risky—beyond credential-guessing opportunities, critical vulnerabilities like CVE-2012-0002 can allow remote code execution without authentication. Mitigations include using non-default ports, enabling Network Level Authentication, and ensuring strong account credentials.

It’s convenient to use the Remote Desktop Protocol (RDP) for accessing systems over the Internet, especially in server environments. However, exposing RDP to direct connections is risky. This setup not only gives remote attackers the opportunity to guess logon credentials, but also relies on the lack of a remotely-exploitable vulnerability in Microsoft’s RDP implementation.

Microsoft’s Security Bulletin MS12-020, released in March 2012, described critical vulnerability in Microsoft’s RDP implementation on most Windows platforms (CVE-2012-0002). This bug could allow a remote unauthenticated attacker to run arbitrary code on the affected system by sending “a sequence of specially crafted RDP packets.”

Microsoft provides a detailed perspective on the CVE-2012-0002 vulnerability in its Security Research & Defense blog, stating that even though it has no knowledge of the corresponding exploits, it believes that “an exploit for code execution will be developed in the next 30 days.”

I suspect such an exploit will appear sooner than 30 days, because of the relatively fast techniques available to attackers for reverse-engineering a patch to understand the nature of the vulnerability they need to target. Such an exploit would provide an attacker with access to targeted server environments and would enable automated opportunistic break-ins into servers and workstations that expose RDP to the Internet. Such an exploit would also be effective as part of a network worm for automated propagation across vulnerable systems.

My recommendations for handling the CVE-2012-0002 RDP vulnerability and future risks related to RDP:

Understand what systems in your environment expose RDP to the Internet. Create a plan to apply the MS12-020 as soon as practical.
Change the port on which your systems listen for RDP connection to avoid using the default TCP port 3389. Automated scanners and worms will be less likely to locate your RDP listeners on high-non-standard ports.
Consider configuring your RDP settings to use Enable Network Level Authentication (NLA) on Windows Vista and later platforms, as suggested by Microsoft.
Remember to have strong authentication for systems utilizing RDP to deal with remote password-guessing attacks.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →