  • Patch Lady – How to avoid using RDP in Windows



    This topic contains 54 replies, has 22 voices, and was last updated by  woody 1 month ago.

    • #1913759 Reply

      woody
      Da Boss

      An important new article from Susan Bradley in CIO Online: https://www.youtube.com/watch?v=J9Cyi_exdJM BlueKeep and DejaBlue are both potent threats.
      [See the full post at: Patch Lady – How to avoid using RDP in Windows]

      7 users thanked author for this post.
    • #1913813 Reply

      anonymous

      Hi Woody, thank you for being there for us and having your MVPs and this site.

      You mentioned, “In Vista or Win7, click My Computer and choose Computer. At the top, click System properties. On the left, click Remote Settings. You should be on the Remote tab, and the button under Remote Desktop marked “Don’t allow connections to this computer” should be selected. If it isn’t, click it and click OK.”

      But on my Windows 7 Home Premium under System Properties, the Remote tab has, “Allow Remote Access connections to this computer” and one would uncheck that to prevent it.

      Thank you again.

      4 users thanked author for this post.
      • #1913882 Reply

        Tex265
        AskWoody Plus

        The Remote Tab contains two (2) items:

        1. Remote Assistance (checkmark to Allow)
        2. Remote Desktop (Select dot one of three)

        Windows 10 Pro x64 v1803 and Windows 7 Pro SP1 x64
        1 user thanked author for this post.
        • #1913900 Reply

          anonymous

          Both of those 2 settings rate an Article that explicitly states just what Windows/Third Party software makes use of that:

          “1. Remote Assistance (checkmark to Allow)
          2. Remote Desktop (Select dot one of three)”

          That Remote Assistance is according to MS’s included link in the System Properties Panel/Remote Assistance Tab:

          “What happens when I enable Windows Remote Assistance?

          When you enable Windows Remote Assistance:

          You can get help using Windows Remote Assistance.

          Windows Remote Assistance is allowed through Windows Firewall so that it can communicate with your helper’s computer. For more information, see What are the risks of allowing programs through a firewall?”

          And under that there is more under another link, What are the risks of allowing programs through a firewall? so that’s:

          “What are the risks of allowing programs through a firewall?

          When you add a program to the list of allowed programs in a firewall, or when you open a firewall port, you allow a particular program to send information to or from your computer through the firewall. Allowing a program to communicate through a firewall (sometimes called unblocking) is like punching a hole in the firewall.

          Each time you open a port or allow a program to communicate through a firewall, your computer becomes a bit less secure. The more allowed programs or open ports your firewall has, the more opportunities there are for hackers or malicious software to use one of those openings to spread a worm, access your files, or use your computer to spread malicious software to others.

          It’s generally safer to add a program to the list of allowed programs than to open a port. If you open a port, it stays open until you close it, whether or not a program is using it. If you add a program to the list of allowed programs, the “hole” is open only when needed for a particular communication.

          To help decrease your security risk:

          Only allow a program or open a port when you really need to, and remove programs from the list of allowed programs or close ports that you no longer need.

          Never allow a program that you don’t recognize to communicate through the firewall.”

          2 users thanked author for this post.
      • #1913901 Reply

        cyberSAR
        AskWoody Plus

        Home doesn’t allow RDP connections. I always uncheck allow remote assistance… I figure if you ever need it you can enable it.

        4 users thanked author for this post.
        • #1913902 Reply

          LHiggins
          AskWoody Plus

          Yes, my remote tab only has one choice – the checkbox to allow remote connections.


          I have Win 7 Home Premium.

          2 users thanked author for this post.
          • #1913935 Reply

            anonymous

            Yes, that RDP is for Windows 7 Pro OS versions and above, and Home users are not even able to do System Image Backups to a Network Share (hard drives/SSDs connected via an Ethernet connection in a NAS [Network Attached Storage] device or similar connected storage option).

            That’s MS’s segmenting of its Pro and above OS versions, and that RDP is mostly for IT departments managing fleets of business-grade PCs/laptops via that RDP functionality for the enterprise’s/employees’ needs. For business-grade laptops especially, and the enterprise’s road warriors, that need RDP so the IT department can fix things remotely.

        • #1914014 Reply

          Susan Bradley
          AskWoody MVP

          I honestly haven’t used remote assistance in…. I can’t even remember how long.  On my Dad’s computer I have logmein installed.  Others I use copilot.  I would uncheck remote assistance given that everyone (including the scammers) use third party tools that work better than remote assistance.

          Susan Bradley Patch Lady

      • #1913993 Reply

        HiFlyer
        AskWoody Plus

        Re: #1913813

        “But on my Windows 7 Home Premium under System Properties, the Remote tab has, “Allow Remote Access connections to this computer” and one would uncheck that to prevent it.”

        My Win8.1 x64 HPrem has only that one box to leave unchecked. Nothing else I can find.

    • #1913907 Reply

      woody
      Da Boss

      Good suggestions!

      I wish I felt more comfortable in saying “If you don’t allow remote connections on the Remote tab you’re protected from BlueKeep and DejaBlue.”

      That should be true, but I still haven’t found anybody who knows the Blues intimately who’s just come out and said it. For now, blocking RDP is an obvious first step – which every Windows user can follow.

      5 users thanked author for this post.
      • #1914015 Reply

        Susan Bradley
        AskWoody MVP

        Microsoft does in their ATP documentation:

        • Customers that don’t turn on Remote Desktop Services are not exposed to exploits for these vulnerabilities. Remote Desktop Services is off by default on affected platforms.

        August 2019 RDP update advisory

        Executive summary

        As part of the August 2019 Security Updates, Microsoft released fixes for unauthenticated remote code execution vulnerabilities (CVE-2019-1181 and CVE-2019-1182) in Remote Desktop Services on Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016. Attackers might weaponize these vulnerabilities to launch various attacks, including disruptive attacks that cause affected systems to crash.

        Customers should prioritize the deployment of critical updates to all affected platforms. If updating immediately isn’t an option, consider turning off Remote Desktop Services. Where Remote Desktop Services is required, turn on network-level authentication (NLA) for RDP to mitigate malicious client machines attacking servers.

        Key insights

        • Successful exploits of these vulnerabilities could be used to gain remote access to vulnerable systems.
        • Microsoft has not observed, at the time of publication, any attacks exploiting these vulnerabilities in the wild.
        • Customers with Remote Desktop Services enabled and network-level authentication turned off are at higher risk for attack. Machines in this configuration that are exposed to the internet are at the highest risk. Turning on network-level authentication for RDP significantly mitigates known remote vectors for exploitation for servers.
        • Customers evaluating the risks posed by these vulnerabilities should account for potential attacks within their networks. Past malware has used similar vulnerabilities to spread within enterprise environments after gaining a foothold within the network.

        Mitigations

        Apply these mitigations to reduce the impact of the vulnerabilities.

        • Machines running Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, Windows 10, or Windows Server 2016 should apply fixes for CVE-2019-1181 and CVE-2019-1182. These fixes are available as part of the August 2019 Security Updates.
          • Machines running Windows Server 2008 are not vulnerable.
          • Customers that don’t turn on Remote Desktop Services are not exposed to exploits for these vulnerabilities. Remote Desktop Services is off by default on affected platforms.
        • Enable network level authentication (NLA) for RDP. This will help mitigate attacks against machines running Remote Desktop Services by changing the requirement to exploit from unauthenticated access to authenticated access.
        • Reduce the risk to internet-facing machines with Remote Desktop Services enabled by placing them behind an authenticated gateway or a firewall.
        • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

        Detection details

        Endpoint detection and response (EDR)

        The following alert can indicate threat activity related to exploitation of these vulnerabilities. This alert might fire for other suspicious but unrelated network activity and is not monitored as part of this report.

        • Suspicious number of outbound network connections — this alert flags spikes in the number of outbound connections to the common RDP port (TCP/3389). These connections can indicate port scanning or worm-like behavior that might be abusing these vulnerabilities.

        Advanced hunting

        The following query finds processes with unexpected connections to the common RDP port (TCP/3389). It filters out common RDP programs and scanning tools. It also provides contextual information, such as the names and IP addresses of the machines involved in the connections.

        You can use it to find processes that might be scanning for possible targets or exhibiting worm-like behavior.

        // Find unusual processes with outbound connections to TCP port 3389
        NetworkCommunicationEvents
        | where RemotePort == 3389
        | where ActionType == "ConnectionSuccess" and Protocol == "Tcp"
        | where InitiatingProcessFileName !in~ // Remove common RDP programs and known scanners
        ("mstsc.exe", "RTSApp.exe", "RTS2App.exe", "RDCMan.exe", "ws_TunnelService.exe",
        "RSSensor.exe", "RemoteDesktopManagerFree.exe", "RemoteDesktopManager.exe",
        "RemoteDesktopManager64.exe", "mRemoteNG.exe", "mRemote.exe", "Terminals.exe",
        "spiceworks-finder.exe", "FSDiscovery.exe", "FSAssessment.exe", "chrome.exe",
        "microsoftedgecp.exe", "LTSVC.exe", "Hyper-RemoteDesktop.exe",
        "RetinaEngine.exe", "Microsoft.Tri.Sensor.exe")
        // Ignore binaries launched from the usual system and application folders
        and InitiatingProcessFolderPath !has "program files"
        and InitiatingProcessFolderPath !has "winsxs"
        and InitiatingProcessFolderPath !contains "windows\\sys"
        // Ignore loopback connections
        | where RemoteIP !in ("127.0.0.1", "::1")
        // One row per process image and hash per day, with the machines and distinct targets involved
        | summarize ComputerNames = make_set(ComputerName),
        ListofMachines = make_set(MachineId),
        EventTimes = make_set(EventTime),
        ConnectionCount = dcount(RemoteIP) by InitiatingProcessFileName,
        InitiatingProcessSHA1, bin(EventTime, 1d)
        

        Change log

        • 2019-08-15 20:47 UTC | Enhanced advanced hunting query
        • 2019-08-15 05:15 UTC | Entry created

        Susan Bradley Patch Lady

        5 users thanked author for this post.
    • #1913917 Reply

      Microfix
      Da Boss

      These are a couple of extra/precautionary steps I’ve taken and checked on Win7 x86/x64 installations.
      Patch Lady mentioned in the video blocking port 3389 using your firewall if you do not use RDP at all. I’ve blocked the incoming port 3389 in both Windows 7 and 8.1.
      This port is used by the RDP protocol, and blocking it stops attempts to establish a connection (better safe than sorry).

      Also mentioned was NLA and Windows 7 Home Premium has no GPedit so..
      To check and ensure Network Level Authentication is ON

      Within Regedit, navigate to the following keys and check that the data value is set as follows:

      HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
      Value: UserAuthentication
      Data: 1

      HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\
      Value: UserAuthentication
      Data: 1

      ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

      4 users thanked author for this post.
      • #1914007 Reply

        HiFlyer
        AskWoody Plus

        Re #1913917

        @microfix “I’ve blocked the incoming port 3389 in both Windows 7 and 8.1”

        I’d like to do both too.  Simple way?

        • #1914026 Reply

          Microfix
          Da Boss

          Win8.1: go to Control Panel/Windows Firewall and open it up.
          LHS panel: Advanced Settings (opens up new window)
          LHS panel: click Inbound Rules
          RHS panel: click New Rule (opens new window)
          Click on Port Radio button then click Next
          Select TCP radio button and input specific remote port as 3389 then click Next
          Select Block the connection radio button then click Next
          Tick all Private Domain and Public then click Next
          Give it a rule name (3389) and click Finish

          ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

          1 user thanked author for this post.
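The registry check for NLA in #1913917 and the inbound-rule wizard steps above, combined into one audit-and-harden script. This is an added PowerShell example, not code from either post: the registry paths are the standard Terminal Server and Remote Assistance keys (the two UserAuthentication locations are the ones Microfix lists), while the rule name, the fDenyTSConnections/PortNumber/fAllowToGetHelp checks and the read-only default are this script's own choices.

```powershell
# Added example: audit RDP, NLA, listener port and Remote Assistance, then optionally
# add the inbound 3389 block rules the Inbound Rules wizard would create.
# Run from an elevated PowerShell; without -Harden it only reads and reports.
[CmdletBinding()]
param(
    [switch]$Harden   # also add the firewall block rules (needs admin rights)
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$raKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent (e.g. no policy set on Home editions)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$rdpDenied = Get-RegValue $tsKey  'fDenyTSConnections'   # 1 = "Don't allow connections"
$nlaLocal  = Get-RegValue $rdpTcp 'UserAuthentication'   # 1 = NLA required on the listener
$nlaPolicy = Get-RegValue $policy 'UserAuthentication'   # 1 = NLA forced by policy (often absent)
$rdpPort   = Get-RegValue $rdpTcp 'PortNumber'           # default 3389; it can be reassigned
$raAllowed = Get-RegValue $raKey  'fAllowToGetHelp'      # 1 = Remote Assistance allowed

# The policy value wins when present; otherwise the per-listener value applies
$nlaEffective = if ($null -ne $nlaPolicy) { $nlaPolicy } else { $nlaLocal }

$findings = @()
if ($rdpDenied -ne 1) {
    $findings += "Remote Desktop connections are allowed (fDenyTSConnections=$rdpDenied)"
}
if ($rdpDenied -ne 1 -and $nlaEffective -ne 1) {
    $findings += "RDP is enabled without NLA (UserAuthentication=$nlaEffective)"
}
if ($null -ne $rdpPort -and $rdpPort -ne 3389) {
    $findings += "RDP listener moved to port $rdpPort; a rule for 3389 alone does not cover it"
}
if ($raAllowed -eq 1) {
    $findings += "Remote Assistance is allowed (fAllowToGetHelp=1); it also uses port 3389"
}

[pscustomobject]@{
    RdpConnectionsDenied = ($rdpDenied -eq 1)
    NlaRequired          = ($nlaEffective -eq 1)
    RdpPort              = $rdpPort
    RemoteAssistance     = ($raAllowed -eq 1)
    Findings             = $findings
} | Format-List

if ($Harden) {
    # Same effect as the wizard: block TCP and UDP 3389 inbound on all profiles.
    # Inbound RDP listens on the *local* port, so localport= is what must be blocked.
    # Note: if a third-party suite manages the firewall, Windows Firewall may be
    # disabled and these rules will not be enforced until it is re-enabled.
    foreach ($proto in 'TCP', 'UDP') {
        $name = "Block inbound RDP $proto 3389"   # rule name is this script's choice
        $existing = netsh advfirewall firewall show rule name="$name" 2>$null
        if ($existing -match 'Rule Name') {       # English netsh output assumed
            Write-Host "Rule '$name' already present"
        } else {
            netsh advfirewall firewall add rule name="$name" dir=in action=block `
                protocol=$proto localport=3389 profile=any | Out-Null
            Write-Host "Added rule '$name'"
        }
    }
    if ($null -ne $rdpPort -and $rdpPort -ne 3389) {
        Write-Warning "Listener uses port $rdpPort; add a matching block rule for it as well"
    }
}
```

Run it once without the switch to see the current state, then with `-Harden` to add the two rules; re-running is safe because existing rules are detected and skipped.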
          • #1914151 Reply

            anonymous

            If you are using a third-party firewall, or an antivirus/firewall security suite, then Windows Firewall will be disabled and Windows will refer you to that installed third-party security software by name; you must use that vendor’s methods to manage the firewall settings.

            Windows Firewall:

            “These settings are being managed by vendor application [Such and Such security suite] “

      • #1914067 Reply

        HiFlyer
        AskWoody Plus

        Re: 1914026

        @microfix  Push pull click click block ports that quick.

        Thanks for making it simple and easy.

        1 user thanked author for this post.
    • #1913918 Reply

      geekdom
      AskWoody Plus

      Here: (screenshot attached)

      Group G{ot backup} TestBeta
      Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall
    • #1913950 Reply

      GreatAndPowerfulTech
      AskWoody Lounger

      Our shop has disabled RDP in every PC we sell or service, unless the customer needs it, which is very rare with superior options available. We saw this as a potential vulnerability decades ago. I’m surprised it took so long to actually (theoretically) become one.

      GreatAndPowerfulTech

      4 users thanked author for this post.
    • #1914012 Reply

      zero2dash
      AskWoody Lounger

      Most people, even if RDP is enabled, would not be able to access it from the outside since most consumer-level ISP modems and routers have NAT and port 3389 (the RDP port) is not open.

      Obviously there are the network techies out there like myself who know how to open this, but I would hope that we are smart enough to provide a workaround either via VPN or SSH tunneling, which is what I’ve done on my home setup. I have a custom SSH port open but my Bitvise SSH Server is locked down as tight as it can be. I SSH in with PuTTY and then RDP to anything on my internal home network, with practically no care (or scare) in the world.

      For average Joe and Jane user, if you need to remotely access a system, use Chrome Remote Desktop, or Teamviewer.

      1 user thanked author for this post.
      • #1915366 Reply

        anonymous

        zero2dash said:
        For average Joe and Jane user, if you need to remotely access a system, use Chrome Remote Desktop, or Teamviewer.

        Another option is AnyDesk, which is no-install & free for personal use (with some limitations, e.g. maximum of 1 connection at any one time, max 30 mins’ connection per session).

        That being said, any sort of remote desktop connection tool — if improperly configured & used carelessly on a poorly secured network — can be a point of entry for attack.

        For instance, the backend supply-chain hack of CCleaner in 2017 was enabled by TeamViewer, which the hackers used to infiltrate the Piriform network via an unattended PC.

        Subsequently, the hackers roamed around the Piriform network, & successfully logged in as administrator to various PCs using the Windows Remote Desktop connection.

        1 user thanked author for this post.
    • #1914028 Reply

      jdroestfs
      AskWoody Plus

      In the Microsoft article quoted above by Susan, there is the following bullet point:

      • Reduce the risk to internet-facing machines with Remote Desktop Services enabled by placing them behind an authenticated gateway or a firewall.

      Is the RDS Gateway (the one included in SBS 2011) an authenticated gateway? Many of our users are able to logon to Remote Web Access, select their computer, and remote in to get access to their work computer. I have always considered this to be safe as it requires authentication before RDP can be used.

      Any thoughts?

      • #1914060 Reply

        Susan Bradley
        AskWoody MVP

        Yes SBS 2011 provides RDS Gateway in the background and thus is an authenticated gateway.  You are protected.

        Susan Bradley Patch Lady

        2 users thanked author for this post.
      • #1914167 Reply

        NetDef
        AskWoody_MVP

        Notes for fun.

        The RDP Gateway role on SBS 2011, and on Server 2012/R2 and 2016 Essentials, acts as a sort of “Broker” for remote desktop access. (The role is also available on Server 2019 Standard.)

        It uses port 443 by default, and sets up an SSL tunnel between itself and the remote client using a trusted SSL certificate installed and renewed by the admin to encrypt the connection. Port scans to this service on port 443 are initially treated much like any HTTPS request until the tunnel is negotiated. There are (at least) two authentication stages; they may or may not use the same user credentials. (I say at least because both Radius and MFA are also options.)

        The first stage is to authenticate on the Gateway server itself, involving certificate recognition and user credentials. Once that succeeds an RDP session to the internal target is created, and another authentication for that is required. Internal targets can be sessions, VMs or physical workstations/servers within the LAN that are joined to the AD domain.

        Additionally the only port forwarding to the gateway server needed on the external firewall is 443. Really, that’s it. The RDP Gateway handles routing to RDP targets inside the network itself.

        So . . .

        Externally, with this setup, one might surmise that the organization is immune to outside Bluekeep attacks. And so far at least this is true. (Someday someone is going to find a way, and it will be patched months later with great fanfare. Much sleep will be lost in the gap.)

        But the problem still exists that if the vulnerability is exploited from within the LAN, it could be used in worm fashion to infect everything else on your subnet. Because the clients still have to have RDP enabled.

        The initial vector could be a malicious email attachment or a browser drop. This is keeping me up at night . . . because most of my clients are addicted to having RDP available (and for good reasons, the software they run locally and via RDP is very expensive.)

        ~~~ heavy sigh ~~~

        ~ Group "Weekend" ~

        • #1914266 Reply

          Susan Bradley
          AskWoody MVP

          IMHO the “once they get inside you are toast” is generally true of everything these days.  See the ransomware hit on umpteen Texas small cities as an example.  We just need time to patch, not absolute security.

          Susan Bradley Patch Lady

          1 user thanked author for this post.
    • #1914030 Reply

      anonymous

      In the Windows Firewall (MS Server 2016) I’ve set the built-in RDP rules to allow connection from ONLY my (remote) IP. Drops everything touching port 3389.

    • #1914147 Reply

      wavy
      AskWoody Plus

      Just out of curiosity, In W10 Pro with Remote Desktop off does the Remote Assistance check box actually do anything? I would think not but …

      [BTW its Dameware from Solarwinds (which bought Dameware) now. Who would think that Solarwinds is a 4 1/ Billion $ company.]

      Is Teamviewer (the Civic) still recommended? I remember that was a favorite at one time.

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      1 user thanked author for this post.
      • #1914183 Reply

        NetDef
        AskWoody_MVP

        Teamviewer has gotten very expensive, and recently pretty aggressive about chasing one-off users that were using their free version. Oh the free version is still available, but if you even smell like you might be using it professionally, you’re likely to get a nasty-gram.

        Dameware’s price has tripled now that SW owns them. (from 89 to over 300) Additionally they now have verbiage about an annual maintenance fee, but I cannot seem to find what that fee is on their website. Worse, I can’t tell if you have to have maintenance, or if it’s optional. Knowing SW, it’s going to segue into required, over time. And the price will likely go up again. (I might be a little bitter, they did this a few years ago to my favorite SMB remote console system when they acquired GFI-Max.)

        ~ Group "Weekend" ~

      • #1914247 Reply

        Bluetrix
        AskWoody MVP

        Is Teamviewer (the Civic) still recommended? I remember that was a favorite at one time.

        As mentioned by @cyberSAR, Win10 Home doesn’t have RDP functionality, but it can (or could at one time) be enabled using stascorp’s rdpwrap, easily dl’ed from GitHub.

        I chose to go with TeamViewer instead, it’s up to V-14 now, though I use V-13 free.

        I use it to help just a few friends, it works for me. Never got a nasty-gram … yet 🙂

        Windows10 Home 1809 | Mint19 on VM

      • #1914254 Reply

        RetiredGeek
        AskWoody MVP

        Hey Y’all,

        I’ve used TeamViewer free version for years to fix friends and family computers all over the world and have never had a problem, just lucky I guess.

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

        1 user thanked author for this post.
    • #1914169 Reply

      GoneToPlaid
      AskWoody Plus

      Microsoft does in their ATP documentation: Customers that don’t turn on Remote Desktop Services are not exposed to exploits for these vulnerabilities. Remote Desktop Services is off by default on affected platforms.

      I wonder if there might be a caveat associated with this statement from Microsoft. Microsoft’s statement makes no mention of Remote Assistance. Microsoft’s statement might assume that the user is also using Windows Firewall and not a third party firewall which could still be passing RDP port 3389. From my understanding, if stuff through RDP port 3389 isn’t blocked, then the specific unpatched DLL is exploitable.

      Here is a trick that I learned in terms of third party firewalls: Some third party firewalls do not pickup newly configured rules in Windows Firewall if Windows Firewall is disabled. This sometimes can cause weird networking issues. For example, Panda’s firewall has this issue. The solution is to temporarily disable the third party firewall, then enable Windows Firewall, and then enable the third party firewall. The third party firewall should then pick up the new rules in Windows Firewall. Most third party firewalls then automatically disable Window Firewall. Panda’s firewall, for example, will pick up the new rules in Windows Firewall and then disable Windows Firewall when Panda’s firewall is re-enabled. I consider this to be a bug with an easy workaround.

      If anyone is afraid to install the August updates, you should be able to block port 3389 in your home router or ISP provided modem/router. Remember to block port 3389 for all protocols, specifically HTTP and UDP.

      1 user thanked author for this post.
      • #1914185 Reply

        NetDef
        AskWoody_MVP

        Remote assistance uses port 3389, same as remote desktop protocol. Worse, it attempts to use uPNP on your firewall to create a port forwarding rule for 3389 on your external firewall to your computer.

        https://support.microsoft.com/en-us/help/300692/description-of-the-remote-assistance-connection-process

        ~ Group "Weekend" ~

        2 users thanked author for this post.
        • #1914237 Reply

          GoneToPlaid
          AskWoody Plus

          Yep, very true. Thus MS’s statement that disabling RDP, with no mention about Remote Assistance, now comes into question.

          • #1914245 Reply

            NetDef
            AskWoody_MVP

            I am rather curious too, esp since I just thought to go look at something – an old router.

            The way it’s supposed to work, if you send a remote assistance request, along with the request Windows tries to use uPnP on your router to open that port. In theory, uPnP sessions are supposed to expire. In reality I’ve seen plenty of times where that doesn’t work.

            And sure enough. On a loaner router sitting in my storage, booted up tonight and looked at the uPnP tables . . . and there were several port forwarding rules listed for 3389 to specific internal IP’s.

            (Among other things, this is why I generally turn uPnP off on my regular stuff. This was a loaner that really never got configured to my standards.)

            So the question I have for Microsoft is:

            Given a scenario with Windows Home (no official RDP), with Remote Assistance on, and RA has been used at least once on a router that has uPnP enabled . . .

            Vulnerable to Bluekeep? Yes? No?

            I’m betting on yes.

            ~ Group "Weekend" ~

            4 users thanked author for this post.
        • #1914730 Reply

          woody
          Da Boss

          I wish we could get definitive statements about blocking BlueKeep and the DejaBlues – is it sufficient to turn off RDP in the GUI? is it sufficient to block 3389? – but there don’t appear to be any forthcoming.

          Based on what I’ve seen, I’m not 100% sure that enabling NLA will keep the DejaBlues off a network (besides, neophytes messing around with NLA can lead to all sorts of problems).

          Also, 3389 is the default RDP port – but it can be reassigned.

          3 users thanked author for this post.
          • #1914997 Reply

            NetDef
            AskWoody_MVP

            NLA requires that the user be authenticated to the target workstation before an RDP session is created on that target. When NLA is NOT enabled, queries to port 3389 start the RDP session immediately, and then authentication is presented. That’s why Microsoft listed that as the first mitigation.

            Reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11)

            ~ Group "Weekend" ~

            2 users thanked author for this post.
          • #1915318 Reply

            anonymous

            Woody said:

            Also, 3389 is the default RDP port – but it can be reassigned.

            Since port 3389 is a long well-known port of entry for attack, years ago I changed the default RDP port 3389 to a random number X (where 1025 ≤ X ≤ 65535, as long as it is not already in use). In addition, I use the firewall to block both port 3389 & port X.

            Qn: Can an attacker somehow (by remote brute force ?) reassign my customized RDP port number to some other available port number of the attacker’s choice, & then gain entry via the latter ?

    • #1914236 Reply

      GoneToPlaid
      AskWoody Plus

      I read that there were potential serious caveats when trying to install Powershell 5 on Win7 systems, and that specific steps had to be taken. This might be beyond the average user, and users might want a much simpler yet secure solution. I instead highly recommend installing the paid version of RealVNC if you need remote access to your computers. Here are the configuration settings for RealVNC which I use:

      I disabled allowing access via the RealVNC Java viewer since having Java installed is an inherent security risk. Instead, I must use the actual RealVNC program to remotely access my computers.

      I set a very strong password.

      I do not use VNC’s default Java port 5800 or HTTP port 5900 since these two ports are regularly scanned by hackers since they know that most users of RealVNC will not bother to change the default ports.

      I disallowed shared connections so that a hacker can’t try to log in if I am already logged in and remotely accessing one of my computers.

      I further configured RealVNC, via its Expert tab, with these following settings:

      AuthTimeout — 120 seconds (a user must authenticate the login attempt within 120 seconds)

      BlacklistThreshold — 5 failed login attempts (the max number of authorization attempts by an individual host, after which the host IP is blacklisted if all login attempts fail)

      BlacklistTimeout — 3600 seconds (If a host gets blacklisted, the host now must wait 15 minutes before trying to login again)

      Three or four years ago, the above settings successfully defeated an adept Russian hacker who tried for nearly three weeks to gain access using scripted commands, via VNC, to my computers. The hacker also tried all 65535 ports in order to try to gain access to my local network. The hacker eventually gave up and never tried again. I don’t recall the city to which I tracked the hacker’s IP address.

      RealVNC is a UK company which is not subject to the whims of the NSA.

      Note: I have no affiliations with RealVNC.


    • #1914344 Reply

      WildBill
      AskWoody Plus

      Here’s how it works for Win8.1 Home (no Premium):

      1. Since there’s no “My Computer”, click the File Explorer icon on the Desktop Taskbar. (If you’re on the Start screen [UWP apps], click Search, then enter “File Explorer” in the Search box & click File Explorer in the Search results.)
      2. At the top, click “Computer” to get the ribbon. On the ribbon, click “System properties” on the far right. Here’s the resulting screen (screenshot):
        On the left, click Remote Settings. You should be on the Remote tab, and the check box under Remote Assistance marked “Allow Remote Assistance connections to this computer” is probably checked. If it is, uncheck it and click OK.

      Windows 8.1, 64-bit, now in Group B!
      Wild Bill Rides Again...

      2 users thanked author for this post.
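Added example (editor's, not from WildBill's post): the same two switches, plus the firewall side, done from an elevated PowerShell prompt so they can be checked and applied on a machine without clicking through System Properties. The registry values are the standard Windows locations for these settings; netsh is used for the firewall because the NetSecurity cmdlets need Windows 8 or later. Assumes PowerShell 3.0 or later and English rule-group names.

```powershell
#Requires -RunAsAdministrator
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ra  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$nla = "$ts\WinStations\RDP-Tcp"

function Get-RemoteAccessState {
    [pscustomobject]@{
        RdpDenied         = (Get-ItemProperty $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
        RemoteAssistance  = (Get-ItemProperty $ra  -Name fAllowToGetHelp    -ErrorAction SilentlyContinue).fAllowToGetHelp -eq 1
        NlaRequired       = (Get-ItemProperty $nla -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1
        TermServiceStatus = (Get-Service TermService).Status
    }
}

Write-Host 'Before:'; Get-RemoteAccessState | Format-List

# 1. Remote Desktop: the "Don't allow connections to this computer" radio button
Set-ItemProperty $ts -Name fDenyTSConnections -Value 1 -Type DWord
# 2. Remote Assistance: untick "Allow Remote Assistance connections to this computer"
Set-ItemProperty $ra -Name fAllowToGetHelp -Value 0 -Type DWord
# 3. If RDP ever has to come back on, require Network Level Authentication so a client
#    must authenticate before it reaches the full RDP service
Set-ItemProperty $nla -Name UserAuthentication -Value 1 -Type DWord
# 4. Close the matching firewall exceptions as well (English group names assumed)
netsh advfirewall firewall set rule group="Remote Desktop"    new enable=No | Out-Null
netsh advfirewall firewall set rule group="Remote Assistance" new enable=No | Out-Null

Write-Host 'After:'; Get-RemoteAccessState | Format-List
```

The "After" listing should show RdpDenied True, RemoteAssistance False and NlaRequired True; the Remote Desktop Services service (TermService) can stay running, since with fDenyTSConnections set it refuses connections.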
    • #1914366

      OscarCP
      AskWoody Plus

      From a previous discussion at Woody’s on this very issue, I came out with the idea that RDP was not a problem with Windows 7 Pro and higher, but only with Home (perhaps) or Server. Am I wrong?

      Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W + Mac&Lx

      • #1914491

        Paul T
        AskWoody MVP

        RDP is a problem in all Windows versions. It is not required and should be turned off.

        cheers, Paul

        2 users thanked author for this post.
    • #1914496

      Paul T
      AskWoody MVP

      Checking Your RDP Status

      1. Go to the GRC page.
      2. Click Services > ShieldsUp.
      3. Click “Proceed”, in the middle of the page.
      4. Type “3389” in the text box in the middle of the screen.
      5. Click “User Specified Custom Port Probe”.

      A green “Passed” stamp is the correct response.
      If you get anything else pop in and ask us for help.

      cheers, Paul

      5 users thanked author for this post.
      • #1914689

        woody
        Da Boss

        YES. That’s the link I was looking for. Appreciate it!

        1 user thanked author for this post.
      • #1915325

        anonymous

        Paul T said:

        4. Type “3389” in the text box in the middle of the screen.
        5. Click “User Specified Custom Port Probe”.

        Direct link to probe a single specific port (eg. 3389 — or whatever custom number it has been reassigned to):  https://www.grc.com/x/portprobe=3389

        The ideal result should be: “Stealth” (green background), ie. the port does NOT respond at all to probes, & thus seemingly does not exist. Any response (including telling the world that the port is closed) is not ideal.

        2 users thanked author for this post.
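Added example (editor's, not from the posts above): the GRC probe shows what your router exposes to the internet, but a port that is "stealth" from outside can still be wide open to every device on the home LAN. This PowerShell check looks for a 3389 listener on the machine itself, shows whether the Remote Desktop firewall rules are enabled, and gives the one-liner to probe from a second PC. Uses netstat so it also works on Windows 7; the 192.0.2.10 address is a placeholder, an assumption.

```powershell
function Test-RdpListener {
    param([int]$Port = 3389)
    # netstat works on Win7; Get-NetTCPConnection needs Win8 / Server 2012 or later
    $hits = netstat -ano -p tcp | Select-String ":$Port\s+\S+\s+LISTENING"
    if (-not $hits) {
        Write-Host "Nothing is listening on TCP $Port"
        return $false
    }
    foreach ($hit in $hits) {
        # last column of a netstat -o line is the owning PID
        $procId = ($hit.Line.Trim() -split '\s+')[-1]
        $name   = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
        Write-Host "TCP $Port is LISTENING: PID $procId ($name) - $($hit.Line.Trim())"
    }
    return $true
}

$exposed = Test-RdpListener

# Even with no listener, confirm the firewall is not holding the door open for one:
# print each inbound "Remote Desktop" rule name with its Enabled line
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern 'Rule Name:.*Remote Desktop' -Context 0,2

# From a second PC on the same LAN (192.0.2.10 is a placeholder address):
#   Test-NetConnection -ComputerName 192.0.2.10 -Port 3389     # want TcpTestSucceeded : False
# Windows 7 has no Test-NetConnection; this line throws when the port is closed or filtered:
#   (New-Object Net.Sockets.TcpClient).Connect('192.0.2.10', 3389)
```

A clean result is "Nothing is listening on TCP 3389", every Remote Desktop rule showing Enabled: No, and the LAN probe failing; if the listener is present but the external probe says stealth, the router is doing the protecting, not the PC.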
    • #1914669

      anonymous

      As a simple home PC user (2 PCs unaware of each other, but each wired connected to a router, which is in turn wired connected to my ISP’s cable modem) I block all incoming accesses in the Windows Firewall using the ‘Control Panel\All Control Panel Items\Windows Firewall\Customise Setting’ window by ticking the ‘Block all incoming connections, including those in the list of allowed applications’ options for both Private and Public networks. Hopefully this more global setting includes the specific RDP port setting described in comments above?

      (I also tick the 2 ‘Notify me …’ boxes expecting to be prompted if anything attempts incoming access, but I have not seen anything in the 5 years or so since I started using Windows Firewall, which I hope is a good sign?)

      Note: Firefox adds ‘allow incoming access’ rules on installation. I don’t know why (possibly to do with settings sync-ing which I don’t use?), but as a Firefox user I have seen no side-effect of the global blocking override. Similarly my HP printer s/w adds ‘allow incoming access’ rules, but I connect each PC independently to the printer using a USB cable on the rare occasions that I print to paper (or more commonly scan from paper) so again I have seen no side-effect there either.

      As of mid-2016 I have also setup a policy to enforce this, which being a “policy” I assume will be even harder than just the Control Panel setting? As this was originally done on a W7 Home Premium PC without Group Policy Editor I don’t know the settings for gpedit, but in the Registry directly I have the keys ‘HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile’ and ‘…\PrivateProfile’ each with the sub-keys “DoNotAllowExceptions” DWORD set to 1 and “DisableNotifications” DWORD set to 0.

      (On a 64bit PC I also have these sub-keys in the keys ‘HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Wow6432Node\Microsoft\WindowsFirewall\PublicProfile’ and ‘…\PrivateProfile’, but I don’t know if these Wow6432Node versions are strictly necessary? Or just belt-and-braces?)

      HTH. Garbo.

      PS: On a similar theme but slightly off-topic, not doing any local networking I also ‘Disable NetBIOS over TCP/IP’ for both wired and wireless connections and Disable the ‘TCP/IP NetBIOS Helper’ service. This is on recommendation of the Steve Gibson (GRC) ‘Shields Up’ firewall testing site, which describes such a setting as “unusual” but “cool” (or something similar – I forget the exact words).

      To do this go to ‘Control Panel\All Control Panel Items\Network and Sharing Center\Change adapter settings’ (link on the LHS). For each of the network adapters (wired or wireless), right click and select Properties. In the list select ‘Internet Protocol Version 4’ so that the Properties button becomes available and click it. In the new window select Advanced. In the 2nd new window select WINS and in the 3rd new window the NetBIOS options are at the bottom. Select ‘Disable NetBIOS over TCP/IP’ and OK for each of these windows. Repeat for each adapter.

      To disable the service, (on the desktop if enabled or) in explorer right click on ‘This PC’ (in W8.1 or the equivalent in W7 or W10) and select ‘Manage’ to open the Computer Management window. Select ‘Services and Applications’, select Services, scroll down to ‘TCP/IP NetBIOS Helper’, highlight, right click and select Properties and change ‘Startup type’ to Disabled (and stop the service if it is running?) and OK.

      PPS: I forget if you need to restart the PC for any of these changes to take effect, but it cannot do any harm to restart 🙂

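Added example (editor's, not from Garbo's post): the whole of the above done from an elevated PowerShell prompt, so it can be repeated on the second PC without clicking through Control Panel: the "Block all incoming connections" state, the policy keys the post names, NetBIOS over TCP/IP off on every adapter, and the helper service disabled. netsh and WMI are used so it runs on Windows 7 Home Premium, which has neither gpedit nor the NetSecurity module; only the native Policies key is written (the Wow6432Node copy is left as the post describes it). Assumes PowerShell 3.0 or later.

```powershell
#Requires -RunAsAdministrator

# 1. Firewall on, and block ALL inbound including allowed-app exceptions, on every profile
#    (Control Panel: "Block all incoming connections, including those in the list of allowed applications")
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinboundalways,allowoutbound

# 2. Enforce the same thing as policy, using the keys from the post
foreach ($profile in 'PublicProfile', 'PrivateProfile') {
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty $key -Name DoNotAllowExceptions -Value 1 -Type DWord   # no exceptions, ever
    Set-ItemProperty $key -Name DisableNotifications -Value 0 -Type DWord   # keep the "Notify me" prompts
}

# 3. Disable NetBIOS over TCP/IP on every adapter
#    (NetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable)
$ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $ifaces | Where-Object { $_.PSChildName -like 'Tcpip_*' } |
    ForEach-Object { Set-ItemProperty $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }

# 4. Stop and disable the TCP/IP NetBIOS Helper service (service name: lmhosts)
Stop-Service lmhosts -Force -ErrorAction SilentlyContinue
Set-Service  lmhosts -StartupType Disabled

# 5. Show what we ended up with
netsh advfirewall show allprofiles | Select-String 'Profile Settings|^State|Firewall Policy'
Get-WmiObject Win32_Service -Filter "Name='lmhosts'" | Select-Object Name, State, StartMode
```

Expect "BlockInboundAlways,AllowOutbound" for every profile and lmhosts showing Stopped / Disabled. The NetbiosOptions change applies to the adapters on the next restart, which matches the "restart to be safe" advice in the PPS.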

      • #1914823

        Larry B
        AskWoody Lounger

        Note: Firefox adds ‘allow incoming access’ rules on installation. I don’t know why (possibly to do with settings sync-ing which I don’t use?), but as a Firefox user I have seen no side-effect of the global blocking override. Similarly my HP printer s/w adds ‘allow incoming access’ rules, but I connect each PC independently to the printer using a USB cable on the rare occasions that I print to paper (or more commonly scan from paper) so again I have seen no side-effect there either.

        Where is that setting?


        Thanks

        • #1914874

          anonymous

          I don’t know which “setting” you are referring to wrt the clip you copied from my comment above, but the Firefox and HP Printer installers added the inbound allow access rules to Windows Firewall (WF) without asking or informing me (as far as I can remember). It was only by chance when I looked at the WF settings sometime later that I spotted these allow rules.

          To see the WF inbound rules (if that is what you are asking me?), in the Control Panel select the “Windows Firewall” option and then the “Advanced settings” option on the left hand side (LHS). In the “Windows Firewall with Advanced Security” window which opens, in the LHS pane select Inbound Rules and the middle pane shows the rules. By default this is all rules whether these are enabled or not. You can use the “Filter by State” options on the RHS pane to just display a subset of rules if you prefer.

          I had deleted my HP Printer inbound rules after installation – it is an old printer and I don’t expect to have any communications with HP about it and I connect it to a PC using a USB cable. I forget if I also deleted the Firefox rule(s) as well, but present now is a Disabled “allow” rule for C:\Program Files\Mozilla Firefox\firefox.exe for the Private profile (which makes me think that this is intended for some communication between Firefox instances on different PCs in a local network, not via the wider internet which I assume would need a  Public profile inbound rule?) and the TCP protocol for all Ports. I don’t remember if I disabled this Firefox rule or if the Firefox installer did – sorry!

          Anyway my main point was that I expect the “Block all incoming connections …” setting to override any enabled inbound “allow” rules setup here for anything, but in several years of experience with this setting I have seen no side-effects. Again my usual caveat: I’m just a simple PC user not attempting any complicated local networking 🙂

          HTH. Garbo.


          1 user thanked author for this post.
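Added example (editor's, not from the replies above): a quick audit that lists every enabled inbound "allow" rule together with the program and ports it opens, so installer-added rules like the Firefox and HP printer ones are easy to spot without paging through the Advanced Security console. Uses the NetSecurity cmdlets where they exist (Windows 8 and later) and falls back to parsing netsh output on Windows 7. Assumes PowerShell 3.0 or later.

```powershell
function Get-InboundAllowRules {
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later
        Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name    = $_.DisplayName
                Profile = "$($_.Profile)"
                Program = $app.Program
                Ports   = ($port.LocalPort -join ',')
            }
        }
    } else {
        # Windows 7: netsh prints one text block per rule; split on "Rule Name:" and keep
        # the blocks that are both enabled and Allow
        netsh advfirewall firewall show rule name=all dir=in verbose |
            Out-String | ForEach-Object { $_ -split '(?m)^Rule Name:' } |
            Where-Object { $_ -match 'Enabled:\s+Yes' -and $_ -match 'Action:\s+Allow' } |
            ForEach-Object {
                [pscustomobject]@{
                    Name    = ($_ -split "`r?`n")[0].Trim()
                    Profile = if ($_ -match 'Profiles:\s+(.+)')  { $matches[1].Trim() }
                    Program = if ($_ -match 'Program:\s+(.+)')   { $matches[1].Trim() }
                    Ports   = if ($_ -match 'LocalPort:\s+(.+)') { $matches[1].Trim() }
                }
            }
    }
}

# Rules tied to a specific program are the installer-added ones worth reviewing
Get-InboundAllowRules |
    Where-Object { $_.Program -and $_.Program -notin 'Any', 'System' } |
    Sort-Object Program | Format-Table -AutoSize
```

Any rule you do not recognise can be disabled with `Disable-NetFirewallRule -DisplayName '<name>'` (Windows 8+) or `netsh advfirewall firewall set rule name="<name>" new enable=No`; with "Block all incoming connections" on, as Garbo notes, these allow rules are overridden anyway, but disabling them means they stay harmless if that setting is ever switched off.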
    • #1914826

      Larry B
      AskWoody Lounger

      I use Teamviewer to remotely update a friend’s PC.  Will changing the setting for a Win 7 HP SP1 remote assistance not allow me to use Teamviewer?  This question is for both my PC and the friend’s PC.

      Thanks

      • #1914851

        Paul T
        AskWoody MVP

        TeamViewer does not use RDP or the RDP port. You can continue to use TV without issue.

        cheers, Paul

        1 user thanked author for this post.
      • #1915288

        NetDef
        AskWoody_MVP

        I use Teamviewer to remotely update a friend’s PC.  Will changing the setting for a Win 7 HP SP1 remote assistance not allow me to use Teamviewer?  This question is for both my PC and the friend’s PC.

        Thanks

        TeamViewer on Windows, on both the client and the target, requires ports 80, 443 and 5938. It should be adding those exceptions to the Windows Firewall during install. On a home router, there is generally no need to make any special rules for TeamViewer to work.

        Disabling Windows RDP and Windows Remote Assistance, and blocking corresponding port 3389 will have no effect on TeamViewer.

        Source: https://community.teamviewer.com/t5/Knowledge-Base/Which-ports-are-used-by-TeamViewer/ta-p/4139

        ~ Group "Weekend" ~

    • #1915576

      anonymous

      Thanks for the article – but I’ve got a quick question. On my computer, I’ve got two separate sections. The second is what was described in the article as “remote desktop”, and that’s marked off to “don’t allow connections”.

      The first one, though, isn’t mentioned specifically. It’s labeled “remote assistance” and by default seems to be set to “Allow remote assistance connections”.  From what I’ve read about it online, it seems more creepy than it’s worth (have someone else take over your computer? Really? Why do I feel like that can’t possibly end well). I’ve never had reason to use a service like that, the closest I’ve come (and it’s pretty far off) is to have the computer check its own systems for problems, have my antivirus program run scans, or have the computer check why my internet connection isn’t working.

      I’ve turned it off for now, but is that ok? Should this be turned off? If it affects your answer, I’m on Windows 7, just a regular computer at home (not part of a business network or anything like that).

      Thanks!

      • #1915618

        Paul T
        AskWoody MVP

        Remote Assistance is not required and should be off.

        Why don’t you check your ports as suggested in post #1915325 above?

        cheers, Paul

    • #1916705

      bbearren
      AskWoody MVP

      Checking Your RDP Status Go to the GRC page. Click Services > ShieldsUp. Click “Proceed”, in the middle of the page. Type “3389” in the text box in the middle of the screen. Click “User Specified Custom Port Probe”. A green “Passed” stamp is the correct response. If you get anything else pop in and ask us for help.

      My port 3389 got the green stamp, it’s in full stealth mode.

      I’ve done none of the suggestions listed, I’m just fully updated by Windows Update.

      As for UPnP, I’ve been disabling that on my routers for a couple of decades.

      I use RDP routinely, almost daily, in fact.  It’s how I administer my home network.  I’ll keep using it.  If I get attacked, I’ll be sure to let everyone here know, right after I’ve restored my drive images to mitigate whatever.

      Create a fresh drive image before making system changes, in case you need to start over!
      "The problem is not the problem. The problem is your attitude about the problem. Savvy?"—Captain Jack Sparrow
      "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns

      "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

    • #1916927

      anonymous

      Off Topic But it’s really unfortunate non AskWoody Plus members can no longer use the Master Patch List.

      1 user thanked author for this post.
      • #1916951

        woody
        Da Boss

        I appreciate your concern, but….

        We’re trying hard to make enough money to keep the site (and the Patch List) going. This is the first step. Shortly — maybe early next week — we’ll be limiting the latest Newsletter to Plus members, also.

        I’ve waited more than six months to make the transition. Probably shouldn’t have waited that long.

        Keep in mind that we’re still on the donation model – you can choose how much to donate for a one year’s membership.

        1 user thanked author for this post.
