  • Patch Lady – How to avoid using RDP in Windows



      • #1913759 Reply
        woody
        Da Boss

        An important new article from Susan Bradley in CIO Online: https://www.youtube.com/watch?v=J9Cyi_exdJM BlueKeep and DejaBlue are both potent threats.
        [See the full post at: Patch Lady – How to avoid using RDP in Windows]

      • #1913813 Reply
        anonymous
        Guest

        Hi Woody, thank you for being there for us and having your MVPs and this site.

        You mentioned, “In Vista or Win7, click My Computer and choose Computer. At the top, click System properties. On the left, click Remote Settings. You should be on the Remote tab, and the button under Remote Desktop marked “Don’t allow connections to this computer” should be selected. If it isn’t, click it and click OK.”

        But on my Windows 7 Home Premium under System Properties, the Remote tab has, “Allow Remote Access connections to this computer” and one would uncheck that to prevent it.

        Thank you again.

        • #1913882 Reply
          Tex265
          AskWoody Plus

          The Remote Tab contains two (2) items:

          1. Remote Assistance (checkmark to Allow)
          2. Remote Desktop (Select dot one of three)

          Windows 10 Pro x64 v1909 and Windows 7 Pro SP1 x64 (RIP)
          • #1913900 Reply
            anonymous
            Guest

            Both of those two settings rate an article that explicitly states just what Windows/third-party software makes use of them:

            “1. Remote Assistance (checkmark to Allow)
            2. Remote Desktop (Select dot one of three)”

            That Remote Assistance is according to MS’s included link in the System Properties Panel/Remote Assistance Tab:

            “What happens when I enable Windows Remote Assistance?

            When you enable Windows Remote Assistance:

            You can get help using Windows Remote Assistance.

            Windows Remote Assistance is allowed through Windows Firewall so that it can communicate with your helper’s computer. For more information, see What are the risks of allowing programs through a firewall?”

            And under that there is more under another link, What are the risks of allowing programs through a firewall? so that’s:

            “What are the risks of allowing programs through a firewall?

            When you add a program to the list of allowed programs in a firewall, or when you open a firewall port, you allow a particular program to send information to or from your computer through the firewall. Allowing a program to communicate through a firewall (sometimes called unblocking) is like punching a hole in the firewall.

            Each time you open a port or allow a program to communicate through a firewall, your computer becomes a bit less secure. The more allowed programs or open ports your firewall has, the more opportunities there are for hackers or malicious software to use one of those openings to spread a worm, access your files, or use your computer to spread malicious software to others.

            It’s generally safer to add a program to the list of allowed programs than to open a port. If you open a port, it stays open until you close it, whether or not a program is using it. If you add a program to the list of allowed programs, the “hole” is open only when needed for a particular communication.

            To help decrease your security risk:

            Only allow a program or open a port when you really need to, and remove programs from the list of allowed programs or close ports that you no longer need.

            Never allow a program that you don’t recognize to communicate through the firewall.”

        • #1913901 Reply
          cyberSAR
          AskWoody Plus

          Home doesn’t allow RDP connections. I always uncheck allow remote assistance… I figure if you ever need it you can enable it.

          • #1913902 Reply
            LHiggins
            AskWoody Plus

            Yes, my remote tab only has one choice – the checkbox to allow remote connections.


            I have Win 7 Home Premium.

            • #1913935 Reply
              anonymous
              Guest

              Yes, RDP is for Windows 7 Pro and above, and Home users are not even able to do System Image Backups to a network share (hard drives/SSD disks connected via an Ethernet connection in a NAS [Network Attached Storage] device or similar connected storage option).

              That’s MS’s segmenting of its Pro and above OS versions and that RDP is mostly for IT departments managing fleets of Business Grade PCs/Laptops via that RDP functionality for the Enterprise’s/Employee’s needs. For business grade Laptops especially and the enterprise’s road warriors that need that RDP so the IT department can fix things remotely.

          • #1914014 Reply
            Susan Bradley
            AskWoody MVP

            I honestly haven’t used remote assistance in…. I can’t even remember how long.  On my Dad’s computer I have logmein installed.  Others I use copilot.  I would uncheck remote assistance given that everyone (including the scammers) use third party tools that work better than remote assistance.

            Susan Bradley Patch Lady

        • #1913993 Reply
          HiFlyer
          AskWoody Plus

          Re: #1913813

          “But on my Windows 7 Home Premium under System Properties, the Remote tab has, “Allow Remote Access connections to this computer” and one would uncheck that to prevent it.”

          My Win8.1 x64 Home Premium has only that one box to leave unchecked. Nothing else I can find.

      • #1913907 Reply
        woody
        Da Boss

        Good suggestions!

        I wish I felt more comfortable in saying “If you don’t allow remote connections on the Remote tab you’re protected from BlueKeep and DejaBlue.”

        That should be true, but I still haven’t found anybody who knows the Blues intimately who’s just come out and said it. For now, blocking RDP is an obvious first step – which every Windows user can follow.

        • #1914015 Reply
          Susan Bradley
          AskWoody MVP

          Microsoft does in their ATP documentation:

          • Customers that don’t turn on Remote Desktop Services are not exposed to exploits for these vulnerabilities. Remote Desktop Services is off by default on affected platforms.

          August 2019 RDP update advisory

          Executive summary

          As part of the August 2019 Security Updates, Microsoft released fixes for unauthenticated remote code execution vulnerabilities (CVE-2019-1181 and CVE-2019-1182) in Remote Desktop Services on Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016. Attackers might weaponize these vulnerabilities to launch various attacks, including disruptive attacks that cause affected systems to crash.

          Customers should prioritize the deployment of critical updates to all affected platforms. If updating immediately isn’t an option, consider turning off Remote Desktop Services. Where Remote Desktop Services is required, turn on network-level authentication (NLA) for RDP to mitigate malicious client machines attacking servers.

          Key insights

          • Successful exploits of these vulnerabilities could be used to gain remote access to vulnerable systems.
          • Microsoft has not observed, at the time of publication, any attacks exploiting these vulnerabilities in the wild.
          • Customers with Remote Desktop Services enabled and network-level authentication turned off are at higher risk for attack. Machines in this configuration that are exposed to the internet are at the highest risk. Turning on network-level authentication for RDP significantly mitigates known remote vectors for exploitation for servers.
          • Customers evaluating the risks posed by these vulnerabilities should account for potential attacks within their networks. Past malware has used similar vulnerabilities to spread within enterprise environments after gaining a foothold within the network.

          Mitigations

          Apply these mitigations to reduce the impact of the vulnerabilities.

          • Machines running Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, Windows 10, or Windows Server 2016 should apply fixes for CVE-2019-1181 and CVE-2019-1182. These fixes are available as part of the August 2019 Security Updates.
            • Machines running Windows Server 2008 are not vulnerable.
            • Customers that don’t turn on Remote Desktop Services are not exposed to exploits for these vulnerabilities. Remote Desktop Services is off by default on affected platforms.
          • Enable network level authentication (NLA) for RDP. This will help mitigate attacks against machines running Remote Desktop Services by changing the requirement to exploit from unauthenticated access to authenticated access.
          • Reduce the risk to internet-facing machines with Remote Desktop Services enabled by placing them behind an authenticated gateway or a firewall.
          • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

          Detection details

          Endpoint detection and response (EDR)

          The following alert can indicate threat activity related to exploitation of these vulnerabilities. This alert might fire for other suspicious but unrelated network activity and is not monitored as part of this report.

          • Suspicious number of outbound network connections — this alert flags spikes in the number of outbound connections to the common RDP port (TCP/3389). These connections can indicate port scanning or worm-like behavior that might be abusing these vulnerabilities.

          Advanced hunting

          The following query finds processes with unexpected connections to the common RDP port (TCP/3389). It filters out common RDP programs and scanning tools. It also provides contextual information, such as the names and IP addresses of the machines involved in the connections.

          You can use it to find processes that might be scanning for possible targets or exhibiting worm-like behavior.

          // Find unusual processes with outbound connections to TCP port 3389
          NetworkCommunicationEvents
          | where RemotePort == 3389
          | where ActionType == "ConnectionSuccess" and Protocol == "Tcp"
          // Remove common RDP clients, management consoles and scanning tools
          | where InitiatingProcessFileName !in~
          ("mstsc.exe","RTSApp.exe","RTS2App.exe","RDCMan.exe","ws_TunnelService.exe",
          "RSSensor.exe","RemoteDesktopManagerFree.exe","RemoteDesktopManager.exe",
          "RemoteDesktopManager64.exe","mRemoteNG.exe","mRemote.exe","Terminals.exe",
          "spiceworks-finder.exe","FSDiscovery.exe","FSAssessment.exe","chrome.exe",
          "microsoftedgecp.exe","LTSVC.exe","Hyper-RemoteDesktop.exe",
          "RetinaEngine.exe","Microsoft.Tri.Sensor.exe")
          // Ignore binaries running from the usual installed and system locations
          and InitiatingProcessFolderPath !has "program files"
          and InitiatingProcessFolderPath !has "winsxs"
          and InitiatingProcessFolderPath !contains "windows\\sys"
          // Ignore loopback connections
          | where RemoteIP !in ("127.0.0.1", "::1")
          // One row per process binary per day, with the count of distinct targets it reached
          | summarize ComputerNames = make_set(ComputerName),
          ListofMachines = make_set(MachineId),
          make_set(EventTime),
          ConnectionCount = dcount(RemoteIP) by InitiatingProcessFileName,
          InitiatingProcessSHA1, bin(EventTime, 1d)

          References

          Change log

          • 2019-08-15 20:47 UTC | Enhanced advanced hunting query
          • 2019-08-15 05:15 UTC | Entry created

          Susan Bradley Patch Lady

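The filtering logic of the advanced-hunting query above, reimplemented as an added example in PowerShell so it can be read and tried offline. This is my code, not Microsoft's query and not anything posted in the thread: it runs over constructed Sysmon Event ID 3 style records (real input would come from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log), and the sample events, the short allow-list and the 5-target threshold are all made up for the demonstration. Needs PowerShell 3 or later.

```powershell
# Added example: local equivalent of the "unexpected processes connecting to TCP/3389"
# hunt. The events below are constructed, not captured; the allow-list is a short
# subset of the one in the Defender ATP query.
$knownRdpClients = @('mstsc.exe', 'RDCMan.exe', 'mRemoteNG.exe', 'RemoteDesktopManager.exe', 'chrome.exe')

function New-NetEvent {
    # Builds a record shaped like the Sysmon network-connection event fields we filter on.
    param([string]$Time, [string]$Image, [string]$DestIp, [int]$DestPort,
          [string]$Protocol = 'tcp', [bool]$Initiated = $true)
    [pscustomobject]@{ Time = [datetime]$Time; Image = $Image; DestIp = $DestIp
                       DestPort = $DestPort; Protocol = $Protocol; Initiated = $Initiated }
}

# Constructed sample: a legitimate client, a system binary, a loopback hit, a UDP probe,
# and a binary in a Temp folder walking eight hosts on 3389 within the same day.
$sample = @(
    New-NetEvent '2019-08-15T09:00:00Z' 'C:\Windows\System32\mstsc.exe'           '10.0.0.5'  3389
    New-NetEvent '2019-08-15T09:01:00Z' 'C:\Windows\System32\svchost.exe'         '10.0.0.6'  3389
    New-NetEvent '2019-08-15T09:02:00Z' 'C:\Users\bob\AppData\Local\Temp\upd.exe' '127.0.0.1' 3389
    New-NetEvent '2019-08-15T09:03:00Z' 'C:\Users\bob\AppData\Local\Temp\upd.exe' '10.0.0.7'  3389 'udp'
) + @(1..8 | ForEach-Object {
    New-NetEvent "2019-08-15T09:1$($_ - 1):00Z" 'C:\Users\bob\AppData\Local\Temp\upd.exe' "10.0.0.$(20 + $_)" 3389
})

function Find-RdpScanners {
    param([object[]]$Events, [string[]]$AllowList, [int]$Threshold = 5)
    $Events |
        Where-Object {
            # RemotePort == 3389, ConnectionSuccess, Protocol == "Tcp"
            $_.DestPort -eq 3389 -and $_.Protocol -eq 'tcp' -and $_.Initiated
        } |
        Where-Object {
            # RemoteIP !in ("127.0.0.1", "::1")
            @('127.0.0.1', '::1') -notcontains $_.DestIp
        } |
        Where-Object {
            # !in~ allow-list, and not under program files / winsxs / windows\sys*
            $name = [IO.Path]::GetFileName($_.Image)
            $dir  = [IO.Path]::GetDirectoryName($_.Image)
            ($AllowList -notcontains $name) -and
            ($dir -notmatch 'program files') -and
            ($dir -notmatch 'winsxs') -and
            ($dir -notmatch 'windows\\sys')
        } |
        Group-Object { '{0}|{1:yyyy-MM-dd}' -f $_.Image, $_.Time } |
        ForEach-Object {
            # per binary per day, like bin(EventTime, 1d); Targets is the dcount(RemoteIP)
            $targets = @($_.Group | Select-Object -ExpandProperty DestIp | Sort-Object -Unique)
            [pscustomobject]@{
                Image      = $_.Group[0].Image
                Day        = $_.Group[0].Time.ToString('yyyy-MM-dd')
                Targets    = $targets.Count
                Suspicious = ($targets.Count -ge $Threshold)
            }
        }
}

Find-RdpScanners -Events $sample -AllowList $knownRdpClients | Format-Table -AutoSize
```

On the constructed sample only the Temp-folder binary survives the three filters, with eight distinct targets in one day, which is the "scanning or worm-like" shape the Microsoft text describes. The allow-list and path filters are what keep normal mstsc use and system binaries out of the result, and a threshold is needed because a single successful 3389 connection from an odd process is not by itself evidence of anything.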
      • #1913917 Reply
        Microfix
        AskWoody MVP

        These are a couple of extra/precautionary steps I’ve taken and checked on Win7 x86/x64 installations.
        Patch Lady mentioned in the video, blocking port 3389 using your firewall if you do not use RDP at all. I’ve blocked the incoming port 3389 in both Windows 7 and 8.1
        This port is used in the RDP protocol and blocks attempts to establish a connection.(better safe than sorry)

        Also mentioned was NLA and Windows 7 Home Premium has no GPedit so..
        To check and ensure Network Level Authentication is ON

        Within Regedit, navigate to the following keys and check that the data value is set as follows:

        HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
        Value: UserAuthentication
        Data: 1

        HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\
        Value: UserAuthentication
        Data: 1

        | Win8.1 Pro x64 | Linux Hybrids x86/x64 | Win7 Pro x86/x64 Offline |
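The registry checks above, plus the RDP on/off and Remote Assistance switches discussed earlier in the thread, gathered into one audit script as an added example. This is my code, not Microfix's steps and not from the page; it runs from an elevated prompt on Windows 7 (PowerShell 2) and later, reads the values the System Properties dialog writes, and only changes anything when called with -Harden. The Remote Assistance key path and the WMI class used to enable NLA are from my own knowledge of Windows rather than from the thread.

```powershell
# Added example: audit RDP, NLA and Remote Assistance state; -Harden applies
# "RDP off, NLA on, Remote Assistance off". Run elevated.
param([switch]$Harden)

$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
$raKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$polKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent, e.g. no policy has ever been applied
}

function Get-RdpPosture {
    $deny   = Get-RegValueOrNull $tsKey     'fDenyTSConnections'   # 1 = "Don't allow connections"
    $nlaWs  = Get-RegValueOrNull $rdpTcpKey 'UserAuthentication'   # listener: 1 = NLA required
    $nlaPol = Get-RegValueOrNull $polKey    'UserAuthentication'   # policy: wins when present
    $help   = Get-RegValueOrNull $raKey     'fAllowToGetHelp'      # 1 = Remote Assistance allowed
    $port   = Get-RegValueOrNull $rdpTcpKey 'PortNumber'           # 3389 unless reassigned
    if ($null -eq $port) { $port = 3389 }
    $svc    = Get-Service -Name TermService -ErrorAction SilentlyContinue
    # netstat rather than Get-NetTCPConnection so the same check runs on Windows 7
    $listen = [bool](netstat -ano -p tcp | Select-String -Pattern ":$port\s+\S+\s+LISTENING")
    New-Object PSObject -Property @{
        RdpEnabled       = ($deny -eq 0)
        NlaEffective     = $(if ($null -ne $nlaPol) { $nlaPol -eq 1 } else { $nlaWs -eq 1 })
        RemoteAssistance = ($help -eq 1)
        Port             = $port
        TermService      = $(if ($svc) { [string]$svc.Status } else { 'Missing' })
        ListeningOnPort  = $listen
    }
}

function Set-RdpHardened {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    # NLA: the supported interface is the TerminalServices WMI class, which also updates
    # UserAuthentication under RDP-Tcp. Fall back to the registry value if WMI is unavailable.
    $ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
              -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
    if ($ts) { $null = $ts.SetUserAuthenticationRequired(1) }
    else     { Set-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -Value 1 -Type DWord }
    if (-not (Test-Path $raKey)) { $null = New-Item -Path $raKey -Force }
    Set-ItemProperty -Path $raKey -Name fAllowToGetHelp -Value 0 -Type DWord
}

Get-RdpPosture | Format-List RdpEnabled, NlaEffective, RemoteAssistance, Port, TermService, ListeningOnPort
if ($Harden) {
    Set-RdpHardened
    Write-Host 'Hardened; re-audit:'
    Get-RdpPosture | Format-List RdpEnabled, NlaEffective, RemoteAssistance, ListeningOnPort
}
```

NlaEffective reports the policy key when it exists and the listener key otherwise, because a Group Policy value overrides what the GUI radio button wrote. ListeningOnPort is worth looking at separately from RdpEnabled: it tells you whether anything is actually bound on the port, which is the thing a firewall rule or the external port probe mentioned later in the thread is really testing.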
        • #1914007 Reply
          HiFlyer
          AskWoody Plus

          Re #1913917

          @Microfix: “I’ve blocked the incoming port 3389 in both Windows 7 and 8.1”

          I’d like to do both too.  Simple way?

          • #1914026 Reply
            Microfix
            AskWoody MVP

            Win8.1: go to Control Panel/Windows Firewall and open it up.
            LHS panel: Advanced Settings (opens up new window)
            LHS panel: click Inbound Rules
            RHS panel: click New Rule (opens new window)
            Click on Port Radio button then click Next
            Select TCP radio button and input specific remote port as 3389 then click Next
            Select Block the connection radio button then click Next
            Tick all three: Domain, Private and Public, then click Next
            Give it a rule name, 3389, and click Finish

            | Win8.1 Pro x64 | Linux Hybrids x86/x64 | Win7 Pro x86/x64 Offline |
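The same inbound block rule created from an elevated PowerShell prompt, as an added example (my code, not Microfix's procedure). Windows 8.1 and 10 ship the NetSecurity cmdlets; Windows 7 does not, so the script falls back to netsh advfirewall, which also works on the newer versions. The rule filters on the local port, since that is where the RDP listener lives, and covers UDP as well as TCP because newer clients use UDP 3389 for transport. The rule name and the -Port default are my choices.

```powershell
# Added example: block inbound TCP and UDP 3389 on every profile, then verify.
# A block rule wins over the built-in "Remote Desktop (TCP-In)" allow rule, so that
# rule does not need to be found and disabled separately. Run elevated.
param([int]$Port = 3389, [string]$RuleName = "Block inbound RDP $Port")

function Add-RdpBlockRule {
    param([int]$Port, [string]$RuleName)
    $useCmdlets = [bool](Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)
    foreach ($proto in 'TCP', 'UDP') {
        $name = "$RuleName ($proto)"
        if ($useCmdlets) {
            if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
            # Inbound rules filter on the *local* port; -Profile Any = Domain + Private + Public
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                -Protocol $proto -LocalPort $Port -Profile Any -Enabled True | Out-Null
        } else {
            # Windows 7 path; netsh returns a non-zero exit code on failure
            $out = netsh advfirewall firewall add rule name="$name" dir=in action=block `
                protocol=$proto localport=$Port profile=any enable=yes
            if ($LASTEXITCODE -ne 0) { throw "netsh failed for ${proto}: $out" }
        }
    }
}

function Test-RdpBlockRule {
    # $true only when an enabled inbound Block rule on the port exists for both protocols.
    param([int]$Port, [string]$RuleName)
    $useCmdlets = [bool](Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue)
    foreach ($proto in 'TCP', 'UDP') {
        $name = "$RuleName ($proto)"
        if ($useCmdlets) {
            $r = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
            if (-not $r -or $r.Enabled -ne 'True' -or $r.Action -ne 'Block') { return $false }
            $pf = $r | Get-NetFirewallPortFilter
            if ([string]$pf.LocalPort -ne [string]$Port) { return $false }
        } else {
            $txt = netsh advfirewall firewall show rule name="$name" | Out-String
            if ($txt -notmatch 'Enabled:\s+Yes' -or $txt -notmatch 'Action:\s+Block') { return $false }
        }
    }
    return $true
}

Add-RdpBlockRule  -Port $Port -RuleName $RuleName
Test-RdpBlockRule -Port $Port -RuleName $RuleName    # prints True when both rules are in place
```

If a third-party suite has taken over the firewall, as the next reply notes, these rules are written to the Windows Firewall store but are not what is enforcing traffic; Test-RdpBlockRule will still report True, so check which firewall is actually active before trusting it.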
            • #1914151 Reply
              anonymous
              Guest

              If you are using a third-party firewall, or an antivirus/firewall security suite, then Windows Firewall will be disabled and Windows will refer to that installed third-party security software by name; you must use that vendor’s methods to manage the firewall settings.

              Windows Firewall:

              “These settings are being managed by vendor application [Such and Such security suite] “

        • #1914067 Reply
          HiFlyer
          AskWoody Plus

          Re: 1914026

          @Microfix  Push pull click click block ports that quick.

          Thanks for making it simple and easy.

      • #1913918 Reply
        geekdom
        AskWoody Plus

        Here: (screenshot attached)

        G{ot backup} TestBeta
        offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 Windows{Image/Defender/Firewall}
        online▸ Win10Pro 1909.18363.959 x64 i5-9400 RAM16GB HDD Firefox80.0b4 Windows{Image/Defender/Firewall}
      • #1913950 Reply
        GreatAndPowerfulTech
        AskWoody Plus

        Our shop has disabled RDP in every PC we sell or service, unless the customer needs it, which is very rare with superior options available. We saw this as a potential vulnerability decades ago. I’m surprised it took so long to actually (theoretically) become one.

        GreatAndPowerfulTech

      • #1914012 Reply
        zero2dash
        AskWoody Lounger

        Most people, even if RDP is enabled, would not be able to access it from the outside since most consumer-level ISP modems and routers have NAT and port 3389 (the RDP port) is not open.

        Obviously there are the network techies out there like myself who know how to open this, but I would hope that we are smart enough to provide a workaround either via VPN or SSH tunneling, which is what I’ve done on my home setup. I have a custom SSH port open but my Bitvise SSH Server is locked down as tight as it can be. I SSH in with PuTTY and then RDP to anything on my internal home network, with practically no care (or scare) in the world.

        For average Joe and Jane user, if you need to remotely access a system, use Chrome Remote Desktop, or Teamviewer.

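The "SSH in, then RDP to the inside" pattern described above, as an added example in PowerShell. This is my code, not zero2dash's setup: it assumes the OpenSSH client built into Windows 10 1809 and later (on Windows 7, PuTTY's plink.exe accepts the same -L syntax), and the host name, ports, user and target address are placeholders.

```powershell
# Added example: carry an RDP session inside an SSH local port forward so the RDP
# listener is never reachable from the internet. All names/addresses are placeholders.
function Start-RdpOverSsh {
    param(
        [string]$SshHost   = 'home.example.org',  # public address of the SSH server
        [int]   $SshPort   = 2222,                # the custom SSH port mentioned above
        [string]$User      = 'alice',
        [string]$Target    = '192.168.1.10',      # LAN host you want to reach on 3389
        [int]   $LocalPort = 13389
    )
    # -N: tunnel only, no remote shell. Binding the forward to 127.0.0.1 keeps other hosts
    # on the network you are sitting on from riding the tunnel to your LAN.
    $ssh = Start-Process -FilePath ssh -PassThru -NoNewWindow -ArgumentList @(
        '-N', '-p', $SshPort,
        '-o', 'ExitOnForwardFailure=yes',
        '-L', "127.0.0.1:${LocalPort}:${Target}:3389",
        "$User@$SshHost")

    # Wait until the local forward is actually listening before launching mstsc.
    $ready = $false
    $deadline = (Get-Date).AddSeconds(20)
    while (-not $ready -and (Get-Date) -lt $deadline) {
        if ($ssh.HasExited) { throw "ssh exited with code $($ssh.ExitCode) before the tunnel came up" }
        $client = New-Object Net.Sockets.TcpClient
        try   { $client.Connect('127.0.0.1', $LocalPort); $client.Close(); $ready = $true }
        catch { Start-Sleep -Milliseconds 500 }
    }
    if (-not $ready) { Stop-Process -Id $ssh.Id; throw "Tunnel to $Target did not come up in time" }

    # The RDP client only ever talks to loopback; NLA still applies at the far end.
    Start-Process mstsc -ArgumentList "/v:127.0.0.1:$LocalPort"
    return $ssh   # Stop-Process this when the RDP session is over
}

$tunnel = Start-RdpOverSsh
```

The important detail is the explicit 127.0.0.1 bind on the -L option: without it some clients bind the local end on all interfaces, which turns the laptop into an open relay to the LAN host for anyone on the same coffee-shop network.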
        • #1915366 Reply
          anonymous
          Guest

          zero2dash said:
          For average Joe and Jane user, if you need to remotely access a system, use Chrome Remote Desktop, or Teamviewer.

          Another option is AnyDesk, which is no-install & free for personal use (with some limitations, eg. maximum of 1 connection at any one time, max 30 mins’ connection per session).

          That being said, any sort of remote desktop connection tool — if improperly configured & used carelessly on a poorly secured network — can be a point of entry for attack.

          For instance, the backend supply-chain hack of CCleaner in 2017 was enabled by TeamViewer, which the hackers used to infiltrate the Piriform network via an unattended PC.

          Subsequently, the hackers roamed around the Piriform network, & successfully logged in as administrator to various PCs using the Windows Remote Desktop connection.

      • #1914028 Reply
        jdroestfs
        AskWoody Plus

        In the Microsoft article quoted above by Susan, there is the following bullet point:

        • Reduce the risk to internet-facing machines with Remote Desktop Services enabled by placing them behind an authenticated gateway or a firewall.

        Is the RDS Gateway (the one included in SBS 2011) an authenticated gateway? Many of our users are able to logon to Remote Web Access, select their computer, and remote in to get access to their work computer. I have always considered this to be safe as it requires authentication before RDP can be used.

        Any thoughts?

        • #1914060 Reply
          Susan Bradley
          AskWoody MVP

          Yes SBS 2011 provides RDS Gateway in the background and thus is an authenticated gateway.  You are protected.

          Susan Bradley Patch Lady

        • #1914167 Reply
          NetDef
          AskWoody_MVP

          Notes for fun.

          The RDP Gateway role on SBS 2011, and on Server 2012/R2 and 2016 Essentials, acts as a sort of “Broker” for remote desktop access. (The role is also available on Server 2019 Standard.)

          It uses port 443 by default and sets up an SSL tunnel between itself and the remote client, using a trusted SSL certificate installed and renewed by the admin to encrypt the connection. Port scans to this service on port 443 are initially treated much like any HTTPS request until the tunnel is negotiated. There are (at least) two authentication stages; they may or may not use the same user credentials. (I say at least because both RADIUS and MFA are also options.)

          The first stage is to authenticate on the Gateway server itself, involving certificate recognition and user credentials. Once that succeeds an RDP session to the internal target is created, and another authentication for that is required. Internal targets can be sessions, VMs or physical workstations/servers within the LAN that are joined to the AD domain.

          Additionally the only port forwarding to the gateway server needed on the external firewall is 443. Really, that’s it. The RDP Gateway handles routing to RDP targets inside the network itself.

          So . . .

          Externally, with this setup, one might surmise that the organization is immune to outside Bluekeep attacks. And so far at least this is true. (Someday someone is going to find a way, and it will be patched months later with great fanfare. Much sleep will be lost in the gap.)

          But the problem still exists that if the vulnerability is exploited from within the LAN, it could be used in worm fashion to infect everything else on your subnet. Because the clients still have to have RDP enabled.

          The initial vector could be a malicious email attachment or a browser drop. This is keeping me up at night . . . because most of my clients are addicted to having RDP available (and for good reasons, the software they run locally and via RDP is very expensive.)

          ~~~ heavy sigh ~~~

          ~ Group "Weekend" ~

          • #1914266 Reply
            Susan Bradley
            AskWoody MVP

            IMHO the “once they get inside you are toast” is generally true of everything these days.  See the ransomware hit on umpteen Texas small cities as an example.  We just need time to patch, not absolute security.

            Susan Bradley Patch Lady

      • #1914030 Reply
        anonymous
        Guest

        In the Windows Firewall (MS Server 2016) I’ve set the built-in RDP rules to allow connection from ONLY my (remote) IP. Drops everything touching port 3389.

      • #1914147 Reply
        wavy
        AskWoody Plus

        Just out of curiosity, In W10 Pro with Remote Desktop off does the Remote Assistance check box actually do anything? I would think not but …

        [BTW it’s Dameware from Solarwinds (which bought Dameware) now. Who would think that Solarwinds is a 4 1/ Billion $ company.]

        Is Teamviewer (the Civic ) still recommended ? I remember that was a favorite at one time .

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        • #1914183 Reply
          NetDef
          AskWoody_MVP

          Teamviewer has gotten very expensive, and recently pretty aggressive about chasing one-off users that were using their free version. Oh the free version is still available, but if you even smell like you might be using it professionally, you’re likely to get a nasty-gram.

          Dameware’s price has tripled now that SW owns them. (from 89 to over 300) Additionally they now have verbiage about an annual maintenance fee, but I cannot seem to find what that fee is on their website. Worse, I can’t tell if you have to have maintenance, or if it’s optional. Knowing SW, it’s going to segue into required, over time. And the price will likely go up again. (I might be a little bitter, they did this a few years ago to my favorite SMB remote console system when they acquired GFI-Max.)

          ~ Group "Weekend" ~

        • #1914247 Reply
          Bluetrix
          AskWoody MVP

          Is Teamviewer (the Civic ) still recommended ? I remember that was a favorite at one time .

          As mentioned by @cyberSAR, Win10 Home doesn’t have RDP functionality, but it can (or could at one time) be enabled using stascorp’s rdpwrap, easily dl’ed from GitHub.

          I chose to go with TeamViewer instead, it’s up to V-14 now, though I use V-13 free.

          I use it to help just a few friends, it works for me. Never got a nasty-gram … yet 🙂

        • #1914254 Reply
          RetiredGeek
          AskWoody MVP

          Hey Y’all,

          I’ve used TeamViewer free version for years to fix friends and family computers all over the world and have never had a problem, just lucky I guess.

          May the Forces of good computing be with you!

          RG

          PowerShell & VBA Rule!
          Computer Specs

      • #1914169 Reply
        GoneToPlaid
        AskWoody Plus

        Microsoft does in their ATP documentation: Customers that don’t turn on Remote Desktop Services are not exposed to exploits for these vulnerabilities. Remote Desktop Services is off by default on affected platforms.

        I wonder if there might be a caveat associated with this statement from Microsoft. Microsoft’s statement makes no mention of Remote Assistance. Microsoft’s statement might assume that the user is also using Windows Firewall and not a third party firewall which could still be passing RDP port 3389. From my understanding, if stuff through RDP port 3389 isn’t blocked, then the specific unpatched DLL is exploitable.

        Here is a trick that I learned in terms of third party firewalls: Some third party firewalls do not pickup newly configured rules in Windows Firewall if Windows Firewall is disabled. This sometimes can cause weird networking issues. For example, Panda’s firewall has this issue. The solution is to temporarily disable the third party firewall, then enable Windows Firewall, and then enable the third party firewall. The third party firewall should then pick up the new rules in Windows Firewall. Most third party firewalls then automatically disable Window Firewall. Panda’s firewall, for example, will pick up the new rules in Windows Firewall and then disable Windows Firewall when Panda’s firewall is re-enabled. I consider this to be a bug with an easy workaround.

        If anyone is afraid to install the August updates, you should be able to block port 3389 in your home router or ISP provided modem/router. Remember to block port 3389 for all protocols, specifically HTTP and UDP.

        • #1914185 Reply
          NetDef
          AskWoody_MVP

          Remote Assistance uses port 3389, same as Remote Desktop Protocol. Worse, it attempts to use UPnP on your firewall to create a port forwarding rule for 3389 on your external firewall to your computer.

          https://support.microsoft.com/en-us/help/300692/description-of-the-remote-assistance-connection-process

          ~ Group "Weekend" ~

          • #1914237 Reply
            GoneToPlaid
            AskWoody Plus

            Yep, very true. Thus MS’s statement that disabling RDP, with no mention about Remote Assistance, now comes into question.

            • #1914245 Reply
              NetDef
              AskWoody_MVP

              I am rather curious too, esp since I just thought to go look at something – an old router.

              The way it’s supposed to work, if you send a Remote Assistance request, along with the request Windows tries to use UPnP on your router to open that port. In theory, UPnP sessions are supposed to expire. In reality I’ve seen plenty of times where that doesn’t work.

              And sure enough. On a loaner router sitting in my storage, booted up tonight and looked at the UPnP tables . . . and there were several port forwarding rules listed for 3389 to specific internal IPs.

              (Among other things, this is why I generally turn UPnP off on my regular stuff. This was a loaner that really never got configured to my standards.)

              So the question I have for Microsoft is:

              Given a scenario with Windows Home (no official RDP), with Remote Assistance on, and RA has been used at least once on a router that has uPnP enabled . . .

              Vulnerable to Bluekeep? Yes? No?

              I’m betting on yes.

              ~ Group "Weekend" ~

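A way to look for the stale 3389 forwards NetDef found, without logging into the router, as an added example. This is my code, not from the thread: it asks the gateway over UPnP (the same mechanism Remote Assistance uses to punch the hole) for its static port-mapping table through the HNetCfg.NATUPnP COM object that ships with Windows. It assumes the router still answers UPnP IGD requests; with UPnP turned off it returns nothing, and a mapping the router holds as a short-lived lease rather than a static entry will not show up through this interface.

```powershell
# Added example: enumerate (and optionally remove) UPnP port mappings that forward
# to or from a given port. Uses the Windows-supplied HNetCfg.NATUPnP COM object.
function Get-UpnpPortMapping {
    param([int]$Port = 3389)
    $nat  = New-Object -ComObject HNetCfg.NATUPnP
    $coll = $nat.StaticPortMappingCollection     # $null when no UPnP gateway answered
    if ($null -eq $coll) {
        Write-Warning 'No UPnP gateway answered: UPnP is off on the router, or none was found on this segment.'
        return
    }
    foreach ($m in $coll) {
        if ($m.InternalPort -eq $Port -or $m.ExternalPort -eq $Port) {
            New-Object PSObject -Property @{
                ExternalPort   = $m.ExternalPort
                Protocol       = $m.Protocol        # 'TCP' or 'UDP'
                InternalClient = $m.InternalClient  # LAN address the forward points at
                InternalPort   = $m.InternalPort
                Enabled        = $m.Enabled
                Description    = $m.Description     # often names the program that asked for it
            }
        }
    }
}

function Remove-UpnpPortMapping {
    # Deletes one mapping; the router identifies mappings by external port + protocol.
    param([int]$ExternalPort, [string]$Protocol)
    $nat = New-Object -ComObject HNetCfg.NATUPnP
    $nat.StaticPortMappingCollection.Remove($ExternalPort, $Protocol)
}

$stale = @(Get-UpnpPortMapping -Port 3389)
$stale | Format-Table ExternalPort, Protocol, InternalClient, InternalPort, Enabled, Description -AutoSize
# Review the list, then clear the forwards you did not create:
# $stale | ForEach-Object { Remove-UpnpPortMapping -ExternalPort $_.ExternalPort -Protocol $_.Protocol }
```

Removing the mappings is a one-off cleanup; as NetDef says, the durable fix is turning UPnP off on the router so that Remote Assistance (or anything else on the LAN) cannot recreate them.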
          • #1914730 Reply
            woody
            Da Boss

            I wish we could get definitive statements about blocking BlueKeep and the DejaBlues – is it sufficient to turn off RDP in the GUI? is it sufficient to block 3389? – but there don’t appear to be any forthcoming.

            Based on what I’ve seen, I’m not 100% sure that enabling NLA will keep the DejaBlues off a network (besides, neophytes messing around with NLA can lead to all sorts of problems).

            Also, 3389 is the default RDP port – but it can be reassigned.

            • #1914997 Reply
              NetDef
              AskWoody_MVP

              NLA requires that the user be authenticated to the target workstation before a RDP session is created on that target. When NLA is NOT enabled, queries to port 3389 start the RDP session immediately, and then authentication is presented. That’s why Microsoft listed that as the first mitigation.

              Reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11)

              ~ Group "Weekend" ~

            • #1915318 Reply
              anonymous
              Guest

              Woody said:

              Also, 3389 is the default RDP port – but it can be reassigned.

              Since port 3389 is a long well-known port of entry for attack, I’d years ago changed the default RDP port 3389 to a random number X (where: 1025 ≤ X ≤ 65535, as long as it is not already in use). In addition, I use the firewall to block both port 3389 & port X.

              Qn: Can an attacker somehow (by remote brute force ?) reassign my customized RDP port number to some other available port number of the attacker’s choice, & then gain entry via the latter ?

      • #1914236 Reply
        GoneToPlaid
        AskWoody Plus

        I read that there were potential serious caveats when trying to install Powershell 5 on Win7 systems, and that specific steps had to be taken. This might be beyond the average user, and users might want a much simpler yet secure solution. I instead highly recommend installing the paid version of RealVNC if you need remote access to your computers. Here are the configuration settings for RealVNC which I use:

        I disabled allowing access via the RealVNC Java viewer since having Java installed is an inherent security risk. Instead, I must use the actual RealVNC program to remotely access my computers.

        I set a very strong password.

        I do not use VNC’s default Java port 5800 or HTTP port 5900 since these two ports are regularly scanned by hackers since they know that most users of RealVNC will not bother to change the default ports.

        I disallowed shared connections so that a hacker can’t try to log in if I am already logged in and remotely accessing one of my computers.

        I further configured RealVNC, via its Expert tab, with these following settings:

        AuthTimeout — 120 seconds (a user must authenticate the login attempt within 120 seconds)

        BlacklistThreshold — 5 failed login attempts (the max number of authorization attempts by an individual host, after which the host IP is blacklisted if all login attempts fail)

        BlacklistTimeout — 3600 seconds (If a host gets blacklisted, the host now must wait 15 minutes before trying to login again)

        Three or four years ago, the above settings successfully defeated an adept Russian hacker who tried for nearly three weeks to gain access using scripted commands, via VNC, to my computers. The hacker also tried all 65535 ports in order to try to gain access to my local network. The hacker eventually gave up and never tried again. I don’t recall the city to which I tracked the hacker’s IP address.

        RealVNC is a UK company which is not subject to the whims of the NSA.

        Note: I have no affiliations with RealVNC.

         

      • #1914344 Reply
        WildBill
        AskWoody Plus

        Here’s how it works for Win8.1 Home (no Premium):

        1. Since there’s no “My Computer”, click the File Explorer icon on the Desktop Taskbar. (If you’re on the Start screen [UWP apps], click Search, then enter “File Explorer” in the Search box & click File Explorer in the Search results.)
        2. At the top, click “Computer” to get the ribbon. On the ribbon, click “System properties” on the far right. Here’s the resulting screen: [screenshot attachment: Capture-1]
          On the left, click Remote Settings. You should be on the Remote tab, and the check box under Remote Assistance marked “Allow Remote Assistance connections to this computer” is probably checked. If it is, uncheck it and click OK.

        Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V2004. As long as it's a Lot Less Buggy!
        Wild Bill Rides Again...

        2 users thanked author for this post.
      • #1914366 Reply
        OscarCP
        AskWoody Plus

        From a previous discussion at Woody’s on this very issue, I came out with the idea that RDP was not a problem with Windows 7 Pro and higher, but only with Home (perhaps) or Server. Am I wrong?

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

        • #1914491 Reply
          Paul T
          AskWoody MVP

          RDP is a problem in all Windows versions. It is not required and should be turned off.

          cheers, Paul

          2 users thanked author for this post.
      • #1914496 Reply
        Paul T
        AskWoody MVP

        Checking Your RDP Status

        1. Go to the GRC page.
        2. Click Services > ShieldsUp.
        3. Click “Proceed”, in the middle of the page.
        4. Type “3389” in the text box in the middle of the screen.
        5. Click “User Specified Custom Port Probe”.

        A green “Passed” stamp is the correct response.
        If you get anything else pop in and ask us for help.

        cheers, Paul

        5 users thanked author for this post.
        • #1914689 Reply
          woody
          Da Boss

          YES. That’s the link I was looking for. Appreciate it!

          1 user thanked author for this post.
        • #1915325 Reply
          anonymous
          Guest

          Paul T said:

          4. Type “3389” in the text box in the middle of the screen.
          5. Click “User Specified Custom Port Probe”.

          Direct link to probe a single specific port (e.g. 3389 — or whatever custom number it has been reassigned to):  https://www.grc.com/x/portprobe=3389

          The ideal result should be: “Stealth” (green background), i.e. the port does NOT respond at all to probes, and thus seemingly does not exist. Any response (including telling the world that the port is closed) is not ideal.

          2 users thanked author for this post.
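A local counterpart to the external GRC probe described above, added here as an example and not part of the thread: it reads the two Remote tab settings from the registry (value names as documented by Microsoft), checks whether anything is actually listening on TCP 3389, and reports the Remote Desktop service state. A “Stealth” result from GRC can come from the router alone, so the local view is worth having as well. Assumes an elevated PowerShell on Windows 7 or later and English netstat output.

```powershell
# Added example (not from the AskWoody thread): read-only local check of the RDP and
# Remote Assistance settings the thread tells you to verify, to pair with the GRC probe.
# Run in an elevated PowerShell on Windows 7 or later (PowerShell 2.0 is enough).

function Get-RdpExposureReport {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

    # fDenyTSConnections = 1 is the "Don't allow connections to this computer" radio button
    $denyRdp = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # fAllowToGetHelp = 0 is the "Allow Remote Assistance connections" checkbox cleared
    $allowRa = (Get-ItemProperty -Path $ra -Name fAllowToGetHelp -ErrorAction SilentlyContinue).fAllowToGetHelp

    # The listener itself: netstat prints "TCP  0.0.0.0:3389  0.0.0.0:0  LISTENING  <pid>"
    $listener = netstat -ano -p tcp | Select-String -Pattern ':3389\s+\S+\s+LISTENING'
    $lpid = $null
    if ($listener) { $lpid = (@($listener)[0].Line.Trim() -split '\s+')[-1] }

    # TermService is the Remote Desktop Services service (also used by Remote Assistance)
    $svc = Get-WmiObject Win32_Service -Filter "Name='TermService'"

    New-Object PSObject -Property @{
        RdpDenied           = ($denyRdp -eq 1)
        RemoteAssistanceOff = ($allowRa -eq 0)
        Port3389Listening   = [bool]$listener
        ListenerPid         = $lpid
        TermServiceState    = $svc.State
        TermServiceStart    = $svc.StartMode
    }
}

$report = Get-RdpExposureReport
$report | Format-List
if (-not $report.RdpDenied -or $report.Port3389Listening) {
    Write-Warning 'RDP is still reachable locally: revisit System Properties > Remote, then re-run the GRC probe.'
}
```

If the GRC probe shows “Stealth” while this report shows a listener, the router is doing the blocking and the PC itself is still exposed to anything on the local network.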
      • #1914669 Reply
        anonymous
        Guest

        As a simple home PC user (2 PCs unaware of each other, but each wired connected to a router, which is in turn wired connected to my ISP’s cable modem) I block all incoming accesses in the Windows Firewall using the ‘Control Panel\All Control Panel Items\Windows Firewall\Customise Setting’ window by ticking the ‘Block all incoming connections, including those in the list of allowed applications’ options for both Private and Public networks. Hopefully this more global setting includes the specific RDP port setting described in comments above?

        (I also tick the 2 ‘Notify me …’ boxes expecting to be prompted if anything attempts incoming access, but I have not seen anything in the 5 years or so since I started using Windows Firewall, which I hope is a good sign?)

        Note: Firefox adds ‘allow incoming access’ rules on installation. I don’t know why (possibly to do with settings sync-ing which I don’t use?), but as a Firefox user I have seen no side-effect of the global blocking override. Similarly my HP printer s/w adds ‘allow incoming access’ rules, but I connect each PC independently to the printer using a USB cable on the rare occasions that I print to paper (or more commonly scan from paper) so again I have seen no side-effect there either.

        As of mid-2016 I have also setup a policy to enforce this, which being a “policy” I assume will be even harder than just the Control Panel setting? As this was originally done on a W7 Home Premium PC without Group Policy Editor I don’t know the settings for gpedit, but in the Registry directly I have the keys ‘HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile’ and ‘…\PrivateProfile’ each with the sub-keys “DoNotAllowExceptions” DWORD set to 1 and “DisableNotifications” DWORD set to 0.

        (On a 64-bit PC I also have these sub-keys in the keys ‘HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Wow6432Node\Microsoft\WindowsFirewall\PublicProfile’ and ‘…\PrivateProfile’, but I don’t know if these Wow6432Node versions are strictly necessary? Or just belt-and-braces?)

        HTH. Garbo.

        PS: On a similar theme but slightly off-topic, not doing any local networking I also ‘Disable NetBIOS over TCP/IP’ for both wired and wireless connections and Disable the ‘TCP/IP NetBIOS Helper’ service. This is on recommendation of the Steve Gibson (GRC) ‘Shields Up’ firewall testing site, which describes such a setting as “unusual” but “cool” (or something similar – I forget the exact words).

        To do this go to ‘Control Panel\All Control Panel Items\Network and Sharing Center\Change adapter settings’ (link on the LHS). For each of the network adapters (wired or wireless), right click and select Properties. In the list select ‘Internet Protocol Version 4’ so that the Properties button becomes available and click it. In the new window select Advanced. In the 2nd new window select WINS and in the 3rd new window the NetBIOS options are at the bottom. Select ‘Disable NetBIOS over TCP/IP’ and OK for each of these windows. Repeat for each adapter.

        To disable the service, (on the desktop if enabled or) in explorer right click on ‘This PC’ (in W8.1 or the equivalent in W7 or W10) and select ‘Manage’ to open the Computer Management window. Select ‘Services and Applications’, select Services, scroll down to ‘TCP/IP NetBIOS Helper’, highlight, right click and select Properties and change ‘Startup type’ to Disabled (and stop the service if it is running?) and OK.

        PPS: I forget if you need to restart the PC for any of these changes to take effect, but it cannot do any harm to restart 🙂

         

        • #1914823 Reply
          Larry B
          AskWoody Plus

          Note: Firefox adds ‘allow incoming access’ rules on installation. I don’t know why (possibly to do with settings sync-ing which I don’t use?), but as a Firefox user I have seen no side-effect of the global blocking override. Similarly my HP printer s/w adds ‘allow incoming access’ rules, but I connect each PC independently to the printer using a USB cable on the rare occasions that I print to paper (or more commonly scan from paper) so again I have seen no side-effect there either.

          Where is that setting?

           

          Thanks

          • #1914874 Reply
            anonymous
            Guest

            I don’t know which “setting” you are referring to wrt the clip you copied from my comment above, but the Firefox and HP Printer installers added the inbound allow access rules to Windows Firewall (WF) without asking or informing me (as far as I can remember). It was only by chance when I looked at the WF settings sometime later that I spotted these allow rules.

            To see the WF inbound rules (if that is what you are asking me?), in the Control Panel select the “Windows Firewall” option and then the “Advanced settings” option on the left hand side (LHS). In the “Windows Firewall with Advanced Security” window which opens, in the LHS pane select Inbound Rules and the middle pane shows the rules. By default this is all rules whether these are enabled or not. You can use the “Filter by State” options on the RHS pane to just display a subset of rules if you prefer.

            I had deleted my HP Printer inbound rules after installation – it is an old printer and I don’t expect to have any communications with HP about it and I connect it to a PC using a USB cable. I forget if I also deleted the Firefox rule(s) as well, but present now is a Disabled “allow” rule for C:\Program Files\Mozilla Firefox\firefox.exe for the Private profile (which makes me think that this is intended for some communication between Firefox instances on different PCs in a local network, not via the wider internet which I assume would need a  Public profile inbound rule?) and the TCP protocol for all Ports. I don’t remember if I disabled this Firefox rule or if the Firefox installer did – sorry!

            Anyway my main point was that I expect the “Block all incoming connections …” setting to override any enabled inbound “allow” rules setup here for anything, but in several years of experience with this setting I have seen no side-effects. Again my usual caveat: I’m just a simple PC user not attempting any complicated local networking 🙂

            HTH. Garbo.

             

            1 user thanked author for this post.
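The settings described in the two posts above (the firewall policy keys, the inbound allow rules that installers add, and the NetBIOS-over-TCP/IP disable), as a read-only audit script. This is an added example, not code from the thread; the registry value meanings are Microsoft's documented ones, and the rule parser assumes English netsh output. Only the native policy path is read; the Wow6432Node copies the post mentions are not consulted, and the netsh policy line shows what the firewall actually enforces.

```powershell
# Added example (not from the AskWoody thread): read-only audit of the firewall policy keys,
# the enabled inbound allow rules and the NetBIOS-over-TCP/IP settings discussed above.
# Run in an elevated PowerShell on Windows 7 or later (netsh/WMI keep it PowerShell 2.0 friendly).

function Get-FirewallBlockAllPolicy {
    # Policy path from the post: DoNotAllowExceptions 1 = "Block all incoming connections",
    # DisableNotifications 0 = the "Notify me" boxes stay ticked.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    foreach ($prof in 'PublicProfile', 'PrivateProfile') {
        $p = Get-ItemProperty -Path "$base\$prof" -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Profile              = $prof
            DoNotAllowExceptions = $p.DoNotAllowExceptions
            DisableNotifications = $p.DisableNotifications
        }
    }
    # What the engine enforces: "BlockInboundAlways" means every enabled inbound allow
    # rule (Firefox, HP, RDP alike) is overridden, which answers the question in the post.
    netsh advfirewall show allprofiles | Select-String 'Profile Settings|Firewall Policy'
}

function Get-EnabledInboundAllowRules {
    # Same data as the "Inbound Rules" pane; netsh prints Rule Name first and Action last.
    $rules = @(); $cur = @{}
    netsh advfirewall firewall show rule name=all dir=in | ForEach-Object {
        if ($_ -match '^Rule Name:\s*(.+)$')    { $cur = @{ Name = $matches[1].Trim() } }
        elseif ($_ -match '^Enabled:\s*(\S+)')  { $cur.Enabled = $matches[1] }
        elseif ($_ -match '^Action:\s*(\S+)')   { $cur.Action = $matches[1]; $rules += New-Object PSObject -Property $cur }
    }
    $rules | Where-Object { $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' }
}

function Get-NetBiosStatus {
    # NetbiosOptions per adapter: 0 = let DHCP decide, 1 = enabled, 2 = "Disable NetBIOS over TCP/IP"
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' | ForEach-Object {
        $v = (Get-ItemProperty $_.PSPath).NetbiosOptions
        New-Object PSObject -Property @{ Interface = $_.PSChildName; NetbiosOptions = $v; Disabled = ($v -eq 2) }
    }
    # "TCP/IP NetBIOS Helper" is the lmhosts service; StartMode should read Disabled
    Get-WmiObject Win32_Service -Filter "Name='lmhosts'" | Select-Object DisplayName, State, StartMode
}

Get-FirewallBlockAllPolicy
Get-EnabledInboundAllowRules | Format-Table -AutoSize
Get-NetBiosStatus
```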
      • #1914826 Reply
        Larry B
        AskWoody Plus

        I use Teamviewer to remotely update a friend’s PC.  Will changing the setting for a Win 7 HP SP1 remote assistance not allow me to use Teamviewer?  This question is for both my PC and the friend’s PC.

        Thanks

        • #1914851 Reply
          Paul T
          AskWoody MVP

          TeamViewer does not use RDP or the RDP port. You can continue to use TV without issue.

          cheers, Paul

          1 user thanked author for this post.
        • #1915288 Reply
          NetDef
          AskWoody_MVP

          I use Teamviewer to remotely update a friend’s PC.  Will changing the setting for a Win 7 HP SP1 remote assistance not allow me to use Teamviewer?  This question is for both my PC and the friend’s PC.

          Thanks

          TeamViewer on Windows, on both the client and the target, requires ports 80, 443 and 5938. It should be adding those exceptions to the Windows Firewall during install. On a home router, there is generally no need to make any special rules for TeamViewer to work.

          Disabling Windows RDP and Windows Remote Assistance, and blocking corresponding port 3389 will have no effect on TeamViewer.

          Source: https://community.teamviewer.com/t5/Knowledge-Base/Which-ports-are-used-by-TeamViewer/ta-p/4139

          ~ Group "Weekend" ~

      • #1915576 Reply
        anonymous
        Guest

        Thanks for the article – but I’ve got a quick question. On my computer, I’ve got two separate sections. The second is what was described in the article as “remote desktop”, and that’s marked off to “don’t allow connections”.

        The first one, though, isn’t mentioned specifically. It’s labeled “remote assistance” and by default seems to be set to “Allow remote assistance connections”.  From what I’ve read about it online, it seems more creepy than it’s worth (have someone else take over your computer? Really? Why do I feel like that can’t possibly end well). I’ve never had reason to use a service like that; the closest I’ve come (and it’s pretty far off) is to have the computer check its own systems for problems, have my antivirus program run scans, or have the computer check why my internet connection isn’t working.

        I’ve turned it off for now, but is that ok? Should this be turned off? If it affects your answer, I’m on Windows 7,  just a regular computer at home (not part of a business network or anything like that).

        Thanks!

        • #1915618 Reply
          Paul T
          AskWoody MVP

          Remote Assistance is not required and should be off.

          Why don’t you check your ports as suggested in post #1915325 above?

          cheers, Paul

      • #1916705 Reply
        bbearren
        AskWoody MVP

        Checking Your RDP Status
        1. Go to the GRC page.
        2. Click Services > ShieldsUp.
        3. Click “Proceed”, in the middle of the page.
        4. Type “3389” in the text box in the middle of the screen.
        5. Click “User Specified Custom Port Probe”.
        A green “Passed” stamp is the correct response. If you get anything else pop in and ask us for help.

        My port 3389 got the green stamp, it’s in full stealth mode.

        I’ve done none of the suggestions listed, I’m just fully updated by Windows Update.

        As for UPnP, I’ve been disabling that on my routers for a couple of decades.

        I use RDP routinely, almost daily, in fact.  It’s how I administer my home network.  I’ll keep using it.  If I get attacked, I’ll be sure to let everyone here know, right after I’ve restored my drive images to mitigate whatever.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
        "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      • #1916927 Reply
        anonymous
        Guest

        Off Topic But it’s really unfortunate non AskWoody Plus members can no longer use the Master Patch List.

        1 user thanked author for this post.
        • #1916951 Reply
          woody
          Da Boss

          I appreciate your concern, but….

          We’re trying hard to make enough money to keep the site (and the Patch List) going. This is the first step. Shortly — maybe early next week — we’ll be limiting the latest Newsletter to Plus members, also.

          I’ve waited more than six months to make the transition. Probably shouldn’t have waited that long.

          Keep in mind that we’re still on the donation model – you can choose how much to donate for a one year’s membership.

          1 user thanked author for this post.