Dana Epp

Why you should not allow direct RDP to your Azure infrastructure

Last month McAfee published a great article on how organizations leave backdoors open to cheap Remote Desktop Protocol (RDP) attacks. While researching underground hacker marketplaces, the McAfee Advanced Threat Research team discovered that access linked to the security and building automation systems of a major international airport could be bought for only US$10.

The dark web contains RDP shops: online platforms selling Remote Desktop Protocol (RDP) access to hacked machines, from which one can buy logins to computer systems that could cripple cities and bring down major companies. These shops include compromised IaaS hosts in Azure. I saw one server hosting a web application that connects to an Azure SQL database... which means there is a good chance that RDP access will end up revealing its database credentials and connection strings to an attacker *groan*

(Yes, I've already reported this to Microsoft)

Microsoft offers guidance on how to connect and log on to an Azure virtual machine running Windows safely. But that doesn't mean you should hang port 3389 out for the whole world to see.

When you set up RDP access, you should be connecting to Azure over ExpressRoute or a Site-to-Site VPN connection. Microsoft is clear about this. But nothing prevents you from assigning a public IP address to a VM in Azure and exposing the port.

Stop the insanity! If you must use RDP and can't create a trusted network connection with ExpressRoute or a VPN, at the very least use a Network Security Group (NSG) and restrict inbound TCP 3389 to your own IP address only. Then consider joining the machines to Azure AD so you can benefit from the strong authentication options it provides. Hell, that isn't just for RDP; you can now use Azure AD with your Linux VMs too.

You should regularly audit your NSG rules, looking for any exposure of port 3389. Use the Azure Activity Log to audit NSG changes and receive notifications when a rule is altered, and use NSG diagnostic logging to track what traffic the rules actually see. And it never hurts to do an external port scan with Nmap. Personally I use an Azure Container Instance (ACI) of a custom container I built that spins up and scans our hosts regularly for me.
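Here is what that audit looks like in code, as an added example that is not from the original post and not a Microsoft tool: a small Python script that walks an NSG's inbound rules in priority order the way Azure does (first match wins, default rules appended last) and reports whether an arbitrary Internet host can reach tcp/3389. The rule dictionaries use the field names Azure returns for security rules (the shape of `az network nsg rule list -o json`); the four sample NSGs, including one locked to a single admin IP as recommended above, are constructed for this example, and the 203.0.113.10 address is a documentation address, not a real one.

```python
"""Audit an Azure NSG for RDP (tcp/3389) reachable from the Internet.

Added example, not code from the original post. Rule dicts use the field
names Azure returns for NSG security rules; the sample NSGs are constructed.
"""
import ipaddress

RDP_PORT = 3389

# Azure evaluates these default inbound rules after any user-defined rule.
DEFAULT_INBOUND_RULES = [
    {"name": n, "priority": p, "direction": "Inbound", "access": a, "protocol": "*",
     "sourceAddressPrefix": s, "destinationPortRange": "*"}
    for n, p, a, s in [("AllowVnetInBound", 65000, "Allow", "VirtualNetwork"),
                       ("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer"),
                       ("DenyAllInBound", 65500, "Deny", "*")]
]


def _field(rule, singular, plural):
    """A rule carries either a single value or a list; normalise to a list."""
    if rule.get(plural):
        return list(rule[plural])
    return [rule[singular]] if rule.get(singular) else []


def port_in_ranges(port, ranges):
    """True if `port` is covered by an entry such as "*", "3389" or "3000-4000"."""
    for entry in ranges:
        entry = entry.strip()
        if entry == "*":
            return True
        low, _, high = entry.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def source_is_internet(prefixes):
    """True if the source covers an arbitrary host on the Internet.

    "*", the Internet service tag and any /0 CIDR do; other service tags
    (VirtualNetwork, AzureLoadBalancer) and specific CIDRs do not.
    """
    for prefix in prefixes:
        token = prefix.strip().lower()
        if token in ("*", "internet"):
            return True
        try:
            if ipaddress.ip_network(token, strict=False).prefixlen == 0:
                return True
        except ValueError:
            pass  # service tag or malformed entry: not the open Internet
    return False


def deciding_rule(rules, port=RDP_PORT):
    """First inbound rule, by priority, matching TCP/`port` from the Internet.

    Azure stops at the first match, so a Deny with a lower priority number
    shadows a later Allow. Default rules are appended so every flow gets a verdict.
    """
    inbound = [r for r in list(rules) + DEFAULT_INBOUND_RULES
               if r.get("direction", "").lower() == "inbound"]
    for rule in sorted(inbound, key=lambda r: int(r["priority"])):
        if rule.get("protocol", "*").lower() not in ("*", "tcp"):
            continue
        if not port_in_ranges(port, _field(rule, "destinationPortRange", "destinationPortRanges")):
            continue
        if not source_is_internet(_field(rule, "sourceAddressPrefix", "sourceAddressPrefixes")):
            continue
        return rule
    return None


def rdp_exposed(rules):
    """True when an Internet host can reach tcp/3389 through this NSG."""
    rule = deciding_rule(rules)
    return rule is not None and rule["access"].lower() == "allow"


# Constructed samples. OPEN_NSG mirrors an "allow RDP from Any" rule; LOCKED_NSG
# is the single-admin-IP rule recommended above (RFC 5737 documentation address).
OPEN_NSG = [
    {"name": "RDP", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "TCP", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
]
LOCKED_NSG = [
    {"name": "AllowRdpFromAdmin", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["203.0.113.10/32"],
     "destinationPortRanges": ["3389"]},
]
# A broad port range from 0.0.0.0/0 exposes 3389 even though "3389" never appears.
RANGE_NSG = [
    {"name": "AllowMgmtRange", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "3000-4000"},
]
# An explicit Deny with a lower priority number shadows the open Allow behind it.
SHADOWED_NSG = [
    {"name": "DenyRdpFromInternet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "AllowAll", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for label, nsg in [("open", OPEN_NSG), ("locked", LOCKED_NSG),
                       ("range", RANGE_NSG), ("shadowed", SHADOWED_NSG)]:
        verdict = "EXPOSED" if rdp_exposed(nsg) else "closed"
        print(f"{label:9s} tcp/3389 from Internet -> {verdict} (rule: {deciding_rule(nsg)['name']})")
```

To run this against a real NSG, feed `deciding_rule()` the list that `az network nsg rule list -g <rg> --nsg-name <nsg> -o json` returns; a grep for the literal string "3389" misses both the port-range case and the any-port "AllowAll" case, which is why the script matches ports by range and walks rules in priority order instead.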

Audit and ensure you aren't hanging your ass(ets) out to dry... or risk becoming inventory in these RDP shops.