
I tend to use Windows Remote Desktop rather than TeamViewer when performing any remote administration on clients' computers.

Remote Desktop, in my experience, has the following benefits:

  • It’s built in and therefore there’s no need for the client to install software.
  • It’s faster.
  • You avoid problems with User Account Control.

There is, of course, a downside: if the client does not have a static IP address you will need to set up a dynamic DNS host name. This is no real problem, as companies such as DynDNS offer the service cheaply and most modern ADSL modems support it.

The real downside, of course, is opening a port on your work router. It wasn't until recently that I appreciated how much of a risk this is and how fundamentally important it is to maintain strong passwords for Remote Desktop access.

A client of mine had their Remote Desktop connection accessed by unwanted visitors. In this case, although it was a security breach, the access was by former employees wanting to use specific software.

I was asked to check the logs to create a report which could be given to the police to check the logged IP addresses. What I found there was initially disturbing.

 

The above picture is a screen capture of an entry in one of the event logs for Remote Desktop connections. Remote Desktop event logs are kept in Event Viewer under
Windows Applications and Services Logs -> Microsoft -> Windows -> Terminal Services -> RemoteConnectionManager
and
Windows Applications and Services Logs -> Microsoft -> Windows -> Terminal Services -> LocalSessionManager.

Further examination of the RemoteConnectionManager log showed hundreds of entries from unknown and unwanted IP addresses saying
Remote Desktop Services: User authentication succeeded:
but with no matching entry in the LocalSessionManager log. What this indicates is that someone on a remote machine, using an RDP client that does not support Network Level Authentication (e.g. an Ubuntu RDP client), was trying to guess a username and log in. Event Viewer logged the event as successful, but the user of course could not actually log in.
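To spot this pattern on a machine, here is an added PowerShell example (my addition, not from the original post) that reads the two logs named above and lists source addresses that produced "User authentication succeeded" entries but never created a session. It assumes event ID 1149 in the RemoteConnectionManager Operational log, IDs 21 and 25 (logon and reconnect) in the LocalSessionManager Operational log, and that the client address is the third data field of each event; adjust the indices if your Windows version lays the fields out differently.

```powershell
# Added example, not from the original post. Assumed log names and event IDs:
#   1149 = RemoteConnectionManager "User authentication succeeded"
#   21/25 = LocalSessionManager "Session logon succeeded" / "reconnection succeeded"
$rcmLog = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$lsmLog = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$since  = (Get-Date).AddDays(-7)   # look back one week; widen as needed

# RemoteConnectionManager 1149: field 1 = user, field 2 = domain, field 3 = source address
$auths = Get-WinEvent -FilterHashtable @{LogName=$rcmLog; Id=1149; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time = $_.TimeCreated
            User = $_.Properties[0].Value
            Addr = $_.Properties[2].Value
        }
    }

# LocalSessionManager 21/25 are the genuine sessions: field 3 = client address
$logonAddrs = Get-WinEvent -FilterHashtable @{LogName=$lsmLog; Id=21,25; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[2].Value } |
    Sort-Object -Unique

# An "authentication succeeded" entry from an address that never produced a
# session in the LSM log is exactly the pattern described above: a non-NLA
# client probing usernames, not a real logon.
$auths |
    Where-Object { $logonAddrs -notcontains $_.Addr } |
    Group-Object Addr |
    Sort-Object Count -Descending |
    Select-Object @{n='SourceAddress'; e={$_.Name}},
                  Count,
                  @{n='FirstSeen'; e={($_.Group.Time | Measure-Object -Minimum).Minimum}},
                  @{n='LastSeen';  e={($_.Group.Time | Measure-Object -Maximum).Maximum}},
                  @{n='UsersTried'; e={($_.Group.User | Sort-Object -Unique) -join ', '}} |
    Format-Table -AutoSize
```

The output is a per-address count of failed probes with the usernames that were attempted, which is the kind of list that can be handed to the police or used to decide which accounts need stronger passwords. Run it again after enforcing Network Level Authentication to confirm the noise has gone.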

A successful login would have an entry in the LocalSessionManager log similar to the screenshot below.

As I have continued examining the logs on other machines I have had a similar experience on every machine that had Remote Desktop enabled. There are attempts from unwanted IP addresses, and if you have weak usernames and passwords your machine will be compromised.

Two policies I now implement are to only allow access from computers using Network Level Authentication and to ensure that the passwords for Remote Desktop users are very strong.
