Finding and Monitoring RDP and VNC with Censys
Over the holidays, we added data for remote desktop protocol (RDP) and virtual network computing (VNC) to Censys. Now you can search for any RDP or VNC clients that are online and tied to your organization and ensure that they’re locked down appropriately. These remote desktop instances are basically a front door to your organization and it’s essential that they require strong user credentials and authentication measures to protect them from unauthorized user access.
There are quite a few known attacks where malicious actors use RDP to gain access, most often either by finding and using login credentials and expanding their access across the organization or by hijacking a highly privileged account session. Mitre.org came up with a good list of some of these known attacks and provides some mitigation tips. Our basic RDP and VNC protection techniques are at the bottom of this article.
Searching Censys for RDP and VNC servers
So, get searching on Censys to find all your RDP and VNC servers and make sure you’re not an easy target for attackers. In Censys, RDP is port 3389 and VNC is on ports 5900-5903.
The next step is to go through each of these servers and make sure you’re following best practices for RDP and VNC servers. If you find anything that’s wide open, unused or insecure, either secure it immediately or take it offline to prevent unauthorized access.
Best practices for securing RDP and VNC servers include:
- Require strong authentication on the server (username and unique, strong password plus two-factor authentication)
- Restrict access to VNC and RDP servers to your VPN
- Minimize who has administrative access
- Enforce lockout policies after unsuccessful login attempts
- Use network level authentication, if available (RDP only)
- Take advantage of RDP Gateways to reduce the number of Internet-accessible entry points
- Employ firewalls to block regions or users who meet certain “risky” criteria
- As always, make sure your RDP and VNC server and client software is patched and up-to-date
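As an added example (not Censys’s own code or API), here is a small triage script that walks a host export, flags anything exposing RDP on 3389 or VNC on 5900-5903, skips hosts on an approved RDP Gateway list, and attaches the checklist items above that need verifying. The export format, field names, IP addresses and gateway list are all constructed for this example.

```python
import json
from typing import Dict, List, Set

# Port assignments as given in the text: RDP on 3389, VNC on 5900-5903.
RDP_PORTS = {3389}
VNC_PORTS = set(range(5900, 5904))  # 5900-5903 inclusive

# Constructed sample export: one JSON object per line with ip + open ports.
# The field names are an assumption for this example, not a real Censys schema.
SAMPLE_EXPORT = """
{"ip": "198.51.100.10", "ports": [443, 3389]}
{"ip": "198.51.100.11", "ports": [22, 5900, 5901]}
{"ip": "198.51.100.12", "ports": [80, 443]}
{"ip": "198.51.100.20", "ports": [443, 3389]}
"""

# Constructed: the organisation's RDP Gateway, the one host allowed to expose RDP.
APPROVED_GATEWAYS = {"198.51.100.20"}

# Checklist items every exposed remote-desktop host must be verified against.
BASE_CHECKS = ["strong password + 2FA", "restricted to VPN", "lockout policy", "patched"]


def triage_exposures(export: str, approved: Set[str]) -> List[Dict]:
    """Return one finding per host exposing RDP/VNC that is not an approved gateway."""
    findings = []
    for line in export.strip().splitlines():
        host = json.loads(line)
        ip = host["ip"]
        open_ports = set(host["ports"])
        rdp = sorted(open_ports & RDP_PORTS)
        vnc = sorted(open_ports & VNC_PORTS)
        if not rdp and not vnc:
            continue  # no remote desktop service on this host
        if ip in approved and not vnc:
            continue  # RDP on the gateway is expected; VNC there would still be flagged
        checks = list(BASE_CHECKS)
        if rdp:
            checks.append("network level authentication enabled")
        findings.append({"ip": ip, "rdp": rdp, "vnc": vnc, "verify": checks})
    return findings


if __name__ == "__main__":
    for finding in triage_exposures(SAMPLE_EXPORT, APPROVED_GATEWAYS):
        print(finding)
```

Feeding a real export through this means swapping the sample for the actual records and the gateway list for your own.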