Every week, I plan to share with you the vulnerabilities and solution suggestions that I encounter most in industrial control systems (ICS). In this week's article, I cover exposure of the Remote Desktop Protocol (RDP) service.

Vulnerability Name: Exposed Remote Desktop (RDP) Service

Vulnerability Description: The Remote Desktop Protocol (RDP) service is listening on TCP port 3389 on ICS components that run a Microsoft Windows operating system (HMIs, engineering workstations, control servers).

Attack Vector: ICS Network

ICS MITRE ATT&CK ID: T0886

ICS MITRE ATT&CK Tactics: Initial Access, Lateral Movement

ICS MITRE ATT&CK Platforms: Control Server, Engineering Workstation, Human-Machine Interface (HMI)

Detecting the vulnerability: An Nmap discovery scan of the IP blocks in the network shows which hosts have TCP port 3389 open.

Detection Tools and Command: Nmap, e.g. nmap -A -p 3389 {IP Address}. Note that -A turns on OS detection, version detection, script scanning and traceroute; on a production ICS network, limit active scans to the Windows hosts and to maintenance windows, because some PLCs and other embedded controllers do not tolerate unexpected probes. A lighter check that also reports whether Network Level Authentication (NLA) and TLS are enforced is nmap -sV -p 3389 --script rdp-enum-encryption,rdp-ntlm-info {IP Address}.
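Once a scan of whole IP blocks has been run, the question is which of the hosts with 3389 open are actually supposed to offer RDP. The following is an added example, not code from the original article: it parses Nmap's XML output (generate it with nmap -sV -p 3389 -oX rdp_scan.xml {IP block}) and compares the exposed hosts against an allowlist of approved RDP hosts or blocks. The XML and the allowlist are constructed for the example.

```python
# Added example: triage Nmap XML output for hosts exposing RDP (TCP/3389)
# and flag the ones that are not on an approved list. The sample XML below is
# constructed in Nmap's -oX element layout; APPROVED_RDP_HOSTS is an assumption.
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -p 3389 -oX - 10.10.20.0/29" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.10.20.10" addrtype="ipv4"/>
<hostnames><hostname name="hmi-01" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
<service name="ms-wbt-server" product="Microsoft Terminal Services" method="probed" conf="10"/></port></ports>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="10.10.20.11" addrtype="ipv4"/>
<hostnames/>
<ports><port protocol="tcp" portid="3389"><state state="closed" reason="reset"/>
<service name="ms-wbt-server" method="table" conf="3"/></port></ports>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="10.10.20.30" addrtype="ipv4"/>
<hostnames><hostname name="eng-ws-02" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
<service name="ms-wbt-server" product="Microsoft Terminal Services" method="probed" conf="10"/></port></ports>
</host>
</nmaprun>
"""

# Hosts (or CIDR blocks) that are allowed to run RDP, e.g. a jump host in the
# management VLAN. Assumed allowlist for this example.
APPROVED_RDP_HOSTS = ["10.10.20.30"]


def rdp_exposed_hosts(nmap_xml: str, port: str = "3389") -> list:
    """Return one record per host whose TCP port `port` Nmap reports as open."""
    root = ET.fromstring(nmap_xml.encode("utf-8"))
    found = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for p in host.iter("port"):
            state = p.find("state")
            if (p.get("protocol") == "tcp" and p.get("portid") == port
                    and state is not None and state.get("state") == "open"):
                name = host.find("hostnames/hostname")
                svc = p.find("service")
                found.append({
                    "ip": addr.get("addr"),
                    "hostname": name.get("name") if name is not None else "",
                    "product": svc.get("product", "") if svc is not None else "",
                })
    return found


def unapproved_rdp(hosts: list, approved: list) -> list:
    """IPs with RDP open that fall outside the approved IPs/CIDR blocks."""
    nets = [ipaddress.ip_network(a, strict=False) for a in approved]
    return [h["ip"] for h in hosts
            if not any(ipaddress.ip_address(h["ip"]) in n for n in nets)]


if __name__ == "__main__":
    exposed = rdp_exposed_hosts(SAMPLE_NMAP_XML)
    for h in exposed:
        print(f"{h['ip']:15} {h['hostname'] or '-':12} {h['product']}")
    print("Unapproved RDP exposure:", unapproved_rdp(exposed, APPROVED_RDP_HOSTS))
```

Feed it the real rdp_scan.xml and your own approved list; every address it prints is either an undocumented remote-access path or a host whose RDP should be disabled.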

Suggested Solution: Remote access services increase the attack surface on the local network. If the service is not needed, disable it (on Windows via System Properties > Remote, or by setting fDenyTSConnections to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server). If it is necessary, allow access only from the approved IP blocks, for example the jump hosts in the management network, and enforce that with access-list rules on the switch the host is connected to or with firewall rules at the zone boundary. Complement this with access control on the host itself: scope the Windows Firewall "Remote Desktop (TCP-In)" rule to those remote addresses, require Network Level Authentication, and keep membership of the Remote Desktop Users group to the accounts that actually need it.

Related Documentation of Mitigation Actions:

http://ssg.cs.ucdavis.edu/services/security/disabling-rdp-in-windows

https://it.stonybrook.edu/news/articles/protect-your-windows-computer-by-disabling-the-remote-desktop-protocol-rdp-service

https://www.isumsoft.com/windows-2008/enable-disable-remote-desktop-on-windows-server-2008-r2.html

Security Event Logs: If you have a SIEM solution, these are the Windows event logs to collect and watch for RDP activity (log channel in parentheses):

Network Connection, EventID: 1149 (Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational; records the client source IP, and with NLA enabled it means the client has already authenticated)

Logon, EventID: 21, 22 (Microsoft-Windows-TerminalServices-LocalSessionManager/Operational)

Authentication, EventID: 4624, 4625 (Security; successful RDP sessions show Logon Type 10, while NLA pre-authentication, including failed password guesses, is logged with Logon Type 3)

Session Disconnect/Reconnect, EventID: 24, 25, 39, 40 (Microsoft-Windows-TerminalServices-LocalSessionManager/Operational); 4778, 4779 (Security)

Logoff, EventID: 23 (Microsoft-Windows-TerminalServices-LocalSessionManager/Operational); 4634 (Security)
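Collecting the event IDs is only half of the work; the SIEM still needs rules that turn them into alerts. The following added example (not part of the original article) shows the three correlations that matter most for RDP on ICS hosts, run over a constructed set of normalised Windows events: a session or connection event from a source outside the approved blocks, a burst of 4625 failures from one source, and a 4624 that follows such a burst. The field names, the allowlist and the thresholds are assumptions; adapt them to your SIEM's schema.

```python
# Added example: SIEM-style correlation over the RDP event IDs listed above.
# SAMPLE_EVENTS is constructed; ALLOWED_SOURCES, FAILURE_THRESHOLD and the
# field names are assumptions for the example.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

ALLOWED_SOURCES = ["10.10.100.0/24"]   # e.g. jump hosts in the management VLAN
FAILURE_THRESHOLD = 5                  # this many 4625s from one source ...
FAILURE_WINDOW = timedelta(minutes=5)  # ... within this window = password guessing

LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

SAMPLE_EVENTS = [
    # normal session from the jump host
    {"time": "2024-03-05T08:00:01", "host": "HMI-01", "channel": "Security",
     "event_id": 4624, "logon_type": 10, "user": "ops1", "src_ip": "10.10.100.5"},
    {"time": "2024-03-05T08:00:01", "host": "HMI-01", "channel": LSM,
     "event_id": 21, "user": "ops1", "src_ip": "10.10.100.5"},
    # connection from an address outside the allowed blocks
    {"time": "2024-03-05T09:12:44", "host": "ENG-WS-02", "channel": RCM,
     "event_id": 1149, "user": "engineer", "src_ip": "192.168.7.23"},
    # password guessing against the HMI (NLA failures are Logon Type 3) ...
    *[{"time": f"2024-03-05T10:30:{s:02d}", "host": "HMI-01", "channel": "Security",
       "event_id": 4625, "logon_type": 3, "user": u, "src_ip": "10.10.20.77"}
      for s, u in enumerate(["administrator", "admin", "operator", "hmi", "scada", "root"])],
    # ... followed by a successful RemoteInteractive logon
    {"time": "2024-03-05T10:31:10", "host": "HMI-01", "channel": "Security",
     "event_id": 4624, "logon_type": 10, "user": "operator", "src_ip": "10.10.20.77"},
]

SESSION_EVENTS = {1149, 21, 4624}  # someone reached or obtained an RDP session


def _ts(e):
    return datetime.fromisoformat(e["time"])


def _allowed(ip, blocks):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(b) for b in blocks)


def _is_rdp(e):
    # Security-log events count only for RemoteInteractive (10) or NLA
    # pre-auth network (3) logons; the TerminalServices channels always count.
    if e["channel"] == "Security":
        return e.get("logon_type") in (3, 10)
    return e["channel"].startswith("Microsoft-Windows-TerminalServices")


def detect_rdp_alerts(events, allowed_sources=ALLOWED_SOURCES):
    """Return (rule, host, src_ip, detail) tuples in chronological order."""
    alerts = []
    failures = defaultdict(list)   # (host, src_ip) -> timestamps of recent 4625s
    brute_forced = set()
    for e in sorted(events, key=_ts):
        if not _is_rdp(e):
            continue
        src, key = e["src_ip"], (e["host"], e["src_ip"])
        if e["event_id"] in SESSION_EVENTS and not _allowed(src, allowed_sources):
            alerts.append(("rdp_from_unapproved_source", e["host"], src, e["user"]))
        if e["event_id"] == 4625:
            failures[key] = [t for t in failures[key] + [_ts(e)]
                             if _ts(e) - t <= FAILURE_WINDOW]
            if len(failures[key]) >= FAILURE_THRESHOLD and key not in brute_forced:
                brute_forced.add(key)
                alerts.append(("rdp_bruteforce", e["host"], src,
                               f"{len(failures[key])} failures"))
        if e["event_id"] == 4624 and key in brute_forced:
            alerts.append(("rdp_success_after_bruteforce", e["host"], src, e["user"]))
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_alerts(SAMPLE_EVENTS):
        print(*a)
```

The allowlist check is the rule that pays off most in an ICS network: once RDP is restricted to the management blocks as suggested above, any 1149, 21 or Logon Type 10 4624 from another address is by definition a policy violation, whether or not it was a brute-force attempt.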