Every week, I plan to share the vulnerabilities I encounter most often in industrial control systems, together with suggested solutions. In this week's article, I cover the Remote Desktop Service (RDP) vulnerability.
Vulnerability Name: Detecting RDP Service
Vulnerability Description: An active Remote Desktop Service (RDP) listening on port 3389 on ICS components that run a Microsoft-based operating system.
Attack Vector: ICS Network
ICS MITRE ATT&CK ID: T0886
ICS MITRE ATT&CK Tactics: Initial Access, Lateral Movement
ICS MITRE ATT&CK Platforms: Control Server, Engineering Workstation, Human-Machine Interface (HMI)
Detecting vulnerability: An Nmap discovery scan of the IP blocks in the network shows whether RDP port 3389 is open on a host.
Detection Tools and Command: Nmap, # nmap -A -p3389 {IP Address}
Suggested Solution: Remote access services increase the attack surface of the local network. If the service is not used, it must be disabled. If its use is necessary, access should be restricted to allowed IP blocks only, enforced either by access-list rules on the switch the host is connected to or by firewall rules. Another option is to implement access control on the host itself.
Related Documentation of Mitigation Actions:
http://ssg.cs.ucdavis.edu/services/security/disabling-rdp-in-windows
https://www.isumsoft.com/windows-2008/enable-disable-remote-desktop-on-windows-server-2008-r2.html
Security Event Logs: If you have a SIEM solution, the event logs to follow for RDP security are as follows:
Network Connection, EventID: 1149
Logon, EventID: 21, 22
Authentication, EventID: 4624, 4625
Session Disconnect/Reconnect, EventID: 24, 25, 39, 40, 4778, 4799
Logoff, EventID: 23, 4634
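As an added example (not part of the original article), the following script applies the two ideas above, the allowed-IP-block rule from the suggested solution and the event IDs listed for SIEM monitoring, to a few constructed sample events: it flags RDP connections (EventID 1149) from sources outside a hypothetical allow-list and bursts of failed RDP logons (EventID 4625 with LogonType 10). The allow-list, host names, and events are all assumptions made up for the example.

```python
import ipaddress
from collections import Counter

# Event IDs the article lists for RDP monitoring, grouped by what they signal.
RDP_EVENT_IDS = {
    "network_connection": {1149},
    "logon": {21, 22},
    "authentication": {4624, 4625},
    "session": {24, 25, 39, 40, 4778, 4799},
    "logoff": {23, 4634},
}

# Hypothetical allow-list: the IP blocks from which RDP access is permitted.
ALLOWED_BLOCKS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed sample events (not real logs): minimal fields a SIEM would forward.
# LogonType 10 is Windows' RemoteInteractive logon, i.e. an RDP logon.
SAMPLE_EVENTS = [
    {"EventID": 1149, "Host": "HMI-01", "SourceIP": "10.10.5.23", "User": "operator"},
    {"EventID": 4624, "Host": "HMI-01", "SourceIP": "10.10.5.23", "User": "operator", "LogonType": 10},
    {"EventID": 1149, "Host": "EWS-02", "SourceIP": "192.168.77.9", "User": "admin"},
    {"EventID": 4625, "Host": "EWS-02", "SourceIP": "192.168.77.9", "User": "admin", "LogonType": 10},
    {"EventID": 4625, "Host": "EWS-02", "SourceIP": "192.168.77.9", "User": "admin", "LogonType": 10},
    {"EventID": 4625, "Host": "EWS-02", "SourceIP": "192.168.77.9", "User": "admin", "LogonType": 10},
    {"EventID": 4634, "Host": "HMI-01", "SourceIP": "10.10.5.23", "User": "operator"},
    {"EventID": 4672, "Host": "HMI-01", "SourceIP": "", "User": "SYSTEM"},  # not in the RDP list
]

def is_allowed(ip):
    """True if ip falls inside one of the allowed blocks; malformed values are never allowed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_BLOCKS)

def analyze(events, fail_threshold=3):
    """Return alert strings: RDP activity from outside the allow-list and failed-logon bursts."""
    alerts = []
    failures = Counter()
    for ev in events:
        eid = ev["EventID"]
        if not any(eid in ids for ids in RDP_EVENT_IDS.values()):
            continue  # ignore events the article does not list
        src = ev.get("SourceIP", "")
        if eid in RDP_EVENT_IDS["network_connection"] and not is_allowed(src):
            alerts.append(f"RDP connection to {ev['Host']} from non-allowed source {src}")
        if eid == 4625 and ev.get("LogonType") == 10:
            failures[(ev["Host"], src, ev["User"])] += 1
    for (host, src, user), n in failures.items():
        if n >= fail_threshold:
            alerts.append(f"{n} failed RDP logons for {user} on {host} from {src}")
    return alerts
```

Running analyze(SAMPLE_EVENTS) yields one alert for the connection from 192.168.77.9 and one for its three failed logons; the allowed operator session on HMI-01 produces nothing.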