Greetings friends and current Remote Desktop Commander users! We’ve just released Version 4.5 of our Remote Desktop Commander Suite, and Version 2.0 of our free RDS Log Viewer. Both tools have incredible new features focused around RDP security and Remote Desktop Gateway monitoring, so please read on!
In this RDPSoft E-Newsletter:
FBI Sounds the Alarm on RDP Attacks
Remote Desktop Commander Suite v4.5 Features – Audit and Visualize All RDS Login and Logon Failure Activity
RDS Log Viewer 2.0 Now Available – With Remote Desktop Gateway Login and Logon Failure Tracking
Purchase, Download, and Consulting Links
FBI and the Department of Homeland Security Issue Alert on Cyberattacks via RDP
On September 27th, 2018, the FBI and Department of Homeland Security issued a Public Service Announcement on the proliferation of hacking and ransomware attacks taking place via the Remote Desktop Protocol. Here are some key takeaways:
Remote administration tools, such as Remote Desktop Protocol (RDP), as an attack vector has been on the rise since mid-late 2016 with the rise of dark markets selling RDP Access. Malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions over the Internet to compromise identities, steal login credentials, and ransom other sensitive information.
CrySiS Ransomware: CrySIS ransomware primarily targets US businesses through open RDP ports, using both brute-force and dictionary attacks to gain unauthorized remote access. CrySiS then drops its ransomware onto the device and executes it. The threat actors demand payment in Bitcoin in exchange for a decryption key.
Dark Web Exchange: Threat actors buy and sell stolen RDP login credentials on the Dark Web. The value of credentials is determined by the location of the compromised machine, software utilized in the session, and any additional attributes that increase the usability of the stolen resources.
Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
If you haven’t been keeping tabs on RDP access attempts into your network or Azure cloud environment, now is the time to start doing so. Read on, as we have two tools that can help you do just that.
Remote Desktop Commander Suite v4.5 Features – Audit and Visualize All RDS Login and Logon Failure Activity
-
Consolidate All RDS Logins and Logon Failures, Regardless Of Whether Or Not They Occurred On Session Hosts Or On Remote Desktop Gateway Servers
-
Geolocate RDS Logins and Logon Failures In the Brand New User IP Geolocation Dashboard – Find Out Where Your Users Are Working From, and Locate the Source Of Brute Force RDP Hack Attempts
-
Schedule Daily User Login and Logon Failure Reports, With Six New Reports To Choose From
-
See The Actual IP Address and Geolocation Information for User Sessions In Existing Time Tracking Reports
Consolidate All RDS Logins and Logon Failures, Regardless
Of Whether Or Not They Occurred On Session Hosts Or Remote Desktop Gateway Servers
Our CEO, Andy Milford, has written at length about the challenges faced when attempting to correlate RDP logon failure data from session hosts at his PureRDS.org blog. Attempting to track successful RDP logins is no picnic either, as multiple log files from multiple different systems – the session host servers and remote desktop gateway servers – must be consulted and the information correlated.
In version 4.5 of the Remote Desktop Commander Suite, the Remote Desktop Reporter Service automatically collects and correlates key events from event log files on Session Host servers and Remote Desktop Gateway servers. The result is a treasure trove of valuable login and logon failure data that it retains in its SQL database, allowing us to deliver the incredible new features described below.
Geolocate RDS Logins and Logon Failures In the Brand New User IP Geolocation Dashboard – Find Out Where Your Users Are Working From, and Locate the Source Of Brute Force RDP Hack Attempts
Remote Desktop Services login and logon failure data correlation from session hosts and gateways is a valuable feature in its own right, but the rich visualizations of this data is what sets Remote Desktop Commander Version 4.5 apart from the competition. The User IP Geolocation Dashboard combines IP geolocation data with interactive worldwide maps and tabular, filterable tables so administrators can zero in on both legitimate RDS users and hackers.
Our dashboard is completely extensible via PowerShell scripts, which are designed to receive selected server names, usernames, and IP addresses as input parameters. This is especially useful for the remediation of inbound hack attempts.
Instantly build reports from the filtered RDP login and logon failure data in the dashboard, or simply export the data to comma-delimited text.
Schedule Daily User Login and Logon Failure Reports, With Six New Reports To Choose From
Scheduled reports make it easy to keep track of both where your users are routinely connecting from, as well as the sources of hacking and penetration attempts. Group login and logon failure data by country or by user. With routine review of these reports, you can quickly spot geographic RDP login anomalies that could be suggestive of a compromised user account.
See The Actual IP Address and Geolocation Information for User Sessions In Existing Time Tracking Reports.
By default, the Microsoft Terminal Services client (MSTSC) does not report its actual global IP address when connecting to a terminal server. When connecting through a Remote Desktop Gateway system, no IP address information is transmitted at all. Many admins have requested that we transform the incorrect or missing IP address information with the actual global IP address of the user, whether or not they are connecting through a RD Gateway.
Based on this feedback, we have retrofitted several existing reports, such as the User Sessions – Session Details By User report family, to include the correct global IP of the user based on the correlated log data now collected by our central polling service. Also, when possible, the global IP address is accompanied with the geographic region of the user’s ISP
RDS Log Viewer 2.0 Now Available – With Remote Desktop Gateway Login and Logon Failure Tracking
Back in March, we released Version 1 of our RDS Log Viewer tool. It tracked RDP logins and logon failures on Remote Desktop Session Host Servers. In Version 2, it has the ability to track RDS connections through a Remote Desktop Gateway Server, and it also will show you some of the logon failures on your Remote Desktop Gateway. This is useful for several reasons:
- You can see what IP addresses your users are connecting from through your RD Gateway server, to see if there are significant discrepancies in source IP. You can manually geolocate these IP addresses if you want. A user account that connects through the gateway using IP addresses from ISPs in different regions may be compromised.
- You can view the first 30 logon failures from your Gateway server. If you see user accounts that are not part of your domain in the initial list of failures, your RD Gateway may be experiencing repeated brute force attacks. You can investigate further by starting a subscription to our Remote Desktop Commander Suite, which, as you learned above, has the ability to track all logon failures, putting you in a position to fix the problem.
Purchase, Download, and Consulting Links
To download RDS Log Viewer v2.0, please click here.
Request a web demo with an RDPSoft solutions expert to see all our solution’s features in depth.
Learn more about our training and professional services, including RDS Performance Audits, custom report design, and much more.
