Solved

Unsecured RDP connection

  • 2 November 2020
  • 8 replies
  • 433 views

Userlevel 2
Badge +9

How can I tell if I have an unsecured RDP connection on my Windows 10 desktop computer?

icon

Best answer by coscooper 4 November 2020, 01:42

View original

8 replies

Userlevel 7
Badge +63

Hello @daveharney 

 

See this Webroot Blog: https://www.webroot.com/blog/2018/09/25/unsecure-rdp-connections-widespread-security-failure/

Userlevel 2
Badge +9

I read that article before - it’s the reason I asked my question.  That article doesn’t answer my question.  Although I’ve turned off the Windows settings option for remote connections, I’m wondering if that is all I need to do to ensure that there is no open connection - possibly from some application used in the past?

Is there a way to directly check if there are any open connections?  Thanks.

Userlevel 7
Badge +63

I don’t know maybe some Webroot Staff will chime in? @coscooper  @TylerM  @DanP  @khumphrey Or you can contact support and ask them? Webroot Customer Service

 

Note: When submitting a Support Ticket, Please wait for a response from Support. Putting in another Support Ticket on this problem before Support responses will put your first Support Ticket at the end of the queue. A reply from Support should take from 24 to 48 hours but could take a little longer because of COVID 19 and the Webroot Employees are busy working from home.

 

Thanks,

Userlevel 6
Badge +26

@daveharney - this is a great question and while that article is targeted for business users who typically maintain an edge firewall in front of a network and often times allow Remote Desktop through the firewall by creating an allowance or inbound/outbound connection through port 3389, (which is BAD!!!) this doesn’t always translate to local desktop.

However, the easiest way to confirm that your device isn’t exposed, is to check the Application Allowance section of the local firewall. For Windows10, look for the Remote Desktop line and insure they’re both off for private or public networks. This is more of a check for the remote settings you’ve already disabled. 

Windows Defender Firewall → select “Allow and app or feature through Windows Defender Firewall”

 

Look for Remote Desktop and make sure both are NOT enabled or either network type.

 

Hope this helps.

Userlevel 7
Badge +63

Thanks Shane!

 

 

Userlevel 2
Badge +9

 

 

Thanks Shane, that’s the answer I was looking for!  Neither of  my remote desktop lines were checked  as being enabled.

However, it certainly makes me wonder about the need for all the apps that do have access!  Also, why does my desktop computer which is ethernet connected to my Linksys home router and Spectrum cable modem, need any “public” lines checked?

 

 

Userlevel 6
Badge +26

@daveharney - So, the next level of Firewall review is more advanced that simply, on/off, or how to behave on the two primary network types, private/public.

Firewalls let applications communicate in two ways, outbound (the application needs to go outside the network or device to gather information or what ever it’s purpose) and Inbound (the application needs to allow external sources reach into the network or device to interact with the application.) Inbound is the most concerning, in my opinion.

It’s complex, but simple. The problem with firewalls is, they become “swiss cheese” so we can all get work done. Often times, these are the items that get “exploited”. RDP is a prime example. It is a good tool, but if not well maintained or monitored, it can also do a lot of harm if a bad actor uses it to break in. RDP is usually allows inbound requests and that’s where it goes south. 

So, the hard question related to firewalls is, what do you allow inbound/outbound. Fortunately, Microsoft has an advanced settings area that delves deep into that and you can go down a rabbit hole on every computer trying to figure out what should/shouldn’t be allowed in/out.

To investigate what you have inbound or outbound, select the “Advanced Settings”. This will get deeper into the applications by inbound or outbound. I can’t really offer too much advice on all of the applications you’ll find, but the core focus should be on remote tools and/or administrative tools that can give a bad actor keys to the device. This gets very nuanced and requires a lot of research, which is why there are security companies like WR. 8-)

 

Review your inbound/outbound list. It will surprise you, shock you and probably scare you, but if you start turning things off, it may also break applications, so change with caution and only do one at a time to see how it affects you needs.

Example:

NOTE: this is a test Win10 device that I have allowed certain applications in/out based upon what I think is needed. I’ve actually turned some of these inbound applications off and broken stuff. The other complexity to in/out is what port they use to communicate. This goes even deeper and if they use port 80 or 443, then blocking them will probably break stuff. Port 80 is wide open and should be left open as it’s HTTP or Web browsing, so if that’s blocked, then 90% of things will break.

This is why there are just firewall guys out there that manage this stuff. It’s messy and complicated. 8-)

 

Userlevel 2
Badge +9

Thanks Shane - comment much appreciated!

Reply