I'm Susan Bradley, and this is CSO Online. This week I'm going to issue a challenge to you, and to myself. So, if this little window is how you access and manage your servers, I'm suggesting that you stop using Remote Desktop Connection. Now, why do I say we should stop using RDP? Mainly because three different vulnerabilities have come out recently, which shows that we are still using a very old technology that puts us at risk. In both May and August a vulnerability was released where, basically, an unauthenticated attacker can connect to a target system running RDP and send specially crafted requests to the port. The attacker doesn't have to authenticate to the system. They can just throw those crafted packets at port 3389. If the port is open, they can get into the system and gain rights on it: they can install programs; view, change and delete data; and create accounts with full user rights on the system. The first vulnerability, back in May, was so serious that they even released patches for older systems. They recommended that we disable Remote Desktop Services, enable Network Level Authentication and even block port 3389 at the enterprise perimeter firewall.

Microsoft even released an update for Windows XP. I haven't seen a Windows XP patch in years, and they released it to everyone, not just to those who had bought an extended support contract. Now, in August, we have two more RDP vulnerabilities. Again, if attackers have specially crafted packets, they can throw them at port 3389, and if they gain access they can install programs, change or delete data, and create new accounts with full user rights. This is something you need to take seriously: make sure you patch as soon as possible, especially if you have systems with that port directly exposed. It has been three months since the update for the May RDP vulnerability was released. In that time, about one in five internet-facing RDP servers has not been patched. I want to make sure you take this seriously and don't assume that, just because we haven't seen an exploit in the wild, it isn't worth taking seriously. An open port is not only vulnerable to attacks like this, it's also vulnerable to brute-force attacks, where someone sits there guessing passwords over and over until they eventually get into the system. I often hear about medical systems, particularly on older platforms, where administrators still use RDP to access and maintain the systems. When RDP is used, particularly if it is being used by an attacker, it is sometimes hard to determine exactly who the good guys are and who the bad guys are. The log files aren't clear. I've included a link in the article to help you determine. And sometimes it's hard to determine which ones are the good guys and which ones are the bad guys; you sometimes have to go through step by step and look at both sides, the user side of the logs as well as the server side, to determine which authentications are good and which ones are bad.

Back in February of this year I had an article on how to install PowerShell 5 on Windows 7 in particular. I recommended that because it enabled logging, and also because you could turn on PowerShell remoting. With PowerShell remoting you don't have to open up the RDP port or use 3389. You can do it in a secure way, and in fact I recommend that you do it over TLS or SSL. I've got some recommendations on how to do that as well. But just a reminder again: if this is how you connect to your servers and manage them, I want to challenge you to stop doing that and think about other ways you can script the same things. PowerShell remoting is a very, very powerful tool, so that you don't have to use port 3389 and expose yourself to additional risks. And don't forget to sign up for the IDG TECHtalk channel out there on YouTube. Until next time, this is Susan Bradley for CSO Online.
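The PowerShell-remoting-over-TLS setup recommended above, written out as an added example that is not from the video or the linked article: it enables WinRM on the HTTPS port (5986), removes the plaintext listener and leaves 3389 closed. The server name is a placeholder, and it assumes a server-authentication certificate for that name is already installed in the machine store.

```powershell
# Added example (not from the video or the article): configure PowerShell remoting
# over HTTPS (WinRM on TCP 5986) so that RDP on 3389 need not be exposed, then verify.
# Assumes a certificate whose Subject matches the server's DNS name, with its private
# key, is already in Cert:\LocalMachine\My. Run elevated on the server.
$serverFqdn = 'server01.example.internal'   # placeholder: replace with the real FQDN

# 1. Enable the remoting service (this creates the default HTTP listener on 5985).
Enable-PSRemoting -Force

# 2. Pick the newest server certificate issued to this host.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$serverFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$serverFqdn in LocalMachine\My" }

# 3. Create the HTTPS listener bound to that certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 4. Remove the plaintext HTTP listener and refuse unencrypted or Basic-auth traffic.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse -Force
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

# 5. Open only the HTTPS remoting port in the host firewall; 3389 stays closed.
New-NetFirewallRule -DisplayName 'WinRM over HTTPS (5986)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# 6. Verify that only the HTTPS listener remains.
Get-ChildItem WSMan:\localhost\Listener | Format-Table Keys, Name

# From the admin workstation, connect over TLS only:
#   Test-WSMan -ComputerName $serverFqdn -UseSSL
#   Enter-PSSession -ComputerName $serverFqdn -UseSSL -Credential (Get-Credential)
```

The client side verifies the server certificate against the FQDN, so connect by that name rather than by IP address.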