How to Set up a Strong Password for Remote Desktop
Rapid7, an IT security company, ran an interesting year-long experiment that baited bad actors to attempt to break into systems. The results were curious, to say the least, a single letter, X, was one of the most used password attempts.
Rapid7 set up the honeypots in an effort to mimic systems running remote desktop protocol (RDP). You can use the protocol to remotely login into a system and. It's usually run by POS (point-of-sale) devices, counters, and Windows computers.
Hackers typically scan the Internet to locate RDP systems and attempt to log in by guessing the victim's password. Rapid7's test detected more than 220,000 attempts to log in into the honeypots. This allowed them to study the credentials that attackers used when trying to log in.
Most common RDP passwords
"We see some correlation in there, but the ordering is all wrong," he said in a phone interview. "Our number one password we see is 'x,'" Tod Beardsley, a security expert with Rapid7 said.
X is not the only single-character passwords that Rapid7 found either. There were three in total. Obviously, using a single letter to protect your system is a horrible idea. Security experts recommend passwords that are long and complex, with numbers and special characters to reduce the chance of hackers brute forcing it.
Most RDP systems limit password attempts to reduce the odds of anyone but the user gaining access. Because of this attackers have only so many guesses to before they're locked out completely. Tod Beardsley believes that the weak passwords the attackers used are not random.
"These are clearly dictionary attacks," Beardsley said. "They've correlated and they're cultivating small lists of passwords," the security expert added.
During the year the honeypots were collecting data, Rapid7 acquired over 4,000 passwords, of which only 20% showed up once and were never used again.
Tod Beardsley commented that he expected that the hackers would use the same credentials repeatedly. However, it seems that when they discover a new potential credential for a POS system running RDP, they attempt it, find all the vulnerable systems, then move on to the next.
"They never look again. It's not like a weekly scan," Beardsley said.
Using the default login credentials or weak passwords is especially dangerous for companies running a large number of POS devices. A huge number of credit card numbers could be stolen if their network was breached or a device hacked.
Even though security experts advise that RDP should not be left running open to the Internet on a POS device, it happens far too often. During their research, Rapid7 scanned the Internet and discovered 11 million systems running RDP. It's impossible to estimate how many of those are POS systems without logging in them (which is illegal), but there is a high probability many of them are.
"I'm willing to bet when you sweep through the 11 million or so endpoints, you will have hundreds and hundreds of hits on these things. So you've got plenty of targets to work with at that point, particularly if they're point-of-sale systems," Beardsley said.
Top 12 tips to protect your Remote Desktop
- Block RDP connections over the open internet.
- Use complex passwords and Two-Factor Authentication.
- Block IPs that have too many failed login attempts.
- Use an RDP gateway.
- Limit Domain Admin account access.
- Reduce the number of local admins to the lowest possible number.
- Enable your Firewall.
- Enable restricted Admin mode.
- Enable network level authentication.
- Make sure that local administrator accounts are unique and restrict the users who can log on using RDP.
- Consider placement within the network.
- Use an account-naming convention that does not reveal organizational information.