cyber guidance - PSJoshi/Notes GitHub Wiki
Cyber attacks prevention measures
- Restrict use of RDP and ensure that RDP is accessed in a secure way
- Deploy endpoint monitoring solutions
- Enable Windows PowerShell logging
- Enable command-line logging
- No network file sharing or printer sharing
- No FTP. Use SFTP or SCP for file transfers
- Limit access to the DMZ network segment that hosts Active Directory servers and other important servers by deploying firewalls (host-based as well as network-based)
- Keep anti-virus signatures up to date and monitor anti-virus logs in the SIEM
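The PowerShell and command-line logging items above are the two measures on this list that can be switched on and verified entirely from the host. The script below is an added example, not part of the PSJoshi/Notes wiki; it writes the documented policy registry values, enables the process-creation audit subcategory, and reads everything back so the state can be checked by a compliance script. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or later.

```powershell
# Added example (not from the PSJoshi/Notes wiki): enable PowerShell script block
# and module logging plus command-line process auditing, then verify.
# Assumes an elevated PowerShell 5.1+ session on Windows 10 / Server 2016 or later.

function Enable-PowerShellLogging {
    # Script block logging records the de-obfuscated content of every script block
    # PowerShell runs (event 4104 in Microsoft-Windows-PowerShell/Operational).
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Type DWord -Value 1

    # Module logging records pipeline execution details (event 4103) for the
    # modules listed under ModuleNames; a '*' entry covers every module.
    $ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    New-Item -Path "$ml\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Type DWord -Value 1
    Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*'
}

function Enable-CommandLineLogging {
    # Process creation auditing (Security event 4688) is turned on with auditpol;
    # the registry value below adds the full command line to each 4688 event.
    auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Type DWord -Value 1
}

function Test-LoggingConfig {
    # Read the settings back instead of trusting that the writes succeeded.
    $sbl   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    $ml    = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -ErrorAction SilentlyContinue
    $audit = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' -ErrorAction SilentlyContinue
    # auditpol prints a "Success" column when the subcategory is audited.
    $procAudit = [bool]((auditpol /get /subcategory:"Process Creation") -match 'Success')

    [pscustomobject]@{
        ScriptBlockLogging   = $sbl.EnableScriptBlockLogging -eq 1
        ModuleLogging        = $ml.EnableModuleLogging -eq 1
        ProcessCreationAudit = $procAudit
        CmdLineInAuditEvents = $audit.ProcessCreationIncludeCmdLine_Enabled -eq 1
    }
}

function Get-RecentScriptBlockEvents {
    param([int]$Count = 5)
    # Quick sanity check that 4104 events are actually being produced and are
    # therefore available for forwarding to the SIEM.
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{n='Snippet'; e={ $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) }}
}

# Usage (elevated):
#   Enable-PowerShellLogging; Enable-CommandLineLogging
#   Test-LoggingConfig          # all four properties should be True
#   Get-RecentScriptBlockEvents # confirm events are flowing before wiring up the SIEM
```

The registry paths are the ones Group Policy writes to, so applying the equivalent GPO in a domain gives the same result; `Test-LoggingConfig` is useful either way because it reports the effective state of the host rather than the intent of the policy.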
Securing remote desktop protocol (RDP)
RDP should always be disabled unless it is necessary. If an organization like NPCIL wants to use RDP for diagnostic/maintenance purposes, the following best practices may be useful for securing RDP against brute-force attacks.
- Use a VPN: As noted, serious security risks arise when RDP is open to the Internet. Instead, organizations should use a VPN to allow remote users to securely access the corporate network without exposing their systems to the entire Internet.
- Use strong passwords: Most RDP-based attacks rely on cracking weak credentials. As such, organizations must enforce the use of strong passwords on all RDP client and server terminals. Passwords should be long, unique and random.
- Use multi-factor authentication: Even the strongest passwords can be compromised. While not infallible, multi-factor authentication (MFA) offers an extra layer of protection by requiring users to provide at least two forms of authentication (such as a one-time-use code or a biometric check) to log in to an RDP session.
- Use a firewall to limit access: A firewall can be used to limit RDP access to a specific IP address or range of IP addresses.
- Use an RD gateway: An RD gateway server, a feature available on all versions of Windows Server since Windows Server 2008, is extremely useful for simplifying RDP deployment and security management.
- Block IPs that fail multiple login attempts: A high number of failed login attempts in a short period of time usually indicates a brute-force attack. Windows Account Policies can be used to define and limit the number of times a user can attempt to log in to RDP. Many security solutions are available that automatically alert administrators when they detect multiple failed login attempts.
- Restrict remote access: While all administrators can use RDP by default, there’s a good chance that many of these users do not need remote access to do their job. Organizations should always abide by the principle of least privilege and restrict RDP access to only those who genuinely require it.
- Change the RDP listening port: Attackers typically identify potential targets by scanning the Internet for computers listening on the default RDP port (TCP 3389). While changing the listening port via the Windows Registry does help organizations “hide” vulnerable connections, it does not provide protection against RDP attacks and should, therefore, be used only as a supplementary technique. Security through obscurity works only up to a point, and the other mechanisms listed here must be in place as well.
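Several of the items above (disable RDP when not needed, firewall-limit the source addresses, enforce account lockout, restrict who may connect, and watch for repeated failures) can be applied and audited on a single Windows host with the script below. It is an added example, not part of the PSJoshi/Notes wiki; it assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or later, and the management subnet `10.0.10.0/24` is a constructed placeholder for the range your administrators connect from (ideally the inside of the VPN mentioned above). The 4625 report is a detection aid for the "block IPs that fail multiple login attempts" item: it groups failed logons by source address so a SIEM rule or an administrator can act on them.

```powershell
# Added example (not from the PSJoshi/Notes wiki): harden RDP exposure on a host,
# report who can connect, and summarise failed-logon sources from the Security log.
# Assumes an elevated PowerShell 5.1+ session on Windows 10 / Server 2016 or later.
# 10.0.10.0/24 below is a constructed placeholder for the management network.

$TerminalServer = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Disable-RdpAccess {
    # "RDP should always be disabled unless it is necessary": 1 = deny connections,
    # and the built-in firewall rules are switched off so the port is not reachable.
    Set-ItemProperty -Path $TerminalServer -Name fDenyTSConnections -Type DWord -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Set-RdpRestrictedAccess {
    param([Parameter(Mandatory)][string[]]$ManagementSubnet)
    # Allow connections, but require Network Level Authentication so the user is
    # authenticated before a session (and its attack surface) is created.
    Set-ItemProperty -Path $TerminalServer -Name fDenyTSConnections -Type DWord -Value 0
    Set-ItemProperty -Path "$TerminalServer\WinStations\RDP-Tcp" -Name UserAuthentication -Type DWord -Value 1

    # Firewall: the Remote Desktop rules accept traffic only from the management
    # range instead of the default "Any".
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $ManagementSubnet

    # Account lockout: 5 failures lock the account for 30 minutes and the failure
    # counter resets after 30 minutes, which throttles online password guessing.
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

function Get-RdpAccessReport {
    # Least-privilege check: members of Administrators can use RDP implicitly,
    # Remote Desktop Users explicitly. Review both lists against who really needs it.
    [pscustomobject]@{
        RdpDenied          = (Get-ItemProperty $TerminalServer).fDenyTSConnections -eq 1
        NlaRequired        = (Get-ItemProperty "$TerminalServer\WinStations\RDP-Tcp").UserAuthentication -eq 1
        AllowedFrom        = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                              Get-NetFirewallAddressFilter).RemoteAddress | Sort-Object -Unique
        RemoteDesktopUsers = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name
        Administrators     = (Get-LocalGroupMember -Group 'Administrators').Name
    }
}

function Get-RdpFailedLogonSources {
    param([int]$Hours = 1, [int]$Threshold = 10)
    # Security event 4625 = failed logon. LogonType 10 is RemoteInteractive (RDP);
    # with NLA enabled the failures are commonly recorded as LogonType 3, so both count.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named fields out of the event XML rather than parsing the message text.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Ip = $d['IpAddress']; User = $d['TargetUserName']; LogonType = $d['LogonType'] }
        } |
        Where-Object { $_.LogonType -in '3','10' -and $_.Ip -and $_.Ip -ne '-' } |
        Group-Object Ip |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp   = $_.Name
                Failures   = $_.Count
                UsersTried = ($_.Group.User | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Failures -Descending
}

# Usage (elevated):
#   Set-RdpRestrictedAccess -ManagementSubnet '10.0.10.0/24'   # or Disable-RdpAccess
#   Get-RdpAccessReport
#   Get-RdpFailedLogonSources -Hours 24 -Threshold 10
```

`Get-RdpFailedLogonSources` deliberately reports rather than blocks: the output is what you would feed to the SIEM alert or the firewall automation the list refers to, and a distinct-user count per source is a good secondary signal, since a legitimate user mistyping a password hits one account while a spray hits many.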