Remote Desktop Detection

by Michael Willison
August 1, 2014

Tenable SecurityCenter Continuous View (SC CV) with Nessus, PVS, and LCE provides information on Remote Desktop vulnerabilities, exploits, events, and network traffic flow. Microsoft developed its own graphical remote control technology, Remote Desktop Connection, which uses Remote Desktop Protocol (RDP) to address some of the limitations and security issues of Virtual Network Computing (VNC) and to replace Microsoft Terminal Services. RDP gives a user access to a remote computer's files and applications. RDP is known to have a variety of exploitable security flaws and attack vectors. Man-in-the-middle attacks, memory harvesting attacks that capture passwords from memory, and the Win32/Filecoder.NAH Trojan used to encrypt files and extort users are just a few examples.

The Remote Desktop Detection dashboard has six components that report on RDP vulnerabilities, exploits, and RDP traffic flow. By understanding the vulnerabilities and their severities, SecurityCenter Continuous View (SC CV) users can better assess risk and prioritize mitigations for discovered vulnerabilities. Furthermore, knowing which vulnerabilities are exploitable helps security professionals resolve threats before attacks occur. Understanding the normal network traffic flow and the direction of RDP communications allows for anomaly analysis and increases the likelihood of breach detection. This dashboard provides the tools to monitor RDP vulnerabilities and their associated risks.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard can be easily located in the SecurityCenter Feed by selecting the category Discovery & Detection, and then selecting the tags remote desktop, inbound, outbound, and trending.

The dashboard requirements are:

  • SecurityCenter 4.8.1
  • LCE 4.2.2
  • Nessus 5.2.7
  • PVS 4.0.2

Listed below are the included components:

  • Remote Detection - Vulnerabilities by IP Address: By understanding the vulnerabilities and their severities, SC CV users can better assess risk and prioritize mitigations for discovered vulnerabilities. This component provides a table of the top 20 vulnerable Remote Desktop systems, sorted by vulnerability weight score. The columns displayed are IP Address, OS, Score, and one column per vulnerability severity (info, low, medium, high, and critical). Each severity cell holds the total count of vulnerabilities of that severity for the host.
  • Remote Desktop Detection - Directional Event: Understanding the normal network traffic flow and the direction of Remote Desktop (RDP) communications allows for anomaly analysis and increases the likelihood of breach detection. This component provides a table of RDP network traffic directional flow for nine event types: Intrusion, Login, Logout, Failed Login, Connection, Continuous, Networks, Errors, and System. SecurityCenter Continuous View classifies network traffic flow as internal, inbound, or outbound. The Total Event Types column displays a count of all events of the respective type, while the remaining three columns show the percentage of those events in each direction.
  • Remote Desktop Detection - Normalized Events: Analyzing both the normalized events and their trend will help SC CV users understand Remote Desktop (RDP) activity on the network and detect anomalies. This component displays normalized events from SC CV over the past seven days. The fields displayed are: normalized event name, total events, and a trend graph of the events collected over the past seven days.
  • Remote Desktop Detection - Vulnerability with Exploits by Severities: By detecting exploitable Remote Desktop vulnerabilities, SC CV users can mitigate them before a compromise can occur. This component displays the top exploitable Remote Desktop (RDP) vulnerabilities for both servers and clients. The table columns are: vulnerability name, family, severity, and total vulnerabilities; rows are sorted by severity level.
  • Remote Desktop Detection - Total Number of Events per Day over 7 Days: This event-by-day component displays the total number of Remote Desktop (RDP) events seen each day over a seven-day period. By viewing the daily totals, an IT team can quickly recognize when anomalies are occurring on the network: any substantial increase or decrease in RDP events indicates a change in normal RDP activity.
  • Remote Desktop Detection - Network Traffic Directional Event Trending: The expected mix of inbound and outbound Remote Desktop (RDP) traffic will vary based on network configuration. Network administrators should review network traffic trends to determine whether traffic is following normal usage patterns. This component displays a trend of RDP network traffic directional events over 25 days. The traffic flow is represented using the directional filters internal, inbound, and outbound.
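The two tables above (direction of each RDP event type, and events per day with a flag on sudden changes) can be reproduced from raw event records to check what the dashboard reports. The following is an added example written for this page, not Tenable's or SecurityCenter's code: it assumes events arrive as (day, event type, source IP, destination IP) tuples, assumes the internal address ranges listed in INTERNAL_NETS, and uses a constructed sample event set. The median-ratio anomaly threshold is an assumed heuristic, not LCE's own method.

```python
"""Classify RDP events by direction and count them per day.

Added example for illustration; not part of SecurityCenter, LCE or PVS.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal address space; a real deployment substitutes its own ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# The three directional filters the dashboard uses.
DIRECTIONS = ("internal", "inbound", "outbound")

# Constructed sample events: (day, event type, source IP, destination IP).
# The last day carries a burst of failed logins from one external address.
SAMPLE_EVENTS = [
    ("2014-07-25", "Login", "10.0.1.5", "10.0.2.10"),
    ("2014-07-25", "Login", "203.0.113.7", "10.0.2.10"),
    ("2014-07-26", "Login", "10.0.1.5", "198.51.100.4"),
    ("2014-07-26", "Failed Login", "203.0.113.7", "10.0.2.10"),
    ("2014-07-27", "Login", "10.0.1.6", "10.0.2.10"),
    ("2014-07-28", "Logout", "10.0.1.6", "10.0.2.10"),
    ("2014-07-29", "Login", "10.0.1.7", "10.0.2.10"),
    ("2014-07-30", "Login", "10.0.1.8", "10.0.2.10"),
] + [("2014-07-31", "Failed Login", "203.0.113.9", "10.0.2.10") for _ in range(8)]


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src, dst):
    """Map a source/destination pair to internal, inbound, outbound or external."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and dst_in:
        return "internal"
    if dst_in:
        return "inbound"
    if src_in:
        return "outbound"
    return "external"  # neither end is ours; counted in totals, no column


def directional_table(events):
    """Per event type: total count and percentage in each of the three directions."""
    counts = defaultdict(Counter)
    for _day, etype, src, dst in events:
        counts[etype][direction(src, dst)] += 1
    table = {}
    for etype, by_dir in counts.items():
        total = sum(by_dir.values())
        row = {"total": total}
        for d in DIRECTIONS:
            row[d] = round(100.0 * by_dir[d] / total, 1)
        table[etype] = row
    return table


def events_per_day(events):
    """Total event count per day, in date order."""
    per_day = Counter(day for day, *_ in events)
    return dict(sorted(per_day.items()))


def anomalous_days(per_day, factor=3.0):
    """Days whose count departs from the median by at least `factor` either way.

    Assumed heuristic: a day is flagged when its count is >= factor * median
    or <= median / factor, covering both sudden increases and drops.
    """
    baseline = median(per_day.values())
    return [day for day, n in per_day.items()
            if n >= factor * baseline or n <= baseline / factor]


if __name__ == "__main__":
    for etype, row in directional_table(SAMPLE_EVENTS).items():
        print(f"{etype:<13} {row}")
    daily = events_per_day(SAMPLE_EVENTS)
    print(daily)
    print("anomalous days:", anomalous_days(daily))
```

On the constructed sample, the Login row splits roughly two-thirds internal with one inbound and one outbound event, every Failed Login is inbound, and 2014-07-31 is flagged because its eight events are well above the one-event-per-day median of the other days; the same logic applied to a 25-day window gives the trend view of the last component.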