In recent months, the Sophos X-Ops Managed Detection and Response (MDR) team has been responding to multiple incidents involving exposed Microsoft Remote Desktop Web Access portals lacking multi-factor authentication (MFA) protection. These incidents have shed light on the vulnerabilities associated with these portals and the potential risks they pose to organizations.
The Microsoft Remote Desktop Services architecture consists of several key roles, including the Remote Desktop Connection Broker, Remote Desktop Gateway, Remote Desktop Licensing, and Remote Desktop Web Access. The RD Web Access portal serves as the entry point for users to authenticate and access resources hosted on the Remote Desktop Session Host (RD Session Host).
When the RD Web Access portal is exposed to the internet without adequate protection, threat actors can abuse it to gain unauthorized access to an organization’s network and resources. Common tactics include brute-forcing login credentials, establishing persistence, escalating privileges, and moving laterally within the network.
In response to these incidents, the MDR team has developed a series of investigative queries to help organizations identify and mitigate the risks associated with RD Web Access abuse. These queries can be used to detect exposed RD Web Access portals, identify RD Gateway servers, review RD Gateway logs, analyze IIS logs for signs of compromise, and track compromised account activity across the network.
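One of the checks described above, analyzing IIS logs for signs of RD Web Access abuse, as an added example that is not part of the Sophos MDR query set: it parses IIS W3C extended log lines using their `#Fields:` header, counts POSTs to the RD Web Access login page per client IP, and flags addresses that exceed a threshold. The log lines, the threshold, and the assumption that a failed login re-renders the form (HTTP 200) while a successful one redirects (HTTP 302) are constructed for illustration.

```python
"""Flag brute-force-style login attempts against an RD Web Access portal
from IIS W3C log lines. Sample data and thresholds below are constructed."""
import re
from collections import Counter, defaultdict

# Default RD Web Access login page; the locale segment (en-US) may differ.
LOGIN_RE = re.compile(r"/RDWeb/Pages/[^/]+/login\.aspx", re.IGNORECASE)

def parse_iis(lines):
    """Parse W3C extended log lines into dicts keyed by the #Fields: header."""
    fields, rows = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other directives / blank lines
        else:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows

def login_attempts_by_ip(rows):
    """Count POSTs to login.aspx per client IP, broken down by HTTP status.
    Assumption: 200 means the form was re-rendered (failed login), 302 means
    the portal redirected the user after a successful login."""
    stats = defaultdict(Counter)
    for r in rows:
        if r.get("cs-method") == "POST" and LOGIN_RE.search(r.get("cs-uri-stem", "")):
            stats[r["c-ip"]][r["sc-status"]] += 1
    return stats

def flag_bruteforce(rows, threshold=5):
    """Return IPs with at least `threshold` login POSTs and whether any succeeded."""
    return {ip: {"attempts": sum(c.values()), "success": c.get("302", 0) > 0}
            for ip, c in login_attempts_by_ip(rows).items()
            if sum(c.values()) >= threshold}

# Constructed sample log (TEST-NET addresses, fixed timestamps).
_FIELDS = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
           "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
           "sc-win32-status time-taken")
def _line(sec, method, ip, status, path="/RDWeb/Pages/en-US/login.aspx"):
    return f"2024-01-01 00:00:{sec:02d} 10.0.0.5 {method} {path} - 443 - {ip} Mozilla/5.0 - {status} 0 0 120"

SAMPLE_LOG = ["#Software: Microsoft Internet Information Services 10.0", _FIELDS,
              _line(0, "GET", "203.0.113.7", 200)]                           # fetches the form
SAMPLE_LOG += [_line(s, "POST", "203.0.113.7", 200) for s in range(1, 6)]   # five failed logins
SAMPLE_LOG += [_line(6, "POST", "203.0.113.7", 302),                         # then a success
               _line(7, "POST", "198.51.100.2", 302)]                        # ordinary user login

if __name__ == "__main__":
    print(flag_bruteforce(parse_iis(SAMPLE_LOG)))
```

On a real server, feed it the contents of the site's log directory (typically under `inetpub\logs\LogFiles`) and correlate flagged IPs with RD Gateway connection logs and account activity.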
In cases where an organization suspects RD Web Access abuse, prompt action is essential to contain the threat and protect critical resources. The MDR team typically isolates impacted hosts, disables compromised domain users, blocks malicious IPs, and implements additional security measures to prevent further unauthorized access.
To mitigate the risks associated with RD Web Access, organizations are advised to implement multi-factor authentication, review application configurations, restrict internet access to the login portal, and consider protecting the portal behind a VPN. These measures can help reduce the attack surface and enhance the security of remote desktop access.
In conclusion, the prevalence of RD Web Access abuse underscores the importance of implementing robust security measures to protect against unauthorized access and data breaches. By following best practices and taking proactive steps to secure remote desktop access, organizations can mitigate the risks posed by exposed RD Web Access portals and safeguard their networks from potential threats.