August 17, 2017 By Mark Samuels 2 min read

Millions of ports are being left open online, and many of these are being exposed to potential attackers through the remote desktop protocol (RDP).

An internetwide scan by researchers at Rapid7 discovered that there were more than 11 million devices with open 3389/TCP endpoints. More than 4.1 million of these open ports were using the protocol to communicate in one form or another.

An Ongoing Risk

RDP is a proprietary protocol from Microsoft that gives users the opportunity to access a graphical interface so they can control computers over a network remotely. Support for the protocol has been a feature in almost every version of the Windows operating system (OS) since the introduction of Windows NT.

Its strengths make it a very popular management tool, but it is also a popular focus for cybercriminals. Microsoft has published 20 security updates for the protocol since 2002 and as many as 24 individual vulnerabilities, Rapid7 reported. Newer versions require network level authentication by default, which acts as a boon to security.

However, the protocol is often exposed in internal networks due to its ability to simplify administration and support issues. Its popularity to attackers was demonstrated in June last year when Kaspersky Lab researchers found a cybercriminal trading platform called xDedic that was selling access to more than 70,000 compromised RDP servers.

How Researchers Investigated RDP

Rapid7 researchers were keen to discover which protocols were putting potentially open endpoints at risk. The firm used its Sonar research tool and a series of scans, connections and exchanges to analyze the number of systems that exposed RDP across the internet.

Researchers counted responses that appeared to come from RDP-speaking endpoints, including error messages from possible configuration issues and success messages. Rapid7 suggested that the final tally of 11 million endpoints — with 4.1 million speaking via the protocol — is shockingly high.

Rapid7 said any of the exposed endpoints are not protecting their services through basic firewall rules or access control lists. This revelation highlighted uncertainties as to whether a range of basic security practices are being applied to the endpoints.

What Can IT Managers Do to Respond?

The good news, if there is any, is that Rapid 7 discovered that more than 83 percent of the endpoints were willing to authenticate through the secure CredSSP connection. Researchers suggested that it was impressive that more than four-fifths of exposed endpoints were using one of the more secure protocols to authenticate sessions.

However, the human factor is still a big concern, reported Bleeping Computer. The publication said that these endpoints are often left exposed because administrators rely on credentials that are easy to guess or allow access without authentication. Many of the ports are not protected by a firewall and would be cannon fodder for a malware outbreak.

News of the potential exposure will come as a concern to IT managers at enterprises, where admins often use the protocol to deal with support concerns remotely. The key to success or failure will be how users deploy the protocol to connect. IT managers should use a combination of passwords, firewalls and access control lists to help reduce risk.

More from

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today