This post will explain why you should use a “Bastion Host” or a “Jump Box” to securely remote into Linux (SSH) or Windows (Remote Desktop) virtual machines. And this advice also includes machines that you run in a cloud, such as Microsoft Azure.

Some people are going to make some comments like:

“This is why you should use remote Bash|PowerShell scripting”

“You should be using Windows Admin Center”

There are still many times when you need to directly log into a machine and do something that’s real life, and not some blogger’s lab life. The same went for JIT VM Access, until they changed how the allow (RDP, SSH, etc.) rules were added to an NSG. In my work, every subnet is micro-segmented. That means that the last user-defined NSG rule is Deny All from * to *. Since JIT VM Access was changed, it moves the last rule (if necessary) and puts in the allow-RDP or allow-SSH (or whatever) rule after the DenyAll rule, which is useless.

I can’t comment too much on SSH because I’m allergic to penguins. Over the last few months, I can think of 3 security alerts that have been released about pre-authentication vulnerabilities that have been found in Remote Desktop. Let’s say that you have a PC on your WAN that is infected by malware that leverages a known or zero-day pre-authentication remote desktop vulnerability. If that PC has the ability to communicate with a remote VM, such as an Azure Windows/Linux VM, via SSH or RDP, then that remote machine is vulnerable to a pre-authentication attack. It does not require the user of the PC to SSH or RDP into the remote VM, or to even have any guest OS access! That means that if malware gets onto your network, and that malware scans the network for open TCP 22 or TCP 3389 ports, it will attempt to use the vulnerability to compromise the remote VM. You can put a firewall in front of the remote virtual machines, but it will do no good; it’s still allowing TCP 3389 or TCP 22 directly into the virtual machines, and all it will offer is logging of the attack.

You might have heard the term “bastion” in the Azure world recently. However, the terms Bastion Host or Jump Box are far from new. They’re an old concept that allows you to isolate valuable machines and services behind a firewall but still have a way to remote into them. The valuable remote virtual machines are placed behind a firewall. In Azure, that could be a firewall appliance, such as Azure Firewall, and/or Network Security Groups. Now to connect to the remote VMs, you must first remote into the Bastion Host. And from that machine, you will remote further into the network through the isolation of the firewall/NSGs.

But that’s still not perfect, is it? If we do simple SSH or RDP to the Bastion Host, then it is vulnerable to pre-authentication attacks. And that means once that machine is compromised, it can attack further into the remote network. What we need is some kind of transformation.

My preferred solution is to deploy a Remote Desktop Gateway (RDGW) as the bastion host – this does not require RDP licensing for administrative access to the remote virtual machines! The Bastion Host is deployed as one virtual machine or 2+ load-balanced virtual machines that allow in HTTPS connections via firewall/NSG rules. When an administrator/developer/operator needs to log into a remote VM, their Remote Desktop client is configured to connect to this gateway using HTTPS instead of RDP. Once the connection is authenticated by the RDGW, it reverse proxies the connection through to the desired virtual machine, further protected by firewall/NSG rules. Now the malware that is on the WAN cannot probe any machines in the remote network; there is no opening across the network to TCP 3389 or TCP 22. Instead, the only port open for remote connections is HTTPS, which requires authentication. And internally, that transforms to connections from the RDGW to the remote VMs via TCP 3389.

Some sharp-eyed observers might notice that the recently announced CVE-2020-0609 is a pre-authentication attack on RDGW! Yes, unpatched RDGW deployments are vulnerable, but they are smaller in number and easier to manage patches for than a larger number of other machines. Best practice for any secure network is to limit all external ports.
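To make the NSG rule ordering in this post concrete, here is an added example (not from the post or any Microsoft tooling) that models Azure NSG inbound evaluation in Python: the direct-RDP layout, the RDGW bastion layout with only HTTPS inbound to the gateway subnet and TCP 3389 only from that subnet to the VMs, and a JIT allow rule that is useless because it sorts after the Deny All rule. All addresses, subnets and rule names are constructed for the example.

```python
"""Model Azure NSG inbound evaluation: direct RDP exposure vs. the RDGW
bastion design, plus a JIT rule that lands after a Deny-All rule."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing: WAN client, bastion subnet, protected VM subnet.
WAN_PC, BASTION_SUBNET, VM_SUBNET = "192.168.1.50", "10.0.1.0/24", "10.0.2.0/24"
RDGW, VM = "10.0.1.4", "10.0.2.10"


@dataclass
class Rule:
    name: str
    priority: int            # lower number is evaluated first
    access: str              # "Allow" or "Deny"
    src: str                 # CIDR or "*"
    dst: str                 # CIDR or "*"
    port: Optional[int] = None  # None means any destination port


def _hit(prefix: str, ip: str) -> bool:
    return prefix == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """First matching rule in priority order decides; Azure's built-in
    DenyAllInBound (priority 65500) is the fallback when nothing matches."""
    for r in sorted(rules, key=lambda r: r.priority):
        if _hit(r.src, src_ip) and _hit(r.dst, dst_ip) and r.port in (None, port):
            return r.access, r.name
    return "Deny", "DenyAllInBound"


DENY_ALL = Rule("DenyAll", 4000, "Deny", "*", "*")  # the micro-segmentation catch-all

# Weak: TCP 3389 reachable from anywhere, so a pre-auth exploit needs no login.
VM_SUBNET_DIRECT = [Rule("AllowRDP-Any", 100, "Allow", "*", VM_SUBNET, 3389), DENY_ALL]

# Bastion design: VMs accept 3389 only from the RDGW subnet; the RDGW subnet
# accepts only HTTPS (443), which the gateway authenticates before proxying.
VM_SUBNET_BASTION = [Rule("AllowRDP-FromRDGW", 100, "Allow", BASTION_SUBNET, VM_SUBNET, 3389), DENY_ALL]
BASTION_SUBNET_NSG = [Rule("AllowHTTPS-Any", 100, "Allow", "*", BASTION_SUBNET, 443), DENY_ALL]


def jit_rules(priority: int) -> List[Rule]:
    """A JIT 'allow RDP from requester' rule; only effective if it sorts before DenyAll."""
    return [Rule("JIT-AllowRDP", priority, "Allow", "192.168.1.0/24", VM_SUBNET, 3389), DENY_ALL]


if __name__ == "__main__":
    print("direct,  WAN->VM:3389  ", evaluate(VM_SUBNET_DIRECT, WAN_PC, VM, 3389))
    print("bastion, WAN->VM:3389  ", evaluate(VM_SUBNET_BASTION, WAN_PC, VM, 3389))
    print("bastion, WAN->RDGW:443 ", evaluate(BASTION_SUBNET_NSG, WAN_PC, RDGW, 443))
    print("bastion, RDGW->VM:3389 ", evaluate(VM_SUBNET_BASTION, RDGW, VM, 3389))
    print("JIT after DenyAll      ", evaluate(jit_rules(4001), WAN_PC, VM, 3389))
    print("JIT before DenyAll     ", evaluate(jit_rules(3999), WAN_PC, VM, 3389))
```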