ITProJeff
Newcomer II

Cybersecurity Insurance denied due to RDS Gateway

I recently had a client get denied Cybersecurity Insurance due to their RDS Gateway being exposed to the internet (this is RDS Gateway on port 443/3391, not Remote Desktop port 3389). Their claim was that "Current threat actor activity on the internet is focusing on targeting this technology to deploy ransomware and other malware." We had GeoIP filtering restricting access to USA only, MFA, and a brute-force detection/IP blocking software installed. Their only solution was to put it behind a VPN or disable it altogether. We're currently pressing them to find out if that's also required for Citrix Netscaler or VMware Horizon, since they're exposed to the internet as well and can have (and have had) vulnerabilities.

I have not heard of any "threat actor activity" actively exploiting RDS Gateway and am wondering if the new standard is not exposing it to the internet and I missed that? Is everyone else putting it behind a VPN and praying for no or low vulnerabilities on that?

12 Replies
KPA
Viewer

I agree - VPN is being phased out by many organizations. Attacks do come from remote users over the IPsec tunnel - I have seen that happen to companies we have assisted.

Anyhow, SASE is good for securing RDP. Azure App Proxy and TruGrid SecureRDP are two good products for securing RD Gateway.

Peter

chozn
Viewer

@ITProJeff Could CVE-2020-610 be what they were thinking about? "A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP. The update addresses the vulnerability by correcting how RD Gateway handles connection requests."

denbesten
Community Champion

@chozn wrote:

@ITProJeff Could CVE-2020-610 be what they were thinking about?

CVE-2020-610 was mitigated with routine monthly patches in Jan 2020. If the single vulnerability were the target of concern, I would think the finding would have been "failure to promptly apply patches", not "we hate RDP gateway".
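The two things this thread turns on are whether the gateway is actually reachable on the ports the original post names (443/TCP, and 3391/UDP when UDP transport is on) and how promptly the host is patched, which is the control denbesten says should have been the real finding. The script below is an added example written for this page, not something posted in the thread or shipped by Microsoft; it runs in an elevated PowerShell on the Windows Server hosting the RD Gateway role and reports both. The 30-day threshold ($MaxPatchAgeDays) is an assumed value, not a figure from the discussion, and the hotfix-age check is a proxy for patch hygiene, not a test for any specific CVE.

```powershell
# Added example, not from the thread: audit an RD Gateway host for its
# internet-facing listeners and the age of its newest installed update.
# Run elevated on the Windows Server that hosts the RDS-Gateway role.
# $MaxPatchAgeDays is an assumed threshold for this example.

$MaxPatchAgeDays = 30

# 1. Is the RD Gateway role even installed? (ServerManager module, Windows Server only)
$gw = Get-WindowsFeature -Name RDS-Gateway
if (-not $gw.Installed) {
    Write-Output "RDS-Gateway role is not installed on $env:COMPUTERNAME; nothing to audit."
    return
}

# 2. Which sockets are open? RD Gateway serves HTTPS on 443/TCP and, when UDP
#    transport is enabled, 3391/UDP. A listener bound to 0.0.0.0 or :: accepts
#    from every interface, so anything the edge firewall forwards reaches it.
$tcp = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
$udp = Get-NetUDPEndpoint -LocalPort 3391 -ErrorAction SilentlyContinue

foreach ($l in $tcp) {
    $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    Write-Output ("443/TCP listening on {0} (pid {1}, {2})" -f $l.LocalAddress, $l.OwningProcess, $proc)
}
if (-not $tcp) { Write-Output "No 443/TCP listener found." }

foreach ($e in $udp) {
    Write-Output ("3391/UDP bound on {0}" -f $e.LocalAddress)
}
if (-not $udp) { Write-Output "No 3391/UDP endpoint found (UDP transport disabled or not in use)." }

# 3. How stale is the patch level? Some Get-HotFix entries carry a null
#    InstalledOn, so drop those before taking the newest date.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if (-not $latest) {
    Write-Output "No hotfix install dates available; check Windows Update history manually."
} else {
    $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    $msg = "Newest hotfix {0} installed {1:yyyy-MM-dd} ({2} days ago)" -f $latest.HotFixID, $latest.InstalledOn, $age
    if ($age -gt $MaxPatchAgeDays) {
        Write-Warning "$msg; exceeds the $MaxPatchAgeDays-day threshold for an internet-facing gateway."
    } else {
        Write-Output $msg
    }
}
```

Read the output in the light of chozn's quoted description: the flaw was pre-authentication, so a listener on 0.0.0.0:443 reachable through the edge firewall is exposed regardless of MFA, GeoIP filtering or lockout software, and the only host-side control that closes it is the update itself. Get-HotFix only lists updates installed through the Windows Update/servicing stack, so a server patched by other means may need its history checked another way.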