As cyber attacks using remote desktop protocol (RDP) ports become more common, one would think developers would be diligent about keeping these ports secure. As it turns out, that isn’t the case. Microsoft has been notified of a security gap found within RDP ports of Windows 10 starting version 1803 and Server 2019 or newer.
What is the Flaw?
The security flaw can be exploited to bypass the lock screen of a Windows machine, even when multi-factor authentication mechanisms are in place.
Therefore, if a user locks a Windows machine while connected remotely through an RDP session, if the session is temporarily disconnected, automatic reconnection will restore the session to an unlocked state.
The Stream of Attack
First, the user connects remotely to Windows 10 1803, Server 2019, or newer system using RDP. Then, when necessary, they lock the remote session. From there, an attacker could interrupt the network connection of the RDP client. This will cause the device to automatically reconnect and bypass the Windows screen lock. This could then allow a local attacker to gain access to the unlocked computer and all connected networks.
According to BleepingComputer, Microsoft was notified of the issue on April 19 and replied by saying that the ” behavior does not meet the Microsoft Security Servicing Criteria for Windows.” Therefore a patch will not be issued.
So, what can you do? Since patch management isn’t an option, users are encouraged to do the following:
- Disable unused RDP ports
- Deploy a security solution that utilizes application whitelisting — therefore, if a hacker does get in and tries to install malware, it will be blocked
- For enterprise users, finding a security solution that minimizes the risk of hackers uninstalling the program would be best.
