Remote users are a part of every organization and the need to provide external access can be a real problem. For the bigger organizations, they will most likely implement several security controls in order to isolate their users from the rest of the internet.
For some, they may want to go for the cheaper option to provide remote access.
Normally when you think remote access, you think RDP (3389) but in this case, the remote access portal is done through the browser, meaning it’s remote access on https (443). Once passed the login screen, you can use the connecter tool to RDP.
“Remote Web Access in Windows Server Essentials, or in Windows Server 2012 R2 with the Windows Server Essentials Experience role installed, provides a streamlined, touch-friendly browser experience for accessing applications and data from virtually anywhere that you have an Internet connection and by using almost any device.”
Microsoft do their best to assist on getting this setup by allowing users to get a personalized domain from them:
This allows users to register an account with them and set a prefix on the default domain:
The problem is, if everyone does this, there becomes a common pattern. This access, is secured by an SSL certificate.
Inside that certificates there will two fields; Subject and Subject Alternative Name that will have a DNS entry and a Common Name (CN). This will be: [Userdomain].remotewebaccess.com.
Attackers can use this information on services like Shodan, Censys and ZoomEye.
As you can see above, I can find around 3000 servers online. If we hit the top site, we see the following.
Attacks could brute force their way in or obtain the credentials using other means. Depending on your setup, this could be a huge concern. It’s not only RDP that Web Access allows you to publish. You can also access email and shared folders.
So what can you do to secure your connections. Microsoft offer this advise
” Users who use Remote Web Access from public locations or other untrusted computers should ensure that they log off the website before leaving the computer unattended or when they are finished with their session. “
But obviously there is a lot more you can do.
- Secure and limit the accounts which have access.
- Apply a least privilege access approach.
- Remove old accounts if no longer in use.
- Isolate the server on the network. If the server was compromised, this could further exposure your enviroment and malware could pass east, west. A DMZ approach is common.
- Enable MFA. For example, RDS could point to an NPS server which has the Azure extension installed.
Another step would be to use a custom domain. This would at least move you away from the crowd and be less of a target. If someone is directly targeting you, having a custom domain won’t save you. This is where the other controls come into play.
If you are running the service it may be worth reviewing your setup, just in case.