Results from Qualys Scan
ISSUE:
-Windows Remote Desktop Protocol Weak Encryption Method Allowed
THREAT:
Remote Desktop Protocol is a protocol by which Terminal Service provides desktop level access to a remote user. It can be used to remotely login and interact with a Windows machine.
Since RDP transfers sensitive information about the user and the system, it can be configured to use encryption to provide privacy and integrity for its sessions. It is possible to configure RDP to use encryption algorithms that are considered insecure, such as RC4 40-bit and RC4 56-bit.
IMPACT:
If an attacker has access to the network traffic of RDP sessions using weak encryption methods, then it will be possible for them to brute-force the encryption parameters and compromise the privacy of the RDP session.
SOLUTION:
RDP needs to be configured to use strong encryption methods or to use SSL as the privacy and integrity provider. To configure RDP encryption methods, the 'Terminal Services Configuration' snap-in can be launched in mmc.exe. In the 'Terminal Services Configuration' properties dialog box, on the General tab, 'High' should be selected for the Encryption Level.
LINKS:
http://technet.microsoft.com/en-us/library/cc770833.aspx
https://www.fishnetsecurity.com/6labs/blog/remote-desktop-protocol-security-creating-successful-implementation
Validating the Findings
In order to validate the findings, we use additional tools to see if we can get the same output as the Qualys scan. In this case, Qualys detected that the encryption algorithms in use are RC4 40-bit and RC4 56-bit, so our objective is to confirm that information with other tools.
Using NMAP
nmap -p 3389 --script rdp-enum-encryption <ip>
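Validation is only useful if the scan output is read consistently, so the following added example (not part of the original post, and not code from nmap or Qualys) parses the rdp-enum-encryption script section and reports the same condition Qualys flags: a server that accepts 40-bit or 56-bit RC4. The two input samples are constructed in the shape of the script's output rather than captured from a real host, the target address 192.0.2.10 is a documentation placeholder, and the string 'FAILED' for a rejected method is an assumption; the parser treats anything other than SUCCESS as not accepted, so the exact failure wording does not matter.

```python
"""Flag weak RDP encryption methods from nmap rdp-enum-encryption output."""
import re

# Constructed sample (not real scan output) in the shape of the nmap script's
# report for a host whose encryption level is still 'Client Compatible'.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     Native RDP: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server
"""

# Constructed sample for the same host after Encryption Level 'High' was set.
# 'FAILED' is an assumed failure string; only 'SUCCESS' is treated as accepted.
HARDENED_NMAP_OUTPUT = """\
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     Native RDP: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: High
|     40-bit RC4: FAILED
|     56-bit RC4: FAILED
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server
"""

# Methods the Qualys finding classifies as insecure.
WEAK_METHODS = {"40-bit RC4", "56-bit RC4"}


def parse_rdp_enum_encryption(text):
    """Return (security_layers, encryption_level, methods).

    security_layers and methods map a name to True when the script reported
    SUCCESS for it; encryption_level is the server's advertised level.
    """
    layers, methods, level = {}, {}, None
    section = None
    for raw in text.splitlines():
        # Only lines inside the NSE block carry the "| " / "|_ " prefix.
        m = re.match(r"^\|_?\s*(.*)$", raw)
        if not m:
            continue
        line = m.group(1).strip()
        if line.startswith("Security layer"):
            section = "layer"
            continue
        lvl = re.match(r"RDP Encryption level:\s*(.+)$", line)
        if lvl:
            level = lvl.group(1).strip()
            section = "method"
            continue
        if line.startswith("RDP Protocol Version"):
            section = None
            continue
        kv = re.match(r"(.+?):\s*(\S.*)?$", line)
        if kv and section:
            target = layers if section == "layer" else methods
            target[kv.group(1).strip()] = (kv.group(2) or "") == "SUCCESS"
    return layers, level, methods


def assess(text):
    """Summarise the scan the way the Qualys finding would."""
    layers, level, methods = parse_rdp_enum_encryption(text)
    weak = sorted(name for name, ok in methods.items() if ok and name in WEAK_METHODS)
    findings = []
    if weak:
        findings.append("weak RDP encryption methods accepted: " + ", ".join(weak))
    # Without SSL or CredSSP, clients are forced onto native RDP security.
    if layers.get("Native RDP") and not (layers.get("SSL") or layers.get("CredSSP (NLA)")):
        findings.append("only the native RDP security layer is offered (no SSL/CredSSP)")
    return {"encryption_level": level, "weak_methods": weak, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_NMAP_OUTPUT), ("after", HARDENED_NMAP_OUTPUT)):
        print(label, assess(sample))
```

Running the script prints a finding for the first sample and nothing for the hardened one; pipe real nmap output into assess() to compare against the Qualys result for a host.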
Using Perl Script
Download the package using wget
#wget http://labs.portcullis.co.uk/download/rdp-sec-check-0.8.tar.gz
Extract the package
#tar -xvzf rdp-sec-check-0.8.tar.gz
Change into the extracted directory (assumed here to be named after the tarball) and run the script
#cd rdp-sec-check-0.8
#./rdp-sec-check.pl <IP address>
References: