minvws · underdarknl · Nov 28, 2024 · Oct 4, 2024 · Oct 7, 2024 · Oct 7, 2024
@@ -132,6 +132,13 @@
     "impact": "System administrator ports should only be reachable from safe and known locations to reduce attack surface.",
     "recommendation": "Determine if this port should be reachable from the identified location. Limit access to reduce the attack surface if necessary."
   },
+  "KAT-REMOTE-DESKTOP-PORT": {
+    "description": "An open Microsoft Remote Desktop Protocol (RDP) port was detected.",
+    "source": "https://www.cloudflare.com/en-gb/learning/access-management/rdp-security-risks/",
+    "risk": "medium",
+    "impact": "Remote desktop ports are often the root cause in ransomware attacks, due to weak password usage, outdated software or insecure configurations.",
+    "recommendation": "Disable the Microsoft RDP service on port 3389 if this is publicly reachable. Add additional security layers, such as VPN access if these ports do require to be enabled to limit the attack surface."
+  },
   "KAT-OPEN-DATABASE-PORT": {
     "description": "A database port is open.",
     "source": "https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers",

@@ -30,6 +30,12 @@
       "pattern": "^(\\s*(,*)[0-9]+,?\\s*)*$",
       "default": "1433,1434,3050,3306,5432"
     },
+    "microsoft_rdp_ports": {
+      "description": "Comma separated list of (Microsoft) RDP ports",
+      "type": "string",
+      "pattern": "^(\\s*(,*)[0-9]+,?\\s*)*$",
+      "default": "3389"
+    },
     "aggregate_findings": {
       "description": "Do you want to aggregate findings into one finding of the IP? Answer with true or false.",
       "type": "string",

@@ -26,7 +26,6 @@
     21,  # FTP
     22,  # SSH
     23,  # Telnet
-    3389,  # Remote Desktop
     5900,  # VNC
 ]
 DB_TCP_PORTS = [
@@ -36,6 +35,9 @@
     3306,  # MySQL
     5432,  # PostgreSQL
 ]
+MICROSOFT_RDP_PORTS = [
+    3389  # Microsoft Remote Desktop
+]
 
 
 def get_ports_from_config(config, config_key, default):
@@ -53,6 +55,7 @@ def run(input_ooi: IPPort, additional_oois: list, config: dict[str, Any]) -> Ite
     common_udp_ports = get_ports_from_config(config, "common_udp_ports", COMMON_UDP_PORTS)
     sa_tcp_ports = get_ports_from_config(config, "sa_tcp_ports", SA_TCP_PORTS)
     db_tcp_ports = get_ports_from_config(config, "db_tcp_ports", DB_TCP_PORTS)
+    microsoft_rdp_ports = get_ports_from_config(config, "microsoft_rdp_ports", MICROSOFT_RDP_PORTS)
 
     for ip_port in additional_oois:
         port = ip_port.port
@@ -66,7 +69,8 @@ def run(input_ooi: IPPort, additional_oois: list, config: dict[str, Any]) -> Ite
                 yield Finding(
                     finding_type=open_sa_port.reference,
                     ooi=ip_port.reference,
-                    description=f"Port {port}/{protocol.value} is a system administrator port and should not be open.",
+                    description=f"Port {port}/{protocol.value} is a system administrator port and "
+                    f"should possibly not be open.",
                 )
         elif protocol == Protocol.TCP and port in db_tcp_ports:
             ft = KATFindingType(id="KAT-OPEN-DATABASE-PORT")
@@ -79,6 +83,18 @@ def run(input_ooi: IPPort, additional_oois: list, config: dict[str, Any]) -> Ite
                     ooi=ip_port.reference,
                     description=f"Port {port}/{protocol.value} is a database port and should not be open.",
                 )
+        elif (protocol == Protocol.TCP or protocol == Protocol.UDP) and port in microsoft_rdp_ports:
+            open_rdp_port = KATFindingType(id="KAT-REMOTE-DESKTOP-PORT")
+            if aggregate_findings:
+                open_ports.append(ip_port.port)
+            else:
+                yield open_rdp_port
+                yield Finding(
+                    finding_type=open_rdp_port.reference,
+                    ooi=ip_port.reference,
+                    description=f"Port {port}/{protocol.value} is a Microsoft Remote Desktop port and "
+                    f"should possibly not be open.",
+                )
         elif (protocol == Protocol.TCP and port not in common_tcp_ports) or (
             protocol == Protocol.UDP and port not in common_udp_ports
         ):

@@ -29,7 +29,7 @@ def test_port_classification_tcp_22():
     assert len(results) == 2
     finding = results[-1]
     assert isinstance(finding, Finding)
-    assert finding.description == "Port 22/tcp is a system administrator port and should not be open."
+    assert finding.description == "Port 22/tcp is a system administrator port and should possibly not be open."
 
 
 def test_port_classification_tcp_5432():