With a sudden surge in people scanning for RDP ports that are exposed to the internet, one can assume they are building lists of possibly vulnerable hosts, waiting for the chance to spring once exploit code becomes available. This of course got me thinking about profiling the people most likely to be running RDP. Several people have been port scanning TCP 3389, but there is a much easier way to build a quick list.
Microsoft Small Business Server = RDP Pain. I came to this conclusion because:
- It's designed to run all critical and sensitive data on one server
- Has an internet-facing design touted by MS
- Core of most SMBs' operations
- Possibly slower to patch the server, given the likelihood of not having a dedicated IT team
- There are 6,000 of them indexed by Google
That's right: "Google Dorking" for inurl:/Remote/logon.aspx gives a little over 6,000 entries, which is a nice way to start a list of vulnerable hosts.
Please go patch your SBS Server.
Changing the default RDP Port from 3389
Terminal Services listens on port 3389 by default, but this can be changed by editing the registry.
If you want to change the listening port, edit this registry value:
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, value PortNumber (REG_DWORD, default 3389)
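The port change described above, as an added PowerShell example that is not part of the original post: it reads the current PortNumber, writes the new value, opens the Windows Firewall for it and restarts Terminal Services. The port 33890 is a constructed example value; run this in an elevated session.

```powershell
# Added example (not from the original post): change the RDP listening port
# via the registry value the post describes, then open the firewall for it.
# Run in an elevated PowerShell session. 33890 is a constructed example value.
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$newPort = 33890

# Current listening port (3389 unless it has already been changed)
$current = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Write-Host "Current RDP port: $current"

# Sanity check: stay outside the well-known range and avoid the old default
if ($newPort -le 1024 -or $newPort -gt 65535 -or $newPort -eq 3389) {
    throw "Choose a port between 1025 and 65535 that is not 3389"
}

# Write the new port as a REG_DWORD, exactly as the post describes
Set-ItemProperty -Path $key -Name PortNumber -Value $newPort -Type DWord

# The built-in firewall rule only allows TCP 3389; permit the new port
New-NetFirewallRule -DisplayName "RDP on TCP $newPort" -Direction Inbound `
    -Protocol TCP -LocalPort $newPort -Action Allow | Out-Null

# The change takes effect once Terminal Services restarts (or after a reboot)
Restart-Service -Name TermService -Force

# Confirm the listener moved before closing the session you are working in
$listening = Get-NetTCPConnection -State Listen -LocalPort $newPort -ErrorAction SilentlyContinue
if ($listening) { Write-Host "RDP now listens on TCP $newPort" }
else            { Write-Warning "No listener on TCP $newPort yet; check the TermService state" }
```

Moving the port only keeps the host out of default-port scans; it is no substitute for the patch the post asks you to apply.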