Geek alert: Found out today that our probably 10 year old firewall ruleset was allowing public RDP to our workstations
Posted by
oblique (aka kkuphal)
Dec 11 '24, 10:19
Got a bunch of alerts from Defender about password spray/login attempts to 3 of our machines in our new Houston office. Traced it down to incoming RDP connections but couldn't figure out how they were being accessed via public IPs, since 99% of the world sits behind a router/firewall and this should be no different.
Turns out the AT&T fiber router was set up in passthrough mode with a block of IP addresses. Our Meraki firewall hasn't arrived yet, so they were using it just like a home internet setup, except in this case they were handed live public IPs.
Sure, no problem, except we had a VERY old firewall rule that had the default Public/Private/Domain checkboxes enabled instead of just Private/Domain, so they were basically hanging their asses out on the public internet and got sniped. Luckily no access was made and we found the offending rule, but what a crazy combination:
- Router/modem in passthrough mode
- Public access RDP rule
Never came up before because even users on "Public" networks were always behind another firewall and never subject to attacks (other than potentially from other network users, which obviously never happened).
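Added example (not from the original post, and not the poster's own script): a PowerShell audit that finds the kind of rule described above, i.e. an enabled inbound allow rule covering TCP 3389 whose profile set includes Public (or is "Any", which means all three profiles), and with a hypothetical -Fix switch pulls those rules back to Domain,Private. It assumes a Windows host with the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated session; the rule names and output are whatever the host actually has.

```powershell
# Added example, not part of the original post.
# Audit Windows Firewall for inbound RDP (TCP 3389) allow rules that are active on the
# Public profile, and optionally restrict them to Domain,Private.
# Assumes: NetSecurity module present, run as Administrator. -Fix is this script's own switch.
param([switch]$Fix)

$rdpPort = 3389
$exposed = @()

# Only enabled inbound allow rules can expose anything; block/disabled rules are skipped.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
foreach ($rule in $rules) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -ne 'TCP') { continue }

    # LocalPort may be 'Any', a single port, a range like '3000-4000', a keyword such
    # as 'RPC', or an array of those. Treat 'Any' and any range containing 3389 as a hit.
    $hitsRdp = $false
    foreach ($p in @($pf.LocalPort)) {
        if ($p -eq 'Any') { $hitsRdp = $true; break }
        if ($p -match '^(\d+)-(\d+)$') {
            if ([int]$matches[1] -le $rdpPort -and $rdpPort -le [int]$matches[2]) { $hitsRdp = $true; break }
        } elseif ($p -match '^\d+$' -and [int]$p -eq $rdpPort) {
            $hitsRdp = $true; break
        }
    }
    if (-not $hitsRdp) { continue }

    # Profile 'Any' (value 0) applies to all profiles, so it is Public exposure too;
    # otherwise the string form looks like 'Domain, Private, Public'.
    $ruleProfile = "$($rule.Profile)"
    if ($ruleProfile -eq 'Any' -or $ruleProfile -match 'Public') {
        $exposed += $rule
    }
}

if (-not $exposed) {
    "No enabled inbound RDP allow rule is active on the Public profile."
} else {
    "Inbound RDP allow rules reachable on the Public profile:"
    $exposed | Select-Object Name, DisplayName, Profile, Enabled | Format-Table -AutoSize

    if ($Fix) {
        # Set-NetFirewallRule -Profile replaces the whole profile set, so an 'Any' rule
        # becomes Domain,Private rather than keeping Public. The rule itself stays enabled.
        $exposed | Set-NetFirewallRule -Profile Domain,Private
        "Restricted $($exposed.Count) rule(s) to Domain,Private."
    }
}

# Which profile each live connection is on. A NIC categorised as 'Public' while it holds
# a real public IP (modem in passthrough, no upstream firewall yet) is the exact
# combination described in the post.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity
```

Run it without -Fix first and read the list; the built-in "Remote Desktop" group rules will usually appear if anyone ever ticked all three profile boxes, and third-party or GPO-deployed rules may not be RDP-specific but still cover the port (an "Any" port rule shows up for that reason). Check Get-NetConnectionProfile output as well: the rule fix only matters on hosts whose interface can end up in the Public category, and moving such a workstation to a Private or Domain profile without an upstream firewall does not make RDP safe, it just changes which rules apply.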