{"id":6970,"date":"2023-06-08T09:16:43","date_gmt":"2023-06-08T09:16:43","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=6970"},"modified":"2024-07-22T04:43:29","modified_gmt":"2024-07-22T04:43:29","slug":"rate-limiting-remote-desktop-service-gateway","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/rate-limiting-remote-desktop-service-gateway","title":{"rendered":"Rate Limiting Remote Desktop Service Gateway"},"content":{"rendered":"\n

Recently had an issue where the RDweb Gateway was being brute forced locking out Accounts<\/p>\n\n\n\n

The client did not want to hide the RDGateway behind the AppProxy due to issues with a shortcut not working \ud83d\ude41<\/p>\n\n\n\n

Unfortunately RDWeb Gateway proxy’s RDP Traffic over HTTP so normal WAF’s done work well with RDGateways ( WAFs usually have protection for Rate Limiting Connections ) <\/p>\n\n\n\n

But we can do this with IIS \ud83d\ude42 <\/p>\n\n\n\n

Install this Role on IIS<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Enable Default Dynamics Restrictions on Logging Only Mode<\/p>\n\n\n\n

\n
\"\"<\/a><\/figure>\n<\/figure>\n\n\n\n

<\/p>\n\n\n\n

With enable logging only mode, request status as 200 and substatus code 501 or 502. <\/p>\n\n\n\n

With enable logging only mode off , request status as 403 substatus code 501 or 502. <\/p>\n\n\n\n

E.g. per below<\/p>\n\n\n\n

  #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken  \n( log for normal dynamic restriction)  \n    2018-01-08 04:30:34 192.168.2.50 GET \/ - 80 - 192.168.2.50 HTTP\/1.1 Mozilla\/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+WOW64;+Trident\/8.0;+.NET4.0C;+.NET4.0E;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+.NET+CLR+3.5.30729) - 403 501 0 15  \n( log entry for log only mode)  \n    2018-01-08 05:37:11 192.168.2.50 GET \/a.aspx - 80 - 192.168.2.50 HTTP\/1.1 Mozilla\/4.0+(compatible;+M<\/code><\/pre>\n\n\n\n
Let make it easier for us to monitor this <\/p>\n\n\n\n
Find and download Log Parser and Studio<\/a> on webserver<\/p>\n\n\n\n
How to emulate BruteForce<\/strong><\/p>\n\n\n\n
Open Chrome or Edge \\ Developer tools , open network tab \\ navigate to site , do a test login then copy the process login.aspx as fetch <\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Paste it into the Console , press enter and keep repeating 10 times!<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Go to Log Parser Studio<\/p>\n\n\n\n
Import Logs<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
C:\\inetpub\\logs\\LogFiles\\W3SVC1<\/p>\n\n\n\n
Create a new Query<\/p>\n\n\n\n
SELECT c-ip,cs-uri-stem as Uri,\n\nsc-status as HttpStatus,\n\nsc-substatus as SubStatus,\n\nsc-win32-status as Win32Status,\n\n       COUNT(*) AS Total\n\nFROM '[LOGFILEPATH]'\n\nWHERE (sc-substatus = 501) OR (sc-substatus = 502)\n\nGROUP BY Uri, HttpStatus, SubStatus, Win32Status, c-ip\n\nORDER BY Total DESC\n<\/code><\/pre>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Then Execute ! We should see the blocks<\/p>\n\n\n\n
Keep this on for a week then turn logged off for it to start blocking<\/p>\n\n\n\n
You can see the IP List here for any blocks<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Doing this on Fortigate<\/strong><\/p>\n\n\n\n
1) Look at Geoblocking first of all as this will minimise the noise<\/p>\n\n\n\n
2) Look at Session Limiting https:\/\/community.fortinet.com\/t5\/FortiGate\/Technical-Tip-Limit-connections-to-a-specific-destination-IP\/ta-p\/244968<\/a><\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
RDWeb.Brute.Force.Custom<\/strong><\/p>\n\n\n\n
Change SSL Inspection certificate to > deep-inspection
2.1 Enable the \u201cDecrypted Traffic Mirror\u201d > Create the profile for \u201cNew Decrypted Traffic Mirror\u201d
2.2 Name : whatever name
2.3 Destination MAC: leave it default
2.4 Decrypted Traffic Type: Both
2.5 Decrypted Traffic Source: Both
2.6 Interface: select one interface never use before<\/p>\n\n\n\n
use it and Apply on the Policy.<\/p>\n\n\n\n
Go to Network > Diagnostics > select the interface we configure from the \u201cNew Decrypted Traffic Mirror\u201d
4.1 Enable Filter > Host enter your testing IP\/Internet IP
4.2 Start capture > all process have to start at testing machine begin open browser, enter wrong password and close the browser session.
4.3 Save the file and send to the Fortinet IPS team.
4.4 change the SSL inspection certificate for your original one.<\/p>\n\n\n\n
This is the whole process what I did for the capture packet on the Fortinet.<\/p>\n\n\n\n
IPS Signature<\/p>\n\n\n\n
F-SBID( --attack_id 3402; --name \"RDWeb.Brute.Force.Custom\"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type http_post; --pattern \"\/RDWeb\"; --context uri; --no_case; --pattern \"\/login.aspx\"; --context uri; --distance 0; --no_case; --pattern \"DomainUserName=\";)\n<\/code><\/pre>\n\n\n\n
If you want to capture this IPS\/IDS logs for the RDS https brute force attack, you also have to enable the \u201cdeep inspection\u201d and Enable the \u201cDecrypted Traffic Mirror\u201d.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
An addition to the great recommendations in this post, you can also leverage the “rate based signatures” section in the IPS Sensor. FortiGate has a signature specific for Microsoft Remote Desktop specifically (MS.RDP.Connection.Brute.Force). <\/p>\n","protected":false},"excerpt":{"rendered":"
Recently had an issue where the RDweb Gateway was being brute forced locking out Accounts The client did not want to hide the RDGateway behind the AppProxy […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4238,1401,4237,2509,207,3992],"class_list":["post-6970","post","type-post","status-publish","format-standard","hentry","category-research","tag-edit-dynamic-restriction","tag-iis","tag-logging-mode-only","tag-logs","tag-rdp","tag-web"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6970","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=6970"}],"version-history":[{"count":7,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6970\/revisions"}],"predecessor-version":[{"id":8148,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6970\/revisions\/8148"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=6970"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=6970"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=6970"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}