One of my networks has received multiple attacks of the kind ID 1-49040 and the wording "compromised windows computer located behind a Firewall" and "It will require already access to a compromised computer inside the target network" makes me think this attacker is already inside my network, which bothers me quite a bit.
Any advice on this?
Microsoft Windows Terminal server RDP over non-standard port attempt
1:1 NAT is similar to port forwarding from a technical standpoint. Like @jdsilva said, it's sufficient for someone to try RDP-ing to a random port on which you have a service running to trigger an event like this.
Generally speaking you should limit access to the 1:1 NATed IP-address(es) using the firewall. But even then, you can't avoid people trying to hack systems so security events will come up. That's not bad, at least that way you know and the firewall is doing its job blocking the attempts.
Do you have any ports opened inbound?
Under threat protection are you set to detect or prevent?
It is not uncommon to see messages about attacks like this, but you would need to have RDP open to the public Internet for someone to compromise you.
Threat protection is set to prevention
If I understand correctly, this is an external attacker trying to open an RDP connection over a non-standard port. It relies upon you having allowed Internet traffic to a Windows machine, such as through port forwarding or NATting.
If you've got RDP enabled on a public-facing device, you should disable that right now, in my opinion. Find another way to remotely manage that device.
Lot of folks think RDP on a non-standard port is "safe" and uh... no. This is why it's not.
This rule can also be triggered if someone is attempting to exploit RDP, over a non-standard port, even if the service listening on that port is not RDP. I have a port 45454 forwarded on an MX to a service that is not RDP (but is TCP) and it fairly regularly is triggering this non-standard RDP port rule. This is almost certainly people just scanning large swathes of IPs and trying RDP exploits on every open port they find.
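To make the point in the reply above concrete, here is an added example (editor's code, not from the thread or from Meraki/Snort) of why this signature fires against a forward that is not RDP at all. A scanner that is hunting for RDP sends the protocol's opening packet, an X.224 Connection Request inside a TPKT header, to every open port it finds; the IDS matches that request shape, not whatever is actually listening. The packet layout (TPKT version 3, X.224 CR type 0xE0, optional `Cookie: mstshash=` routing token) is the documented RDP handshake; the exact matching logic of rule 1-49040 is not on this page, so the detector below is an approximation, and the event records, IP addresses and exposed-port list are constructed for the demonstration.

```python
import struct

RDP_STANDARD_PORT = 3389


def build_rdp_connection_request(username="scan"):
    """Construct the first packet an RDP client (or scanner) sends.

    Layout: TPKT header (version 3, reserved 0, 2-byte total length),
    then the X.224 CR TPDU: length indicator, type 0xE0, DST-REF (2),
    SRC-REF (2), class (1), followed by the routing-token cookie.
    Used here only to produce sample traffic for the detector below.
    """
    cookie = b"Cookie: mstshash=" + username.encode() + b"\r\n"
    x224_body = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie
    x224 = bytes([len(x224_body)]) + x224_body      # length indicator + body
    tpkt_len = 4 + len(x224)
    return b"\x03\x00" + struct.pack(">H", tpkt_len) + x224


def is_rdp_connection_request(payload):
    """Return True if the TCP payload looks like an X.224 Connection Request.

    Note that nothing here depends on the destination port: this is what
    lets a non-RDP forward trigger an "RDP over non-standard port" event.
    """
    if len(payload) < 11:                      # TPKT(4) + minimal CR TPDU(7)
        return False
    if payload[0] != 0x03 or payload[1] != 0x00:
        return False
    tpkt_len = struct.unpack(">H", payload[2:4])[0]
    if tpkt_len < 11 or tpkt_len > len(payload):
        return False
    length_indicator = payload[4]
    if payload[5] != 0xE0:                     # X.224 CR TPDU type code
        return False
    return 4 + 1 + length_indicator == tpkt_len


def extract_cookie(payload):
    """Pull the mstshash routing token (often a username) out of a CR, if any."""
    marker = b"mstshash="
    start = payload.find(marker)
    if start < 0:
        return None
    start += len(marker)
    end = payload.find(b"\r\n", start)
    return payload[start:end if end >= 0 else None].decode(errors="replace")


def classify_probe(dst_port, payload):
    """Label one inbound connection the way the IDS would."""
    if not is_rdp_connection_request(payload):
        return "not-rdp"
    return "rdp-standard-port" if dst_port == RDP_STANDARD_PORT else "rdp-nonstandard-port"


def triage(events, exposed_ports):
    """Separate noise from events that actually reach a forwarded/NATed service.

    `events` are constructed records with the fields an IDS event carries;
    `exposed_ports` is the administrator's own list of inbound forwards.
    """
    results = []
    for ev in events:
        verdict = classify_probe(ev["dst_port"], ev["payload"])
        results.append({
            "src": ev["src"],
            "dst_port": ev["dst_port"],
            "verdict": verdict,
            "cookie": extract_cookie(ev["payload"]) if verdict != "not-rdp" else None,
            "reaches_exposed_service": ev["dst_port"] in exposed_ports,
        })
    return results


# Constructed sample data: a scanner hitting a non-RDP forward on 45454 and
# HTTPS on 443, a guess on the standard port, and an unrelated HTTP request.
SAMPLE_EVENTS = [
    {"src": "198.51.100.23", "dst_port": 45454, "payload": build_rdp_connection_request("hello")},
    {"src": "198.51.100.23", "dst_port": 443, "payload": build_rdp_connection_request("hello")},
    {"src": "203.0.113.9", "dst_port": 3389, "payload": build_rdp_connection_request("Administrator")},
    {"src": "203.0.113.77", "dst_port": 45454, "payload": b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"},
]
EXPOSED_PORTS = {45454, 443}   # assumed inbound forwards on the firewall

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, EXPOSED_PORTS):
        print(row)
```

The useful part for triage is the last field: an RDP probe against a port that is forwarded to a non-RDP service is scanner noise the firewall already handled, while a probe against a port that really does reach RDP is the one to act on, which is exactly why the advice in this thread is to check which ports are open inbound and close RDP on anything public-facing.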
As a precaution maybe block outbound RDP traffic. Does the report you are getting point to a specific client device?
Yes, to the storage devices for the security cameras
Might want to set the ruleset to security setting while you are learning and tracking this down. Also if out of country threat you might try blocking all traffic by that country. Temporarily IP block might be good too.