Ever wondered what would happen if you accidentally created a VM with a Public IP without any additional security measures in place? Well, I thought I would give it a go over the weekend, and the results were rather interesting.
It’s worth noting that I am only looking at failed RDP requests. I am not counting any other scans or attempts to access the VM.
For the test, I used an isolated environment. I created a Windows 2019 Datacenter VM with a public IP address; I removed the NSG and allowed ICMP on the VM’s firewall. I wanted to make the VM as easy as possible to find. I ran the VM for about 30 hours in total.
During this time, I had a total of 11602 Failed Login Attempts.
I was interested to see what usernames the bad actors were attempting to use; as you can see below, Administrator and similar names are still the most popular.
Some of the less common usernames included:
I exported the IP addresses and used the IP Geolocation lookup to see where the attempted access originated; as you can see, most of it is from the usual suspects.
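The same tally can be done from an exported Security log rather than by hand. This is an added example, not code from the original post; the CSV columns are an assumption and the rows are constructed. With NLA enabled, failed RDP authentications are logged with logon type 3 rather than 10, so both are counted.

```python
"""Tally failed RDP logons (Security Event ID 4625) by account and source IP."""
import csv
import io
from collections import Counter

# Constructed sample export (assumed columns): TimeCreated, EventID, TargetUserName, IpAddress, LogonType
SAMPLE_CSV = """TimeCreated,EventID,TargetUserName,IpAddress,LogonType
2021-06-05T10:00:01Z,4625,Administrator,203.0.113.10,10
2021-06-05T10:00:02Z,4625,administrator,203.0.113.10,10
2021-06-05T10:00:04Z,4625,admin,203.0.113.10,10
2021-06-05T10:01:10Z,4625,Administrator,198.51.100.7,10
2021-06-05T10:01:11Z,4625,scanner,198.51.100.7,10
2021-06-05T10:02:00Z,4624,azureuser,192.0.2.25,10
2021-06-05T10:03:30Z,4625,Administrator,203.0.113.10,3
"""

# Logon type 10 = RemoteInteractive; with NLA the pre-session failure is logged as type 3 (Network).
RDP_LOGON_TYPES = {"3", "10"}


def load_failed_rdp(csv_text):
    """Return only failed logons (4625) that arrived via RDP logon types."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["EventID"] == "4625" and r["LogonType"] in RDP_LOGON_TYPES]


def summarise(events):
    """Count attempts, usernames (case-folded, as Windows treats them) and source IPs."""
    users = Counter(e["TargetUserName"].lower() for e in events)
    ips = Counter(e["IpAddress"] for e in events)
    return {"total": len(events), "users": users, "ips": ips}


def noisy_sources(ips, threshold):
    """Source IPs at or above the threshold: candidates for an NSG or firewall deny rule."""
    return sorted(ip for ip, n in ips.items() if n >= threshold)


if __name__ == "__main__":
    s = summarise(load_failed_rdp(SAMPLE_CSV))
    print(f"failed RDP logons: {s['total']}")
    for user, n in s["users"].most_common(5):
        print(f"  user {user}: {n}")
    for ip, n in s["ips"].most_common(5):
        print(f"  source {ip}: {n}")
    print("noisy sources:", noisy_sources(s["ips"], 3))
```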
Microsoft offers a number of security features to prevent this, including:
- Create a policy ensuring NICs can't have a public IP address
- Conditional Access
- Multi Factor Authentication
- Best practice for IaaS workloads
- Microsoft Defender for Cloud
- Microsoft Sentinel
I must admit this was a bit of fun, but on a serious note, make sure you have the necessary security in place. It’s a scary world we live in.