We have a firewall protected RDP server, however, using an unknown (to me) method, someone was able using Remote Desktop, login interactively on the server.
I noticed the break-in by chance: only one user allowed access at a time and trying to get in, found someone else inside.
We have MalwareBytes (recomended) and it stop a known ransomware download.
It's important to notice that ILS_ANONYMOUS_USER is a password-less account.
I contacted the Microsoft Security Response Center [email protected], however their answer is hard to believe:
Subject: RE: Windows - SecurityFeatureBypass - Remote RDP login using
ILS_ANONYMOUS_USER VULN-098797 CRM:0450000683
Hello,
Thank you for contacting the Microsoft Security Response Center
(MSRC). What you're reporting appears to be a bug/product suggestion,
but does not meet the definition of a security vulnerability.
As such, this thread is being closed and no longer monitored. We
apologize for any inconvenience this may have caused.
....
However, the security vulnerability is present and Microsoft is not taking any action.
The solution is on each server restrict login to this account using GPEDIT.MSC:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny Logon locally.
You can check a potential 'visit' by looking for C:\Users\ILS_ANONYMOUS_USER if the folder is there, you are out of luck. Give yourself permission as administrator, change the ownership if needed and look at the 'Downloads' folder, hopefully no bad files are there. On my case, I have scanners, multiple files with usernames, others with thousands of passwords, also a few old Microsoft's decommissioned apps known to have elevation issues.
