A Simple (and I believe Secure) Way to Remotely Trigger Windows Actions (For Example SHUTDOWN)

[emgeep]

First some Background:
I use microsofts RDP (Remote Desktop) feature regularly to use my PC from remote locations. I was alarmed to discover that from time to time my system was being attacked by repeated attempts to logon. The attacks generally come from IP addresses in Europe ... I am in Australia. In one instance over a period of several hours the Windows event log recorded about 12 thousand failed logon attempts, all from one ip address, using a long list of userids. I have always configured my RDP access to use a non standard port in the belief that random attempts to hack via RDP would have troble finding me so discovering this was fairly alarming.

First Ideas
My first ideas were to use the failed logon events to trigger Windows background Tasks that would create firewall rules to block these rogue attacks. The solution proved complex and in the end I abandoned it as "not possible" using the security package I use. Next was a similar idea using failed logon events to trigger a routine to turn off remote access and also email me that an attack was probably in progress .. this worked OK but meant leaving RDP active until a problem occurred. What I really needed was a generic way to trigger events from a remote location. A way that could be used to control remote access plus other aspects of Windows .. eg shutdowns and restarts etc. etc.

Cloud Control Switches
My next (and so far final) idea was to use what I think of as as "cloud control switches".
With the various cloud services your PC usually includes an "offline" copy of your cloud data.
Whats more changes to data in the cloud are normally synced back to any offline copies on your various devices.
As a Office 365 user I had Microsofts OneDrive I used that for my switches but DropBox or most other cloud services should be OK as alternatives.
A cloud control switch is literally an empty file or folder exists in your cloud space. Its only important characteristic is its name.
For example the name could be ShutdownOFF.
A couple of lines of powershell code that can test for the existence of ShutdownON and if found issues a windows SHUTDOWN
The little powershell script can be scheduled using Windows Task Scheduler to run every few minutes.
To activate a shutdown from anywhere with an internet connection simply access OneDrive and rename ShutdownOFF as ShutdownON
The new name will be synced back to the PC, almost instantly in most cases, and on the next scheduling cycle windows will shut down.
The only other thing in the script I tested was to write a timestamped message to an activity log and to again rename the file to the OFF version to ensure that shutdown did not become a 5 minute repeated event

More Info
If anybody would like some notes for setting up a remote command using a specific example (eg SHUTDOWN or perhaps RESTART) please let me know and I could add to this thread.

Pros Cons

• This approach uses standard features and does not introduce any third party services or protocols
• Security seems sound given that all activity is executed within your own PC securiy and your own cloud space, Naturally if you have shared your cloud space in such a way that others can access and modify the files you create as cloud contrl swithes you would be exposed to them issuing the associated commands.
• The commands that are executed in this way do not happen instantly .. they wait for the next iteration of their script so this may be an issue for some requirements.
• The example above implies one scheduled event and one action action per requirement. If you find multiple uses for this technique you could have one schedule and one script that handles and actions multiple cloud control swithces.
• The repeated time interval scheduling is not very elegant as an IT technique. Ideally I would have liked the scheduling to be triggered by some type of system level event that I am sure is raised when the names changed. However this would need code to test for specific names to be detected for probably every rename event performed in my system. Therefore opted for the looping approach. I am sure the actual scheduling that windows dose is very efficient and the name tests are less than trivial so the overheads of this approach must be hard to measure

 

[Trouble]

I have always configured my RDP access to use a non standard port in the belief that random attempts to hack via RDP would have troble finding me so discovering this was fairly alarming.

IF you've abandoned port 3389 (great idea by the way) and are using random higher ports to facilitate your RDP connections then your problem might be less with your RDP client then with your router.
Many consumer based routers provide very poor protection from would-be attackers, so discovering your pinhole that you've configured to use for port forwarding (including the port number as well as the internal IP address) would be a relatively simple task for a determined hacker.

Popular home routers plagued by critical security flaws

A recent study of 127 home routers from seven, mostly large vendors has found that nearly all tested routers are affected by scores of unpatched and often severe security flaws that leave the devices – and their users – at risk of cyberattacks.

www.welivesecurity.com

 

[emgeep]

Hi Trouble, Thanks for your advice about router weaknesses, that is something to keep in mind. My approach to avoiding 3389 is not to translate it as it passes through the router. I modify the port number used by RDP in the Registry of the host machine and allow it through the firewall. I choose port numbers that are not associated (by standards or conventions) with any other port using application. The port number is then specified to the RDP client connection (ie phone, tablet or computer clients) and this passes through the router for external connections without translation. My router is configured to pass traffic for this port to the LAN IP of a specific PC but this is anonymous in respect of RDP. Each PC within the LAN that requires RDP is configured with its own RDP port number. Is this enough to avoid the problems you mention ?

 

[Trouble]

My router is configured to pass traffic for this port to the LAN IP of a specific PC

Yep.... that's what we used to call a pin-hole, which supports port forwarding.
You configure that within the router through its' admin interface, generally through the inside edge.
Now imagine if I had that same admin interface, to remotely administer that same router, only through the outside edge.

Probably wouldn't take me long to figure out what protocols were being passed, using which port and to what inside LAN IP address, since all those things need to be defined when configuring the router for forwarding.

 

[emgeep]

Ahhh well .. thanks again .. so be it .. with my new cloud triggers I remotely switch on RDP and turn it off again when I have finished. This limits exposure dramatically and with the "assistance" of my provider who tends to change my external IP randomly and often I am now feeling more secure. The changing IP used to be pretty annoying but the PC detects that and publishes it to a secure cloud location. As a final protection failed login events are detected and immediately disable RDP.

 

[Bighorn]

Just for another idea, I worked in a computer shop in the late '90s and we had Servers and an ISPs Dial-Up Modems. A fairly secure to reset a Server used an APC Rack PDU, could log into it from a computer over the Internet and manage power to any machine connected to it. Passwords were required.

https://www.amazon.com/APC-AP7901B-Switched-Power-Distribution/dp/B06XBDTFLP/ref=asc_df_B06XBDTFLP?tag=bngsmtphsnus-20&linkCode=df0&hvadid=80127027724184&hvnetw=s&hvqmt=e&hvbmt=be&hvdev=c&hvlocint=&hvlocphy=&hvtargid=pla-4583726553624515&psc=1

​