From the desk of: Sam C. Chan

FAQ for RDP Vulnerability Advisory

March 21, 2012  

This is a plain English explanation for the March 15 Advisory.

What exactly is it all about?

  • A security flaw has been discovered in Remote Desktop Services (aka "RDP")
  • it may allow attackers to run programs on your system, without a successful login
  • RDP is used by all IT-managed sites for remote administration and support
  • RDP is also used by many remote workers

Does it affect me?

  • Yes, Your site is directly affected.
  • It affects all O.S.s from XP to Windows 7, and Server 2003 to 2008, and SBS 2011

Don't I already have protection?

Why can't we just automatically update/patch everything?

Bravo Tiered Response (per SLA):

  1. next-day emergency response (already completed last night): dedicated servers (domain/workgroup), for sites within our IT jurisdiction, with standing authorization and unfettered access.
  2. guaranteed 5-day priority scheduling: for tier-1 site workstations, private notices already sent, appointments scheduled
  3. best-effort scheduling within 10 days: tier 2 sites
  4. recommended 30-day window for tier-3 sites to address this issue
  5. upon request on time/resource-permitting basis, subject to schedule bump

Implementation Items:

  1. install critical patch for the exact platform (KB2621440, KB2667402)
  2. implement & activate Network Location Authentication (NLA)
    • native built-in feature of Vista/Windows 7 (host + client)
      • require enabling via UI, registry, or group policy
    • it is now acceptable & necessary to demand NLA for inbound RDP
    • naturally, this triggers corresponding upgrade of inbound XP RDP clients
      • upgrade XP RDP clients to version 6.1
      • activate Credential Security Support Provider in XP SP3 via policy/reg
    • XP RDP host does not support NLA
  3. move to non-standard WAN-side NAT port forward (hiding)
  4. as a strategic last-resort: disable RDP on selected stations in the interim
  5. post-deployment network scanning & patch status verification
  6. exception handling & strategic decisions for complex legacy installations

In Summary

  • high severity of consequences upon successful breach
  • high probability of occurrence (virtual certainty)
  • urgency: exploit code in-the-wild expected within days to weeks
  • exact applicability: infrastructural scenario & conditions at your site
  • highly effective & comprehensive suite of remedy strategies formulated & apparatuses in-place, ready to deploy

Bravo Security Response Priority:   Monitor * Research * Assess * Mobilize * Deploy * Post * Notify

SEE ALSO:

Visions * Integrity * Perspectives Solutions, not products. Expertise, not hype. Rationales, not ideologies.

Copyright @2005-2006   Bravo Technology Center  *  Bravo:GO  *  Contact Us