FAQ for RDP Vulnerability
Advisory
March 21, 2012
This is a plain English explanation for the March 15 Advisory.
What exactly is it all about?
- A security flaw has been discovered in Remote Desktop Services (aka "RDP"); it may allow attackers to run programs on your system without a successful login
- RDP is used by all IT-managed sites for remote administration and support
- RDP is also used by many remote workers
Does it affect me?
- Yes, your site is directly affected.
- It affects all OSes from XP to Windows 7, Server 2003 to 2008, and SBS 2011
Don't I already have protection?
Why can't we just automatically update/patch everything?
Bravo Tiered Response (per SLA):
- next-day emergency response (already completed last night): dedicated servers (domain/workgroup), for sites within our IT jurisdiction, with standing authorization and unfettered access
- guaranteed 5-day priority scheduling: tier-1 site workstations; private notices already sent, appointments scheduled
- best-effort scheduling within 10 days: tier-2 sites
- recommended 30-day window for tier-3 sites to address this issue
- upon request, on a time/resource-permitting basis, subject to schedule bump
Implementation Items:
- install the critical patch for the exact platform (KB2621440, KB2667402)
- implement & activate Network Level Authentication (NLA)
  - native built-in feature of Vista/Windows 7 (host + client)
  - requires enabling via UI, registry, or group policy
  - it is now acceptable & necessary to demand NLA for inbound RDP
  - naturally, this triggers a corresponding upgrade of inbound XP RDP clients
- upgrade XP RDP clients to version 6.1
  - activate Credential Security Support Provider (CredSSP) in XP SP3 via policy/registry
  - XP RDP host does not support NLA
- move to a non-standard WAN-side NAT port forward (hiding)
- as a strategic last resort: disable RDP on selected stations in the interim
- post-deployment network scanning & patch status verification
- exception handling & strategic decisions for complex legacy installations
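The patch-status verification and NLA items above, as an added PowerShell example (not part of the advisory and not Bravo's own tooling); it assumes it is run in an elevated PowerShell (2.0 or later) on the Windows host being checked, that the KB numbers are the two listed above, and that the standard Terminal Server registry keys of Vista/Windows 7/Server 2008 are present.

```powershell
# Added example (not part of the advisory): check a host against the implementation
# items above and, on request, require NLA for inbound RDP.
# Assumptions: elevated PowerShell 2.0+ on the host being checked; the KB numbers
# are the two from the advisory; the registry paths are the standard Terminal
# Server keys on Vista/Windows 7/Server 2008.
$Kbs    = 'KB2621440', 'KB2667402'
$TsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsRoot\WinStations\RDP-Tcp"

function Get-RdpHardeningStatus {
    # Installed hotfix IDs as reported by the OS (Win32_QuickFixEngineering)
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $ts = Get-ItemProperty -Path $TsRoot
    $ws = Get-ItemProperty -Path $RdpTcp
    $status = New-Object PSObject -Property @{
        Host          = $env:COMPUTERNAME
        PatchFound    = @($Kbs | Where-Object { $installed -contains $_ }) -join ','
        RdpEnabled    = ($ts.fDenyTSConnections -eq 0)
        NlaRequired   = ($ws.UserAuthentication -eq 1)   # value absent on XP/2003 hosts -> $false
        SecurityLayer = $ws.SecurityLayer                # 0 = RDP, 1 = negotiate, 2 = TLS
        Port          = $ws.PortNumber                   # 3389 unless moved to a non-standard port
    }
    # Verdict: patched, or RDP turned off entirely (the advisory's interim last resort)
    $compliant = ($status.PatchFound -ne '') -or (-not $status.RdpEnabled)
    $status | Add-Member -MemberType NoteProperty -Name Compliant -Value $compliant
    $status
}

function Set-RdpNlaRequired {
    # Demand NLA (and the TLS security layer) for inbound RDP; XP clients then
    # need RDP client 6.1 with CredSSP enabled, as the advisory notes.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name SecurityLayer     -Value 2 -Type DWord
}

Get-RdpHardeningStatus |
    Format-List Host, PatchFound, RdpEnabled, NlaRequired, SecurityLayer, Port, Compliant
# After reviewing the output on a Vista/Windows 7/2008 host, enforce with:
# Set-RdpNlaRequired
```

Run the status function across a site's hosts (for example via remoting or a login script) to produce the post-deployment patch-status record the advisory calls for; the Set function changes a live setting and locks out clients that cannot do NLA, so apply it only after the XP client upgrade.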
In Summary
- high severity of consequences upon successful breach
- high probability of occurrence (virtual certainty)
- urgency: exploit code in the wild expected within days to weeks
- exact applicability depends on the infrastructural scenario & conditions at your site
- highly effective & comprehensive suite of remedy strategies formulated & apparatus in place, ready to deploy
Bravo Security Response
Priority:
Monitor * Research * Assess * Mobilize * Deploy * Post * Notify