From the desk of: Sam C. Chan

Advisory:   RDP Vulnerability - Critical & Urgent

March 15, 2012    (FAQ & Tech Tips added Mar 21; see bottom of page)

This is a particularly critical and urgent IT security event. While there have always been numerous similar events of high severity, this one is directly applicable to your site.

What is it?

  • On March 13, 2012, Microsoft issued Security Bulletin MS12-020 (see also cached page)
    • A flaw has been discovered in Remote Desktop Services and was cooperatively disclosed to MAPP.
    • There are currently no known in-the-wild attacks, but they are expected within 30 days.
    • In short, it potentially allows external parties to achieve code execution on the host, without RDP authentication, provided all prerequisites are met.
  • Affected platforms:
    • XP, Vista, Windows 7, Server 2003, Server 2003 R2, Server 2008, Server 2008 R2, SBS 2003/2008/2011  (both x86 & x64 in all cases)
    • All Service Pack levels are affected. Of course, no patches are available for EOL SPs, thus forcing upgrade decisions on legacy installations: XP SP2, Vista SP1, 2003 SP1, 2008 SP1.
    • The issue is on the host side. RDP clients & gateways are not at risk.

Bravo Tiered Response (per SLA):

  1. next-day emergency response (already completed last night): dedicated servers (domain/workgroup), for sites within our IT jurisdiction, with standing authorization and unfettered access.
  2. guaranteed 5-day priority scheduling: for tier-1 site workstations, private notices already sent, appointments scheduled
  3. best-effort scheduling within 10 days: tier 2 sites
  4. recommended 30-day window for tier-3 sites to address this issue
  5. upon request on time/resource-permitting basis, subject to schedule bump

Implementation Items:

  1. install critical patch for the exact platform (KB2621440, KB2667402)
  2. implement & activate Network Level Authentication (NLA)
    • native built-in feature of Vista/Windows 7 (host + client)
      • requires enabling via UI, registry, or group policy
    • it is now acceptable & necessary to demand NLA for inbound RDP
    • naturally, this triggers a corresponding upgrade of inbound XP RDP clients
      • upgrade XP RDP clients to version 6.1
      • activate the Credential Security Support Provider (CredSSP) in XP SP3 via policy/registry
    • XP RDP hosts do not support NLA
  3. move to non-standard WAN-side NAT port forward (hiding)
  4. as a strategic last-resort: disable RDP on selected stations in the interim
  5. post-deployment network scanning & patch status verification
  6. exception handling & strategic decisions for complex legacy installations
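As an added example (not part of the advisory), the following PowerShell audit checks items 1 to 4 on a Vista / Windows 7 / Server 2008 (R2) RDP host and reports whether the host is still exposed; it assumes the default RDP-Tcp listener, a hypothetical -EnforceNla switch, and that KB2621440 is the MS12-020 package every listed platform receives.

```powershell
# Added example, not the advisory's own tooling. Run elevated on the RDP host.
# KB numbers come from the advisory; registry paths and the WMI class are the
# documented RDP listener settings. Assumption: listener name is 'RDP-Tcp'.
param([switch]$EnforceNla)   # hypothetical switch: also turn NLA on when missing

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$kbs = 'KB2621440', 'KB2667402'   # MS12-020 packages named in the advisory

# Item 1: patch status. KB2621440 is assumed to be the package that applies to
# every listed platform; KB2667402 is reported but not required on its own.
$installed = Get-WmiObject Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }
$missing   = @($kbs | Where-Object { $installed -notcontains $_ })
$patched   = $installed -contains $kbs[0]

# Item 4: is RDP enabled at all on this host? (fDenyTSConnections = 1 disables it)
$rdpEnabled = (Get-ItemProperty $ts).fDenyTSConnections -eq 0

# Item 2: NLA required? UserAuthentication = 1 means the client must
# authenticate (CredSSP) before a session is created.
$rdp = Get-ItemProperty $tcp
$nla = $rdp.UserAuthentication -eq 1

# Item 3: listener moved off the well-known port 3389 (WAN-side hiding)?
$port   = $rdp.PortNumber
$hidden = $port -ne 3389

if ($EnforceNla -and $rdpEnabled -and -not $nla) {
    # Documented WMI method; takes effect for new connections without a reboot.
    $setting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                 -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $null = $setting.SetUserAuthenticationRequired(1)
    $nla  = (Get-ItemProperty $tcp).UserAuthentication -eq 1
}

# Verdict in the advisory's terms: exposed = RDP on, unpatched, and no NLA.
$exposed = $rdpEnabled -and -not $patched -and -not $nla
New-Object PSObject -Property @{
    Host           = $env:COMPUTERNAME
    RdpEnabled     = $rdpEnabled
    Ms12020Patched = $patched
    MissingKBs     = ($missing -join ',')
    NlaRequired    = $nla
    SecurityLayer  = $rdp.SecurityLayer   # 2 = TLS only, 1 = negotiate, 0 = RDP
    ListenerPort   = $port
    NonStdPort     = $hidden
    EXPOSED        = $exposed
}
```

Collect the output object from each host into the post-deployment verification record (item 5); a host with EXPOSED = True still needs one of items 1, 2 or 4 applied.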

In Summary

  • high severity of consequences upon successful breach
  • high probability of occurrence (virtual certainty)
  • urgency: exploit code in-the-wild expected within days to weeks
  • exact applicability: infrastructural scenario & conditions at your site
  • highly effective & comprehensive suite of remedies formulated, apparatus in place, ready to deploy

Bravo Security Response Sequence:   Monitor * Research * Assess * Mobilize * Deploy * Post * Notify

Copyright @2005-2006   Bravo Technology Center