RDP Exploit is Coming - Patch All Windows Now
I'm posting this info to do "my part" to ensure the word gets out on this Internet-exploitable Windows vulnerability. I can count on one hand the times I've had to care this much about a Windows patch in the last 15 years. Please read and react. This has the potential to be a larger issue than SQL Slammer.
What is the impact?
MS12-020 - Critical - Vulnerabilities in Remote Desktop Could (*cough* will *cough*) Allow Remote Code Execution
In the last 7 days Microsoft has announced a vulnerability in the Windows Remote Desktop service (TCP 3389) affecting every supported Windows version, predicted that an exploit would follow, and released a patch (plus a workaround). Yesterday it was confirmed that a working exploit is getting its finishing touches: screenshots are circulating of a Chinese-made .exe that instantly gives you a SYSTEM command prompt on a remote server, and bounties are being offered for hackers to release open-source exploit modules for Metasploit. It's just a matter of time before every unpatched host with an RDP port on the Interwebs is rooted.
The simple thing to do is patch all computers with Windows Update, which we all should be doing, but if business policies, planned reboots, ignorance, or politics get in the way, you can also do the following to protect your systems temporarily:
- Require NLA for RDP (the default) on all servers and clients that support it (Vista/2008 or newer). NLA forces the client to authenticate before the vulnerable part of the RDP stack is reached, so an attacker needs valid credentials to use the exploit.
- 2003 Servers don't support NLA, so move their RDP listener to a non-standard high port, or disable RDP on them entirely (reboot required). Moving the port only hides the host from mass scanning; it does not remove the bug, so also restrict TCP 3389 (or the new port) to known admin addresses at the firewall if you can.
- If you need to RDP from an XP machine to an NLA-enabled box, you need to install the CredSSP update for XP SP3 to connect using NLA: http://support.microsoft.com/kb/951608
Note that you can use Group Policy to enforce NLA, which requires the attacker to have a Windows account and authenticate before an exploit can be used. The setting, "Require user authentication for remote connections by using Network Level Authentication", is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security and can be configured with either the Local Group Policy Editor or the Group Policy Management Console (GPMC). The Group Policy setting takes precedence over the setting configured in Remote Desktop Session Host Configuration or on the Remote tab. Treat NLA as a stopgap, not a fix: an attacker with any valid domain or local credentials can still reach the vulnerable code, so the patch still has to go on.
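To make the workarounds above auditable at scale, here is an added PowerShell example (not code from the original post or from Microsoft) that reads the RDP listener settings the steps above talk about, then applies the right mitigation for the OS: require NLA through the Terminal Services WMI provider on Vista/2008 and newer, or move the listener off 3389 on 2003. It uses PowerShell 2.0-era cmdlets so it runs on hosts of that vintage. The fallback port 33890 and the function names are this example's own choices; the registry paths, the WMI class and the policy key are the real ones that the Remote tab and the Group Policy setting write to.

```powershell
# Added example, not from the original post: audit and harden the local RDP listener.
# Run elevated. The fallback port (33890) and function names are assumptions of this
# example; the registry/WMI locations are the standard ones used by the Remote tab and
# by the "Require user authentication ... Network Level Authentication" policy.

$rdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpExposure {
    # Collects the values that decide how reachable the vulnerable RDP code path is.
    $os  = Get-WmiObject Win32_OperatingSystem
    $ls  = Get-ItemProperty $rdpKey
    $pol = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue   # absent unless GP sets it

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        OSVersion     = $os.Version                                     # 5.2.x = 2003, 6.x = Vista/2008+
        RdpEnabled    = ((Get-ItemProperty $tsKey).fDenyTSConnections -eq 0)
        Port          = $ls.PortNumber                                  # 3389 unless moved
        NlaRequired   = ($ls.UserAuthentication -eq 1)                  # local listener setting
        NlaByPolicy   = ($pol -ne $null -and $pol.UserAuthentication -eq 1)  # GP overrides local
        SecurityLayer = $ls.SecurityLayer                               # 2 = TLS required
    }
}

function Set-RdpMitigation {
    param([int]$FallbackPort = 33890)   # assumed non-standard port for 2003 hosts
    $state = Get-RdpExposure

    if (-not $state.RdpEnabled) {
        Write-Output "$($state.Computer): RDP is disabled, nothing to do."
        return
    }

    if ([version]$state.OSVersion -ge [version]'6.0') {
        # Vista/2008 and newer: make the listener demand NLA (CredSSP) before the session starts.
        $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                            -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
        [void]$ts.SetUserAuthenticationRequired(1)
        Write-Output "$($state.Computer): NLA now required; applies to new connections, no reboot."
    }
    else {
        # 2003 has no NLA at all: the only knob is the port, which merely hides the host
        # from 3389 mass scans. Reboot is required for the new PortNumber to take effect.
        Set-ItemProperty $rdpKey -Name PortNumber -Value $FallbackPort -Type DWord
        Write-Output "$($state.Computer): RDP moved to TCP $FallbackPort; reboot, open the port in the firewall, and still patch."
    }
}

# Show the before state, apply, and show the after state.
Get-RdpExposure | Format-List Computer, OSVersion, RdpEnabled, Port, NlaRequired, NlaByPolicy, SecurityLayer
Set-RdpMitigation
Get-RdpExposure | Format-List Computer, Port, NlaRequired, NlaByPolicy
```

If NlaByPolicy already reports True, the Group Policy value is what the listener obeys and the local WMI change is redundant; push the GPO instead of touching hosts one by one. After a port move on 2003, clients must connect as host:33890 and the Windows Firewall rule for Remote Desktop has to be updated to the new port. Neither change replaces installing MS12-020.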