Part of our work, the hidden job that many of our customers don't like or even understand, is keeping the systems they host with us running on the most current, secure version available. This is part of the service offering we consider "managed services".
Microsoft people frequently refer to this joyous day as "Patch Tuesday" (the second Tuesday of each month), but in practice we end up doing the work of testing, deployment, remediation and support from Tuesday through Thursday.
This week the news brings an urgent matter: Microsoft systems that have "Remote Desktop" enabled, which is nearly all of the Windows machines hosted directly on the internet, have a bad, bad security hole. Microsoft released a patch, but I can't help thinking that they are downplaying the matter significantly. This, in my book, is a very dangerous point of attack.
Qualys has published the following recommendations for the RDP vulnerability:
1. Within the week apply the patch on your Windows machines that are running the RDP service and are internet-facing (you can scan for port 3389 on your perimeter if you do not have an updated map). Note that the patch requires a reboot to become active. If you cannot apply the patch or reboot your machines, take the following countermeasures:
– Configure the firewalls on the machines so that only trusted IPs can access port 3389;
– Activate the Network Layer Authentication (NLA) protocol, which does not have this vulnerability. NLA is available on Vista and above on the server side and client side, and Windows XP can be made NLA compatible by installing a software package from Microsoft.
2. Within the month patch the rest of your systems – both external and internal. While the main attack vector is directly through the internet, it is likely malware will be equipped with the exploit for the RDP vulnerability and that it will be used for internal malware propagation.
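An audit-and-remediation script for the two countermeasures in recommendation 1 (restrict port 3389 to trusted IPs, require NLA), added here as an example and not part of the original post or the Qualys advisory. It assumes an elevated PowerShell session on Vista/2008 or later with English-language netsh output, that the built-in inbound RDP firewall rules are in the group named "Remote Desktop", and that the trusted ranges are placeholders you replace with your own.

```powershell
# Added example (not from the post or the Qualys advisory): audit a Windows host
# for the two countermeasures above and, optionally, apply them.
# Assumptions: run elevated in PowerShell 2.0+ on Vista/2008 or later; English
# netsh output; the built-in inbound RDP rules sit in the group "Remote Desktop".
$TrustedIPs = "203.0.113.10,198.51.100.0/24"   # placeholder: your jump hosts / VPN pool
$tsRoot = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections=1 means RDP is off; UserAuthentication=1 means NLA is required.
    $deny = (Get-ItemProperty $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty $rdpTcp -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty $rdpTcp -Name PortNumber          -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }
    # netsh prints one block per rule separated by blank lines; flag enabled inbound
    # allow rules that reach the RDP port from any remote address.
    $blocks = (netsh advfirewall firewall show rule name=all dir=in | Out-String) -split "(?:\r?\n){2,}"
    $open = foreach ($b in $blocks) {
        if ($b -match "Enabled:\s+Yes" -and $b -match "Action:\s+Allow" -and
            $b -match "RemoteIP:\s+Any" -and $b -match "LocalPort:\s+(Any|$port)\s") {
            if ($b -match "Rule Name:\s+(.+)") { $Matches[1].Trim() }
        }
    }
    New-Object PSObject -Property @{
        RdpEnabled  = ($deny -ne 1)
        NlaRequired = ($nla -eq 1)
        RdpPort     = $port
        OpenToAnyIP = @($open)
    }
}

function Set-RdpHardening {
    # Countermeasure 2: require NLA on the RDP-Tcp listener (Vista/2008 and later).
    $ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    [void]$ts.SetUserAuthenticationRequired(1)
    # Countermeasure 1: scope the built-in inbound RDP rules to trusted sources only.
    netsh advfirewall firewall set rule group="Remote Desktop" new remoteip=$TrustedIPs | Out-Null
}

$before = Get-RdpExposure
$before | Format-List
if ($before.RdpEnabled -and (-not $before.NlaRequired -or $before.OpenToAnyIP.Count -gt 0)) {
    Write-Warning "RDP is reachable without NLA and/or from any IP; run Set-RdpHardening to remediate."
}
```

Put the address you are connecting from in $TrustedIPs before calling Set-RdpHardening, or the firewall change will disconnect your own session. The audit's netsh parsing depends on the English field labels, so on a localized Windows the OpenToAnyIP list will be empty rather than accurate.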