A new critical vulnerability exists in RDS (Remote Desktop Service), and Microsoft released a software patch to fix older versions of Windows. Windows 7, XP, Server 2008 and Server 2003. These devices are all extremely vulnerable and potentially exposed to worm-type attacks.
The vulnerability risk is so great that Microsoft even released updates for platforms no longer supported. No active exploits are known to be being utilized at this point, but diligence in patching systems external facing systems is recommended.
This is a high-level overview of the RDS rick and protection options you can take.
Microsoft Remote Desktop Service Risk: What you need to know
* Extremely dangerous if enabled on Internet facing and poorly segmented hosts
* An unauthenticated attacker connects to a vulnerable system using RDP (also known as Terminal Services) using specially crafted requests.
* This vulnerability is pre-authentication and requires no user interaction
* May result in malicious code being executed on the system with full user rights
* Potentially “wormable” similarly to other ransomware
* Can be used by attackers to move laterally exploit other systems or install backdoors to maintain access even if this gets patched in the future…
* Often used for ease of access or left enabled by default…
Microsoft Remote Desktop Service Risk: Solutions to Remediate
* Patch on supported platforms (including Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows XP, Windows XP Embedded and Windows Server 2003)
* Consider improved host isolation, network segmentation, perimeter firewalls and multiple zones/conduits to reduce exposure
* Use alternative technologies such as VPNs for secure remote access to provide extra layers of protection
Microsoft Remote Desktop Service Risk: Other workarounds
- Block inbound RDP traffic (TCP 3389)
- Enable NLA (Network Level Authentication)
- Disable Remote Desktop Protocol (RDP) services where patching is not possible