The RDP Vulnerability



Hackers, Soapboxes and Harry Potter

Alright, I'm sensing a conspiracy afoot here. The SANS diary reports rumblings of a 0-day exploit affecting the Windows Remote Desktop Client? That's fine, I can live with that. But they report it on [a] a Friday, and [b] the day before the sixth Harry Potter novel (that I've had pre-ordered from Amazon for 9 months) is due to be delivered to my doorstep. I swear, these hacker people have no manners whatsoever.

So. The much-ballyhooed RDP vulnerability. This one's a bit unusual, in that the person who found it is withholding the release of any Proof of Concept code until MS can create a patch. (At least, that's the scuttlebutt right now - but I'm not going to bet the farm on it staying that way.) Some actual good news is that the Remote Desktop service that's affected by this vuln is disabled by default in every relevant OS: 2000, 2003, XP Pro and XP Home.

So what are the recommendations for folks who have enabled Remote Desktop for remote access and tech support? There are a few options:

  1. Block TCP port 3389 at your perimeter firewall. Remote Desktop listens on TCP 3389 by default, so blocking that port at the firewall stops anything on the outside from reaching the computers behind it, even the ones that are listening for incoming Remote Desktop connections. It does nothing for traffic that is already inside (a compromised laptop, a worm on the LAN), and we all know that firewalls are the Maginot Line of network defense, so you should still take additional steps to protect the machines inside the limits of your firewall.
  2. Disable Remote Desktop/Terminal Services. If you're in a domain environment, this is fairly simple to configure. To stop anyone from connecting to Remote Desktop at all, set the following Group Policy node to Disabled:
  • Computer Configuration\Administrative Templates\Windows Components\Terminal Services: Allow users to connect remotely using Terminal Services.

To disable Remote Desktop connections through the Windows Firewall, set the following two GP nodes to Disabled:

  • Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Remote Desktop Exception

  • Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow Remote Desktop Exception

  • For an individual machine, you can close the Windows Firewall's Remote Desktop exception quickly at the command line (XP SP2 / 2003 SP1 firewall) with:

    netsh firewall set service type = REMOTEDESKTOP mode = disable profile = all

    Note that this only shuts the firewall hole; the Terminal Services listener itself keeps running, so pair it with the policy setting above (or its registry equivalent, fDenyTSConnections = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server) if you want the service to refuse connections rather than merely be unreachable.

So how do you protect Remote Desktop without disabling it outright? In a domain environment, your best bet is to require a VPN connection or IPSec[1] for RD traffic, so that it is encrypted and mutually authenticated before it ever reaches the listener; an unauthenticated exploit packet then never gets as far as Terminal Services.

Another band-aid option I'm seeing advocated is changing the port that Remote Desktop/Terminal Services uses away from its default of TCP 3389. The theory on this one, I think, is that an exploit is going to aim at the default RD port; by changing the port number you'll be out of danger. Only, this is "security by obscurity" at its finest (sic). Changing to a non-default port will probably protect you from a script kiddie who's using a downloaded script to hammer away at only TCP port 3389, but all it takes is one person running netcat or a port scanner to realize that you've just taken the vulnerable service and moved it to TCP 1109 or something.

So am I saying not to do it at all? I suppose not – security by obscurity is at least a few microts better than no security at all. Just remember that changing the port number isn't a panacea; you're still going to be vulnerable until MS releases a patch or unless you disable TS/RD functionality.
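Here is what that "one person running netcat" looks like in practice. This is an added example, not code from the original post: a PowerShell probe that sends the first packet of an RDP handshake (an X.224 Connection Request wrapped in a TPKT header) to each port in a list and reports the ones that answer with an X.224 Connection Confirm. That reply is the same whether the listener sits on 3389 or on 1109, which is the whole point. The host name and the port list are placeholders.

```powershell
# Added example (not from the original post). Probes TCP ports for an RDP
# listener by protocol behaviour rather than by port number.
# Assumptions: $target is a placeholder host; the port list is arbitrary.

function Test-RdpListener {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 2000
    )

    # TPKT header (RFC 1006): version 3, reserved 0, 16-bit total length = 11.
    # X.224 CR TPDU: LI = 6, code 0xE0 (Connection Request), DST-REF 0,
    # SRC-REF 0, class option 0. No RDP negotiation request is appended,
    # which every RDP server version accepts (older ones know nothing else).
    $crPacket = [byte[]](0x03, 0x00, 0x00, 0x0B, 0x06, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'closed/filtered' }
        try { $client.EndConnect($handle) } catch { return 'closed/filtered' }

        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($crPacket, 0, $crPacket.Length)

        $buf = New-Object byte[] 64
        try { $n = $stream.Read($buf, 0, $buf.Length) } catch { return 'open, no reply' }

        # A Connection Confirm comes back as TPKT (03 00 len len) followed by
        # an X.224 CC TPDU whose code byte (offset 5) is 0xD0. A server that
        # insists on TLS/NLA still answers with a CC carrying a failure code.
        if ($n -ge 6 -and $buf[0] -eq 0x03 -and $buf[1] -eq 0x00 -and $buf[5] -eq 0xD0) {
            return 'RDP'
        }
        return 'open, not RDP'
    }
    finally {
        $client.Close()
    }
}

# Sweep the default port plus the kind of "hidden" ports people pick.
$target = 'foo.mycompany.com'   # placeholder
foreach ($p in 3389, 1109, 1212, 3390, 13389) {
    '{0}:{1} -> {2}' -f $target, $p, (Test-RdpListener -ComputerName $target -Port $p)
}
```

Run it against a box whose listener you have moved and the moved port reports `RDP` just as 3389 did before; an attacker's scanner does the same thing across the whole port range, it just takes a little longer.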

That said, to change the default RD/TS port as a temporary measure, here's how it goes:

(Note: improperly editing the Windows Registry can have adverse effects on your computer, your mental health, and will potentially lead to an increase in global warming and the proliferation of nuclear weapons world-wide. There, I think that covers me.)

1. Open your Registry editor of choice.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp (that's all one line, watch for wrapping; note the space in "Terminal Server").
3. Find the PortNumber REG_DWORD value. By default this is set to 0xd3d, which is the hex equivalent of 3389. To change it easily, switch the radio button to Decimal so the value is shown in a more readable format, then enter the new port number.
4. Click OK 'til you're done. Terminal Services only reads the value when the listener starts, so either reboot the box or delete and re-create the RDP-Tcp connection in Terminal Services Configuration (tscc.msc).

Once you've restarted the box, just modify the connection string in your Remote Desktop client to point to hostname:port-number, such as foo.mycompany.com:1212.

(To simplify your administration, be sure to change back to the default TS/RD port once we've gotten a patch for this little bugger.)
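The steps above, together with the disable option earlier on the page, scripted for a single machine, with a check after each change that the listener is actually where you think it is. This is an added example, not the original post's own procedure. It assumes an elevated PowerShell on Vista/Server 2008 or later (the netsh advfirewall syntax and a restartable TermService); on XP/2003 you would use the netsh firewall command shown earlier and reboot instead of restarting the service. The port 1212 and the host name foo.mycompany.com are the placeholders from the text.

```powershell
# Added example (not from the original post). Registry paths and the
# fDenyTSConnections / PortNumber values are the real ones; the port 1212
# and host name are placeholders. Run elevated on Vista/2008 or later.

$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey = "$TsKey\WinStations\RDP-Tcp"

function Test-TcpListening {
    # True if some process is bound to $Port on any local address. netstat is
    # used so this works on systems that predate Get-NetTCPConnection.
    param([Parameter(Mandatory=$true)][int]$Port)
    $pattern = '^\s*TCP\s+\S+:{0}\s+\S+\s+LISTENING' -f $Port
    [bool](netstat -ano -p tcp | Where-Object { $_ -match $pattern })
}

function Disable-RdpAccess {
    # Local equivalent of the "Allow users to connect remotely" policy set to
    # Disabled (fDenyTSConnections = 1) plus closing the firewall exception.
    # A domain policy still overrides this value, which is what you want.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
    # --% hands the rest of the line to netsh untouched, so the quoted group
    # name survives PowerShell's own argument parsing.
    netsh --% advfirewall firewall set rule group="remote desktop" new enable=no
    Restart-Service TermService -Force
    Start-Sleep -Seconds 2
    if (Test-TcpListening -Port 3389) {
        Write-Warning 'Port 3389 is still bound; reboot to be sure, or find what else owns it.'
    }
}

function Set-RdpPort {
    # The registry step from the text, scripted. The built-in "Remote Desktop"
    # firewall rule only opens 3389, so a rule for the new port is added too;
    # forgetting that is the usual reason "it stopped working when I moved it".
    param([Parameter(Mandatory=$true)][ValidateRange(1,65535)][int]$Port)
    Set-ItemProperty -Path $RdpTcpKey -Name PortNumber -Value $Port -Type DWord
    if ($Port -ne 3389) {
        netsh advfirewall firewall add rule name=RDP-$Port dir=in action=allow protocol=TCP localport=$Port | Out-Null
    }
    Restart-Service TermService -Force
    Start-Sleep -Seconds 2

    $now = (Get-ItemProperty -Path $RdpTcpKey -Name PortNumber).PortNumber
    if ($now -ne $Port -or -not (Test-TcpListening -Port $Port)) {
        throw "RDP is not listening on $Port (registry says $now); reboot, or re-create the RDP-Tcp listener."
    }
    if ($Port -ne 3389 -and (Test-TcpListening -Port 3389)) {
        Write-Warning 'Something still listens on 3389; the old listener may persist until reboot.'
    }
}

function Restore-RdpPort {
    # Put the default back once the patch is in, and drop the extra rule.
    $old = (Get-ItemProperty -Path $RdpTcpKey -Name PortNumber).PortNumber
    Set-RdpPort -Port 3389
    if ($old -ne 3389) {
        netsh advfirewall firewall delete rule name=RDP-$old | Out-Null
    }
}

# Usage (placeholders):
#   Disable-RdpAccess
#   Set-RdpPort -Port 1212      # then connect with: mstsc /v:foo.mycompany.com:1212
#   Restore-RdpPort
```

The `throw` in Set-RdpPort is deliberate: a moved port that nobody is listening on is worse than the default, because you will believe you are protected and also be locked out. Test-TcpListening is the same check an attacker's scanner performs from the outside, so if it says the port is open, so will theirs.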


[1] I'll write up something separately on this when I get a second.