You might want to rethink enabling RDP unless you have NLA set up

Subject: General Tech | March 14, 2012 - 12:36 PM |
Tagged: remote desktop protocol, patch tuesday, fud, rdp, security

Remote Desktop Protocol is a very handy tool. As the name suggests, it allows you to take remote control of a desktop, and it is commonly used for everything from logging into a remote server to change settings, to helping a long-distance friend get their printer installed, to logging onto your home machine to start a Steam download and install so your game will be ready for you when you get home from work. Unfortunately it also opens up a way into your PC for attackers, though thanks to the Network Level Authentication feature, which was added in Vista and later versions of Windows, PCs on an authenticated network are much safer than they would be without it. However, NLA will not exist on home workgroups, nor is it supported by versions of Windows previous to Vista. That is why The Register warns of an RDP vulnerability that Microsoft will be patching next Patch Tuesday: older machines as well as home machines could be at risk if someone launches an attack before the patch is released and installed. In the meantime you might want to disable RDP unless you actually use it regularly.


"The critical flaw covers all versions of Windows and is found in the Remote Desktop Protocol (RDP). It allows attackers to run code remotely behind the firewall, although Vista users and above can activate the Remote Desktop’s Network Level Authentication (NLA) to trigger an authentication request. RDP is disabled by default, but is often activated."


Source: The Register
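
To check where a machine stands on the advice above, here is a read-only PowerShell audit, added as an example and not part of the original post. The function names are hypothetical; `fDenyTSConnections`, `UserAuthentication` and `PortNumber` are the standard Windows registry values for the RDP on/off switch, the NLA requirement and the listening port, and the script assumes it is run locally on the machine being checked.

```powershell
# Added example: read-only audit of the local Remote Desktop configuration.
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey    = "$tsKey\WinStations\RDP-Tcp"
# Group Policy, when configured, writes the same value names here and takes precedence.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (for example, no NLA value before Vista).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-EffectiveValue {
    param([string]$LocalPath, [string]$Name)
    # Prefer the policy-enforced value; fall back to the locally configured one.
    $policy = Get-RegValue -Path $policyKey -Name $Name
    if ($null -ne $policy) { return $policy }
    Get-RegValue -Path $LocalPath -Name $Name
}

function Get-RdpPosture {
    $deny = Get-EffectiveValue -LocalPath $tsKey  -Name 'fDenyTSConnections'
    $nla  = Get-EffectiveValue -LocalPath $rdpKey -Name 'UserAuthentication'
    $port = Get-RegValue -Path $rdpKey -Name 'PortNumber'

    # fDenyTSConnections = 0 means incoming Remote Desktop connections are allowed.
    $enabled  = ($deny -eq 0)
    $findings = @()
    if (-not $enabled) {
        $findings += 'Remote Desktop is disabled.'
    } else {
        # UserAuthentication = 1 means NLA is required before a session is set up.
        if ($nla -ne 1)     { $findings += 'RDP is enabled without NLA: turn on NLA or disable RDP until patched.' }
        if ($port -eq 3389) { $findings += 'RDP is listening on the default port 3389.' }
    }

    [pscustomobject]@{
        RdpEnabled  = $enabled
        NlaRequired = ($nla -eq 1)
        Port        = $port
        Findings    = $findings
    }
}

Get-RdpPosture | Format-List
```
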
March 14, 2012 | 02:15 PM - Posted by JSL

Another extra precautionary measure would be to change the default port from 3389 to anything else.

You can find it in 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

Do not forget to add an exception for the new port in whatever firewall you're using (Windows/3rd party) and disable the default RDP port rule for 3389.

Cheers :)

March 14, 2012 | 03:25 PM - Posted by Wolvenmoon (not verified)

I use OpenVPN to VPN into my LAN - 3389 is not forwarded and to access my systems to RDP one would have to break into my network first. Is this attack still a threat?

March 14, 2012 | 06:25 PM - Posted by JSL

The fact you're using OpenVPN gives you that secure tunnel... but 3389 is still the default listening port that initiates an RDP connection, VPN or not.

You're pretty safe using a VPN tunnel.

March 14, 2012 | 03:37 PM - Posted by Jeremy Hellstrom

Good tips both of you.

If you aren't even using RDP then just disable it, but it sounds like you are safe with OpenVPN.
