From the “Why use a VPN?” Department. Microsoft RDP flaw announced.

In the last decade, I’ve regularly had the discussion about why you need a VPN instead of making services directly available through a a firewall – the classic example is just putting Microsoft servers on the Internet with RDP enabled.

The discussion (if you can call it that) goes something like this:

Idiot: “We need to have remote access to our Windows Servers. We’ve enabled Terminal Server can you create a firewall rule to let it through”
EtherealMind: “No, that’s not secure. We need to use a VPN”
Idiot: “Yes, it is. Microsoft says it’s encrypted. And it’s never been exploited before”
EtherealMind: Just because it hasn’t been exploited until today doesn’t mean it won’t be exploited tomorrow.
Idiot: “Look, we don’t need the hassle of the VPN client”
EtherealMind: “I don’t need the hassle of cleaning up your infected servers and performing a rush deployment of VPN servers without planning or design to fix an exploit that will certainly come.”
Idiot: “Oh come on, Microsoft is doing a much better job of security”
EtherealMind: “The world will adapt and develop a better idiot”

Microsoft says CVE-2012-0002: A closer look at MS12-020’s critical issue

This issue is potentially reachable over the network by an attacker before authentication is required. RDP is commonly allowed through firewalls due to its utility. The service runs in kernel-mode as SYSTEM by default on nearly all platforms (except for one exception described below). During our investigation, we determined that this vulnerability is directly exploitable for code execution. Developing a working exploit will not be trivial – we would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days.

In short, within 30 days Microsoft believes someone will create a worm that will directly exploit MS Windows™ servers with Terminal Services enabled via RDP protocol that will compromise and exploit those servers.

I hope you are using VPNs for all remote access. Any Microsoft Terminal Servers now directly connected to the Internet, whether using a firewall or not are __compromised__ and should be shutdown immediately. RDP is not, and has never been, a secure protocol. Nor are Microsoft servers ever regarded as secure with so many proven exploits being announced regularly.

Have a nice day!

  • Justin Other :-)

    “Any Microsoft Terminal Servers now directly connected to the Internet, whether using a firewall or not are __compromised__ and should be shutdown immediately.”

    Are they in fact compromised or compromises? 

  • Chris Murray

    I’m expecting to get flooded with firewall change requests as MS admins move RDP to alternate port #’s. le sigh….

  • Guest

    …Or just select the “Network Level Authentication” option on your Windows Server RDP properties and not be affected by this.