[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] RDP Security Alert - should we be concerned? - THE OFFICIAL BLOG OF THE SBS "DIVA"
Sun, Jul 17 2005 18:46 bradley

RDP Security Alert - should we be concerned?

Microsoft released a Security Advisory regarding a Denial of Service on Remote Desktop Protocol and for me, I'm not freaking out over this for a couple of reasons.

For one, it's 'just' a denial of service and I'd much rather have that than a 'run code of attacker's choice', which is slang for 'oh you are soooo owned'.

And for two, the port that this will primarily bang on is the TS port of 3389 and not our Remote Web Workplace ports of 4125 and 443.  So if you read that advisory and thought it might cause a concern for our Remote Web Workplace, me.... I'm not worrying.  I honestly don't use port 3389 in my network.

Workaround:  Block port 3389 at the firewall

This port is used to initiate a connection with the affected component. Blocking it at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Additionally, on Windows XP and Windows Server 2003, the Windows Firewall can help protect individual machines. By default, the Windows Firewall does not allow connections to this port.
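To confirm the workaround is actually in effect, the sketch below (an added example, not part of the original post or the Microsoft advisory) compares TCP reachability against the port policy described here: 3389 blocked, 443 and 4125 open for Remote Web Workplace. The `POLICY` table and function names are assumptions for illustration; run it from outside the firewall against your own public address, since a check from inside the LAN says nothing about the perimeter.

```python
import socket
import sys

# Policy taken from the post: Terminal Services/RDP (3389) should be blocked at
# the perimeter, while Remote Web Workplace needs 443 and 4125 reachable.
POLICY = {3389: False, 443: True, 4125: True}  # port -> should it be reachable?


def is_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes.

    A refused connection and a silently dropped one (timeout) both count
    as "not reachable", which is what a firewall block looks like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host, policy=POLICY, timeout=2.0):
    """Compare actual reachability with the policy; return (port, message) mismatches."""
    findings = []
    for port, should_be_open in sorted(policy.items()):
        actual = is_reachable(host, port, timeout)
        if actual != should_be_open:
            state = "reachable" if actual else "not reachable"
            want = "open" if should_be_open else "blocked"
            findings.append((port, f"port {port} is {state}, policy says {want}"))
    return findings


if __name__ == "__main__":
    # Usage: python rdp_port_audit.py <your-public-hostname-or-ip>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    problems = audit(target)
    for _, message in problems:
        print("MISMATCH:", message)
    sys.exit(1 if problems else 0)
```

A non-zero exit status means at least one port does not match the policy, so the script can be dropped into a scheduled job that alerts when 3389 becomes reachable again after a firewall change.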

# re: RDP Security Alert - should we be concerned?

Sunday, July 17, 2005 7:14 PM by bradley

Any info whether this is an exploit specific to RDP's default configuration of port 3389, or whether this affects RDP on any port? If it's the latter, then it will only be a matter of time before the exploit tools are modified to try other ports.

If it's the former, you can always change RDP's default port (here's one spot with this info: http://www.sanx.org/tipShow.asp?articleRef=80).

Don't forget to update any firewalls to reflect the new port.

# re: RDP Security Alert - should we be concerned?

Monday, July 18, 2005 3:30 PM by bradley

Just keep in mind that Denial of Service occurs when someone hasn't quite figured out how to swing a code execution exploit. Generally when working towards a remote code execution exploit, you find multiple remote DOS exploits.

I once heard it said slightly more informally as "A DOS exploit is simply an attack vector from someone who wasn't bright enough to figure out the code execute exploit."

At the very least a DOS highlights code that is not properly handling unexpected conditions (i.e. it is failing insecurely); definitely protect against them.

joe

# Terminal Server / Remote Desktop DoS Issue

Monday, July 18, 2005 11:06 PM by TrackBack

Via TonySo:
http://www.microsoft.com/technet/security/advisory/904797.mspx
Our initial investigation...