Monthly Archives: March 2012

Remote Desktop Protocol Vulnerability

I don’t usually bother to write about Microsoft patches. After all, they happen every month, and we all are in the habit of patching (updating) moderately regularly. However, the update in MS12-020, described in this post, is both serious, and very likely to be a target in the very near future, though there aren’t any known exploits. Yet.

First, download and install the patch. That’s the obvious fix. However, if there is some particular reason why you can’t install the patch immediately, then you should configure all clients and servers that have Remote Desktop enabled to require Network Level Authentication (NLA). Microsoft has even made it easy for you. At the bottom of the TechNet post are links to apply a registry change to enforce Network Level Authentication. If you’ve got Windows XP or Windows Server 2003 clients, there’s even a Fix-It to turn on CredSSP so that they can connect using NLA.

Finally, you can configure group policy to require NLA on your network (and really, isn’t it about time you did?) Instructions are here:

I know I was lazy about it for a long time, even after pretty much all my downlevel clients were long gone. But now that GPO is set and enabled. And my SBS WSUS server is sending that patch to every computer in my network. No playing around with this one, folks.