Remote Desktop Protocol Vulnerability

I don’t usually bother to write about Microsoft patches. After all, they happen every month, and we all are in the habit of patching (updating) moderately regularly. However, the update in MS12-020, described in this post, is both serious, and very likely to be a target in the very near future, though there aren’t any known exploits. Yet.

First, download and install the patch. That’s the obvious fix. However, if there is some particular reason why you can’t install the patch immediately, then you should configure all clients and servers that have Remote Desktop enabled to require Network Level Authentication (NLA). Microsoft has even made it easy for you. At the bottom of the TechNet post are links to apply a registry change to enforce Network Level Authentication. If you’ve got Windows XP or Windows Server 2003 clients, there’s even a Fix-It to turn on CredSSP so that they can connect using NLA.

Finally, you can configure group policy to require NLA on your network (and really, isn’t it about time you did?) Instructions are here: http://technet.microsoft.com/en-us/library/cc732713.aspx.

I know I was lazy about it for a long time, even after pretty much all my downlevel clients were long gone. But now that GPO is set and enabled. And my SBS WSUS server is sending that patch to every computer in my network. No playing around with this one, folks.

Author: Charlie Russel

A chemist by education, an electrician by trade, a UNIX sysadmin and Oracle DBA because he raised his hand when he should have known better, an IT Director and consultant by default, and a writer by choice, Charlie is the author of more than 2 dozen computer books on operating systems and enterprise environments, including Microsoft Windows Server 2008 Administrator's Companion(MS Press), Microsoft Windows Server 2003 Administrator's Companion(MS Press), Windows Small Business Server 2011 Administrator's Companion(MS Press), Windows Essential Business Server 2008(MS Press), Introducing Windows Server 2008 R2(MS Press), Microsoft Windows XP Resource Kit, 3rd Edition(MS Press), and Oracle DBA Scripting Quick Reference(Prentice-Hall PTR). He has also written numerous white papers and case studies on Microsoft.com, most recently around Windows HPC Server, and RDS Licensing.

One thought on “Remote Desktop Protocol Vulnerability”

  1. I wish Windows Server 2003 clients supported credssp..

    Windows 2003 and Windows XP 64 are NOT supported as they dont have a service pack 3 :(

Comments are closed.