Vulnerabilities in MS Remote Desktop--SEP Acting as Crisis Manager!
Recently, major vulnerabilities in the Microsoft Remote Desktop Protocol (RDP) were identified, and Microsoft has released a patch. These vulnerabilities are categorized as 'critical' by all security forums. All organizations, whether small, medium or large, have been sensitized and are working on patch deployment and/or a workaround to fix them.
Patch deployment (especially on desktops) is a substantial activity. It may take days, weeks or even longer to complete.
So the question arises: what can be done to remediate the threat immediately while keeping business as usual? The answer lies in identifying the users who actually use RDP and patching those users' machines on priority. All remaining machines can be taken care of in due course.
There could be many workarounds. One of them is to use the SEP host-based firewall. With a SEP host-based firewall policy, incoming RDP connections can be blocked, and this policy can be applied to all clients in almost the fastest possible way. For a couple of days it could be run in log-only mode, so that there is no impact on business as usual. After analyzing the logs, we can identify the users who use RDP. These users can be asked to get the patch applied proactively, on an immediate basis. In this way the group of users who use RDP can be made safe. Since RDP is not enabled by default, most users are safe anyway. This workaround involving SEP may not provide one hundred percent protection, but the majority of the users who are vulnerable can be made safe in a timely manner.
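The log-analysis step above is the part that turns a log-only firewall rule into a priority patch list. The following is an added example (not Symantec's code and not part of the original post) that triages a firewall traffic-log export: it keeps only inbound TCP connections to the local RDP port, aggregates them per machine, and orders the machines so that those reached from outside the internal address ranges come first. The CSV column names are an assumption modelled on a SEP traffic-log export and should be mapped to whatever your export actually contains; the log lines and the internal address ranges are constructed sample data.

```python
"""Triage host-firewall traffic logs to find the machines that actually
receive inbound RDP, so they can be patched first.

Added example, not SEP's own code.  Column names are assumed; the sample
log and the internal network ranges are constructed for this example.
"""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

RDP_PORT = 3389

# Assumption: these are the organization's internal ranges.  Anything
# outside them is treated as an external source and gets top priority.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample export.  The "Log inbound RDP" rule is in log-only
# mode, so its action is recorded as Allowed rather than Blocked.
SAMPLE_LOG = """\
Time Stamp,Direction,Protocol,Remote Host,Remote Port,Local Host,Local Port,Action,Rule Name,Computer Name,User Name
2019-05-15 09:01:12,Inbound,TCP,10.1.5.23,51234,10.1.7.10,3389,Allowed,Log inbound RDP,WS-FIN-001,alice
2019-05-15 09:03:40,Inbound,TCP,10.1.5.23,51240,10.1.7.10,3389,Allowed,Log inbound RDP,WS-FIN-001,alice
2019-05-15 09:05:02,Inbound,TCP,10.1.9.8,49000,10.1.7.11,3389,Allowed,Log inbound RDP,WS-FIN-002,bob
2019-05-15 09:06:30,Inbound,TCP,10.1.9.8,49010,10.1.7.11,445,Allowed,Default,WS-FIN-002,bob
2019-05-15 09:07:15,Inbound,UDP,10.1.2.2,53,10.1.7.12,53210,Allowed,Default,WS-HR-003,carol
2019-05-15 09:08:00,Outbound,TCP,10.1.7.12,52000,10.1.7.10,3389,Allowed,Default,WS-HR-003,carol
2019-05-15 09:10:44,Inbound,TCP,10.1.5.23,51300,10.1.7.10,3389,Allowed,Log inbound RDP,WS-FIN-001,alice
2019-05-15 09:12:09,Inbound,TCP,203.0.113.7,40001,10.1.7.20,3389,Allowed,Log inbound RDP,SRV-JUMP-01,svc_admin
"""


def parse_log(text):
    """Return one dict per row of a CSV export."""
    return list(csv.DictReader(io.StringIO(text)))


def is_internal(addr):
    """True when the address falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def inbound_rdp_rows(rows):
    """Keep only TCP connections that arrived at the local RDP port.

    Outbound rows are dropped on purpose: a machine that *initiates* RDP
    is a client, not an exposed server, and is not what we are looking for.
    """
    return [r for r in rows
            if r["Direction"] == "Inbound"
            and r["Protocol"].upper() == "TCP"
            and int(r["Local Port"]) == RDP_PORT]


def priority_list(rows):
    """Aggregate inbound RDP per machine and order it for patch scheduling.

    Ordering: machines reached from an external source first, then by the
    number of distinct peers, then by hit count, then by name for stability.
    """
    per_host = defaultdict(lambda: {"hits": 0, "peers": set(),
                                    "users": set(), "external_source": False})
    for r in inbound_rdp_rows(rows):
        entry = per_host[r["Computer Name"]]
        entry["hits"] += 1
        entry["peers"].add(r["Remote Host"])
        entry["users"].add(r["User Name"])
        if not is_internal(r["Remote Host"]):
            entry["external_source"] = True

    ordered = sorted(per_host.items(),
                     key=lambda kv: (not kv[1]["external_source"],
                                     -len(kv[1]["peers"]),
                                     -kv[1]["hits"],
                                     kv[0]))
    return [{"host": host,
             "hits": e["hits"],
             "peers": sorted(e["peers"]),
             "users": sorted(e["users"]),
             "external_source": e["external_source"]}
            for host, e in ordered]


if __name__ == "__main__":
    for entry in priority_list(parse_log(SAMPLE_LOG)):
        flag = "EXTERNAL" if entry["external_source"] else "internal"
        print(f'{entry["host"]:<12} {flag:<8} hits={entry["hits"]} '
              f'peers={",".join(entry["peers"])} users={",".join(entry["users"])}')
```

Run against a real export, the output is the list to hand to the desktop team: each entry names the machine, the logged-on user to contact, and whether the RDP sessions came from inside or outside the internal ranges. A machine that only appears with outbound RDP (WS-HR-003 in the sample) is a client rather than an exposed host and is deliberately left off the list, which matches the post's point that the remaining machines can follow in due course.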
Other workarounds may include using SNAC or Symantec CCS to identify machines with RDP enabled, or even the crude way of pinging port 3389 using a ping utility or a batch file.
Complete protection involves applying the patch. Details of the patch and of the vulnerability are provided on Microsoft's website. The URL is pasted below.