Security Community Blog

Vulnerabilities in MS Remote Desktop--SEP Acting as Crisis Manager!

Created: 15 Mar 2012 • Updated: 21 Mar 2012 • 1 comment

Recently, major vulnerabilities in the Microsoft Remote Desktop Protocol (RDP) were identified, and Microsoft has released a patch for them. These vulnerabilities are rated 'critical' by all security forums. All organizations, whether small, medium or large, have been alerted and are working on patch deployment and/or a workaround to fix them.

Patch deployment (especially on desktops) is a substantial activity. It may take days, weeks or even longer to complete.

So the question arises: what can be done to remediate the threat immediately while keeping business as usual? The answer lies in identifying which users actually use RDP and patching those users' machines on priority; all remaining machines can be taken care of in due course.

There could be many workarounds. One of them is to use the SEP host-based firewall. With a SEP host-based firewall policy, incoming RDP connections can be blocked, and the policy can be applied to all clients in almost the fastest possible way. For a couple of days this rule can run in log-only mode, so that there is no impact on business as usual. After analyzing the logs, we can identify the users who use RDP. These users can be asked to get the patch applied proactively and immediately. In this way the group of users who use RDP can be made safe. Since RDP is not enabled by default, most users are safe anyway. This SEP-based workaround may not provide one hundred percent protection, but the majority of the vulnerable users can be made safe in a timely manner.
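To make the log-only step concrete, the following is an added example of the log triage the post describes; it is not code from the original post or from Symantec. It assumes a simplified comma-separated traffic-log line (timestamp, rule name, action, direction, protocol, local IP/port, remote IP/port, remote host, logged-on user), which is an assumption made for the example and not the real SEP export schema; the rule names, host names, users and log lines are all constructed. It goes slightly beyond the post by also tallying the outbound side, so it produces both the listeners to patch first and the RDP users to notify.

```python
import csv
import io
from collections import defaultdict

RDP_PORT = 3389

# Field layout of the constructed log format (an assumption for this example,
# not the real SEP traffic-log schema).
FIELDS = ["time", "rule", "action", "direction", "proto",
          "local_ip", "local_port", "remote_ip", "remote_port",
          "remote_host", "user"]

# Constructed sample lines: two hosts accept inbound RDP, two workstations open
# outbound RDP sessions, one SMB line and one blank line are noise to be skipped.
SAMPLE_LOG = """\
2012-03-15 09:12:01,Log Inbound RDP,Allowed,Inbound,TCP,10.0.1.25,3389,10.0.2.7,50211,WS-FIN-07,corp\\svc_admin
2012-03-15 09:12:44,Log Inbound RDP,Allowed,Inbound,TCP,10.0.1.25,3389,10.0.2.9,50318,WS-OPS-02,corp\\svc_admin
2012-03-15 09:15:10,Default,Allowed,Inbound,TCP,10.0.1.25,445,10.0.2.7,50400,WS-FIN-07,corp\\svc_admin
2012-03-15 10:02:33,Log Inbound RDP,Allowed,Inbound,TCP,10.0.1.40,3389,10.0.2.7,50512,WS-FIN-07,corp\\bking

2012-03-15 10:40:05,Log Outbound RDP,Allowed,Outbound,TCP,10.0.2.7,51022,10.0.1.25,3389,SRV-APP-01,corp\\jdoe
2012-03-15 11:00:00,Log Inbound RDP,Allowed,Inbound,TCP,10.0.1.25,3389,10.0.2.7,50700,WS-FIN-07,corp\\svc_admin
2012-03-15 11:05:00,Log Outbound RDP,Allowed,Outbound,TCP,10.0.2.9,51100,10.0.1.25,3389,SRV-APP-01,corp\\asmith
"""


def parse_log(log_text):
    """Parse the constructed log text into a list of field dicts, skipping
    blank or malformed rows instead of aborting the whole triage on them."""
    records = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        try:
            rec["local_port"] = int(rec["local_port"])
            rec["remote_port"] = int(rec["remote_port"])
        except ValueError:
            continue
        records.append(rec)
    return records


def rdp_listeners(log_text):
    """Machines that actually accepted inbound TCP/3389 while the rule ran in
    log-only mode, ranked so the most widely used listeners are patched first."""
    by_host = defaultdict(lambda: {"sources": set(), "connections": 0})
    for r in parse_log(log_text):
        if (r["direction"] == "Inbound" and r["proto"] == "TCP"
                and r["local_port"] == RDP_PORT):
            entry = by_host[r["local_ip"]]
            entry["sources"].add(r["remote_host"])
            entry["connections"] += 1
    ranked = [{"host": host, "sources": len(v["sources"]),
               "connections": v["connections"]} for host, v in by_host.items()]
    # Most distinct sources first, then most connections, then stable by host.
    ranked.sort(key=lambda e: (-e["sources"], -e["connections"], e["host"]))
    return ranked


def rdp_clients(log_text):
    """Workstations and logged-on users that opened outbound RDP sessions:
    the people to ask for early patching and to warn before the rule is
    switched from log-only to block."""
    clients = {(r["local_ip"], r["user"]) for r in parse_log(log_text)
               if r["direction"] == "Outbound" and r["proto"] == "TCP"
               and r["remote_port"] == RDP_PORT}
    return sorted(clients)


if __name__ == "__main__":
    for e in rdp_listeners(SAMPLE_LOG):
        print(f"patch first: {e['host']} "
              f"({e['sources']} distinct sources, {e['connections']} connections)")
    for ip, user in rdp_clients(SAMPLE_LOG):
        print(f"RDP user: {user} on {ip}")
```

Run against an exported log in place of SAMPLE_LOG, the listener list is the patch-priority order and the client list is the set of users to notify before the rule is flipped from log-only to block; the SMB and blank lines show that unrelated traffic is ignored rather than miscounted.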

Other workarounds may include using SNAC or Symantec CCS to identify machines with RDP enabled, or even the crude way of pinging port 3389 with a ping utility or a batch file.

Complete protection requires applying the patch. Details of the patch and of the vulnerability are provided on Microsoft's website; the URL is pasted below.

http://technet.microsoft.com/en-us/security/bullet...

Comments (1)

Srikanth_Subra:

But, as you said, the SEP host-based firewall will block other applications also?

Thanks & Regards,

Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)
