16 March 2012

MS12-20 - How to implement the work around

The MS12-20 Vulnerability is described as follows:

Pre-auth, network accessible, service running as SYSTEM

This issue is potentially reachable over the network by an attacker before authentication is required. RDP is commonly allowed through firewalls due to its utility. The service runs in kernel-mode as SYSTEM by default on nearly all platforms (except for one exception described below). During our investigation, we determined that this vulnerability is directly exploitable for code execution


For more information check out.



Essential turning on Remote Desktop with Network Level Authentication prevents the issue (RDP NLA) resolves the problem.  This option is available from Vista / Windows Server 2008 on wards.

To implement the work around is actually quite simple, and should actually be the default the enabling remote access.  The advantage of making this change is that there is no need for a reboot.  Once the setting is applied it is active.  In the case of using GP this has no affect on machines that do not have RDP enabled.


Manual
The simplest way of doing this is to log onto the machine and changing the setting manually



  • Select Computer - Properties
  • Remote Settings
  • Select "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)




Group Policy
Manually changing every machine is just not practical especially since you might not know which machines need to be changed.  You can use a group policy to apply these changes for you.

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\
"Require user authentication for remote connections by using Network Level Authentication"  needs to be enabled.

One nice thing about setting this through Group policy is that all future deployed machines will have enforced.

The only reason I can think of that would require you to use the less secure configuration is to support older Remote Desktop clients, such as the default one from Windows XP.   There is an updates version and can be found here: 




Other ways of implementing the NLA setting
Using cscript to make bulk changes to remote desktop.

Using a  free custom Powershell cmdlet called set-remotedesktop



Getting the hotfixes
The table below show the affected systems and has links to download tghe relevant hotfixes

  
Operating System
Bulletins Replaced by this Update
KB2570222 in MS11-065replaced by KB2621440
KB2570222 in MS11-065replaced by KB2621440
KB2570222 in MS11-065replaced by KB2621440
KB2570222 in MS11-065replaced by KB2621440
KB2570222 in MS11-065replaced by KB2621440
No bulletin replaced by KB2621440
No bulletin replaced by KB2621440
No bulletin replaced by KB2621440
No bulletin replaced by KB2621440
No bulletin replaced by KB2621440
No bulletin replaced by KB2621440


No bulletin replaced by KB2667402
No bulletin replaced by KB2621440



No bulletin replaced by KB2667402
No bulletin replaced by KB2621440



No bulletin replaced by KB2667402
No bulletin replaced by KB2621440



No bulletin replaced by KB2667402




No comments:

Post a Comment