Netting Out a Response to the Microsoft RDP Vulnerability

Microsoft made a lot of news recently with the disclosure that proof-of-concept code for a critical vulnerability (MS12-020) in the Remote Desktop Protocol had leaked, apparently from Microsoft's Active Protections Program (MAPP). MAPP lets Microsoft share vulnerability details with select security vendors ahead of time so that their products can have protections ready on the day the vulnerability is disclosed to the public. In spite of some criticism, I believe MAPP is a good program that the industry needs. Without something like MAPP, every time a vulnerability is disclosed your security vendor is in a race to write and distribute a protection before an attacker can hit your network. With MAPP, multiple layers of defense can be ready before attackers have a working exploit.

The Risks and Responses

So enough about the leak; let's talk about what you actually need to know to protect yourself from this vulnerability and others like it. First and foremost, everyone needs to apply the patch for MS12-020 as soon as possible, full stop. Even though an exploit has yet to be seen in the wild, the flaw is reachable before authentication, and a successful exploit would give an attacker system-level code execution on any device with RDP enabled; most of those devices listen on the default port, TCP 3389. As has been discussed widely, this creates a very "wormable" scenario in which an infection could spread quickly from machine to machine.

Patching is a great start, but where do we go from there? One of Microsoft's recommendations is to block TCP port 3389 at the perimeter firewall to keep attackers away from vulnerable devices; the bulletin also recommends enabling Network Level Authentication (NLA) on Windows Vista and later, which forces a client to authenticate before it can reach the vulnerable code. Blocking the port outright is probably not a very viable solution, given the overwhelming popularity of RDP in the enterprise. The latest results from the Application Usage and Risk Report show that RDP is the leading remote access technology in enterprises, with over 80% of companies using it, so it is probably not a service that enterprises can simply turn off.

A Move to Non-Standard Ports

As an alternative, a growing number in the industry have begun to recommend moving RDP and other network-facing services off their default ports. The idea is that a large percentage of external exploits are launched by automated scripts and tools that simply look for vulnerable machines on default ports, so moving RDP to a different port at least obscures your vulnerable devices from worms and script kiddies. This is a sensible approach as long as one understands its limitations and ensures that other security layers aren't weakened in the process.

The key to doing this safely is a network security layer that truly understands traffic independent of port and protocol. The stark truth is that the vast majority of network security solutions still rest on port-based controls as the bedrock of their analysis and enforcement. For instance, an IPS will apply signatures to traffic on a given port based on what it expects to see on that port, because running every signature against every port quickly becomes a performance bottleneck. Likewise, most products marketed as next-generation firewalls will only recognize a particular application on its default port and on the web ports (80 and 443). A true next-generation firewall and its embedded threat prevention engines should recognize and decode any traffic on any port, which avoids this problem and saves the headache of reconfiguring the network security layer every time a service moves. The point is to make sure you don't give up defense in depth to gain a little obscurity. Demand both.

Beware the Lateral Move


Thus far, we have been thinking of the RDP vulnerability in terms of a traditional, externally driven attack. However, modern targeted attacks typically begin by infecting a few users with stealthy malware, which then enumerates the local network for further targets. This is where the RDP vulnerability gets really scary. In this scenario, running RDP on an alternative port provides little protection, if any: it is a trivial exercise to enumerate machines and discover which service is listening on which port, and it is a common technique in modern malware and targeted attacks. That makes the RDP vulnerability a perfect escalation tool. Once the attacker has compromised one host, he can look for the machine of a privileged user and take control of it with the RDP exploit, which needs no credentials of its own, then hop from machine to machine until he finds the information he wants.
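The two preceding points, that a worthwhile network control must identify RDP by content rather than port and that an attacker enumerating the inside of a network does exactly the same thing, rest on the same fact: RDP announces itself in the first packet of every connection. The Python below is an added example, not code from the original article or from any vendor's product. It classifies a TCP stream from its first bytes alone, never consulting the destination port, and decodes the negotiation fields a defender cares about. The layout follows the TPKT header, the X.224 Connection Request/Confirm TPDUs and the RDP_NEG_REQ/RSP/FAILURE structures defined in MS-RDPBCGR; the helper names (identify_rdp, build_client_cr, build_server_cc, classify_flows, SAMPLE_FLOWS) are this example's own, and every handshake and flow is constructed inline rather than captured from a real host. Because Microsoft's MS12-020 bulletin listed enabling Network Level Authentication as a workaround, the decoder also reports whether a server's Connection Confirm selected CredSSP (the HYBRID protocols), which is what NLA looks like on the wire.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# X.224 TPDU codes (MS-RDPBCGR 2.2.1.1 / 2.2.1.2); the low nibble is a credit field, masked off.
X224_CR = 0xE0  # Connection Request, client -> server
X224_CC = 0xD0  # Connection Confirm, server -> client

# rdpNegData structure types carried in the X.224 variable part.
RDP_NEG_REQ, RDP_NEG_RSP, RDP_NEG_FAILURE = 0x01, 0x02, 0x03

# requestedProtocols / selectedProtocol flags. HYBRID and HYBRID_EX mean CredSSP, i.e. NLA.
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0x0, 0x1, 0x2, 0x8

COOKIE_PREFIX = b"Cookie: mstshash="   # mstsc puts the user name here in the CR


@dataclass
class RdpHandshake:
    direction: str                      # "client" (CR) or "server" (CC)
    cookie: Optional[str] = None        # user name from the mstshash cookie, client side only
    protocols: Optional[int] = None     # requestedProtocols (CR) or selectedProtocol (CC)
    failure_code: Optional[int] = None  # set when the server answered RDP_NEG_FAILURE

    def uses_nla(self) -> bool:
        """True when CredSSP (HYBRID or HYBRID_EX) was selected. A legacy server that sends
        no rdpNegData falls back to Standard RDP Security, which has no NLA at all."""
        return self.protocols is not None and (self.protocols & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX)) != 0


def identify_rdp(payload: bytes) -> Optional[RdpHandshake]:
    """Classify the first bytes of one direction of a TCP stream. Takes only the payload,
    deliberately: the port the stream arrived on plays no part in the decision."""
    # TPKT (RFC 1006): version 3, reserved 0, 16-bit big-endian total length (header included).
    if len(payload) < 11 or payload[0] != 0x03 or payload[1] != 0x00:
        return None
    tpkt_len = struct.unpack("!H", payload[2:4])[0]
    if tpkt_len < 11 or tpkt_len > len(payload):
        return None
    x224 = payload[4:tpkt_len]
    li = x224[0]                      # length indicator: header octets that follow it
    if li < 6 or li + 1 > len(x224):  # CR/CC fixed part is 6 octets after LI
        return None
    code = x224[1] & 0xF0
    if code == X224_CR:
        hs = RdpHandshake("client")
    elif code == X224_CC:
        hs = RdpHandshake("server")
    else:
        return None
    # After the code octet: DST-REF(2) SRC-REF(2) CLASS(1); then the variable part.
    variable = x224[7:li + 1]
    if variable.startswith(COOKIE_PREFIX):
        user, _, variable = variable[len(COOKIE_PREFIX):].partition(b"\r\n")
        hs.cookie = user.decode("ascii", errors="replace")
    elif b"\r\n" in variable:         # a load-balancer routingToken instead of a cookie
        _, _, variable = variable.partition(b"\r\n")
    if len(variable) >= 8:            # rdpNegData: type(1) flags(1) length(2 LE) value(4 LE)
        neg_type, _flags, neg_len, value = struct.unpack("<BBHI", variable[:8])
        if neg_len == 8:
            if neg_type in (RDP_NEG_REQ, RDP_NEG_RSP):
                hs.protocols = value
            elif neg_type == RDP_NEG_FAILURE:
                hs.failure_code = value
    return hs


def _tpkt(variable_part: bytes, code: int) -> bytes:
    """Wrap a CR/CC variable part in the X.224 fixed header and a TPKT header."""
    x224 = bytes([6 + len(variable_part), code]) + b"\x00\x00\x00\x00\x00" + variable_part
    return b"\x03\x00" + struct.pack("!H", 4 + len(x224)) + x224


def build_client_cr(user: str, requested_protocols: int) -> bytes:
    """Constructed mstsc-style Connection Request (not a capture from a real host)."""
    cookie = COOKIE_PREFIX + user.encode("ascii") + b"\r\n"
    return _tpkt(cookie + struct.pack("<BBHI", RDP_NEG_REQ, 0, 8, requested_protocols), X224_CR)


def build_server_cc(selected_protocol: Optional[int], failure: Optional[int] = None) -> bytes:
    """Constructed Connection Confirm. selected_protocol=None models a legacy server
    that sends no rdpNegData and therefore offers only Standard RDP Security."""
    if failure is not None:
        body = struct.pack("<BBHI", RDP_NEG_FAILURE, 0, 8, failure)
    elif selected_protocol is not None:
        body = struct.pack("<BBHI", RDP_NEG_RSP, 0, 8, selected_protocol)
    else:
        body = b""
    return _tpkt(body, X224_CC)


Flow = Tuple[str, str, int, bytes]  # (src, dst, dport, first client->server payload)

def classify_flows(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Label each flow "rdp" or "other" from content; dport is passed through untouched
    only so the reader can see that it was never consulted."""
    return [(src, dst, dport, "rdp" if identify_rdp(first) else "other")
            for src, dst, dport, first in flows]


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "10.0.0.20", 3389, build_client_cr("admin", PROTOCOL_SSL | PROTOCOL_HYBRID)),
    ("10.0.0.5", "10.0.0.21", 3390, build_client_cr("svc-backup", PROTOCOL_RDP)),   # RDP moved off 3389
    ("10.0.0.5", "10.0.0.22", 3389, b"GET / HTTP/1.1\r\nHost: 10.0.0.22\r\n\r\n"),  # not RDP, despite the port
    ("10.0.0.5", "10.0.0.23", 443, build_client_cr("jdoe", PROTOCOL_HYBRID_EX)),   # RDP on a web port
]

if __name__ == "__main__":
    for src, dst, dport, label in classify_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {label}")
    legacy = identify_rdp(build_server_cc(None))
    print("legacy server, NLA:", legacy.uses_nla())
```

Run stand-alone, the script labels the four constructed flows rdp, rdp, other, rdp: RDP on 3389, RDP moved to 3390, an HTTP request aimed at 3389, and RDP on 443. The same decoder is a scanner's RDP fingerprint, so a relocated service is found by anyone who probes the port and reads the reply. On the server side, a Connection Confirm that carries no rdpNegData, or one that selects PROTOCOL_RDP, means Standard RDP Security with no NLA, so an unauthenticated client still reaches the pre-authentication code path that MS12-020 patched; a selectedProtocol with PROTOCOL_HYBRID or PROTOCOL_HYBRID_EX set shows that the bulletin's NLA workaround is actually in force for that host.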

This illustrates the imperative of bringing network security and analysis inside the perimeter. Advanced attacks depend on the ability to move laterally within a network, and they rely on the fact that internal visibility and controls are rarely on par with those at the perimeter. John Kindervag of Forrester has championed the concept of the Zero Trust architecture for exactly these reasons. At a bare minimum, enterprises should monitor the traffic crossing their core switches (for example, from a mirror or SPAN port) in order to maintain visibility into internal traffic, lest one owned client be allowed to spread to the entire enterprise.
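Here is the core-switch monitoring idea reduced to detection logic, as an added example that is not part of the original article. Given flow records taken from a SPAN or mirror port, the Python below flags two things: a host that opens RDP to several distinct internal machines inside a short window, and hop chains in which the destination of one RDP session becomes the source of the next, which is the machine-to-machine movement described above. The one-line log format, the RFC 1918 definition of "internal", the jump-host allowlist and every record in SAMPLE_LOG are constructed for illustration, and the function names (parse_flow_log, rdp_fanout, rdp_chains, analyze) are this example's own. The app column assumes the traffic has already been labelled by a port-independent decoder, so RDP on 3390 counts exactly the same as RDP on 3389.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# RFC 1918 space; anything else is treated as external and left to the perimeter controls.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Hosts expected to open RDP to many machines (a hardened jump host). Constructed for the
# example; in practice this list comes from your own inventory.
ADMIN_JUMP_HOSTS = {"10.0.1.10"}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    app: str   # label from a port-independent decoder ("rdp", "smb", ...), not the port


def parse_flow_log(text: str) -> List[Flow]:
    """Hypothetical flow-log format, one record per line:
    '<ISO-8601 timestamp> <src> <dst> <dport> <app>'; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        ts, src, dst, dport, app = fields
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), app))
    return sorted(flows, key=lambda f: f.ts)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def internal_rdp(flows: List[Flow]) -> List[Flow]:
    """Only RDP between two internal hosts: the traffic a perimeter firewall never sees."""
    return [f for f in flows if f.app == "rdp" and is_internal(f.src) and is_internal(f.dst)]


def rdp_fanout(flows: List[Flow], threshold: int = 3, window: timedelta = timedelta(minutes=30)):
    """One alert per source that opens RDP to >= threshold distinct internal hosts inside
    any window-long interval. Jump hosts are exempt; an ordinary workstation is not."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in internal_rdp(flows):
        if f.src not in ADMIN_JUMP_HOSTS:
            by_src[f.src].append(f)
    alerts = []
    for src, fl in by_src.items():          # fl is already in time order
        for i, start in enumerate(fl):
            dsts = {g.dst for g in fl[i:] if g.ts - start.ts <= window}
            if len(dsts) >= threshold:
                alerts.append((src, start.ts, sorted(dsts)))
                break
    return alerts


def rdp_chains(flows: List[Flow], window: timedelta = timedelta(minutes=60), min_hops: int = 2):
    """Reconstruct A->B->C hop sequences: each hop's source must be the previous hop's
    destination and must start within window of the previous hop."""
    rdp = internal_rdp(flows)
    chains: List[List[str]] = []

    def extend(chain: List[Flow]) -> None:
        last = chain[-1]
        visited = {c.src for c in chain} | {last.dst}   # guard against A->B->A loops
        nxt = [f for f in rdp
               if f.src == last.dst and last.ts < f.ts <= last.ts + window and f.dst not in visited]
        if not nxt and len(chain) >= min_hops:
            chains.append([c.src for c in chain] + [last.dst])
        for f in nxt:
            extend(chain + [f])

    for f in rdp:
        # A chain root is a hop whose source was not itself RDP'd into shortly before
        # (otherwise it is the middle of a longer chain) and is not an allowlisted jump host.
        if f.src in ADMIN_JUMP_HOSTS:
            continue
        if any(g.dst == f.src and g.ts < f.ts <= g.ts + window for g in rdp):
            continue
        extend([f])
    return chains


# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
2012-03-20T08:30:00 10.0.1.10  10.0.5.40   3389 rdp   # jump host: expected admin activity
2012-03-20T08:31:00 10.0.1.10  10.0.5.41   3389 rdp
2012-03-20T08:32:00 10.0.1.10  10.0.5.42   3389 rdp
2012-03-20T09:00:00 10.0.5.23  10.0.5.40   3389 rdp   # workstation -> workstation
2012-03-20T09:04:00 10.0.5.40  10.0.7.12   3390 rdp   # next hop, RDP on a non-default port
2012-03-20T09:05:00 10.0.5.40  10.0.7.12    445 smb
2012-03-20T09:09:00 10.0.7.12  10.0.9.5    3389 rdp   # third hop, onto a server
2012-03-20T09:15:00 10.0.5.23  10.0.5.41   3389 rdp
2012-03-20T09:16:00 10.0.5.23  10.0.5.42   3389 rdp
2012-03-20T09:20:00 10.0.5.23  203.0.113.9 3389 rdp   # external destination, out of scope here
"""


def analyze(log_text: str) -> dict:
    flows = parse_flow_log(log_text)
    return {"fanout": rdp_fanout(flows), "chains": rdp_chains(flows)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

On the sample log the fan-out rule fires once, for 10.0.5.23 reaching three distinct hosts between 09:00 and 09:16, and the chain rule reconstructs 10.0.5.23 to 10.0.5.40 to 10.0.7.12 to 10.0.9.5, the middle hop on port 3390 included; the jump host's three sessions produce nothing because it is allowlisted, and the session to 203.0.113.9 is ignored as external. The thresholds (three destinations in thirty minutes, sixty minutes between hops) are starting points to tune against your own baseline: help-desk staff and backup jobs that legitimately fan out belong on the allowlist, not in the alert queue. None of this is possible unless the internal traffic is actually mirrored to something that can see it, which is the point of the paragraph above.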

Vulnerabilities are a fact of life. MS12-020 is a bad one, but there will be more. It may sound trite, but patch management and defense in depth continue to be the best medicine. As security professionals, the hard part is taking a realistic, unflinching look at our defense in depth to make sure it is really providing what we intended.
