Blog du Tristank

So terrific that 3 of 4 readers rated it "soporific"

Terminal Server / Remote Desktop DoS Issue

Via TonySo:

Our initial investigation has revealed that a denial of service vulnerability exists that could allow an attacker to send a specially crafted Remote Desktop Protocol (RDP) request to an affected system. Our investigation has determined that this is limited to a denial of service, and therefore an attacker could not use this vulnerability to take complete control of a system. Services that utilize the Remote Desktop Protocol are not enabled by default, however if a service were enabled, an attacker could cause this system to restart.

Sounds like a low-value attack, but an attack nonetheless. Check out the advisory article for mitigation details while we work on a fix. An additional workaround might be to temporarily change the port you’re using for RDP from the default. That’s security through obscurity: an attacker who took the time to scan all available ports would still probably be able to identify the RDP port easily. You can do this without modifying a back-end server if it’s done with ISA 2004 (ignore the TSWeb bits, it’s the port numbering we’re interested in). You can also, or instead, filter that port based on known/trusted incoming IP addresses.
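The trusted-address filtering mentioned above can also be checked on the host itself. This is an added example, not part of the original post and not the ISA 2004 approach it describes. It assumes a current Windows build with the NetSecurity PowerShell module and an elevated prompt; the trusted addresses and the `$Apply` switch are constructed placeholders.

```powershell
# Added example: audit (and optionally tighten) the inbound firewall scope
# for whatever TCP port the RDP listener is actually configured to use.

# Constructed placeholder values: replace with your own trusted sources.
$TrustedSources = @('203.0.113.0/24', '198.51.100.10')
$Apply = $false   # hypothetical switch: leave $false to report only

# Standard registry location of the RDP listener port (3389 unless changed).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Write-Host "RDP listener is configured on TCP port $port"

# Enabled inbound allow rules that name this TCP port explicitly.
# Rules using a port range or 'Any' are not matched here; review those by hand.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains "$port")
    }

if (-not $rules) {
    Write-Warning "No enabled inbound allow rule names TCP port $port"
}

foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        # Reachable from every source address: this is the exposure to close.
        Write-Warning "'$($rule.DisplayName)' accepts RDP from any address"
        if ($Apply) {
            Set-NetFirewallRule -Name $rule.Name -RemoteAddress $TrustedSources
            Write-Host "  now scoped to: $($TrustedSources -join ', ')"
        }
    } else {
        Write-Host "'$($rule.DisplayName)' already scoped to: $($remote -join ', ')"
    }
}
```

Run it once with `$Apply = $false` to see which rules are open, and only then switch it on, ideally from a console session so a wrong scope cannot lock out your own remote connection.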

Update: Noticed Susan had a similar thought about it – the RDP proxy used for RWW in SBS 2003 runs on a different port (*speculation with little-or-no-merit warning* who knows, might not even be affected by the same issue…).