Updated: May 23, 2019
On May 14, Microsoft announced a vulnerability in their Remote Desktop Protocol (RDP) component in many Windows operating systems. RDP is used extensively for remote access to University servers and desktop devices. This vulnerability carries a critical risk of being exploited. The impact of such an incident would potentially affect thousands of University devices. Information Security is considering the following response.
- Detect and identify all University RDP services, notify department faculty, staff and systems owners who can be identified to patch immediately, and monitor for effectiveness.
Patching is the best remediation option and must be prioritized. There is currently no mechanism to scan for vulnerable systems. Information Security is actively monitoring for detection tools and will update procedures and share tools as they become available.
- Install a temporary network perimeter block of RDP traffic inbound to the University.
This block was implemented on May 16 at 1:30 PM. The block should drastically reduce the threat of internal device compromise while other mitigating options are implemented. These are the recommended options for using RDP:
- Use a U of T Virtual Private Network (VPN) service
RDP services can run over a VPN service with the perimeter block in place. Information Security recommends that departmental VPN services be used to support RDP services. UTORvpn, the University's institutional service, can also be used.
To use this option, install and run UTORvpn, then connect with your RDP client. For instructions, see:
- Use a U of T Remote Desktop Gateway (RDG) Service
RDG services are offered by departments. There is also a central RDG service, which requires an eToken. For detailed information, see:
- Request an exception for patched/not-vulnerable systems
If RDP is not available through the workarounds above and the system is patched or not vulnerable, contact Information Security for assistance in configuring a whitelist exception. Due to technical limitations, this can only be done on a case-by-case basis and only for a limited number of hosts. Send email to security.response at utoronto.ca, providing your network and contact information.
Current Known Affected Versions
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows XP SP3 x86
- Windows XP Professional x64 Edition SP2
- Windows XP Embedded SP3 x86
- Windows Server 2003 SP2 x86
- Windows Server 2003 x64 Edition SP2
Recommended actions
- Install the latest updates for the vulnerable operating systems.
- Disable Remote Desktop Services if not required. If required, closely monitor network traffic and the logs of any vulnerable systems for suspicious activity.
- Enable Network Level Authentication (NLA) on systems running Windows 7, Windows Server 2008, and Windows Server 2008 R2. This is a partial mitigation: NLA requires the client to authenticate before a session is established, which blocks unauthenticated, worm-style exploitation, but a system remains vulnerable to an attacker who holds valid credentials.
- Block TCP port 3389 at your perimeter, if possible.
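The following script is an added example, not part of this advisory or a U of T tool. It audits a single Windows host against the actions above (affected OS family, RDP enabled, NLA enabled) and, when $Remediate is set, enables NLA on the RDP-Tcp listener and scopes the host firewall's Remote Desktop rule group to a VPN range. It assumes an elevated PowerShell session (2.0 or later, so it also runs on Windows 7) and that the default inbound firewall policy is Block; the VPN subnet is a constructed placeholder.

```powershell
# Added example for the advisory's recommended actions (audit and optional remediation).
# Run as Administrator. Set $Remediate = $false to report only.
$Remediate = $true
$VpnSubnet = '10.0.0.0/8'   # PLACEHOLDER: constructed value, replace with your departmental VPN range

# Affected families in the advisory: XP / Server 2003 (5.x), Server 2008 (6.0), Windows 7 / 2008 R2 (6.1).
# Windows 8 / Server 2012 and later report 6.2 or higher and are not in the affected list.
$os = Get-WmiObject Win32_OperatingSystem
$osVersion = [version]$os.Version
$affected = $osVersion -lt [version]'6.2'
Write-Host ("OS: {0} ({1})  affected family: {2}" -f $os.Caption, $os.Version, $affected)

# Remote Desktop is enabled when fDenyTSConnections is 0.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
Write-Host "RDP enabled: $rdpEnabled"

# NLA is enforced when UserAuthentication is 1 on the RDP-Tcp listener (Vista/2008 and later only;
# the value does not exist on XP / Server 2003, where NLA cannot be enabled).
$listenerKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
$nlaEnabled = (Get-ItemProperty -Path $listenerKey -ErrorAction SilentlyContinue).UserAuthentication -eq 1
Write-Host "NLA enabled: $nlaEnabled"

if ($affected -and $rdpEnabled) {
    Write-Warning 'Host is in an affected OS family with RDP exposed: install the latest updates or disable Remote Desktop Services.'
}

if ($Remediate -and $rdpEnabled) {
    # Partial mitigation from the advisory: require authentication before a session is established.
    if (-not $nlaEnabled -and $osVersion -ge [version]'6.0') {
        Set-ItemProperty -Path $listenerKey -Name UserAuthentication -Value 1 -Type DWord
        Write-Host 'Enabled NLA on the RDP-Tcp listener.'
    }
    # Local equivalent of the perimeter block: only allow inbound RDP (TCP/3389) from the VPN range.
    # This rescopes the built-in "Remote Desktop" rule group; with a default-Block inbound policy,
    # all other sources are dropped. netsh advfirewall is available on Windows Vista / 2008 and later.
    netsh advfirewall firewall set rule group="remote desktop" new remoteip=$VpnSubnet | Out-Null
    Write-Host "Scoped inbound Remote Desktop firewall rules to $VpnSubnet."
}
```

On hosts without a VPN or gateway path, disabling Remote Desktop Services (fDenyTSConnections = 1) is the safer choice until the update is installed.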
Contact
security.response at utoronto.ca
Please check back to this document for updated information.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
- https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/