|Check Point Reference:||SBP-2006-07|
|Date Published:||14 Sep 2006|
|Last Updated:||8 May 2007|
|Source:||Microsoft Security Bulletin MS05-041|
|Protection Provided by:|
|Who is Vulnerable?||Remote Desktop users|
|Vulnerability Description||The Remote Desktop Protocol (RDP) lets users create a virtual session on their desktop computers, allowing remote users to access all the data and applications on their computers. As you interact with the client system, keystrokes and mouse events are sent over the connection to the remote system, which sends back screen information for the client program to display. RDP operates over any TCP/IP network and is implemented by Terminal Services in Windows 2000 and Windows Server 2003, and by Remote Desktop Sharing services in Windows XP.
The Remote Desktop Protocol is prone to multiple security threats, including connections from non-Windows clients such as Linux and Tarantella, connections attempted on ports other than the default RDP port (TCP/3389), RDP connections that take a lot of bandwidth, threats inherent to certain versions of RDP (e.g. 5.x, 4.x) and more.
By sending a specially crafted RDP request, a remote attacker could trigger these vulnerabilities to gain sensitive information or cause a denial of service.
|Vulnerability Details||InterSpect NGX offers several protections for RDP including: |
RDP Enforcement - This protection blocks malformed RDP traffic, preventing exploits attacking RDP servers. This defense is able to analyze RDP TCP streams, allowing for much more effective security than is possible by examining TCP packets one at a time.
Strict Protocol Enforcement - This protection requires that the traffic consist of a single message per packet. The default RDP handshake consists of a single packet per message. Traffic that does not look like this can indicate suspicious activity.
Session Resolution and Non-Standard Session Resolution - The protection allows you to specify the maximum screen width/height, as well as bits per pixel on the client side display window. This is used for bandwidth control. Remote Desktop connections can potentially take up a lot of bandwidth, because RDP sessions transmit picture, mouse, and keyboard data from the RDP server.
Block Non-Windows Clients - This protection blocks clients connecting to an RDP server from a non-standard Remote Desktop client (Linux rdesktop, Tarantella, or any other non-Windows environment). Users can connect to RDP servers using non-Windows clients, which could expose the network to security threats.
Block RDP over non-standard ports - This protection enables you to block RDP traffic on TCP ports other than 3389. If your organization runs RDP on a non-default port, ensur
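
The Strict Protocol Enforcement and non-standard-port checks described above can be expressed in code as follows. This is an added example, not Check Point's implementation: it assumes the RDP connection sequence is framed as TPKT (RFC 1006) carrying X.224, and the function names and sample bytes are constructed for illustration.

```python
import struct

RDP_PORT = 3389   # default RDP port named on the page
X224_CR = 0xE0    # X.224 Connection Request TPDU code (high nibble of byte 2)

# Constructed sample: minimal TPKT + X.224 Connection Request, 11 bytes.
SAMPLE_CR = bytes.fromhex("0300000b06e00000000000")


def tpkt_messages(payload: bytes) -> list:
    """Split one TCP payload into TPKT (RFC 1006) message bodies."""
    msgs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated TPKT header")
        version, _reserved, length = struct.unpack_from(">BBH", payload, off)
        if version != 3:
            raise ValueError("not TPKT version 3")
        if length < 7 or off + length > len(payload):
            raise ValueError("TPKT length inconsistent with payload")
        msgs.append(payload[off + 4:off + length])
        off += length
    return msgs


def inspect_segment(dst_port: int, payload: bytes) -> list:
    """Return policy findings for one client-to-server handshake segment."""
    if not payload:
        return []                      # bare ACK, nothing to inspect
    try:
        msgs = tpkt_messages(payload)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if len(msgs) != 1:
        findings.append(f"strict: {len(msgs)} messages in one packet")
    # X.224 body = length indicator byte, then the TPDU code byte
    if msgs[0][1] & 0xF0 == X224_CR and dst_port != RDP_PORT:
        findings.append(f"non-standard port: RDP connection request on {dst_port}")
    return findings


if __name__ == "__main__":
    for port, data in [(3389, SAMPLE_CR), (8080, SAMPLE_CR),
                       (3389, SAMPLE_CR * 2), (3389, SAMPLE_CR[:-1])]:
        print(port, data.hex(), inspect_segment(port, data))
```

Segment boundaries are a TCP artifact, so a "strict" finding is a signal for review rather than proof of an attack, matching the page's wording that such traffic "can indicate suspicious activity".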