Check Point Advisories

Protect Yourself against Multiple Remote Desktop Protocol (RDP) Vulnerabilities

Check Point Reference: SBP-2006-07
Date Published: 14 Sep 2006
Severity: Medium
Last Updated: 8 May 2007
Source: Microsoft Security Bulletin MS05-041
Industry Reference: CVE-2005-1218
Protection Provided by:
Who is Vulnerable? Remote Desktop users
Vulnerability Description

The Remote Desktop Protocol (RDP) lets users create a virtual session on their desktop computers, allowing remote users to access all the data and applications on those computers. As you interact with the client system, keystrokes and mouse events are sent over the connection to the remote system, which sends back screen information for the client program to display. RDP operates over any TCP/IP network and is implemented by Terminal Services in Windows 2000 and Windows Server 2003 and by Remote Desktop Sharing services in Windows XP.

The Remote Desktop Protocol is exposed to multiple security threats: connections from non-Windows clients such as Linux and Tarantella, connections attempted on ports other than the default RDP port (TCP/3389), RDP connections that consume a lot of bandwidth, threats inherent to certain versions of RDP (e.g. 5.x, 4.x), and more.

By sending a specially crafted RDP request, a remote attacker could trigger these vulnerabilities to gain sensitive information or cause a denial of service.

Vulnerability Details

InterSpect NGX offers several protections for RDP, including:

RDP Enforcement - This protection blocks malformed RDP traffic, preventing exploits attacking RDP servers. This defense is able to analyze RDP TCP streams, allowing for much more effective security than is possible by examining TCP packets one at a time.

Strict Protocol Enforcement - This protection enforces that the traffic consist of a single message per packet. The default RDP handshake consists of a single packet per message, so traffic that does not look like this can indicate suspicious activity.
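The following is an added example, not Check Point code, of what a "one message per packet" check amounts to. It assumes RDP handshake messages are framed with TPKT headers (RFC 1006: version byte 3, a reserved byte, and a 16-bit total length), which is how the X.224 connection request is carried; the advisory itself does not name the framing. The sample segments are constructed here for illustration.

```python
# Added example (not from the advisory): flag TCP segments that carry more than
# one TPKT-framed RDP message, or whose framing is malformed.
import struct

TPKT_VERSION = 3
TPKT_HEADER_LEN = 4


def tpkt_frame(payload: bytes) -> bytes:
    """Wrap a payload in a TPKT header (version 3, reserved 0, total length)."""
    return struct.pack("!BBH", TPKT_VERSION, 0, TPKT_HEADER_LEN + len(payload)) + payload


def split_tpkt_messages(segment: bytes) -> list:
    """Walk a TCP payload and return every TPKT-framed message it contains.

    Raises ValueError when the bytes are not well-formed TPKT framing, e.g. a
    truncated header, a wrong version byte, or a length that overruns the segment.
    """
    messages = []
    offset = 0
    while offset < len(segment):
        if len(segment) - offset < TPKT_HEADER_LEN:
            raise ValueError("truncated TPKT header")
        version, _reserved, length = struct.unpack(
            "!BBH", segment[offset:offset + TPKT_HEADER_LEN]
        )
        if version != TPKT_VERSION:
            raise ValueError(f"unexpected TPKT version {version}")
        if length < TPKT_HEADER_LEN or offset + length > len(segment):
            raise ValueError("TPKT length field does not match the payload")
        messages.append(segment[offset:offset + length])
        offset += length
    return messages


def strict_enforcement_verdict(segment: bytes) -> str:
    """Return 'allow' for exactly one well-formed message, else a 'block: ...' reason."""
    try:
        messages = split_tpkt_messages(segment)
    except ValueError as exc:
        return f"block: malformed framing ({exc})"
    if len(messages) != 1:
        return f"block: {len(messages)} messages in one packet"
    return "allow"


# Constructed sample: an X.224 Connection Request (LI, CR code 0xE0, DST-REF,
# SRC-REF, class option) carrying a routing cookie, wrapped in one TPKT frame.
_X224_BODY = b"\xe0\x00\x00\x00\x00\x00" + b"Cookie: mstshash=user\r\n"
CONNECTION_REQUEST = tpkt_frame(bytes([len(_X224_BODY)]) + _X224_BODY)

# Constructed sample: two handshake messages coalesced into a single segment.
TWO_IN_ONE = CONNECTION_REQUEST * 2

# Constructed sample: a header claiming TPKT version 5.
BAD_VERSION = b"\x05\x00\x00\x08\x00\x00\x00\x00"

if __name__ == "__main__":
    for name, seg in [("single CR", CONNECTION_REQUEST),
                      ("coalesced", TWO_IN_ONE),
                      ("bad version", BAD_VERSION),
                      ("truncated", CONNECTION_REQUEST[:3])]:
        print(f"{name:12s} -> {strict_enforcement_verdict(seg)}")
```

A real stream inspector reassembles the TCP stream first, so the per-segment view shown here is only meaningful for the initial handshake, which is exactly where the advisory says the one-message-per-packet rule applies.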

Session Resolution and Non-Standard Session Resolution - The protection allows you to specify the maximum screen width/height, as well as bits per pixel on the client side display window. This is used for bandwidth control. Remote Desktop connections can potentially take up a lot of bandwidth, because RDP sessions transmit picture, mouse, and keyboard data from the RDP server.

Version Control - This protection enables blocking a version if an exploit specific to that version has been detected. Several reasons account for blocking specific RDP versions:
- There are vulnerabilities which are specific to a certain version.
- 'Block other RDP versions' can block older RDP versions, as well as specially crafted packets which contain a non-legitimate RDP version.

Block Non-Windows Clients - This protection blocks clients connecting to an RDP server from a non-standard Remote Desktop client (Linux rdesktop, Tarantella, or any other non-Windows environment). Users can connect to RDP servers using non-Windows clients, which could expose the network to security threats.

Block RDP over non-standard ports - This protection enables you to block RDP traffic on TCP ports other than 3389. If your organization runs RDP on a non-default port, ensur

Protection Overview