Last updated on March 20, 2012 at 4:58PM
Please take note of the following urgent security message. Where possible, please help to make affected users aware of this change and support them in using the VPN service.
Last week, Microsoft announced a very serious vulnerability with the Microsoft Remote Desktop Protocol (MS RDP), a protocol that provides remote display and input capabilities over network connections for Windows-based applications running on a server. Though Microsoft has also issued a patch for the primary vulnerability, the severity of the potential impact related to unpatched systems at Penn State is significant. As a result, Penn State will begin blocking incoming port 3389 on Wednesday, March 21, 2012.
MS RDP, by default, uses port 3389, and this port is open at the University and is continually scanned by attackers. Normally attackers are attempting to guess a valid username and password on the machine. This is of particular concern because a working exploit could turn into a self spreading worm that infects all unprotected Windows systems running Remote Desktop.
While users can still use MS RDP after the block, he/she will need to use the Penn State\'s Virtual Private Network (VPN) in order to do so. See: http://kb.its.psu.edu/node/891
Additional information about this vulnerability is found in the ITS Alert at: http://alerts.its.psu.edu/alert-2262/
Inquiries and requests for assistance regarding this vulnerability should be directed to email@example.com.
On March 13, 2012, Microsoft released Advisory 2671387 which stated
that Microsoft has fixed a vulnerability in Microsoft Remote Desktop
Protocol (RDP) that if exploited could grant complete control to an
On a computer running Microsoft Remote Desktop in a default
configuration, an attacker without credentials can send a specially
crafted sequence of data to the computer and gain complete control
of the vulnerable computer.
This affects all supported versions of Microsoft Windows.
By default, RDP uses TCP port 3389. This port is open at the
University and is continually scanned by attackers. Normally the
attackers are attempting to guess a valid username and password on
the machine. ITS Security Operations and Services Office has not
observed a major increase in traffic as of March 16, 2012.
However, as of March 16, 2012, a bounty of almost $1500 USD has been offered
for a working exploit. While SOS believes attackers attempt to
develop exploits after every vulnerability announcement, this
vulnerability is of particular concern because a working exploit could turn into
a self spreading worm that infects all unprotected Windows systems
running Remote Desktop.
Microsoft Security Bulletin MS12-020 included a patch that should be
applied as soon as possible. Microsoft expects working exploits to
be in use within weeks (if not sooner).
The suggestions below will not fix the underlying vulnerabilty, but
provide defense in depth against possible attacks. Detailed
explanations of each workaround can be found in the Microsoft
Disable Remote Desktop
Best practice is to disable unnecessary services on a machine.
If Remote Desktop is not needed, disable it.
Limit Access to TCP Port 3389 via a Firewall
Only allow connections from trusted IP ranges. For example, limit
TCP 3389 to only the University and require users to connect to the
University VPN service before using RDP.
Enable Network Level Authentication on Modern Windows Systems
If you only use Windows Vista, Windows 7, Server 2008, and Server
2008 R2, as RDP clients, you can enable Network Level Authentication
and force a user to authenticate before being allowed to use RDP.
CVE-2012-0002: A closer look at MS12-020\'s critical issue
Strength, flexibility and the March 2012 security bulletins
For more information, please contact firstname.lastname@example.org (814.863.9533).