March 2012

March 2012 Security Bulletin Webcast Q&A

Hosts: Pete Voss, Senior Response Communications Manager
Dustin Childs, Senior Security Program Manager

Website: TechNet/security

Chat Topic: March 2012 Security Bulletin Release
Date: Wednesday, March 14, 2012

Q1: Is there a Microsoft Terminal Services Client (MSTSC) for Windows Server 2003 that supports Network Level Authentication?
A1:
No, there is not an MSTSC client available for Windows Server 2003 that supports Network Level Authentication (NLA).

Q2: In regards to MS12-020, we do not use the default RDP port of 3389 for ALL our Windows systems. We also block 3389 on all firewalls. Should we still be concerned about deploying MS12-020 immediately?
A2:
Yes. An attacker could still find the service that RDP listens on, so we continue to recommend that customers prioritize the deployment of this security update.
 

Q3: For Microsoft Expression Design 2 (MS12-022), does the installer 'KB2667725.exe' support quiet installations? From our test it does not appear to support any of the documented switches such as silent mode. We tried the documented deployment switches and it always displays the License Agreement pop-up window. We tried /q, /qn, /quiet, /s, /silent, and /? but nothing works.
A3:
We don’t support silent installs with that installer. Obviously, we do MU and WSUS—so, that would be the route for corporations. The bulletin will be amended to correct this information.

Q4: Again about MS12-020, can the Remote Desktop service running on Windows (Server) XP/2003/Vista/2008 be changed from system to an account with lower rights, or does the update also do this?
A4:
The RDP service cannot be changed from system to a user with lower rights.

Q5: What are the supported operating systems -- the system requirements -- for Expression Design 2?
A5:
Microsoft Windows XP with Service Pack 3, Windows Vista, Windows 7 or Windows Server 2008 operating system.

Q6: Should MS12-020 be applied to Terminal Servers?
A6:
Yes, Remote Desktop Services was formerly known as Terminal Services. Please see the security bulletin for the appropriate security update for your supported platform. 
 

Q7: If the RDP service is set to Manual but is not started, would a system still be vulnerable? Or must the service be actively listening on 3389 to be affected?
A7:
Yes, the system is still vulnerable. However, there is no attack vector for attackers to exploit if the service is not listening. The machine could be exploited if the service is started. Customers are recommended to still apply the security update.

Q8: Does Microsoft have any tools/procedures to scan a network to find RDP servers?
A8:
You can use the Port Query utility. The basic syntax is:

portqry -n MyServer -p tcp -e 3389

For more on using this tool please refer to "KB832919 - New features and functionality in PortQry version 2.0".

Q9: For Citrix servers, does the RDP vulnerability have an impact on ICA? In other words, if I am accessing via a Citrix client, is that vulnerable or just RDP sessions?
A9:
This vulnerability is specific to the Microsoft implementation of RDP. Citrix clients have their own implementation of the RDP protocol. Microsoft is only certain that this vulnerability affects RDP.

Q10: Can VPN authentication be used to allow NLA for RDP on Windows XP clients?
A10:
VPN can provide some general protection from this vulnerability by requiring the attacker to be authenticated prior to exploiting the vulnerability. VPN does not specifically block NLA. Even though VPN solutions can provide some mitigations against this vulnerability, customers are recommended to apply this security bulletin.

Q11: Since you can remote to any server, wouldn't all servers be vulnerable to MS12-020?
A11:
RDP is not enabled by default, but it is commonly enabled by server administrators, and any server where RDP is enabled is vulnerable. 
 

Q12: I just entered. Is RDP gateway vulnerable?
A12:
Servers providing Terminal Services Gateway service are not directly vulnerable to this issue. The reason is that external users connect to the TS Gateway by using RDP encapsulated in RPC over HTTPS via port 443. The TS gateway computer removes the SSL encryption from the RDP traffic and then forwards the traffic to port 3389 of the destination computer on the internal network. The Terminal Services session is then established with that destination computer, not with the TS Gateway system. However, a TS Gateway server that also has RDP Server enabled, in order to allow RDP to the Gateway server itself, is vulnerable.

Q13: Re MS12-019, the bulletin specifically mentions Windows Live Messenger as an attack vector. Are other Microsoft IM products, like Office Communicator or Lync, impacted by this vulnerability in DirectWrite?
A13:
No, other Microsoft Instant Messenger products are not affected.
 

Q14: Is there a Group Policy Object (GPO) to enable NLA on all Windows 7 clients within a Windows 2008 domain?
A14:
Yes, please see the workarounds section of the bulletin for details or the SRD Blog. Here is the link specifically:
http://technet.microsoft.com/en-us/library/cc732713.aspx
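
An added example, not part of the webcast and not Microsoft tooling: an inventory check for the questions above about finding RDP listeners (Q8, including the non-default ports of Q2) and about NLA (Q14). It sends an X.224 connection request that offers only standard RDP security and classifies the reply; the constants follow the MS-RDPBCGR specification, while the function names and result labels are this example's own.

```python
import socket
import struct

# Negotiation constants from MS-RDPBCGR (X.224 connection sequence)
PROTOCOL_RDP = 0x0                 # standard RDP security, i.e. no NLA
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
SSL_REQUIRED_BY_SERVER = 0x01
HYBRID_REQUIRED_BY_SERVER = 0x05   # server insists on CredSSP (NLA)


def build_request(requested=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes)."""
    neg = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    x224 = bytes([6 + len(neg), 0xE0, 0, 0, 0, 0, 0]) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def classify(resp):
    """Classify the reply to a request that offered only standard RDP security."""
    if len(resp) < 11 or resp[0] != 3 or (resp[5] & 0xF0) != 0xD0:
        return "not-rdp"                  # no TPKT / X.224 Connection Confirm
    if len(resp) < 19:
        return "rdp-no-nla"               # legacy confirm without negotiation data
    ntype, _flags, _length, value = struct.unpack_from("<BBHI", resp, 11)
    if ntype == TYPE_RDP_NEG_FAILURE:
        if value == HYBRID_REQUIRED_BY_SERVER:
            return "rdp-nla-required"
        if value == SSL_REQUIRED_BY_SERVER:
            return "rdp-tls-required-no-nla"
        return "rdp-refused"
    if ntype == TYPE_RDP_NEG_RSP and value == PROTOCOL_RDP:
        return "rdp-no-nla"
    return "rdp-unknown"


def check_host(host, port=3389, timeout=3.0):
    """Probe one host and port on a network you administer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request())
            return classify(s.recv(64))
    except OSError:
        return "closed"
```

Hosts reported as "rdp-no-nla" accept a session before the user authenticates, so they are the ones to prioritize for the MS12-020 update and the NLA policy.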