New Batch of XP SP2 Holes

terap writes "Microsoft has acknowledged that it is working on a patch for a potentially serious security hole in the 'Remote Desktop' feature. It affects fully patched versions of Windows XP Service Pack 2, even with the integration firewall turned on. There is a possibility this could lead to code execution attacks."

Hardware Firewall

[ForumTroll]

Seriously people they're cheap as hell and much superior to anything you're going to get from Microsoft on a software level. Just close all ports on the hardware firewall, except the few that you need, and try to keep your computer updated. It's really a very simple process and can save you tons of time in the end.

Re:Hardware Firewall

[awkScooby]

A hardware firewall is good advice for a home user, but isn't as good a solution for a big company or university where Remote Desktop is used as a support tool. Sure, there will be corporate firewalls which protect desktops from the Internet, and maybe even from some other internal networks, but all it takes is one worm on someone's laptop to bypass the corporate firewall(s).

I'm curious as to whether 3rd party software firewalls for windows are impacted by this or not. If not, then this hole (and others which are likely to follow) would provide a good justification for purchasing and deploying a 3rd party solution.

Re:I Never Use Remote Desktop

[KiloByte]

Good advice.
I'll go and scrap ssh, vnc and X then.

Re:don't use the standard RDC Port

[lheal]

That's not even a first line of defense. OK, so you get past people scanning your whole /16 for open port 3389. But

nmap -v -sV -O your.box.net

will reveal that port running RDC on your.box.net the same as if it were on the default 3389.

Keep in mind that unusual results draw more attention. You want to be invisible, or at least, to look like as many others as possible.

Re:don't use the standard RDC Port

[tyler_larson]

That's not even a first line of defense.

Actually, it's a wonderful first line of defense. In fact, it's a wonderful procedure to follow for all remote access (if possible) because of two main reasons:

First, you're safe from worms. That's not an insignificant thing. The vast majority of all attacks (especially against Windows boxes) are perpetrated through some automated process--worms or other malware. These programs generally don't waste time doing in-depth scans of computers. If you're configured differently than the rest of the flock, you're not worth the time.

Second, you're safe from casual portscans. My own servers are scanned at least 20 times a day, and often over a hundred. To save time, these scans only hit the "interesting" ports. If you don't look immediately interesting, you'll just be passed by.

That whole bit about keeping the default setup to avoid extra attention is a bunch of BS. There's nothing terribly suspicious about running a service on a non-standard port. Furthermore, it doesn't matter how interesting or uninteresting a host appears. If you're configuration is exploitable, you'll be exploited when discovered. And if you look just like everyone else, well then everyone else will be exploited too.

There is no strength in numbers, and there is no real strength in solitude. But if you can avoid detection, then you've avoided an attack. That's like hiding your valuables to avoid theft: It's not a reliable defense, but it's simple and works often enough to make for a reasonable precaution.