Microsoft: RDP Vulnerability Should Be Patched Immediately

wiredmikey writes "Microsoft is urging organizations to apply the sole critical update in this month's Patch Tuesday release as soon as possible. The critical bulletin – one of six security bulletins issued as part of Tuesday's release – addresses two vulnerabilities in the Remote Desktop Protocol (RDP). Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon's AWS, need to patch as quickly as possible, said Qualys CTO Wolfgang Kandek. Besides the RDP bugs, this month's Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio."

Not worrying

[hcs_$reboot]

I'm feeling well. I'm on Linode (Linux). Not a flamebait. It could happen to Linux as well. But it doesn't.

Re:Not worrying

Safe, unless you are running bitcoin operations there.

Re:Not worrying

[bertok]

It could happen to Linux as well. But it doesn't.

Linux does have comparable remote-access protocols to RDP, all of which have had plenty of remote exploits in past. For example have a look at CERT advisories on SSH and X11. Don't even get me started on VNC, which is often not updated automatically because it's an installable add-on instead of a system component.

Re:Not worrying

[nzac]

I think all of those have happened in Linux at some stage, with the exception of privilege escalation exploits in an IDE.
It just happens less and the number of exploits is reduced due to rapid updates, on average much better admin and version fragmentation from different distros.

Re:Not worrying

What do you mean it "COULD" happen to linux. don't you follow the latest patch releases. IT DOES happen to linux every month as well, or did you think those patches we download and install every month are just for the fun of it?

Re:Not worrying

I'm feeling well. I don't own a computer. Not an irrelevant comment. It could happen if i bought a computer. But I won't.

Re:Not worrying

I've had trouble with a VNC bug in the past. I was using a boot CD to copy Windows security updates so I wouldn't have to hook up the unsecured freshly installed Windows to the net, and suddenly the mouse started moving in a very mechanical fashion and it started to type (exactly one character per second) a command which was obviously intended to go into a console window (but fortunately ended up in an open text document). I pulled out the ethernet cable to get my mouse and keyboard back and killed the VNC daemon; that solved the problem, but it was still freaky.

Re:Not worrying

[hcs_$reboot]

Yes, but Linux people are used to SSH and text based commands, at least for servers. What I mean is that Linux admins are much less used to / tempted to enjoy the luxury of a windowed environment to perform the administration of their servers, than Windows admins who learn from day 1 that administration goes through the nice and easy to understand GUI. I'm happy with a restricted SSH access, and this is not likely to change soon.

Re:Not worrying

[bloodhawk]

Me thinks you need to do a little more research before posting. CERT or maybe secunia may be enlightening for you.

Re:Not worrying

[hcs_$reboot]

Ok, so there are some weaknesses / bugs and patches to be applied to Linux. There are, there were, and there will be. Always. But are we on the same scale here? We are talking about a remote administration GUI security hole ; that nice graphics and windows based environment that allows almost any brainless geek to damage the system from any angle, visually, like a game.

Re:Not worrying

WTF does SSH vs. GUI have to do with security? If anything, once exploited SSH would be less secure, because its easier to inject commands into a command prompt than it is to automate a GUI.

Re:Not worrying

[philip.paradis]

I believe the GP was referring to this story.

Re:Not worrying

[hcs_$reboot]

It's not the same thing. The problem is the tool in the first place. A GUI to perform admin of a remote server is dangerous. It makes the tool usable to a larger audience. Windows people are used to windowed environment. That has always been the case (at least in the 2000s). This makes the administration more comfortable, and easy to perform. When you don't know what to do, go through the menus and find what you need. That system has some drawbacks - the RDP problem is part of the price to pay.

Re:Not worrying

[bloodhawk]

???? and what the hell does a CLI vs GUI have to do with security in this case?

Re:Not worrying

And having a vulnerability in a GUI (RDP) protocol is somehow worse than having vulnerabilities in SSH how exactly?

Re:Not worrying

[bertok]

Nothing stops you from using Windows Remote Management to do exactly the same thing with Windows.

Re:Not worrying

[jaymemaurice]

So you are trying to tell me a system where many admins cannot write firewall rules and file ACLs is better then a system with a GUI for the same?

Windows has all the same security functions linux does and then some and can be made to be highly secure. It also has a command line that is more useful then the majority of inexperienced know. Admins who don't know how to/or care to maintain some of their systems exist on both camps. It is not the tool.

What you are saying is the same as saying impact wrenches are bad tools for mechanics because they are easy to use and strip bolts and all mechanics should all use torque wrenches instead.

Re:Not worrying

[hcs_$reboot]

RDP is a GUI, SSH (for instance) is not. From wiki:

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer

Don't you think it is easier to hack a computer from a windowed based tool where you see the menus and all, than from an austere text based prompt?

Re:Not worrying

[TheInternetGuy]

And having a vulnerability in a GUI (RDP) protocol is somehow worse than having vulnerabilities in SSH how exactly?

Any fool can use the GUI, but with SSH at least you can be sure that you are being hacked and exploited by a fellow geek.

Re:Not worrying

We are talking about people using exploits to abuse a protocol bug, whether it is a command line or a gui is irrelevant (regardless of how much I hate GUI based management). All a CLI offers is a little more obscurity and if that is something you think helps you during vulnerability exploits then step right this way I also have a bridge to sell you.

Re:Not worrying

[lucm]

RDP is a GUI, SSH (for instance) is not. From wiki:

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer

Don't you think it is easier to hack a computer from a windowed based tool where you see the menus and all, than from an austere text based prompt?

I would suspect that someone who has the skill set required to "hack a computer" would not be slowed down much in his mischievous activity by an austere text based prompt..

Re:Not worrying

[hcs_$reboot]

a system where many admins cannot write firewall rules and file ACLs is better then a system with a GUI for the same

Fortunately, "admins" who don't understand iptables or chmod (there are graphical aides anyway) are usually using something else, like Windows. I'm not saying Linux is safer, always and forever, I'm saying the way Linux is to be apprehended makes it more likely to be operated by skilled professionals. There are of course brilliant people Windows side, and both systems complexity is similar, but the thing is that the GUI layer makes it accessible to more people who think they understand the system since the graphical tool is visually convenient. It's like Javascript and C/C++. Some people program in Javascript - more accessible since the interpreter takes care of many things - and only know JS. They think they master programming. Do they? I don't think so - at least most of them.

Re:Not worrying

No, I don't think it is easier. Why do you think windows and menus make things any more hackable?

Re:Not worrying

[flyingfsck]

Microsoft bought RDP from Citrix. Microsoft doesn't develop software, they buy/steal and redistribute it. For example Internet Explorer and Stax...

Re:Not worrying

[hcs_$reboot]

Ok, so let's take the problem from another angle: an admin installs a GUI to perform administration of his high value system from the Internet. Yes, the hack requires some strong knowledge, I must agree. But an admin who decides to install such convenient graphical tool is wrong in the first place. Such a RDP protocol is obviously more complex than a simple ssh, and is more likely to get cracked. What I'm trying to say, and this is the real problem, is that Windows admins are so used to GUIs that they miss other more secure alternatives. You said you hate GUI based management. The regular Windows admins hate the console based management.

Re:Not worrying

[jaymemaurice]

I know you are not correct in that many web developers who develop on Linux try and maintain the equipment on their own. What they previously did on Windows they can no longer do. Linux is mainstream now and you no longer need to have any intelligence to run a LAMP server... and many of them run linux because they feel it makes them seem more "elite" then the windows server users they once were. Sadly, they install the complete CD with compiler and all and don't do the updates because they can't resolve the dependancy hell of their distribution.

Re:Not worrying

Is this sarcastic or is this somehow really supposed to be reassuring?

You do know that they have point-and-click exploit kits, right? Ever heard of the term 'script kiddie'? Countless UNIX vulnerabilities have been packaged up into various graphical tools that non-experts can use to take advantage of vulnerable systems.

Re:Not worrying

[lucm]

No, I don't think it is easier. Why do you think windows and menus make things any more hackable?

I know: someone using WinRunner or AutoHotKey could do brute-force hacking on a GUI!

This is brilliant, I must immediately check IRC (or Experts-Exchange) to see if there are scripts available to do that.

Re:Not worrying

[Collapsing+Empire]

Wow. Just wow.

Please don't tell me you're in any way shape or form responsible for IT security.

I hope you understand that graphical exploit kits do exist that target UNIX systems. This commenter pointed it out.

An attacker who knows what he is doing will attack both Windows and UNIX systems. One that doesn't will just use a tool that a skilled person wrote to "point and click" his way into a box regardless of what OS it is running.

Re:Not worrying

[leenks]

The vulnerability is in the protocol, not that it is a remote GUI protocol. The fact it is a gui protocol is moot in this case - the attack allows someone (using a terminal, a gui, whatever) to send crafted packets to the RDP service (note, service) on a Windows machine that may allow them to run arbitrary code remotely, in just the same way that someone (using a terminal, a gui, whatever - see the consistency here?) to send crafted packets to XYZ service (note service) on a Linux/BSD/whatever machine that may allow them to run arbitrary code remotely.

The nice thing with this attack failed attempts supposedly result in a BSOD too :-)

Re:Not worrying

[qu33ksilver]

Actually you are wrong. I am from Citrix so I know, RDP is developed by Microsoft, Citrix has its own proprietary protocol called ICA(Independant Computing Architecture) which is just a wrapper around RDP. Its true that RDP came from WinFrame which was a Citrix product but you are wrong in saying that Microsoft bought RDP from Citrix.

Re:Not worrying

[Millennium]

Don't you think it is easier to hack a computer from a windowed based tool where you see the menus and all, than from an austere text based prompt?

Only to the extent that GUIs are easier to use in general. They are not inherently more hackable than text prompts: text may give you a little extra obscurity, but that's not something that should be relied on in a security context.

Re:Not worrying

[dwywit]

+1 Testify, Brother! Too many non-windows admins IMHO have little idea of the capabilities of Powershell

Re:Not worrying

[Tuan121]

How insightful. I'd never have imagined to see a comment like this on Slashdot, thanks for contributing to the discussion!

Re:Not worrying

[Ihmhi]

Well, it's honestly not worth finding exploits for Linode or most other forms of Linux. (Not a flamebait.) Why bother trying to break into the computers of less than 1% of people.

(See, others can do it too!)

Can we get a "Macs don't get viruses!" guy to chime in? And maybe someone from Amiga or BSD?

Re:Not worrying

[Richard_at_work]

Microsoft developed the original RDP technologies (before someone jumps in, not *all* RDP tech, just the ones involved in this timeline), and sold it off to Citrix, who dramatically improved it. MS then licensed it back from Citrix as an independent product and included it into Windows.

Re:Not worrying

[jaymemaurice]

The worst thing about SSH vunerabilty exploits is you can sucessfully issue a batch of commands rooting the box... and even make ssh tunnels to remote resources like printers and DVRs and root them too... at least with an RDP exploit, its a PITA to script a large scale attack.

Re:Not worrying

Yeah, except for linode divulging the master admin password. That's a pretty awesome VPS provider you have there.

Re:Not worrying

[zyzko]

SSH has had several bugs - both design flaws and implementation flaws. Heck, even things like ntp servers have been exploited. Ssh is in no way "simple" (though it has been getting better at not having remote code execution flaws) and it can be misconfigured and used in very creative ways.

The "hate" here seems to be that it is actually possible to administer Windows conveniently using RDP and that there is something inherently wrong with that. Administering IT systems should not be black magic done in deep dungeons where mere mortals can't enter. Sure, it is wise to implement policies so that people are not going to easily screw up. GUI doesn't make any administration more secure on less secure, you can fail in unthinkable ways with or without gui tools...

By the way, X11 predates RDP and running graphical programs over network on UNIX machines has been common (including administration tools).

And btw, I do systems administration - on Linux and using console (and a few graphical tools like firefall builder) and on Windows using RDP to do stuff that is easily handled through GUI (one-time settings etc.) and through Powershell when automation is needed or tasks that would be hard or impossible in GUI. And I do not see my RDP usage no more a security risk than running ssh is (both environments have defined security policies with access rules / control, roles are used to separate privileges and users are not given unneeded privileges). I am screwed if my internet-facing sshd implementation has remote root exploit, as I am with RDP server. Or Apache. Or PostgreSQL.

Re:Not worrying

[hairyfeet]

Insightful? For what? bragging your on an OS lower than the margin for error and therefor not worth a criminal's time. hey you should brag you are on OS/2, I bet it ain't needed a single patch in years! Meanwhile you can enjoy such fun recreational activities as 1.-hunting for fixes on forums every 6 months when the latest update deathmarch craps on 1 or more of your drivers, 2.- Having such wonderful documentation that is at best just a pile of CLI use flags, at worse a 'todo" file, 3.-having an "OS" that is just a hodge podge of programs written by a bunch of groups that have nothing to do with each other, so some follow Windows conventions, some mac, and some unix, 4.- having such wonderful QA that Dell has to run their own repos just to keep the OS from going "LOL I made a stinky!" on itself and killing the wireless, need i go on?

As for your much vaunted security? might want to look at some things, ready?

Get ready, here they come! BTW if you'd like a little more food for thought, what OS was 3 of the 4 CAs running that were compromised? take a look and see. Maybe they just had bad configs? Surely someone with knowledge would be safe right? Guess again and its not a fluke by any means.

Re:Not worrying

Script kiddie? You mean most so-called IS/IT security analysts after about 1995 or so?

Re:Not worrying

[SuricouRaven]

Windows: So awkward to use, even the hackers will get mired in in the GUI.

Re:Not worrying

[X.25]

Linux does have comparable remote-access protocols to RDP, all of which have had plenty of remote exploits in past. For example have a look at CERT advisories on SSH and X11. Don't even get me started on VNC, which is often not updated automatically because it's an installable add-on instead of a system component.

You didn't get a chance to look at years on those advisories, eh?

In year 2002 everything was vulnerable. Literally.

In year 2012, one would expect that such critical component like RDP would be audited 100 times by Microsoft. Seemingly not.

Re:Not worrying

[water-and-sewer]

Although they might get gummed up by the new ribbon interface in the menus. "Dammit, where did that button go?"

Re:Not worrying

Seems to have a lot more dependencies than SSH.

You basically need the admin to set up so many things correctly (so that stuff works) AND at the same time not secure it properly so that you can pwn them.

Re:Not worrying

Windows has all the same security functions linux does...

Educate yourself before making silly statements such as this.

The average Windows admin is a clickie-clickie fool who doesn't understand the why's... they just know how to clickie-clickie. That's why they're $15 an hour and you can throw a rock and hit one almost anywhere... it's something you can get "certified" on with little knowledge or expertise. A joke, really, to the industry. And an insult to competent admins everywhere.

You want a car analogy? It's like bringing your brand-new bike to a race -- training wheels and all -- and the ensuing raucous laughter you will be subjected to because you're too green to understand there's a whole larger world you're missing.

Re:Not worrying

[jd2112]

Windows 8: Security through "where the hell did the Start menu go?"

Re:Not worrying

[hcs_$reboot]

I'd never have imagined to see a comment like this on Slashdot

You must be kidding, or you must be new, or you must suffer from the Memento syndrom. There are plenty of posts like this one. They're usually from AC, and don't survive in the >-1 universe more than a couple of minutes. Or maybe you were looking after some karma? My post being an easy target, and you expected some recognition from your criticism, like the schoolboy proud to blame another student in front of the teacher, for something the teacher disapproves. Frankly, after a few hours of work, I look back at it and I agree that it may sound plain stupid. Or maybe because some readers took it that literally, I feel sad. My post was funnier than insightful. Or maybe more interesting than funny. Or, even, more informative than interesting. Because I still believe what I said, not meaning any flamebait or whatever. I have been a long time, and still am, in the computers business, and I meet, interview and work with IT people in different companies, various countries. I see how they behave. I see how they perform, and take a guess on how they will perform. There is a difference between the staff used to Windows and the staff used to Unix (same position). I'm not saying one is more clever than this other. Certainly not. I just believe that the Linux/Unix staff - I mean in companies, not the student at home - is usually more opened to different systems (including Windows) than the Windows staff. That "openess" allow them to find solutions either in engineering or in development faster and usually better. This is actually a general rule. The more you see/travel/visit/meet/eat/read/learn, the more likely you are to find interesting alternatives to a given "idea/problem". A neural network needs a lot of various information to be performant. Some Unix people go work on Windows, and they produce a valuable output. But the majority of the Windows staff has never worked on a Unix based OS. My post was establishing the base for that: Windows people are usually less keen to work on Unix, than Unix people on Windows. Yes, some Unix geeks are reluctant to work on Windows. But they could. Many of the Windows staff cannot (or don't want to) stand in front of a console, or have to deal with the network interfaces file, or the iptables. Why deal with iptables when a GUI does it for you? Right. Agreed. And the GUI is less likely to make a mistake (iptables is pretty complex after all). But someones who makes the effort of understanding iptables will stand better in front of other technical problems. This is merely an observation. You can take that the positive side: Windows people prefer a clean and nicely made GUI.

Re:Not worrying

[slashgrim]

Nothing stops you from using Windows Remote Management to do exactly the same thing with Windows.

Windows applications may support a subset of remote management, but unfortunately there is often the case that one needs a desktop application to fully configure an app. On Linux the default is text file configs modifiable via CLI, whereas Windows' applications _expect_ you to have a GUI. Until that expectation changes, RDP will be the most powerful remote management available on Windows.

Re:Not worrying

[toadlife]

Now that your screed is over, would you care to address the actual statement you replied to; that Windows has the same security functions Linux does?

Re:Not worrying

[hobarrera]

Anyone who cares about security, would use vnc over SSH, and properly configure SSH as well.

Re:Not worrying

[shutdown+-p+now]

No, that's not how it works. Instead, the place where the Start button used to be serves as a kind of honeypot - the attacker reflectively clicks there within the first few seconds after entering the system, and then spends the rest of the session trying to figure out how to get out of Metro. ~

Re:Not worrying

Absolutely a flamebait (and modded as such). Why the fuck are you posting? You have nothing valuable to add, and no one gives a shit about your stupid Linux system.

Re:Not worrying

[TheNinjaroach]

The bitcoin incident wasn't related to a vulnerability in SSH, some root account at Linode had its credentials leaked. SSH was simply the protocol used by hackers to authenticate with genuine credentials.

Re:Not worrying

[tendrousbeastie]

So what if the users are less competent, doesn't make the software any worse just cos its used by less competent people.

Re:Not worrying

[TheInternetGuy]

Is this sarcastic or is this somehow really supposed to be reassuring?

I was aiming for +5, Funny - with a faint smell of insight-fulness while masquerading as informative
I think, I did rather well?

Re:Not worrying

Depends on the app. Exchange administration, for example, is PowerShell first. Anything the UI does is built on top of PowerShell cmdlets that can be called manually, and some settings don't even have UI.

Of course, there are a good many apps that are UI first, as well.

Re:Not worrying

[darkpixel2k]

WTF does SSH vs. GUI have to do with security? If anything, once exploited SSH would be less secure, because its easier to inject commands into a command prompt than it is to automate a GUI.

This: I've spent all damn day doing roughly the following procedure for each of my Windows clients:
* Connect into the client's WSUS server, enter username and password, get to desktop
* For Windows 2003, go to start, admin tools, WSUS
* Click the link for security updates and approve all, then click the link for important updates and approve all
* If they have multiple sites, repeat the first two steps for each site and then click the 'sync now' link
* Wait while the WSUS server(s) download the updates
* Once updates have downloaded, connect in to each internet accessible server that has RDP enabled and enter the username and password
* If it's a 2003 server: go to Start and click run. Type in 'wuauclt /detectnow' and click OK.
* If it's a 2008 server: click the Start orb, search for 'Update', wait while it searches, click 'Windows Update', click 'check now'
* Wait for a few minutes for the Windows Update client to sync updates
* Click 'install' or whatever to start the install process
* Wait forever
* Reboot
* Wait longer
* Reconnect to all the servers, manually comb through the event logs to find out what failed.

Contrast that with my ability to patch my ~75 linux boxen during the SSH fiasco:
* cssh -c file_containing_my_list_of_servers
* Type 'apt-get update && apt-get dist-upgrade && logout' and hit enter
* Wait a few moments while updates are downloaded and installed using a single command
* Look at any terminal windows that remain open as the && logout won't run if there were errors
* Done
(If there's a kernel update or something, && logout can be replaced with && shutdown -r now)

I can easily spend all day updating and patching 50 Windows servers. I spend about 10 minutes in the morning patching 75 Linux boxes while the coffee brews.

And yes, I know there are all sorts of programs I can *buy* that make patching Windows easier--but try convincing people they need to pay more money for something in this economy. cssh is free.

I'm sure Microsoft will fix this soon by adding the incredibly-easy-to-remember powershell command: Windows-Updates -DownloadListNowFromMicrosoft -AlsoInstallThemUpdates -GetListOfServersFromLDAP -IMeanLDAPWithProprietaryExtensions -NoWaitIMeanActiveDirectory -YesIAmAuthorizedToAgreeToAllTheLicensesWithoutLookingAtThem -PleaseRebootTheServersWhenDone | ReportOnUpdatedServers -OutputToDOCX report.docx -YesIPaidForAnOfficeSuite -MaybeEmbedSomeActiveXStuffForOldTimesSake

Re:Not worrying

[darkpixel2k]

Anyone who cares about security, would use vnc over SSH, and properly configure SSH as well.

In case anyone's wondering, here's how you 'properly' configure SSH: apt-get install openssh-server

Done.

Re:Not worrying

[hobarrera]

Many distros enable password login by default. If posible, this should be disabled as well.

Quick...

[davester666]

Somebody finally fix the root of the problem and hack Microsoft's server to push out a Linux iso...

Re:Quick...

Right, so the average user gets treated to a random text based or any installer at boot and says "Hmm, never done that before...better throw it out and get one of those new Windows 8 computers!"

captcha: bricks
yes, bricks. what people will think of their computers after you put linux on it.
that's not an insult to linux...just most people don't even know it exists or wtf to do with it.

Re:Quick...

[hcs_$reboot]

just most people don't even know it exists or wtf to do with it

TFA is about admin management through RDP - not the lambda user around. Allowing a SSH (via a simple user) to connect to a server, and allow some text-based administration from the specialists is one thing, opening a GUI remote administration tool with menus and all that give hints on the howtos mess up with the machine is something else.

Re:Quick...

[philip.paradis]

Speaking as someone who's been doing this for fifteen years, your grasp of information security is appallingly bad. I operate a sizable deployment comprised of Linux, *BSD, and Mac systems. Judging by your last few posts, I sincerely hope you are not employed in a role where any of your duties are closely aligned with the protection of information assets.

Re:Quick...

[lucm]

Somebody finally fix the root of the problem and hack Microsoft's server to push out a Linux iso...

But if someone does hack the Microsoft server (I'm sure they have only one) and install Linux, Windows will disappear and wannabe geeks will have to find another easy target for their wannabe bashing

Re:Quick...

Who cares? I'm a over-smug Mac user!

RDP is Worthless

Who are all these admins doing stuff over RDP and why are they still employed? I've seen these installations myself but I simply cannot believe it. It's so dumb that it boggles the mind. Why would I need to login to a full display server to remotely administrate... anything? Oh, unless I'm on Windows where some applications cannot be used without the GUI. Lol. This is so pathetic. If you simply must use a GUI, just tunnel an X client over SSH and never worry about applying patches again- oh but wait, I forgot again that we're on Windows so you can't do that. Why anyone would rely on this backwards, insecure, cumbersome, and ultimately counter-productive bullshit is completely beyond me.

Re:RDP is Worthless

I've had a time or two at work where a remote admin needed desktop access to see what was wrong and correct it. Granted, if it were the linux box next to it they could have just SSH'd into it.

Re:RDP is Worthless

[DigiShaman]

WOW! Are you detached from reality. Microsoft products are used because of market share and industry momentum. Bitch all you want about design and implementation, but the world isn't going to stop and replace everything with Linux/Unix as though it was some grand Moon Shot program. It will not happen. Get over it.

Re:RDP is Worthless

Durrr yuh think? Great job retard, you figured it out. Of course it's because of market share. Yes I'm seriously proposing everyone switch to Linux overnight. Holy fucking crap, are you Steve Ballmer? I'm sorry your software is so shitty and Linux/Unix dominates market share everywhere but the desktop. Lol get over yourself dude.

Re:RDP is Worthless

Technology conforms to organizations and businesses, not the other way around. CLI has proven to suck absolute balls in consumer markets. It's why the GUI is so popular. People are *gasp* visual creatures.

Re:RDP is Worthless

[lucm]

Who are all these admins doing stuff over RDP and why are they still employed? I've seen these installations myself but I simply cannot believe it. It's so dumb that it boggles the mind. Why would I need to login to a full display server to remotely administrate... anything? Oh, unless I'm on Windows where some applications cannot be used without the GUI. Lol. This is so pathetic. If you simply must use a GUI, just tunnel an X client over SSH and never worry about applying patches again- oh but wait, I forgot again that we're on Windows so you can't do that. Why anyone would rely on this backwards, insecure, cumbersome, and ultimately counter-productive bullshit is completely beyond me.

The dangerous people are not the admins that are using RDP. The dangerous people are the idiots that think that because they use an X client over SSH they don't have to worry about applying patches again.

So it does not surprise me that the fact that people rely on technologies that you don't understand is completely beyond you. Once you get real work experience, other than maintaining that FTP server for a non-profit or that Drupal server for Uncle Bob's tackle and bait shop, we can have this discussion again.

Re:RDP is Worthless

[dwywit]

Cheap (free), secure, easy. Pick 2.

Re:RDP is Worthless

[dwywit]

Linux and its applications only dominate ANYWHERE because they're cheap/free. Granted, they work well enough for the market they're aimed at, but there's a lot more to the IT world than the internet.

Re:RDP is Worthless

[KiloByte]

Then why did you pick only 0.5 for Windows?

Re:RDP is Worthless

[ka9dgx]

Cheap, Secure, Easy, not Vaporware, pick any 2... ;-)

Capability based security systems could give cheap, secure, easy... but they are definitely vaporware at this point in time.

Re:RDP is Worthless

There are applications (XServers) for windows that will allow you to do the X11 over SSH just fine.. sorry to burst your bubble...

Re:RDP is Worthless

[StuartHankins]

Linux and its applications only dominate ANYWHERE because they're cheap/free

False. Many of us use Linux / UNIX for workloads and tasks that Windows won't run at all, or that run significantly slower using Windows. Scalability, downtime prevention, and consistent operation is unparalleled in the mainframe / mini segment which is *nix territory -- not Windows.

We spend a lot of money annually to keep our Linux systems supported, both from an employee cost as well as support / upgrades from the vendor, so I can assure you we haven't made this choice because it's cheaper software-wise. It's cheaper because we can do more with smaller systems, we have less downtime, and we spend less time tuning and maintaining Linux systems than we did using Windows.

Re:RDP is Worthless

[HideyoshiJP]

You don't. You use MMC or some custom vendor console (native and/or web). RDP is really only for special cases.

Re:RDP is Worthless

> Linux and its applications only dominate ANYWHERE because they're cheap/free.

No. The vast majority of companies I've worked with paid for Red Hat and nearly all of them also paid for MySQL. Red Hat and Oracle have been around a long time. They wouldn't have if, as you claim, people didn't pay for their products.

Re:RDP is Worthless

[David+Jao]

X over SSH is in fact easier to secure. It's obviously not easy to the point of never having to apply patches again, but it improves on RDP in a significant, nontrivial way: the GUI is decoupled from the network-facing service. The resulting small network-facing service is easier to audit and secure against attacks. It's important to appreciate the benefits provided by the Unix philosophy of one separate small program for each task.

Re:RDP is Worthless

[dwywit]

I think you've confirmed my argument - you could do all your stuff using Windows (except for software that has NO Windows equivalent) , but it would cost a truckload more $$$

Re:RDP is Worthless

[symbolset]

Yeah, I'm sure those supercomputer geeks are a bunch of incompetent tightwads incapable of understanding the Windows ROI. What would the physics nerds at CERN know about math?

I still don't get it

Why do companies keep purchasing and spending thousands of dollars to an operating system that obviously isn't secure, while Linux is stable, free, open and has become easier to use thanks to a plethora of GUIs.

Re:I still don't get it

[dwywit]

Post with your real name and we'll talk to you, troll

Re:I still don't get it

Shut up, you sweat from a baboon's balls.

VNC over SSH tunnels, public keys, no root login

[PolygamousRanchKid+]

Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.

Any other ports?

It's tunnels. All the way down.

cone crusher

[xiazhouchina]

mobile crusher http://www.xz-crusher.com/2011/1207/17.html Jaw Crusher http://www.xiazhouchina.com/2011/0910/2.html

Re:VNC over SSH tunnels, public keys, no root logi

True. I use it for IMAP as well. SSH replaces every VPN solution out there.

Out of the frying pan

[MicroSlut]

As if it isn't bad enough that an RDP worm is already spreading due to weak passwords. If users/admins are incompetent enough to use passwords fit for luggage you can only guess how many unprotected Internet facing RDP servers will be ravaged within the next few weeks. Don't get me wrong. I have seen situations that actually call for an Internet facing RDP, such as screaming sales execs behind third party firewalls that block egress GRE, 443, and 22, with the variety of IP addresses causing admins to play wack-a-mole in Webmin to allow individual IPs, but these admins have already patched. If a rogue Fawkes writes a worm for a Massive DDoS or particularly nasty payloads many of us will suffer. An exam should be required to run these services and it should be harder to get than a drivers license. Am I ranting?

Re:Out of the frying pan

[lucm]

If users/admins are incompetent enough to use passwords fit for luggage you can only guess how many unprotected Internet facing RDP servers will be ravaged within the next few weeks.

This is not a problem unique to Windows. At least once or twice a year I stumble upon machines where I can use SCOTT TIGER, toor or "secret" credentials.

Privilege escalation???

[Alex+Belits]

Since when Microsoft started counting those as bugs? Their usual policy is only to count remote exploits as "real" bugs worth being announced.

Re:Privilege escalation???

[dkf]

Since when Microsoft started counting those as bugs? Their usual policy is only to count remote exploits as "real" bugs worth being announced.

Why complain? It's exactly the right thing for Microsoft to be doing.

Their big problem is the massive overhang of software that's not been properly designed for security (e.g., too much is still default-allow) and which people continue to want to use. The various Unix-based OSes have an advantage here, even if it is one of happenstance: Unix apps have been designed for use in privilege-separated environments, and have been for many decades. Microsoft got with the program later, and that's always much harder. (Also, their commitment to supporting crufty older software, while generally pretty commendable, works against them a lot in this case.)

Re:Privilege escalation???

[msobkow]

So it took them a few decades to learn that a privilege escalation is only one step removed from a full intrusion. At least they did eventually learn.

Re:Privilege escalation???

Since when Microsoft started counting those as bugs? Their usual policy is only to count remote exploits as "real" bugs worth being announced

No ! Don't let facts stop you from MS bashing ! What kind of a anti-ms troll are you? You need to undergo training buddy..

Step 1: Ignore all the thousands of security bugs that Linux developers introduce into codebase every year.
Step 2: Read more slashdot.

Re:Privilege escalation???

[Alex+Belits]

Oh, I am not complaining. I am just surprised after years of Microsoft shills screaming "Linux has a security bug in libpng but Windows does not!" and similar nonsense.

Re:Privilege escalation???

"Hey look LINUX comes with soo much free software by default.. look at all this good stuff. Haha.. windows is useless out of box"

"What ? What? A security bug in libpng? .. um.. no.. that is not LINUX. What are you talking about? LINUX is a kernel ! You fool.. this has nothing to do with LINUX .. lol you are such a moron for installing this ! Its your fault ! Why did you choose to install this software ?"

If you ship it, you're responsible for it. As usual Open Source cheerleaders choose to hide behind whatever argument suits them. No sane person would ever choose to use Linux if it was not free.

Re:Privilege escalation???

[Alex+Belits]

...and here they are, Microsoft shills.

Re:Privilege escalation???

[tibit]

Obviously, in your mind, people who pay for, say, RedHat EL, must not exist. Heck, even I pay for two RHEL self-support subscriptions, it's well worth the price in a business.

Re:VNC over SSH tunnels, public keys, no root logi

[Slashcrap]

Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.

Any other ports?

It's tunnels. All the way down.

Yeah, it sure is unfortunate that you can't do exactly the same thing with RDP. And MS should definitely think of adding IPSEC support one of these days (yes, I know). Of course people are probably less likely to bother, since unless you're French, RDP is fully encrypted (standard VNC only encrypts the password) and talking of passwords it allows them to be more than 8 characters long. You can even have a username too, if you use the right version and configure PAM (joke - there is no right version for that because it's a terrible idea security wise). It has also never had a bug where the client could tell the server it didn't support any of its authentication schemes and so the server simply let it connect without authentication.

In fact this is the first time I've heard of a potential serious vulnerability in Remote Desktop, so frankly this is not the area to be smug about.

Anyway this is a bit too MS positive for my liking, so I'll just add that TurboVNC + VirtualGL + VirtualBox = one fucking awesome free VDI implementation. Add SSH, OpenVPN or IPSEC to taste if you want (although VirtualGL handles SSH itself transparently if you want). Actually for remote admin purposes you only need the 1st part (unless it's a bunch of 3D workstations you're supporting). And possibly a new hobby to use to soak up all the time you used to waste waiting for the screen to refresh. I would also mention FreeNX, but a) I think it gets outperformed by the above and b) I am fucked if I'm setting that damned thing up again just to verify.

Oh yeah, one more neat trick - Virtualbox can run in headless mode on a box with no GUI (or with one, doesn't matter). In this mode it serves up the VM display using an extended version of RDP. The great thing is this doesn't just apply to Windows VMs - it can serve any OS it can run over RDP. Watch the look on your colleague's faces as you get them to fire up MSTSC and connect straight into Ubuntu. Or OS2, OSX, Win 3.1 etc.. etc.. You can even dump them into an EFI shell or the virtual BIOS. Literally minutes of laughs to be had. Oh yeah, you may need the non-open source extension pack for that. Also they're adding VNC in the next release. I have no fucking idea why.

And no, I have no idea why you're not allowed to use RDP encryption in France. I have no idea why they're not allowed to use deoderant either, come to think of it.

Re:VNC over SSH tunnels, public keys, no root logi

Yeah, it sure is unfortunate that you can't do exactly the same thing with RDP. ....

Actually you can:
- cygwin on the Windows box
- sshd service under cygwin
- connect via ssh into your windows box
- tunnel through the ssh into port 3389 on the same box
- open Terminal Services client, connect to localhost:XXXX
Works like a charm for me.

Re:VNC over SSH tunnels, public keys, no root logi

try nomachine.com

in other words...

it is once again the second tuesday of the month. so... same old, same old.

First real breach in Windows for a loong time

[fluor2]

Microsoft has been counting IE security holes as Remote Execution a long time, which actually requires user intervention at the client-side.

I'm rather surprised that it took this long before somebody found a possible breach in the RDP implementation.

Who does RDP over the internet?

[MrCrassic]

I would think that most people who absolutely needed to remote into their machines over the Internet would use some kind of tunnelling to a jumpbox or remote access appliance to RDP to an internal server...

Re:Who does RDP over the internet?

Never underestimate the stupidity of IT administrators.

Re:Who does RDP over the internet?

It's not always the IT dept. Never underestimate the stupidity of the check writers, who don't feel the need to pay for a VPN solution, or don't want to be encumbered by a couple of extra mouse clicks.

Re:Who does RDP over the internet?

The cloud servers I know (EC2, Rackspace, Azure) all provide RDP over the internet ("cloud") to manage them

Re:VNC over SSH tunnels, public keys, no root logi

You don't even need cygwin, you can use something more userfriendly, like putty.
That's what i do

Re:VNC over SSH tunnels, public keys, no root logi

Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.

FYI, there have been security flaws found in ssh servers in the past.

Maybe you're too inexperienced to know that.

The end is near

[ka9dgx]

This marks the end of the internet, as there are surely millions of Windows 2000 servers out there with RDP enabled in business critical roles. You linux fan boys can laugh all you want at the stupidity of it, but this will eventually take out everything as it interrupts supply chains all over the world.

If you have any Microsoft stock, sell it now, the implications of their policies on older software are about to come rocketing back at them in a tsunami.

I hope the fsck I'm wrong about this... we'll know in about a month.

Re:The end is near

[Yunzil]

Crack is a hell of a drug.

Questions and Observations

[EmagGeek]

First, I've never once seen a best practices document that says "put RDP on the Internet." Maybe one exists, or maybe there are special cases somewhere that allow for it, but to me it just seems stupid to connect a Windows machine directly to the Internet, or port-forward directly to one from the edge device.

Second, has anyone heard of an exploit for this that involves a prior uncovered exploit - basically you get some malware that "phones home" to an SSH server and opens a reverse tunnel back to the local RDP server? It seems to me that this would be one way they would do it.

Re:Questions and Observations

[drinkypoo]

The really sad thing is that there's ipsec in Windows and it's a trivial matter to create a policy that requires all connections to a particular service to be encrypted.

Re:Questions and Observations

[theprofessor102]

your the first to hit it on the head! Why would anyone put a window box any where close to the internet. Where is the vpn! No vpn no connection. VPN then RDP problem solved.

Re:Questions and Observations

[PlusFiveTroll]

Well, with the low number of RDP holes over the years, statistically speaking, it's just as likely your VPN will have an exploit and get hacked.

Remember, it's turtles all the way down. All a hacker needs to find is the weakest link in the chain.

Re:Questions and Observations

[DigiShaman]

I've never seen an official best practice document that says not to make RDP open over a public IP. Where did this myth and misconception that RDP is inherently more insecure than any other protocol out there? Is it because now that you can visually see the Windows sign on screen via GUI that it's too close for comfort? In other words, is it just psychological? The way understand RDP, is that it's just another service that streams data back and forth between the server an client.

Just how did this FUD get started? What was the impetus to have the fear to begin with? I really want to know.

Re:VNC over SSH tunnels, public keys, no root logi

[MiG82au]

You can't log into Putty, it's a client not a server. I've used Copssh as an ssh server on a Windows machine. Am I unaware of a way to use PuTTY as a server?

Re:VNC over SSH tunnels, public keys, no root logi

[gotpaint32]

You can definitely tunnel RDP, its built right into Windows and called Terminal Server Gateway. With that you can use client cert validation and tunnel in over SSL. Add some nice middleware and it will even allow you to use hardware password tokens (if you can afford them).
What people seem to be forgetting is that RDP alone is not really a "secure" communications channel for public networks. If you need high security, users should be VPNing into your LAN and then RDPing over that tunnel.

Re:VNC over SSH tunnels, public keys, no root logi

[Pieroxy]

http://www.putty.org/

The page is simple enough, I'll let you figure it out.

Note: I've never used it - yet.

Re:VNC over SSH tunnels, public keys, no root logi

I thought the page would be simple enough that you could figure it out...

The SSHD program listed on that page is NOT related to the PuTTY project, it's managed by BitVise and has a $100/license cost associated with it for non-personal use.

So, PuTTY is still not a server.

None of this would be happening if we all ran OS/2

[jpvlsmv]

The subject has become somewhat of a catchphrase in my org.

The hidden subtext is that "None of this" would include the Internet, our business, or my paycheck.

--Joe

Re:VNC over SSH tunnels, public keys, no root logi

[Pieroxy]

You are correct, my bad. Two other SSH servers for windows (that appear to be free) :

http://mobassh.mobatek.net/ - never heard of it

http://sshwindows.sourceforge.net/ - Based on Cygwin but doesn't require a full blown cygwin install.

RDP provides more than just a GUI

[nuckfuts]

RDP can optionally make the client's local drives and printers accessible on the server. This is quite convenient if you need a local copy of a file (that's too large to e-mail), or a printed report while on the road.

Re:VNC over SSH tunnels, public keys, no root logi

[jgoemat]

Or winsshd, which is free for personal use. Their Tunnelier client is is always free and sets up a forwarded port and lets you rdp to the server you're connected to with a click.

Re:VNC over SSH tunnels, public keys, no root logi

[darkpixel2k]

http://www.putty.org/

The page is simple enough, I'll let you figure it out.

Note: I've never used it - yet.

I'd double-check that URL. The official site is and has always been: http://www.chiark.greenend.org.uk/~sgtatham/putty/