Included in this month's Microsoft monthly software update releases are fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services (formerly known as Terminal Services) that affects some older versions of Windows. The Wall Street Journal and Fox News have quoted Microsoft in their articles and point to Microsoft's statement that this vulnerability could be used as a cyber weapon similar to the WannaCry outbreak. In Part 1, Ed Higgins provided a write-up which explains the vulnerability, why it is important, and how Catapult Spyglass services are taking steps to get ahead of it.
In this blog post we will look at how to avoid vulnerabilities like this and discuss some methods we are using in Windows 10 and Windows Server Lifecycle Management (Launch) to get ahead of this vulnerability.
Focus on the basics:
The key to avoiding a security vulnerability like this one is to focus on the basics: keep your Windows operating system versions current and keep your systems patched (get secure and stay secure).
Migrate to a current Windows operating system: One of the key points that we can see from this vulnerability is how important it is to keep your Windows operating system versions up to date. This vulnerability impacts Windows 7, Windows Server 2008 and Windows Server 2008 R2 (and older operating systems). While many organizations still have these operating systems in place, Windows 7, Windows Server 2008 and Windows Server 2008 R2 all leave extended support on January 14, 2020. Organizations which do not have these operating system versions in place are not at risk from this vulnerability. The graphic below shows the benefits of solutions like Windows as a Service, where more frequent operating system releases minimize the protection gap which occurs when operating systems are released on a less frequent basis.
Implement an effective patch management strategy: Effective patch management is essential to mitigating security vulnerabilities. This requires a patch management approach which deploys patches throughout the environment, initially to development and test systems and then into production systems. Patch management needs to include not only operating system patches (Windows, Linux, etc.) but also driver patches and 3rd party application patching. For situations like this one, you also need a method to handle out-of-cycle items which may occur beyond the standard "patch Tuesday" type releases, as occurred with Meltdown and Spectre. Based on our research of major breaches which have occurred in the last 2 years, approximately 80% of these breaches could have been avoided if the organization had an effective patch management strategy in place which kept systems up to date with the latest patches. The average cost of a security breach is $4 million USD!
How to get ahead of this type of security vulnerability:
As part of Launch, Catapult provides our customers with notification of patches which occur on a monthly basis and for out-of-band situations like those which occurred for Meltdown and Spectre. Beyond this, we recommend the following actions:
Identify systems that are at risk to the security vulnerability.
This information is straightforward to gather through systems management tools such as System Center Configuration Manager (SCCM) or Intune.
Deploy operating system patches and updates as soon as possible.
Falling behind on updates increases the odds that you will be subject to a data breach (current statistics show that 1 in 4 organizations will experience a data breach).
Reduce your attack surface by uninstalling or disabling unused operating system roles, services, and protocols.
For the RDP security vulnerability mentioned in this post, disable RDP on the at-risk systems where this service is not mandatory (this can be done by using SCCM, Intune, Group Policy, PowerShell, or 1E's product Tachyon). This is especially important on systems which are externally facing and have RDP enabled.
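As an added example (not Catapult's or Microsoft's code), the following PowerShell script covers the two actions above on a single host: it reports whether the OS version is one affected by CVE-2019-0708 and, when RDP is not mandatory there, disables Remote Desktop connections and the inbound firewall rule group. It assumes it is run elevated and that the `-RdpRequired` switch is an assumed per-host setting you pass on systems where RDP must stay on.

```powershell
# Added example: identify an at-risk OS and disable RDP where it is not required.
# Assumptions: runs with administrator rights; -RdpRequired is a hypothetical
# switch you pass on hosts where Remote Desktop must remain enabled.
param([switch]$RdpRequired)

# Get-WmiObject (not Get-CimInstance) so this also runs on PowerShell 2.0,
# which is what Windows 7 / Server 2008 ship with.
$os = Get-WmiObject -Class Win32_OperatingSystem

# Windows 7 / Server 2008 R2 report version 6.1, Server 2008 reports 6.0, and
# older systems report 5.x. Windows 8 / Server 2012 (6.2) and later are not affected.
$atRisk = [version]$os.Version -lt [version]'6.2'

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$rdpEnabled = ($denyTs -eq 0)

# One line per host so the output can be collected centrally (e.g. via SCCM).
Write-Output ("{0}: {1} (version {2}) affected={3} rdpEnabled={4}" -f `
    $env:COMPUTERNAME, $os.Caption, $os.Version, $atRisk, $rdpEnabled)

if (-not $atRisk) { return }

if ($RdpRequired) {
    # Nothing to disable here: the mitigation is the Microsoft update for CVE-2019-0708.
    Write-Warning "RDP is required on an affected OS; install the CVE-2019-0708 update immediately."
    return
}

if ($rdpEnabled) {
    # Deny Terminal Services connections (same value Group Policy sets).
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    # netsh is used because the NetSecurity cmdlets are unavailable on Windows 7/2008.
    netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
    Write-Output "RDP disabled on $env:COMPUTERNAME"
}
```

Run it with `-WhatIf`-style caution in mind: the registry and firewall changes take effect immediately and will drop any active RDP session on the host.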
Monitor your systems for suspicious behavior.
Bad actors can infiltrate your systems before you can detect them (the average time to detect breaches in the US in 2017 was 206 days). Start closely monitoring at-risk systems immediately. Continue to scrutinize these systems after updates are installed to ensure that an attacker didn't get a foothold in your network.
Staying current on your operating systems and having an effective patch management strategy can help you significantly mitigate risks from new vulnerabilities like this one as they occur. If Catapult can help you migrate to new operating systems (Windows 10, Windows Server 2019), patch and manage your operating system versions, or secure your systems, we would be glad to assist.