Port 3389 Exploit: Prevent another WannaCry

On Patch Tuesday (14 May 2019) Microsoft offered an RDP patch for legacy Windows and outlined the details here:

https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

The most immediate steps your organization should pursue are the following:

  1. Block port 3389 from being publicly visible, as it is only a matter of days, or perhaps hours, before the patch is reverse-engineered into a wormable exploit. To test whether you are publicly visible, use grc.com/shieldsup, which shows not just RDP but any other ports you may be exposing to the public Internet.
  2. Turn off Remote Desktop everywhere it isn’t absolutely needed. If you’re part of a corporate network, your IT administrators can do this with a Group Policy. Otherwise, on each Windows computer, disable Remote Desktop.
  3. Update Windows immediately using Windows Update.
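
For machines that are not managed by Group Policy, step 2 can be scripted. The following is an added example, not part of the original post: it reports whether Remote Desktop is enabled and listening on the local machine and, when run with the hypothetical `-Disable` switch, turns it off and disables the built-in firewall rule group. It assumes an elevated prompt and Windows Vista / Server 2008 or later (for `netsh advfirewall`).

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Uses only the registry, netstat and netsh, so it also runs on PowerShell 2.0.
param([switch]$Disable)   # hypothetical switch: without it the script only reports

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpState {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    # The listener port is configurable; 3389 is only the default.
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
    # Check whether anything is actually listening on that port right now.
    $listening = [bool](netstat -ano | Select-String -Pattern ":$port\s.*LISTENING")
    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        RdpEnabled = ($deny -eq 0)
        Port       = $port
        Listening  = $listening
    }
}

$before = Get-RdpState
$before | Format-List Computer, RdpEnabled, Port, Listening

if ($Disable -and $before.RdpEnabled) {
    # Refuse new Remote Desktop connections.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    # Disable the built-in inbound firewall rules for Remote Desktop.
    netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
    # Report the state again; re-check after a reboot if a listener is still shown.
    Get-RdpState | Format-List Computer, RdpEnabled, Port, Listening
}
```

Disabling Remote Desktop this way does not replace step 3: the machine still needs the update from Windows Update.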

Note that even if you have egress control and a strict firewall, this type of attack, when it materializes, can move laterally within an organization without ever crossing a firewall. Take all of the above precautions regardless of the strength of your gateway security.