Port 3389 Exploit: Prevent another WannaCry
On Patch Tuesday (14 May 2019) Microsoft offered an RDP patch for legacy Windows and outlined the details here:
The most immediate steps your organization should pursue are the following:
- Disable port 3389 from being publicly visible as it is only a matter of days, or perhaps hours, before the patch is reverse-engineered into a wormable exploit. To test if you are publicly visible, check out grc.com/shieldsup to show not just RDP but any other ports you may be exposing to the public Internet.
- Turn off Remote Desktop everywhere it isn’t absolutely needed. If you’re part of a corporate network, your IT administrators can do this with a Group Policy. Otherwise, on each Windows computer, disable Remote Desktop.
- Update Windows immediately using Windows Update.
It is important to note that even if you have egress control and a strict firewall, this type of attack, when it materializes, can move laterally in an organization without going over a firewall, so it is important to take all of the above precautions regardless of the strength of your gateway security.