Terminal Services at Risk for DoS Attack

Microsoft Corp. issued a fix Wednesday night to patch a Terminal Services bug that makes Windows servers vulnerable to a Denial-of-Service (DoS) attack.

The vulnerability affects systems running Windows NT 4.0 Terminal Server Edition as well as Windows 2000 Server and Windows 2000 Advanced Server, both of which incorporate integrated Terminal Services.

According to a bulletin that Microsoft sent to the subscribers of its security mailing list, the vulnerability can be exploited in a DoS attack by an attacker who sends a malformed packet to port 3389 on a server.

Microsoft’s Terminal Services implementation in both Windows NT 4.0 Terminal Server Edition and in Windows 2000 leverage a protocol, dubbed the Remote Data Protocol (RDP), which listens for requests on port 3389.

Each time a host system processes a malformed RDP packet, Microsoft says, system memory is depleted. It's possible that an attacker could send enough malformed RDP packets to exhaust the resources of a server and to cause it to stop responding to other (legitimate) requests.

The software giant cautions that an attacker does not have to successfully log into a Windows server in order to take it down. Instead, officials say, she has only to bombard port 3389 with malformed RDP packets.

Microsoft claims that IT organizations can safeguard against external attacks by blocking traffic intended for port 3389 on their firewalls or routers. To do so, however, would also restrict the ability of legitimate users outside of an organization to access terminal services.

The problem is serious, says Edward Ko, a network coordinator with the Pennsylvania State University, because the Terminal Services deployment options in Windows 2000 Server and Windows 2000 Advanced Server are among the most popular features of the operating system.

"Even if you don't have an 'Application Server' license to support a lot of users on Terminal Services, you can deploy [Terminal Services] in 'Remote Administration' mode," he explains, noting that IT managers commonly enable "Remote Administration" mode on Windows 2000 servers in order to let them manage these systems remotely.

"There are still a lot of things that you can't do in Windows 2000 with a command line," he says. "Because of this, integrated Terminal Services were a godsend."

The patch can be found here.

The vulnerability disclosure comes one day after Microsoft issued a fix for a memory leak vulnerability in its Services for Unix 2.0 that affected SFU's implementations of Telnet and the Network File System. Stephen Swoyer

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

  • Most Microsoft Retail Locations To Shut Down

    Microsoft is pivoting its retail operations to focus more on online sales, a plan that would mean the closing of most physical Microsoft Store locations.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.