Terminal Services at Risk for DoS Attack

Microsoft Corp. issued a fix Wednesday night to patch a Terminal Services bug that makes Windows servers vulnerable to a Denial-of-Service (DoS) attack.

The vulnerability affects systems running Windows NT 4.0 Terminal Server Edition as well as Windows 2000 Server and Windows 2000 Advanced Server, both of which incorporate integrated Terminal Services.

According to a bulletin that Microsoft sent to the subscribers of its security mailing list, the vulnerability can be exploited in a DoS attack by an attacker who sends a malformed packet to port 3389 on a server.

Microsoft’s Terminal Services implementation in both Windows NT 4.0 Terminal Server Edition and Windows 2000 leverages a protocol, dubbed the Remote Data Protocol (RDP), which listens for requests on port 3389.

Each time a host system processes a malformed RDP packet, Microsoft says, system memory is depleted. It's possible that an attacker could send enough malformed RDP packets to exhaust the resources of a server and to cause it to stop responding to other (legitimate) requests.

The software giant cautions that an attacker does not have to successfully log into a Windows server in order to take it down. Instead, officials say, she has only to bombard port 3389 with malformed RDP packets.

Microsoft claims that IT organizations can safeguard against external attacks by blocking traffic intended for port 3389 on their firewalls or routers. To do so, however, would also restrict the ability of legitimate users outside of an organization to access terminal services.

The problem is serious, says Edward Ko, a network coordinator with the Pennsylvania State University, because the Terminal Services deployment options in Windows 2000 Server and Windows 2000 Advanced Server are among the most popular features of the operating system.

"Even if you don't have an 'Application Server' license to support a lot of users on Terminal Services, you can deploy [Terminal Services] in 'Remote Administration' mode," he explains, noting that IT managers commonly enable "Remote Administration" mode on Windows 2000 servers in order to let them manage these systems remotely.

"There are still a lot of things that you can't do in Windows 2000 with a command line," he says. "Because of this, integrated Terminal Services were a godsend."

The patch can be found here.

The vulnerability disclosure comes one day after Microsoft issued a fix for a memory leak vulnerability in its Services for Unix 2.0 that affected SFU's implementations of Telnet and the Network File System.

Stephen Swoyer

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

