[21 May Edit - Added reference to McAfee Labs for details on the vulnerability]
Here we go again? On the May 14th Patch Tuesday, Microsoft issued security updates for the critical vulnerability CVE-2019-0708 in the Remote Desktop Protocol (RDP) for Windows.
Security update availability for systems long out of support, such as XP and 2003, hasn’t gone unnoticed. Like many high-profile security issues, this one has been given a name, “BlueKeep”, as a follow-on to “EternalBlue” RDP exploitation in 2017 by nation-state and criminal activity groups.
Impact potential for another internet worm was no doubt a factor in Microsoft backporting fixes to Windows versions well beyond the official support lifecycle. The concern seems legitimate based on Shodan search engine results identifying millions of devices with RDP exposed to the internet. A related concern is that a single exploited system at your perimeter could open the door for a worm to spread throughout an enterprise network and deeper into protected OT systems. Yikes!
Many PI System managers use RDP because it comes out of the box with the operating system as the de facto interactive Windows remote administration experience. This convenience (and power) is compelling but not entirely necessary to manage a PI System.
PI System Management Tools and PI System Explorer are the official tools for remote management of the PI System and do not require use of RDP. Furthermore, the trend in managing large fleets of PI Systems is toward scripting approaches such as PI PowerShell.
Until recently, however, avoiding RDP seemed moot to PI System managers. Many preferred RDP because they are also responsible for managing the underlying Windows operating system. If this sounds like your organization, read on – we have good news for you!
Microsoft’s Windows Admin Center (WAC) is a web front-end application that provides an interactive remote administration experience for Windows. While it seemed a long wait for Microsoft to coalesce all the management functions into WAC, the results are impressive and as simple as you would expect for support of interactive use cases.
WAC eliminates the waste of installing and servicing the Desktop Experience GUI on Windows Servers. Microsoft credits WAC with accelerating adoption of Windows Server Core on back-end servers. It appears even Windows administrators prefer using a browser for interactive remote access now that one is available.
More people are taking notice as WAC is a year old now. My advice for PI System managers is to start planning for WAC and say goodbye to RDP. BlueKeep could be the last time you need to be concerned about RDP on your PI System servers!
The blog of OSIsoft security partner Dragos has a nice table about RDP exposure to the BlueKeep vulnerability.
Check out Microsoft’s “Hello, Windows Admin Center” documentation and video.
McAfee Labs: RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708