What is “Dedic”?

2012.08.17

Well, if You speak Russian and are in the computer crime world, on either side, You know what I am talking about. If not – here is a brief look at what it is, what it is used for, and why it is named this way.


Windows 2008: Get RDS grace period status

2012.05.01

Windows Server 2008 Remote Desktop Services has a grace period of 90 days from installation until the day it locks users out. Surprisingly, there is no big red screen with a countdown, or even a small notice in Server Manager about the expiration date. It is somehow hidden, so the expiration usually comes unexpectedly 🙂 And now Your business is down.

How can You connect to a locked server? Run the RDP client in admin mode: mstsc /admin. From there You can configure licensing and add licenses.

By the way – You can see the days left in a few ways:

1. In CMD (Run as Administrator) – paste and run:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TerminalServiceSetting WHERE (__CLASS !="") CALL GetGracePeriodDays

From Here – thx Ovi Borrero

2. Or You can use a PowerShell script or VB to get this info – see MSDN
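A PowerShell version of the same query, written as a check a scheduled task or monitoring agent can run. This is an added example, not code from the original post or from MSDN; the $WarnDays threshold and the exit codes are assumptions, and a failed call is reported as UNKNOWN rather than guessed.

```powershell
# Added example: read the RDS licensing grace period and turn it into a
# monitoring result. Run locally in an elevated PowerShell session.
param(
    [int]$WarnDays = 14   # hypothetical warning threshold, choose Your own
)

try {
    # Same namespace and class the wmic command above queries.
    $ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                        -Class Win32_TerminalServiceSetting `
                        -ErrorAction Stop | Select-Object -First 1

    # GetGracePeriodDays returns an object whose DaysLeft property
    # holds the remaining days.
    $daysLeft = [int]$ts.GetGracePeriodDays().DaysLeft
}
catch {
    # The call can fail, for example without elevation. Report the error
    # instead of pretending the server is fine.
    Write-Output "UNKNOWN: cannot read RDS grace period: $($_.Exception.Message)"
    exit 3
}

if ($daysLeft -le 0) {
    Write-Output "CRITICAL: RDS grace period has expired on $env:COMPUTERNAME"
    exit 2
}
elseif ($daysLeft -le $WarnDays) {
    Write-Output "WARNING: RDS grace period ends in $daysLeft day(s) on $env:COMPUTERNAME"
    exit 1
}
else {
    Write-Output "OK: RDS grace period has $daysLeft day(s) left on $env:COMPUTERNAME"
    exit 0
}
```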

 

CVE-2012-0002 attack vector

2012.03.20

“I have no RDP listener available from the Internet” – this has somehow become an excuse and a way to feel safe. Dan Kaminsky scanned the Internet for RDP ports and found about 5 million hosts available via RDP, so everyone else suddenly feels more comfortable.
Really?

Let’s look at the attack vector. Let’s assume RCE is available:

1. Internet-reachable unpatched RDP servers get infected (both on 3389 and on other ports).

2. From them – the local networks are scanned and the exploit spreads further.

3. For each new network connection – RDP access is tried against the reachable subnet.

Well, with this two- or three-step access, even a laptop in a protected LAN with VPN access to a secured server that has no Internet access becomes a must-be-patched machine.

So – please take the time to patch not only Internet-facing servers but the whole internal network (domain clients in a Windows network are available via RDP in the default config for XP).

 

MS12-020 aka CVE-2012-0002 by Luigi Auriemma

2012.03.16

Well, here is the moment – on 16.03.2012 Luigi Auriemma, the researcher who discovered (or made public) the RCE flaw in the Microsoft Remote Desktop protocol, released the technical info.

There were a few comments here and there that a strictly elite exploit for this flaw was already known, but since no proof was released, let’s assume this is a new threat.

Paper

Code

According to Mr. Auriemma, the bug was discovered on 16.03.2011 (!) – wow, this is an example of self-restraint. About a year with a critical MS bug affecting all modern platforms in his pocket, waiting for the vendor to fix it. White Hat of the year 2011 – indeed.

Now – we can just wait for the worm to come… And let’s hope it will not be like the Sandworm from Dune 🙂

Patch CVE-2012-0002: Microsoft RDP Remote Code Execution Vulnerability

2012.03.14

The vulnerability in RDP reported by Luigi Auriemma has not been widely exploited so far, but the patch is now released, which means it can be reverse-engineered. As of tomorrow, all Your Windows machines should be patched, otherwise You are in trouble. The list of vulnerable systems includes literally all Windows machines that can be reached via RDP, both clients and servers.

Best way – run Windows Update.

If You prefer manual patching, here is the list:

Clients:

Microsoft Windows 7 for x64-based Systems SP0 – KB2621440, KB2667402

Microsoft Windows 7 for x64-based Systems SP1 – KB2621440, KB2667402

Microsoft Windows 7 for 32-bit Systems SP0 – KB2621440, KB2667402

Microsoft Windows 7 for 32-bit Systems SP1 – KB2621440, KB2667402

Microsoft Windows XP Professional x64 Edition SP2 – KB2621440

Microsoft Windows Vista x32 SP2 – KB2621440

Microsoft Windows Vista x32 SP2 – KB2621440

Servers:

Microsoft Windows Server 2003 Datacenter x64 Edition SP2 – KB2621440

Microsoft Windows Server 2003 x64 SP2 – KB2621440

Microsoft Windows Server 2003 x32 Standard Edition SP2 – KB2621440

Microsoft Windows Server 2003 Itanium SP2 – KB2621440

Microsoft Windows Server 2008 for 32-bit Systems SP2 – KB2621440

Microsoft Windows Server 2008 for x64s SP2 – KB2621440

Microsoft Windows Server 2008 R2 x64 SP1 – KB2621440, KB2667402

Microsoft Windows Server 2008 for x64 SP2 – KB2621440

Microsoft Windows Server 2008 for x64 R2 – KB2621440, KB2667402

Microsoft Windows Server 2008 R2 Itanium SP0 – KB2621440, KB2667402

Microsoft Windows Server 2008 for Itanium SP2 – KB2621440

Microsoft Windows Server 2008 R2 Itanium SP1 – KB2621440, KB2667402
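To find machines that still lack these updates, internal ones included, the list above can be turned into an audit. This is an added example, not part of the original post; it matches by KB id only, so a host covered by a later superseding update would still show as MISSING, and the version test for Windows 7 / Server 2008 R2 (NT 6.1) follows the KB2667402 entries in the list.

```powershell
# Added example: report which hosts still lack the MS12-020 updates
# from the list above. Needs admin rights on the audited machines.
param(
    # Hosts to audit; defaults to the local machine. Pass internal
    # clients and servers too, not only Internet-facing ones.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$BaseKb = 'KB2621440'   # listed above for every affected system
$R2Kb   = 'KB2667402'   # listed above additionally for Windows 7 / 2008 R2

foreach ($computer in $ComputerName) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem `
                            -ComputerName $computer -ErrorAction Stop
        $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                       ForEach-Object { $_.HotFixID })
    }
    catch {
        # Unreachable or access denied: report it, do not skip silently.
        New-Object PSObject -Property @{
            Computer = $computer; OS = $null; Missing = $null
            Status   = "UNKNOWN: $($_.Exception.Message)"
        }
        continue
    }

    # NT version 6.1 is Windows 7 and Server 2008 R2.
    $required = @($BaseKb)
    if ($os.Version -like '6.1.*') { $required += $R2Kb }

    $missing = @($required | Where-Object { $installed -notcontains $_ })
    $status  = 'PATCHED'
    if ($missing.Count -gt 0) { $status = 'MISSING' }

    New-Object PSObject -Property @{
        Computer = $computer
        OS       = $os.Caption
        Missing  = ($missing -join ', ')
        Status   = $status
    }
}
```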

“Windows presentation foundation terminal server print w” error

2011.07.27

On Windows Server 2008 Standard Terminal Services (or, as they now call it, Remote Desktop Services), both x32 and x64, there is a major error that causes printing problems:

“Windows presentation foundation terminal server print w”

It shows as a Windows pop-up on WinXP clients; on Vista\Win7 there is no error at all, it just does not print. Well? What to do?

1. There is a KB from MS: http://support.microsoft.com/kb/2021394

Checked – did not help.

2. There are workarounds that replace TsWpfWrp.exe on the clients with the server version.

Checked – did not help.

3. Then – forums recommend reinstalling the server 🙂

Almost done, but not 🙂

So, the solution that worked for a few of my servers was partially mentioned by Jeff Pitsch in his post about EasyPrint. As in all previous versions of Windows – just reinstall the EasyPrint driver. Yeah?

Guess what – there is no printer drivers console by default (Server Properties in older versions), so where do You delete it from? Aha! 🙂 Server Manager – Add Roles – Printer … Role – Next – Ok.

Now You have Printer Servers – Server Name – Drivers

Here You can actually manage the installed printer drivers. 🙂 Remove the EasyPrint drivers and the XPS drivers. Reboot. Check that the drivers reappeared in the list. Check that You can print successfully.

Have a great day!