none
Control Scan for credit card security fails on Windows 2008 if terminal services are turned on RRS feed

  • Question

  • Is "Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure" still not fixed?

     

    I am setting up a credit card processing application, and I am running a third party security scan, as required by the credit card company.  I have been forced to turn off terminal services in order to pass the test.  I had assumed that by now this problem, after all of these years, had been addressed in Windows 2008.

     

    Does anyone know if this was actually fixed in Windows 2008, and perhaps the scanning application is just out of date?  I'm hoping this is the case.

     

     

     

    Tuesday, March 25, 2008 7:11 PM

Answers

All replies

  • Hi Kevin,

     

    As of now I haven’t come across any information which says that “Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure" problem is fixed in Windows Server 2008.

     

    However, I am trying to find out information for you regarding this issue and will get back to you at the earliest.

     

    Thank you.

     

    Leena

     

    Thursday, March 27, 2008 9:19 PM
  • This issue was fixed by adding SSL support to TS in W2K3 SP1 and CredSSP to Vista/W2K8.

     

    In W2K3 this was:

    BUG: 806509 - APPROVED DCR: ETA: 8/6 WS2003SP1: RDP is vulnerable to man-in-the-middle attack

     

    It was a well-known TS security issue. The private key used to sign a proprietary certificate (which contains the generated TS public key) is hardcoded in the code (see MS-RDPBCGR section 5.3.3 for more details).

     

    Take a look at (this discuss SSL in W2K3 SP1):

    http://technet2.microsoft.com/WindowsServer/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true

     

    Thursday, April 24, 2008 1:31 PM