On May 14, Microsoft announced a vulnerability in its Remote Desktop Protocol (RDP). The event caused quite a stir in the global information security community: the vulnerability made it possible for unauthenticated attackers to connect to an organization’s computer systems that use RDP. Once connected, the attacker could then execute code, install programs, create new accounts and view, change or delete data.
What does this mean for members of the University of Toronto (U of T) community? If you are a staff or faculty member who uses a managed Windows device in your workspace, you have likely used a Remote Desktop service. The service makes it possible for staff and faculty to log into their work computers from devices such as home computers or laptops.
The University has already taken action against the vulnerability by restricting RDP service from the internet, protecting potentially thousands of devices. Information Technology Services (ITS) staff ask you to take the following measures if you use Remote Desktop. If you don’t use Remote Desktop, following these measures on a regular basis is an excellent way to maintain the security of your workplace and personal information.
“Our security program is about partnership. We recognize that there is a shared responsibility and it is not always about technology—we can all do something to help.” says the University’s Chief Information Security Officer Isaac Straley. “In this case, we want to make sure community members know to update their personal Windows computers because the risk can impact not only institutional data but them directly.”
1. Update your devices. If your workplace device is managed by IT staff, they will ensure that patching/updating is completed. If you manage your own device, you must ensure it is updated.
For Windows devices:
In the bottom left hand corner of your computer click on the Windows icon. Then enter ‘Windows Update’ in the search bar and run. If your device is up-to-date, you will be informed. If not, please follow the instructions, re-booting if necessary.
2. If you use RDP to connect to University services remotely there are two use cases to address:
If your device is managed by IT staff and you are connecting to an RDP ‘gateway’ service, then your remote access should continue to work.
If you are using your own personal device for work and you RDP into it directly, your service may be blocked soon. To work around this block, please refer to: https://isea.utoronto.ca/advisory-remote-desktop-protocol-vulnerability/ or seek assistance from your local IT support staff.
For additional answers to frequently asked questions about the RDP vulnerability, please access this announcement from ITS: http://main.its.utoronto.ca/news/remote-desktop-protocol-blocked-due-to-vulnerability/.