Apply your monthly patches just as soon as you can

There are only six patches in this month’s edition of Patch Tuesday, and only one of them is critical, but it’s a big one.

The critical patch fixes a flaw in Remote Desktop Protocol, something typically only present in the business-oriented flavors of Windows. But if you don’t know whether you’re affected, it behooves you to let Windows update whatever it wants to update.

And if your job is patching servers–and I don’t envy you if it is, because I spent half my career being that guy–start working this month’s updates through whatever bureaucratic mess your organization requires in order to get it done. Because once malware appears that uses this vulnerability, it could potentially be headline-seizing. Hopefully not as big as Nimda or SQL Slammer, but this is the first thing I’ve seen in a very long time that even has the potential to be that big. The more people who apply patches before it happens, the smaller it will be. Let’s make this a non-event.

Microsoft thinks it will take about 30 days for the bad guys to get some code on the streets, so Microsoft itself is saying to deploy this patch immediately.

If you can’t patch immediately, disabling remote desktop and only keeping it enabled when you’re using it is a potential workaround. It’s not ideal, since the machine will be vulnerable for as long as you’re using RDP, but it’s better than nothing.

To disable remote desktop, make sure the registry key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections is set to 1. Be aware the change requires a reboot in order to take effect. If you’re going to reboot anyway, you might as well patch, especially if you have some automated way to deploy it. (Microsoft WSUS isn’t nearly as good as tools like Shavlik Netchk or Update Expert, but it’s free.)

If I had a network of machines to hit, here’s how I’d go about blasting the change out to everything.

net view >> network.txt

Now create a batch file with this line in it (inside a batch file the loop variable is written %%i rather than %i, the key path needs quotes because of the space in Terminal Server, and /f stops reg from prompting before it overwrites the value that is already there):

for %%i in (list) do reg add "\\%%i\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

Take the file network.txt, load it into Excel as a delimited file, delete all but the first column, re-save it, load the file into a word processor or text editor, and get all of the machine names on a single line, separated by a space. You could use Word with my join single lines macro. Once you have the list consolidated on a single line, copy that line and paste it into your batch file in between the parentheses.

Run the batch file to carpet-bomb your network with the change. It’s much faster than manually connecting to every machine and verifying its setting. I’ve used tricks like this to accomplish a week’s worth of manual work in more like an hour.

And yes, I highly recommend saving the file, with the network list. Then the next time something like this comes up, you can get the job done even faster.
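As an added example (this is not the batch file from the post), here is a version that reads the machine names straight out of network.txt, so the Excel and Word steps can be skipped, and reads each value back afterwards so you end up with a log of what was actually set rather than what you asked for. It assumes network.txt was produced by net view in the current directory and that the account running it can write to each remote registry.

```batch
@echo off
rem Added example, not the post's own script. Reads hosts from net view output,
rem sets fDenyTSConnections=1 on each, then verifies and logs the result.
rem Assumes: network.txt is in the current directory and was written by "net view".
setlocal
set "KEYPATH=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
set "LOG=rdp-results.txt"

> "%LOG%" echo Run started %date% %time%

rem net view prints one machine per line as \\NAME, so keeping only lines that
rem begin with \\ drops the header, the dashed rule and the "completed" footer.
for /f "tokens=1" %%i in ('findstr /b /l /c:"\\" network.txt') do (
    echo Setting fDenyTSConnections=1 on %%i
    rem /f overwrites the existing value without the "overwrite? (Yes/No)" prompt
    rem that would otherwise stall the loop on every machine.
    reg add "%%i\%KEYPATH%" /v fDenyTSConnections /t REG_DWORD /d 1 /f >nul 2>&1
    if errorlevel 1 (
        >> "%LOG%" echo FAIL %%i: reg add returned an error
    ) else (
        rem Read the value back; a successful reg add is not proof of the setting.
        reg query "%%i\%KEYPATH%" /v fDenyTSConnections 2>nul | findstr /i /c:"0x1" >nul
        if errorlevel 1 (
            >> "%LOG%" echo FAIL %%i: value did not read back as 1
        ) else (
            >> "%LOG%" echo OK   %%i: fDenyTSConnections is 1, reboot still required
        )
    )
)

echo Done. Results are in %LOG%.
endlocal
```

Grep the log for FAIL afterwards; those are the machines you still have to visit by hand.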

If you found this post informative or helpful, please share it!