SECURITY ALERT
Scheduled Maintenance Report for Duke IT
Completed
The scheduled maintenance has been completed.
Posted May 24, 2019 - 17:15 EDT
In progress
Scheduled maintenance is currently in progress. We will provide updates as necessary.
Posted May 24, 2019 - 08:04 EDT
Scheduled
In response to recent and ongoing security issues identified with the Microsoft Remote Desktop Protocol (RDP), Duke will block RDP access from the Internet to machines on the Duke campus starting May 24 unless the Internet access is made via a VPN (Virtual Private Network) session. After May 24, RDP will continue to work if you are on the Duke network, or from off campus as long as you use the Duke VPN.

For more information about the VPN, see the OIT website:
https://oit.duke.edu/what-we-do/services/vpn

Summary

Microsoft announced a patch on May 14 for a critical vulnerability in RDP, which is widely used at Duke for remote access to Windows systems (desktops, laptops and servers). The vulnerability allows an attacker to remotely compromise a vulnerable machine without requiring authentication, leaving it with no protection against the attack. Once on the machine, attackers can do what they want, including scanning for and spreading to other machines running RDP, whether those other machines have Internet-accessible (public) network addresses or private network addresses. The extreme risk associated with this vulnerability necessitates new protections in the immediate term. Moreover, our monitoring tools reveal that over 98% of traffic from the Internet attempting to connect to Duke machines running RDP is malicious in nature – a sign that attackers were already attempting to compromise these machines via a weak password or a vulnerability in the RDP application, even before this latest vulnerability.

Due to the nature of this vulnerability, the Security Office is also taking an aggressive stance to immediately patch all impacted machines and is working with local IT staff to install those patches. Although we are requiring patches by May 24 and are instituting a campus-wide block of the RDP protocol from the Internet on May 24, the aforementioned provisions will ensure that users who need to RDP to their on-campus machines from off campus may continue to do so by using the VPN. In addition, users with special circumstances whose campus machines MUST remain available from the Internet may request an exception (details below).

Exceptions

There will be no exceptions granted for patches. The Security Office will consider exceptions on a case-by-case basis for machines that need to remain open to the Internet (i.e., accessible without the VPN, typically in cases where external use is legitimate but is not by Duke account holders). These machines will have to meet the following requirements:

• Exception must be requested by a departmental IT group.
• Exception must have a compelling reason for remaining open to the Internet.
• Machine must have a fully patched and supported OS.
• Machine must have MFA enabled for RDP and be validated by the Security Office.
• Machine must be enrolled in endpoint security program (BigFix/SCCM/JAMF, CrowdStrike).

Visit security.duke.edu to learn more about this vulnerability.

If you have questions about this update please contact the OIT Service Desk at (919) 684-2200.
Posted May 23, 2019 - 09:56 EDT
This scheduled maintenance affected: Security (Security Alert).