03-16-2018 10:05 AM
Hi,
I was wondering if Duo for RDP mitigates any risk from the CredSSP flaw in Remote Desktop Protocol (CVE-2018-0886). The Microsoft fix requires both the server and the client to have the update installed. That update is responsible for messing up NICs on Windows 7 and 2008R2 machines (KB4088875/KB4088878). If Duo mitigates this vulnerability, it gives MS some time to get their things together, and for clients to update the personal devices.
Thanks!
03-19-2018 02:28 PM
Hey @UniqueUsername, the CredSSP vulnerability affects an underlying protocol, so it’s invoked before Duo Winlogon. We have tested the Microsoft patch and it does not interfere with Duo once patched.
It is unfortunate to hear the MS patch was causing issues with VMXNET3 adapters, but it looks like there is now a workaround for that issue: https://support.microsoft.com/en-us/help/3125574/convenience-rollup-update-for-windows-7-sp1-and-windows-server-2008-r2
03-20-2018 11:47 AM
Hi Patrick,
Thanks for the information. MS still doesn’t quite have their act together with this update. See https://support.microsoft.com/en-us/help/4088878/windows-7-update-kb4088878 for a long list of problems and their duct tape fixes. I might have to ride this out until April updates come along.
Thanks