Security Advisory

Microsoft Security Advisory 2861855

Updates to Improve Remote Desktop Protocol Network-level Authentication

Published: August 13, 2013

Version: 1.0

General Information

Executive Summary

Microsoft is announcing the availability of updates as part of ongoing efforts to improve Network-level Authentication in the Remote Desktop Protocol. Microsoft will continue to announce additional updates via this advisory, all aimed at bolstering the effectiveness of security controls in Windows.

Available Updates

The update released on August 13, 2013:

  • Microsoft released an update (2861855) for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update is available on the Download Center as well as the Microsoft Update Catalog for all affected software. It is also offered via automatic updating and through the Microsoft Update service. For more information, see Microsoft Knowledge Base Article 2861855.

    Synopsis of functionality added by the update
    The update adds defense-in-depth measures to the Network Level Authentication (NLA) technology within the Remote Desktop Protocol in Microsoft Windows.

Affected Software

This advisory discusses the following software.

Operating System
Affected Software
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Non-Affected Software
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows 8 for 32-bit Systems
Windows 8 for 64-bit Systems
Windows Server 2012
Windows RT
Server Core installation option
Windows Server 2012 (Server Core installation)

Frequently Asked Questions

What is Network Level Authentication (NLA)?
Network Level Authentication (NLA) is an authentication method that can be used to enhance Remote Desktop Session Host server security by requiring that the user be authenticated to the Remote Desktop Session Host server before a session is created. Network Level Authentication completes user authentication before you establish a remote desktop connection and the logon screen appears.

What is defense-in-depth?
In information security, defense-in-depth refers to an approach in which multiple layers of defense are in place to help prevent attackers from compromising the security of a network or system.

Other Information

Feedback

Support

  • Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
  • Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (August 13, 2013): Advisory published.

Built at 2014-04-18T13:49:36Z-07:00