Once again, a vulnerability has been discovered in older Microsoft Windows operating systems that will likely lead to some long nights and grumpy IT personnel. When a situation like this presents itself, the first thing to do is take a deep breath (seriously, calm down) and the second is to review the latest assessment of the hosts in your environment. Hopefully you have access to details about the operating systems in use, how many there are, what they are being used for, and so on. Without this essential data there may never be complete resolution of the issue. This is why the ability to run light assessments that use very few resources on the host is so important to the success of remediation and mitigation efforts. If you do not know whether the affected systems are in your environment, or how many there are, you are likely to have a bad time of it.
There is both a patch and a configuration change that can address this vulnerability. Applying the patch is the best solution, but a partial mitigation can be had by ensuring that NLA (Network Level Authentication) is enabled. NLA requires the connection to authenticate with valid credentials before a session is established, which blocks exploitation by malware or a worm that is only looking for unguarded targets. However, a malicious actor who obtained valid credentials could still execute remote code. In truth, the only way to be fully mitigated against this vulnerability is to upgrade the systems to newer versions (Windows 10, Windows Server 2016) which, due to their improved architecture, are not susceptible to the attack.
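The configuration check described above, as an added example that is not part of the original post and is not Flexera's code: a PowerShell function that reports whether RDP is enabled on the local host and whether NLA is required, using the standard Windows WMI class `Win32_TSGeneralSetting` and the `RDP-Tcp` registry value `UserAuthentication`, and that can optionally enforce NLA. It assumes it is run in an elevated PowerShell session on the host being audited; the function name and the `-Enforce` switch are this example's own.

```powershell
# Added example, not from the original post. Audits (and optionally enforces)
# Network Level Authentication for RDP on the local host.
# Assumption: run elevated on the host being checked.
function Test-RdpNla {
    param(
        # When set, turn NLA on if it is currently off.
        [switch]$Enforce
    )

    # Standard Windows locations for the Terminal Server settings.
    $tsRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp  = Join-Path $tsRoot 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means RDP is disabled entirely.
    $rdpDisabled = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction Stop).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required for the RDP-Tcp listener.
    $nlaRegistry = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction Stop).UserAuthentication

    # Cross-check the registry value against the Terminal Services WMI view.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    $nlaWmi = [int]$ts.UserAuthenticationRequired

    $changed = $false
    if ($Enforce -and $nlaWmi -ne 1) {
        # Supported WMI method for switching NLA on; takes effect for new connections.
        Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                         -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
        $nlaWmi  = 1
        $changed = $true
    }

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OperatingSystem  = $os.Caption
        OSVersion        = $os.Version
        RdpEnabled       = ($rdpDisabled -eq 0)
        NlaRequired      = ($nlaWmi -eq 1)
        # A mismatch usually means a pending reboot or a Group Policy override.
        RegistryMatches  = ($nlaRegistry -eq $nlaWmi)
        NlaEnabledNow    = $changed
    }
}

# Report only:
Test-RdpNla
# Report and switch NLA on where it is off:
# Test-RdpNla -Enforce
```

Treat `NlaRequired = $false` on a host with `RdpEnabled = $true` as the finding to act on, and remember, as the post says, that NLA only raises the bar for unauthenticated scanners and worms; it does not replace the patch or the OS upgrade.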
End of Life software always carries a high risk to an organization: it is no longer supported by the vendor but is likely fully “supported” by bad actors. The longer a title has existed, the more knowledge about it is available for nefarious uses. Staying on EoL software is therefore not recommended. Addressing the issue is easier said than done, however. With thousands of endpoints becoming the norm rather than the exception, maintaining visibility into even the OS loaded onto each one is a herculean task, and that doesn’t even begin to address patch status. Many organizations have had success deploying a Software Asset Management tool such as Flexera’s Data Platform to provide accurate and timely visibility into each asset in an environment.
Another tool that can help gather the intelligence needed to know exactly which systems in your environment are susceptible to this and other software vulnerabilities is Software Vulnerability Manager (SVM), which has assessment, prioritization and remediation capabilities. The assessment is truly lightweight, using approximately 20MB of RAM and ~3% of the processor for the ~4-minute assessment duration. Results are displayed through a series of custom filters so that the right data reaches the intended user and the noise of unnecessary data is reduced significantly. Patches are only displayed if the assessment has discovered a need for them, and they are 100% customizable. All of these tools help maintain visibility into your software spread. Know what you have and strive to keep it up to date, or spend tireless hours fighting an ultimately losing battle against a highly motivated foe. Cheers and good luck!