As a very quick recap, OVAL199 for CAN-2002-0863 involves a
vulnerability with RDP 5.0 in Microsoft Windows 2000. The following
information was sent to me by OVAL Board member Bill Wall of the Harris
Corporation. (Thanks, Bill!) I felt that it was important to share this
valuable data with the discussion list.
~ Tiffany
Microsoft Technical Lead, MITRE's OVAL Team
-------- Original Message --------
Subject: RE: [Fwd: Re: [OVAL-DISCUSSION-LIST] OVAL for CAN-2002-0863
[Edited by Woj]]
Date: Mon, 3 Feb 2003 16:01:39 -0500
From: "Wall, William (wwall)" <wwall@...>
To: "'Tiffany Bergeron'" <tab@...>
For this check, I would think all you need is to check the version of
rdpwd.sys in the ADMIN$ (windir)\system32\drivers folder. This file does
not exist on workstations. Also, the service does not exist on
workstations and there are no registry entries such as entry name or
start or TSEnabled for hklm\system\currentcontrolset\terminal server\.

Also, there is no termsrv.exe on a workstation. This file is necessary
if terminal services is running. It would be located at the
ADMIN$\system32 folder.

To see if terminal services is running, check
hklm\system\currentcontrolset\services\termservice and if the start key
is anything but 4, it has started (4 is disabled).

This service comes by default on W2K server and I have not seen a case
where someone uninstalled it. Don't think you can.

I have never seen rdpwd.sys in any location but drivers and don't think
it will work if it is located anywhere else.

RDPWD does not appear to be a separate service to turn on or off in the
Services area. It seems to have its own setting in
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\
The two values there are RdDLL = rdpwd and WdName = Microsoft RDP 5.0

Bill
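As an added example that is not part of Bill's message or of the OVAL definition itself, the PowerShell script below collects the same evidence on a local host: presence and file version of rdpwd.sys, presence of termsrv.exe, the TermService Start value, and the Wds\rdpwd WdName value. The patched rdpwd.sys version is a placeholder parameter because the message does not state it, and the script assumes a PowerShell release far newer than anything that shipped with Windows 2000.

```powershell
# Added example: local evidence collection for the OVAL199 / CAN-2002-0863 check.
# $PatchedVersion is a PLACEHOLDER; take the real fixed rdpwd.sys version from
# the vendor advisory before relying on the VULNERABLE verdict.
param(
    [version]$PatchedVersion = [version]'0.0.0.0'
)

$windir  = $env:SystemRoot
$driver  = Join-Path $windir 'system32\drivers\rdpwd.sys'   # only place it is expected
$termsrv = Join-Path $windir 'system32\termsrv.exe'         # absent on workstations
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService'
$wdKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd'

$result = [ordered]@{
    RdpwdSysPresent    = Test-Path $driver
    RdpwdSysVersion    = $null
    TermsrvPresent     = Test-Path $termsrv
    TermServiceStart   = $null
    TermServiceEnabled = $false
    WdName             = $null
}

if ($result.RdpwdSysPresent) {
    # Build the version from the numeric parts; FileVersion as a string may carry extra text.
    $vi = (Get-Item $driver).VersionInfo
    $result.RdpwdSysVersion = New-Object System.Version(
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

if (Test-Path $svcKey) {
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    $result.TermServiceStart = $start
    # Per the message: any Start value other than 4 (Disabled) means the service is enabled.
    $result.TermServiceEnabled = ($null -ne $start -and $start -ne 4)
}

if (Test-Path $wdKey) {
    $result.WdName = (Get-ItemProperty -Path $wdKey -Name WdName -ErrorAction SilentlyContinue).WdName
}

[pscustomobject]$result | Format-List

$exposed    = $result.RdpwdSysPresent -and $result.TermServiceEnabled
$vulnerable = $exposed -and $result.RdpwdSysVersion -and ($result.RdpwdSysVersion -lt $PatchedVersion)

if ($vulnerable)         { Write-Output "VULNERABLE: rdpwd.sys $($result.RdpwdSysVersion) is older than $PatchedVersion" }
elseif (-not $exposed)   { Write-Output "NOT APPLICABLE: RDP driver absent or Terminal Services disabled" }
else                     { Write-Output "PATCHED or undetermined (check version against the advisory)" }
```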