Category Archives: Windows Server 2019

Changing RDWeb default Port on Windows Server 2019

Story:

When you install RDS on a server that is already using port 443, you will get the following error when you try to open the RDWeb main page.

The reason is that something else on the server you installed RDWeb on is most likely already listening on port 443.

Error Message:

When trying to access RDWeb on the same server you’ll get the following error:

Service Unavailable

Http Error 503. The Service is unavailable

Troubleshooting

To troubleshoot, let’s see what is using port 443.

Run CMD or PowerShell as an Administrator and type the following command:

Netstat -anbo | findstr 443

Changing Port to 1443 or 8443

Let’s try changing the port using the RD Gateway Manager.

From the Gateway Manager, click Properties in the right pane, go to the Transport Settings tab and change the HTTPS port to 1443 or 8443.

Changing Ports using Registry

Navigate to the following key and make sure you first take a backup (export the key):

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core]

Change the following registry value:

IsUdpEnabled REG_DWORD 0

Back up the key and change the following port value to the intended one:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core]

HttpsPort REG_DWORD (8443)

Change the base to Decimal before typing the port number, otherwise the value is read as hexadecimal and the wrong port is stored.

Restart Service

From PowerShell, restart the service:

net stop tsgateway
net start tsgateway

Let’s confirm that the service is now listening on port 8443.

From PowerShell, type:

Netstat -anbo | findstr 8443

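As an added example that is not part of the original post, the following PowerShell script carries out the registry steps above in one go (back up the key, set IsUdpEnabled and HttpsPort, restart tsgateway, verify the listener). The backup path and the pre-flight check that the new port is free are assumptions made here, not steps from the post.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Carries out the registry
# procedure above: back up the key, set IsUdpEnabled and HttpsPort, restart
# tsgateway, then verify the listener. $BackupPath and the pre-flight port
# check are assumptions made here for illustration.
param(
    [ValidateRange(1, 65535)][int]$NewPort = 8443,
    [string]$BackupPath = 'C:\Backup\TSGateway-Core.reg'   # assumed location
)

$Key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core'
$RegKey = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core'

# 1. Show what currently owns port 443 (same facts as netstat -anbo | findstr 443).
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        "Port 443 is held by PID $($_.OwningProcess) ($($p.ProcessName))"
    }

# 2. Do not move the gateway onto a port that is itself already taken.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use; choose another port."
}

# 3. Back up the key first (same as Export in regedit); abort if that fails.
New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
reg export $RegKey $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; nothing was changed.' }

# 4. Write the two values from the post. -Type DWord stores the decimal 8443
#    as REG_DWORD 0x20FB, which is what the "base: Decimal" step achieves by hand.
Set-ItemProperty -Path $Key -Name IsUdpEnabled -Value 0        -Type DWord
Set-ItemProperty -Path $Key -Name HttpsPort    -Value $NewPort -Type DWord

# 5. Restart the gateway so it re-reads its configuration (net stop/start tsgateway).
Restart-Service -Name tsgateway -Force

# 6. Verify the result the way the post does with netstat -anbo | findstr 8443.
$listener = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    throw "Nothing is listening on port $NewPort after the restart; restore $BackupPath if needed."
}
"TSGateway is listening on port $NewPort (PID $(@($listener)[0].OwningProcess))"
```

If the final check throws, import the exported .reg file and restart tsgateway to return to the previous configuration.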

Let’s go to the main page and see if it works.

Voilà! Finally it worked.

Microsoft exposes a security issue that affects millions of Windows 10 computers, RDP and DHCP on win2008R2

Windows 10 Crypto API Spoofing

Microsoft has released a new security patch for a vulnerability that could affect millions of Windows 10 users worldwide.

A decades-old API

The decades-old CryptoAPI validates and signs packages/software. Attackers or developers could use the flaw to sign and execute illegitimate software, which would let anything run without the user, or the Antivirus/Internet Security software, noticing.

Microsoft mentioned that the vulnerability could also allow attackers to modify encrypted communications.

It’s important to mention that CryptoAPI is a legacy API that is being replaced by the newer CNG (Cryptography Next Generation) API, which still supports CryptoAPI as well.

CryptoAPI Key Storage Architecture

Download Patch

Direct Download

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4528760

CVE

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

Windows 2008 R2, Windows 7 RDP

A day ago, on May 14, 2019, Microsoft released two very important security patches.

One of these addresses a vulnerability in the RDP service (CVE-2019-0708) which affects Windows 7 and Windows 2008 R2.

According to Microsoft’s article, a remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.

No Authentication or Interaction needed

This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Looking at CVE-2019-0708, which is related to the RDP service, we see that attackers are able to run code on systems by sending specially crafted packets, without any user interaction or authentication, and can then install malware such as ransomware or other executables.

Download Patch

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Windows 2008R2, 2012R2, 2016 and 2019 DHCP

The other is in the DHCP service (CVE-2019-0725); both vulnerabilities are critical.

A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could run arbitrary code on the DHCP server.

Download Patch

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0725

Sources:

Microsoft, NSA, Other Security Researchers