Must Read: Sorry, but bringing back the Start menu won't help Windows 8

Topic: Virtualization

Dear Hyper-V fans, I'll take that apology now.

Summary: Ouch. It's pain time again on the Microsoft front. You were warned.

Ken Hess

By for Consumerization: BYOD |

[UPDATE] Systems that don't have RDP enabled aren't vulnerable to this RDP worm.

If you used VMware, you wouldn't have to reboot your vulnerable systems after patching for the RDP Worm today. Sure, you'll still have to patch all of your Windows VMs that ride on top of your VMware hosts but at least you don't have to patch and reboot the VMware host systems. Wait, I think I actually might have mentioned this very possibility in my follow-up article to the Great Debate: Hyper-V vs. VMware with Jason Perlow.

I don't like having to say, "I told you so" but I really did tell you so.

Let me post my exact quote from that follow-up just so I can read it again:

Windows Security - Oxymoron Time

Unless your name is Rip van Winkle, you know that Windows is, shall we say, light on security. There’s a good reason why every other major hypervisor is Linux-based in some way or another: Security. That isn’t the only reason but it’s a darn good start. Plus, how many reboots of your Windows host will it take to continuously patch? Can your production environment withstand the downtime?

Additionally, when your Windows host becomes infected with a worm or virus, how many VMs will it take with it? Answer: All of them.

Now's your chance to answer my question, "Can your production environment withstand the downtime?"

While you're patching, rebooting and making excuses, I've compiled a short list of resources to help you through the pain you're currently feeling.

VMware's Main Website

VMware Sales

The VMware Partner Locator

VMware's Phone Number: 1-877-486-9273

I hate worms, viruses and Trojan Horses because I think that the people who write them have nothing better to do with their time and it's a tremendous waste of resources for companies who are innocent. It just causes loss and grief. It's malicious and pointless.

And, all of the due diligence in the world won't protect you when this kind of thing happens. Well, aside from choosing a technology that you know has these kinds of vulnerabilities.

By the way, in case you're wondering, yes, this is going to wreck MY weekend too. And, it's the beginning of Spring Break for my kids who had hoped to spend some quality time with both of their parents.

Now, how did that process go again? Oh yeah, "Patch. Reboot. Pray. Patch. Reboot. Pray. Lather. Rinse. Repeat."

[UPDATE Addition] I still recommend patching your systems on their next patch cycles whether RDP is enabled or not.

See Also:

Exploit code published for RDP worm hole; Does Microsoft have a leak?

Microsoft warns: Expect exploits for critical Windows worm hole

Linux servers keep growing, Windows & Unix keep shrinking

Topics: Virtualization, Hardware, VMware

About

Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

Google+ Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

44 comments
Log in or register to join the discussion

  • Why VMware?

    Why only VMware? If your going to list helpful alternatives you might as well mention KVM (Redhat) and Xen (Citrix). Besides the commercial Redhat and Citrix solutions there's plenty of other good solutions like ProxMox that use KVM and OpenVZ on the same server, and it's if tech savvy enough, you can roll your own custom solution with these hypervisors.

    But considering your talking to Hyper-V users, they probably aren't very tech savvy and perhaps VMware is the best alternative for them, but a lot more expensive then Redhat and Citrix. And VMware has occasional security issues too...and they do release updates that require host reboots...just saying :) So do all the others I mentioned ... it's part of life :)

    Also, Hyper-V has similar live migration feature as Vmotion, so admins who need to patch Hyper-V hosts can move the guests around during patching. Same thing you would do with VMware when installing their next point release update and same thing you would do with an RHEV host kernel update.

    I'm not taking sides here, but no one owes you apology for anything...I use mainly VMware and qemu-kvm, but Hyper-V does have it's advantages for some.
    Scratchi
    Reply Vote

    • Ah but those facts don't support his argument.

      Shame on you for pointing them out :)
      whatagenda
      Reply Vote

    • You're right

      I did mention the others in the debate.
      khess
      Reply Vote

    • Diversity is the reason

      You want some diversity between the physical Host and client VM's. That way you're not fighting the SAME bug on both systems.

      I think you are right though, just saying VMWare is a mistake. There are others which offer the diversity advantage. VMWare is going to have to start watching its brand name, or its going to end up being like Coke in Texas (everything's a coke, and primarily what you get is a Dr Pepper), or Kleenex, or any number of brands that become synonymous with their product.
      admiraljkb
      Reply Vote

  • Dear Hyper-V fans, I???ll take that apology now.

    This blog brought to you and paid for by VMWare.

    Um... no. Its not hard to schedule a reboot during the maintenance window. Takes a few minutes of time at most and if you are worried about downtime then you roll over to the back up server. This way any routine maintenance can be done during that time instead of waiting for it to completely crash and then be up the creek with the VMWare solution. You do know about maintenance windows and change controls right?

    I especially love how you think VMWare and linux need no patches.
    Loverock Davidson-
    Reply Vote

    • Are you insane????

      Let's say that you are a cloud provider like Amazon. And let's say for kicks they were all running Hyper-V. They would have to take down their ENTIRE CLOUD! Oh yeah now that is going to get good press coverage! Seriously it is an issue!

      Or imagine you were a bank. This means that you have to take down all of the running vm's to do a security hack! That is pure and utterly LAME!
      serpentmage
      Reply Vote

      • Oh my

        I am also patching the hyper-v hosts for our production envirornment and not ONE VM will be unavailable. Live migration will clear a hyper-v host of all VM, then apply the patch, then move back and do the next machine. Normal business, happens each month after patch tuesday.
        sjaak327
        Reply Vote

      • Not insane

        Perhaps you should learn about patch management and best practices.
        Loverock Davidson-
        Reply Vote

      • seriously lame. first no one is going to have rdp enabled on the hypervisor

        os to begin with so this is a complete crock of FUD. Second you can patch/reboot every hyperV server in your datacenter with a script without having any vm's go unavailable. This is as much of a non-issue for hyperV as it is for any other hypervisor.
        Johnny Vegas
        Reply Vote

      • Don't be ridiculous.

        Clouds are made up of multiple servers. Fail over your VM's to another server, reboot, fail back. Simple.
        mikedees
        Reply Vote

      • Um...wrong

        Where do you get your facts? Oh, right. Nobody cares about when you're posting anonymously as "serpentimage" and nobody can connect your inane BS with a real person. You have no remote clue what you're talking about.
        marksashton
        Reply Vote

  • Why trolling is allowed in ZDnet?

    Seriously, why ZDnet allow trolling and inflammatory post like this? To enrage your readers? Why?

    Seriuosly, Ken. Are you trying to say that ESX doesn't need to restart for patching system? Then tell me what are these "VM Shutdown & Host Reboot" means when I click on "Search" ESX patch?

    http://www.vmware.com/patchmgr/findPatch.portal

    It's trivial to implement HA for Hyper-V with failover clustering and live migrate for servicing. I can even just turn off RDP and patch the server on my next maintainance schedule. It's just something any sysadmin trained to do.

    Please Ken, I'm probably half of your age but I can't help but wanted tell you grow the h*** up already.
    Samic
    Reply Vote

    • Best practices for Hyper V..

      ..also state that the host management network should be on a separate network/NIC so the RDP service is not likely to be listening on a public accessable network anyway.
      planruse
      Reply Vote

      • And this is uniquie to Hyper-V?

        This should be the practice regardless of virtualization platform. If Microsoft is the only company that specifically lists this as a best practice, all it proves is the lack of security foresight of the other players.
        daftkey
        Reply Vote

      • Yup and...

        ...we have to be inside the firewall already in order to even get at RDP. So a whole host of other things have to go wrong first before this is a real problem. But as daftkey says, this is the way it should be anyway - even without virtualization.
        cornpie
        Reply Vote

      • Exactly.

        I wonder if the guy who wrote this article knows a damned thing about network segmentation or DMZ's? No one opens a hypervisor to the public internet.
        mikedees
        Reply Vote

  • Ugh - Flamebait

    Articles like this really bring zdnet down. Not only is it misleading, it's wrong. There are plenty of times VMWare has been sacked and had to be rebooted. Furthermore this exploit is not exploitable in almost all situations. An RDP machine with this exploit is not usually connected directly to the Internet. A SERVER that is exposed would be running Windows Terminal Services gateways which is not vulnerable.

    And for workstations that are vulnerable (by somebody INSIDE the network on the premises), RDP config dialog boxes pretty much *scream* right there in the dialog box, "please enable NLA."
    cmoya
    Reply Vote

    • MS says, "ALL WINDOWS SYSTEMS"

      Even Server Core.

      *Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option."

      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
      khess
      Reply Vote

      • Mitigating Factors

        "By default, the Remote Desktop Protocol is not enabled on any Windows operating system"
        thevogon
        Reply Vote

      • Yep

        All windows systems (Except Windows 8 CP and Windows 8 server), of course having RDP disabled will at least make your system secure. Now your typical Hyper-V host would be a server core version (less attack surface) and I highly doubt many will have RDP enabled (it is disabled by default, also on all Windows versions including the latest), as it is next to useless to have it enabled. There is no GUI on this server and the command line can be started remotely by using either remote powershell or psremote.

        The debate incidentially was about Hyper-V and Server 8, and server 8 does NOT have this vulnerabiltiy. I am more then willing to accept your apology.
        sjaak327
        Reply Vote
CNET Join | Log In | Privacy | Cookies Close