1. Introduction
Terminal Services Web Detection indicates that the Terminal Services Client ActiveX control is available on a system, allowing users to connect via a web page and download an RDP client. This presents a risk as attackers could use this access point to gain Remote Desktop Protocol access to systems. Affected systems are typically those running Windows Server with Terminal Services enabled. A successful exploit could compromise confidentiality, integrity, and availability of the targeted server.
2. Technical Explanation
The vulnerability occurs because Terminal Services is configured to allow client downloads of an ActiveX control for RDP connections. An attacker can access a webpage hosting this control, prompting a download of a .cab file which then connects directly to a terminal services server using RDP. This allows remote access without requiring pre-existing VPN or other network connectivity.
- Root cause: The ‘tsweb’ resource is not password protected, allowing unauthenticated downloads of the ActiveX control.
- Exploit mechanism: An attacker locates the tsweb page and initiates a download of the .cab file. This triggers an RDP connection attempt to a server specified within the configuration.
- Scope: Windows Server systems running Terminal Services are affected.
3. Detection and Assessment
Confirming this vulnerability involves checking for the presence of the tsweb resource and its accessibility. A thorough assessment requires inspecting the webpage content.
- Quick checks: Use a web browser to navigate to https://yourserver/tsweb (replace ‘yourserver’ with your server name). If the page loads, the control is present.
- Scanning: For example, Nessus plugin ID 32857 can identify this issue.
- Logs and evidence: Examine web server logs for requests to the tsweb resource. Look for patterns indicating client downloads of the .cab file.
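The quick check above, as an added PowerShell example (not part of the original article): it requests the tsweb resource with no credentials and reports whether the page loads anonymously, demands authentication, or is absent. The same function serves the post-fix check in section 5. "yourserver" is the article's placeholder and must be replaced.

```powershell
# Added example, not from the original article: probe the tsweb resource exactly as
# the quick check does (no credentials) and classify the result. "yourserver" is a
# placeholder, as in the article.
function Test-TswebAccess {
    param([string]$Url = "https://yourserver/tsweb")
    try {
        # No -Credential is passed, so this is an anonymous request
        $resp   = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        $status = [int]$resp.StatusCode
        $body   = [string]$resp.Content
    } catch {
        # 401/403/404 arrive as terminating errors; recover the status code from the response
        if (-not $_.Exception.Response) { throw }
        $status = [int]$_.Exception.Response.StatusCode
        $body   = ''
    }
    [pscustomobject]@{
        Url           = $Url
        Status        = $status
        Present       = ($status -ne 404)
        RequiresAuth  = ($status -eq 401)
        # Loads without credentials: the finding described in section 3
        Exposed       = ($status -eq 200)
        # The control is delivered as a .cab; note whether the page references one
        ReferencesCab = ($status -eq 200 -and $body -match '\.cab')
    }
}

Test-TswebAccess | Format-List
```

After remediation the expected result is Present = True, RequiresAuth = True and Exposed = False.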
Command-line equivalent of the quick check: curl -I https://yourserver/tsweb
4. Solution / Remediation Steps
The primary solution is to password protect access to the ‘tsweb’ resource, preventing unauthenticated downloads.
4.1 Preparation
- Ensure you have administrator credentials for the web server and back up its current configuration. The rollback plan is to restore that backed-up configuration.
- A change window may be needed depending on business impact. Approval from IT security should be sought.
4.2 Implementation
- Step 1: Open Internet Information Services (IIS) Manager.
- Step 2: Navigate to the website hosting the ‘tsweb’ resource.
- Step 3: Double-click ‘Authentication’.
- Step 4: Disable Anonymous Authentication.
- Step 5: Enable Basic Authentication or another appropriate authentication method.
- Step 6: Configure user credentials for access to the tsweb resource.
4.3 Config or Code Example
Before
Anonymous Authentication: Enabled
After
Anonymous Authentication: Disabled
Basic Authentication: Enabled (or other method)
4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Least privilege – restrict access to the tsweb resource to authorized users only, reducing potential impact if compromised.
- Practice 2: Secure defaults – avoid enabling unnecessary features like unauthenticated downloads of ActiveX controls.
4.5 Automation (Optional)
# PowerShell example to disable anonymous authentication and require Basic
# Authentication on the site hosting the tsweb resource (run elevated on the IIS server)
Import-Module WebAdministration
$siteName = "YourWebsiteName"   # replace with the site hosting the tsweb resource
$anonFilter  = "system.webServer/security/authentication/anonymousAuthentication"
$basicFilter = "system.webServer/security/authentication/basicAuthentication"
# Read the current state before changing anything
$anonEnabled = (Get-WebConfigurationProperty -Filter $anonFilter -Name enabled -PSPath "IIS:\" -Location $siteName).Value
if ($anonEnabled) {
    Set-WebConfigurationProperty -Filter $anonFilter -Name enabled -Value $false -PSPath "IIS:\" -Location $siteName
    Write-Host "Anonymous Authentication disabled for site '$siteName'"
} else {
    Write-Host "Anonymous Authentication is already disabled for site '$siteName'"
}
# Require credentials: enable Basic Authentication (the Web-Basic-Auth feature must be installed)
Set-WebConfigurationProperty -Filter $basicFilter -Name enabled -Value $true -PSPath "IIS:\" -Location $siteName
5. Verification / Validation
Confirm the fix by attempting to access the tsweb resource without credentials. Ensure authentication is now required.
- Post-fix check: Attempt to browse to https://yourserver/tsweb in a web browser. You should be prompted for login credentials.
- Re-test: Repeat the quick check from section 3. The page should no longer load without authentication.
- Monitoring: Monitor web server logs for failed authentication attempts to the tsweb resource, which could indicate brute-force attacks.
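The log review called for here and in section 3 (requests to the tsweb resource, .cab downloads, failed authentication attempts), as an added PowerShell example that is not part of the original article. The IIS W3C log lines are constructed samples, the .cab file name is invented, and the brute-force threshold is an assumed starting point.

```powershell
# Added example, not from the original article: scan IIS W3C log lines for tsweb
# activity. The log lines below are constructed samples; the .cab name is made up.
$sampleLog = @'
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-01-10 09:00:01 GET /tsweb/default.htm - 203.0.113.7 200
2024-01-10 09:00:02 GET /tsweb/rdpclient.cab - 203.0.113.7 200
2024-01-10 09:05:10 GET /tsweb/default.htm - 198.51.100.9 401
2024-01-10 09:05:11 GET /tsweb/default.htm - 198.51.100.9 401
2024-01-10 09:05:12 GET /tsweb/default.htm - 198.51.100.9 401
2024-01-10 09:05:13 GET /tsweb/default.htm - 198.51.100.9 401
2024-01-10 09:05:14 GET /tsweb/default.htm - 198.51.100.9 401
2024-01-10 09:06:00 GET /tsweb/default.htm alice 192.0.2.4 200
2024-01-10 09:07:00 GET /index.htm - 192.0.2.4 200
'@

function Get-TswebFindings {
    param([string[]]$Lines, [int]$FailedAuthThreshold = 5)   # threshold is an assumption
    $idx = @{}          # field name -> column index, taken from the #Fields header
    $perClient = @{}    # c-ip -> counters
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $names = ($line -replace '^#Fields:\s*', '') -split '\s+'
            for ($i = 0; $i -lt $names.Count; $i++) { $idx[$names[$i]] = $i }
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        $f = $line -split '\s+'
        $stem = $f[$idx['cs-uri-stem']]
        if ($stem -notlike '/tsweb*') { continue }            # only the tsweb resource
        $ip = $f[$idx['c-ip']]; $status = [int]$f[$idx['sc-status']]
        $user = $f[$idx['cs-username']]
        if (-not $perClient.ContainsKey($ip)) { $perClient[$ip] = @{ AnonOk=0; CabDownloads=0; AuthFailures=0 } }
        if ($status -eq 401) { $perClient[$ip].AuthFailures++ }
        elseif ($status -eq 200 -and $user -eq '-') {         # served with no username: anonymous
            $perClient[$ip].AnonOk++
            if ($stem -like '*.cab') { $perClient[$ip].CabDownloads++ }
        }
    }
    foreach ($ip in $perClient.Keys) {
        $c = $perClient[$ip]
        $findings = @()
        if ($c.CabDownloads -gt 0) { $findings += 'ActiveX .cab served anonymously (resource unprotected)' }
        elseif ($c.AnonOk -gt 0)  { $findings += 'tsweb page served anonymously (resource unprotected)' }
        if ($c.AuthFailures -ge $FailedAuthThreshold) { $findings += "$($c.AuthFailures) failed auth attempts (possible brute force)" }
        if ($findings) { [pscustomobject]@{ ClientIP=$ip; Findings=($findings -join '; ') } }
    }
}

Get-TswebFindings -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample data 203.0.113.7 is reported for an anonymous .cab download and 198.51.100.9 for repeated 401s; the authenticated request by alice produces no finding.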
Command-line equivalent of the post-fix check: curl -I https://yourserver/tsweb
6. Preventive Measures and Monitoring
- Baselines: Update your web server security baseline to include disabling anonymous authentication by default.
- Pipelines: Integrate security scanning into deployment pipelines to identify misconfigured authentication settings.
- Asset and patch process: Review configuration changes regularly as part of a vulnerability management program.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Users may need to update their saved credentials if the authentication method changes.
- Risk or side effect 2: Incorrect configuration could prevent all access to the website.
- Roll back: 1) Re-enable Anonymous Authentication in IIS Manager. 2) Restore the web server configuration from the backup created in section 4.1.
8. References and Resources
- Vendor advisory or bulletin: Microsoft TSWeb Vulnerability
- NVD or CVE entry: CVE-2019-7571
- Product or platform documentation relevant to the fix: IIS Authentication Configuration