How to Protect Against MS12-020


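Microsoft has released security bulletin MS12-020 and system patches for this vulnerability. Users should update to the latest system version immediately to avoid being affected by it: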
http://technet.microsoft.com/en-us/security/bulletin/ms12-020
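(1) Remote Desktop Protocol is disabled by default on Windows systems, and systems that do not enable Remote Desktop Protocol are not affected by the vulnerability. On Windows operating systems, the following services can be disabled: Terminal Services, Remote Desktop, Remote Assistance, and the Windows Small Business Server 2003 Remote Web Workplace feature.
(2) A firewall can be configured to filter requests to port 3389 from unauthorized users.
(3) Enable Network Level Authentication on Windows Server 2008 and Windows 7.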

Enable Network Level Authentication on systems running supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2

Note: See Microsoft Knowledge Base Article 2671387 to use the automated Microsoft Fix it solution to enable this workaround.

You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With Network Level Authentication turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.

In order to use Network Level Authentication, your environment must meet the following requirements:

  • The client computer must be using at least Remote Desktop Connection 6.0.
  • The client computer must be using an operating system, such as Windows 7 or Windows Vista, that supports the Credential Security Support Provider (CredSSP) protocol.
  • The RD Session Host server must be running Windows Server 2008 R2 or Windows Server 2008.

To configure Network Level Authentication for a connection, perform the following steps:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
  2. Under Connections, right-click the name of the connection, and then click Properties.
  3. On the General tab, select the Allow connections only from computers running Remote Desktop with Network Level Authentication check box.
    If the Allow connections only from computers running Remote Desktop with Network Level Authentication check box is selected and is not enabled, the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled and has been applied to the RD Session Host server.
  4. Click OK.

Impact of workaround. Client computers that do not support Credential Security Support Provider (CredSSP) protocol will not be able to access servers protected with Network Level Authentication.

Note: For administrators deploying this workaround in a mixed network environment where Windows XP Service Pack 3 systems need to use Remote Desktop, see Microsoft Knowledge Base Article 951608 for information on how to enable CredSSP in Windows XP Service Pack 3.

For more information regarding Network Level Authentication, including how to enable Network Level Authentication using Group Policy, see the Technet article, Configure Network Level Authentication for Remote Desktop Services Connections.
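To confirm which of the workarounds above are actually in effect on a host, the following read-only audit can be run in an elevated PowerShell session. It is an added example, not part of the original article or of Microsoft's bulletin; the registry paths and value names it reads are the standard Windows locations for these settings and do not appear in the article.

```powershell
# Added example: read-only audit of the RDP workarounds described above.
# Registry locations are standard Windows ones, not taken from the article.
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent (for example, no policy set).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$deny      = Get-RegValue $tsKey     'fDenyTSConnections'  # 1 = RDP connections refused
$nlaLocal  = Get-RegValue $rdpTcpKey 'UserAuthentication'  # 1 = NLA required (local setting)
$nlaPolicy = Get-RegValue $policyKey 'UserAuthentication'  # 1 = NLA required (Group Policy)
$port      = Get-RegValue $rdpTcpKey 'PortNumber'          # 3389 unless changed
$service   = Get-Service -Name TermService -ErrorAction SilentlyContinue

# A Group Policy value, when present, overrides the local check box from step 3.
$nlaEffective = if ($null -ne $nlaPolicy) { $nlaPolicy } else { $nlaLocal }
$rdpEnabled   = ($deny -eq 0)
$svcStatus    = if ($service) { $service.Status } else { 'not installed' }

$report = New-Object PSObject -Property @{
    RdpEnabled     = $rdpEnabled
    ServiceStatus  = $svcStatus
    ListenerPort   = $port
    NlaRequired    = ($nlaEffective -eq 1)
    NlaSetByPolicy = ($null -ne $nlaPolicy)
}
$report | Format-List

# Map the findings onto the three mitigations listed in the article.
if (-not $rdpEnabled) {
    'OK: RDP is disabled, so the listener is not exposed.'
} elseif ($nlaEffective -eq 1) {
    "OK: RDP is enabled and NLA is required. Restrict TCP $port at the firewall as well."
} else {
    "ACTION: RDP is enabled without NLA. Enable NLA, filter TCP $port, and install the MS12-020 update."
}
```

The script changes nothing on the host; it only reports, so it can be run across a fleet before and after the workaround is deployed.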
