Mitigation
The Australian Cyber Security Centre advises Windows users to:
- Patch as soon as possible
  - Microsoft patching options are available here for the following systems:
    - Windows 7 for 32-bit Systems Service Pack 1
    - Windows 7 for x64-based Systems Service Pack 1
    - Windows Server 2008 for 32-bit Systems Service Pack 2
    - Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
    - Windows Server 2008 for Itanium-Based Systems Service Pack 2
    - Windows Server 2008 for x64-based Systems Service Pack 2
    - Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
    - Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
    - Windows Server 2008 R2 for x64-based Systems Service Pack 1
    - Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  - Microsoft patching options are available here for the following systems:
- Deny access to Remote Desktop Protocol (RDP) directly from the internet
  - Block all access to RDP, and
  - Utilise a VPN with multifactor authentication, if RDP is required
- Limit internal network machine-to-machine RDP
  - Apply appropriate internal network segmentation,
  - Deny standard workstations the ability to connect arbitrarily to servers or other workstations over RDP (or any other unnecessary protocol), and
  - Limit RDP to servers; consider using a jump box to connect to other servers.
- Consider enabling Network Level Authentication (NLA), which adds a pre-exploitation hurdle by requiring the client to authenticate before a full RDP session is established. For more information on Microsoft's configuration of Network Level Authentication for Remote Desktop Services connections, see here.
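The following PowerShell script is an added example, not part of the ACSC advisory or Microsoft's guidance. It audits a single host against the items above (patch present, RDP enabled, NLA required, RDP port listening) and can optionally enforce NLA. The registry paths and the Win32_TSGeneralSetting WMI class are real; the -PatchKb value is a placeholder to be replaced with the KB number Microsoft lists for the host's operating system on the CVE-2019-0708 page.

```powershell
# Added example: audit a Windows host's RDP posture for the BlueKeep
# mitigations and optionally require NLA. Run from an elevated prompt.
[CmdletBinding()]
param(
    [string]$PatchKb = 'KBXXXXXXX',   # placeholder: the KB for this OS from Microsoft's CVE-2019-0708 page
    [switch]$EnforceNla               # when set, require NLA on the RDP-Tcp listener
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Patch check: Get-HotFix lists installed updates by KB id.
$patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

# 2. Is RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is off.
$rdpEnabled = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0

# 3. Is NLA required? UserAuthentication = 1 means NLA is enforced.
$nlaRequired = (Get-ItemProperty $rdpKey).UserAuthentication -eq 1

# 4. Is anything listening on the configured RDP port (default 3389)?
$rdpPort   = (Get-ItemProperty $rdpKey).PortNumber
$listening = [bool](netstat -ano | Select-String ":$rdpPort\s+.*LISTENING")

New-Object PSObject -Property @{
    PatchInstalled = $patched
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nlaRequired
    RdpListening   = $listening
} | Format-List

# The combination the advisory warns about: RDP reachable, no NLA, no patch.
if ($rdpEnabled -and $listening -and -not $nlaRequired -and -not $patched) {
    Write-Warning "Unpatched host accepts pre-authentication RDP: patch now, or restrict RDP and enable NLA."
}

if ($EnforceNla -and -not $nlaRequired) {
    # Same setting as the 'Allow connections only from computers running
    # Remote Desktop with Network Level Authentication' option in System Properties.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $null = $ts.SetUserAuthenticationRequired(1)
    Write-Output "NLA is now required on the RDP-Tcp listener."
}
```

Run it across a fleet (for example via remoting or a scheduled task) and collect the output to find hosts that still expose an unpatched, NLA-less RDP listener.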
Detection
NCC Group has developed network detection rules that look for potential signs of BlueKeep exploitation attempts in the early, pre-encryption part of the RDP handshake.
For more information, see the GitHub rules here.
References
CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability
GitHub | NCC Group network detection rules
Microsoft | Configuration for Network Level Authentication