Mitigation

The Australian Cyber Security Centre advises Windows users to:

Patch as soon as possible

- Microsoft patching options are available here for the following systems:
  - Windows 7 for 32-bit Systems Service Pack 1
  - Windows 7 for x64-based Systems Service Pack 1
  - Windows Server 2008 for 32-bit Systems Service Pack 2
  - Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  - Windows Server 2008 for Itanium-Based Systems Service Pack 2
  - Windows Server 2008 for x64-based Systems Service Pack 2
  - Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  - Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  - Windows Server 2008 R2 for x64-based Systems Service Pack 1
  - Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Deny access to Remote Desktop Protocol (RDP) directly from the internet

- Block all access to RDP, and
- Utilise a VPN with multifactor authentication, if RDP is required

Limit internal network machine-to-machine RDP

- Apply appropriate internal network segmentation,
- Prevent standard workstations from arbitrarily connecting to servers or other workstations over RDP (or any other unnecessary protocol), and
- Limit RDP to servers; consider using a jump box to connect to other servers.

Consider adding “Network Level Authentication”, which adds a pre-exploitation hurdle. For more information on Microsoft’s Configuration of Network Level Authentication for Remote Desktop Services Connections, see here.

Detection

NCCGroup have developed a network detection rule that looks for potential signs of BlueKeep, pre-encryption. For more information, see the GitHub rules here.

References

- CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability
- GitHub | NCCGroup network detection rules
- Microsoft | Configuration for Network Level Authentication

Related alert

- Microsoft Windows security vulnerability – ‘BlueKeep’ (CVE-2019-0708)
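
One way to check an exported firewall allow-list against the RDP guidance under "Mitigation" (no RDP from the internet, no workstation-to-workstation or workstation-to-server RDP). This is an added example, not ACSC or Microsoft code; the address plan, rule names and the choice to let workstations reach only the jump box are constructed assumptions.

```python
import ipaddress as ip

# Constructed address plan (assumption, not from the advisory).
INTERNAL = [ip.ip_network("10.0.0.0/8")]
WORKSTATIONS = ip.ip_network("10.10.0.0/16")
SERVERS = ip.ip_network("10.20.0.0/16")
JUMP_BOX = ip.ip_network("10.20.0.5/32")
RDP_PORT = 3389

# Constructed allow rules: (name, source CIDR, destination CIDR, port range).
RULES = [
    ("legacy-remote-admin", "0.0.0.0/0", "10.20.1.0/24", (3389, 3389)),
    ("helpdesk", "10.10.0.0/16", "10.10.0.0/16", (3389, 3389)),
    ("ws-any-to-servers", "10.10.0.0/16", "10.20.0.0/16", (1024, 65535)),
    ("ws-to-jump", "10.10.0.0/16", "10.20.0.5/32", (3389, 3389)),
    ("jump-to-servers", "10.20.0.5/32", "10.20.0.0/16", (3389, 3389)),
    ("web", "0.0.0.0/0", "10.20.2.10/32", (443, 443)),
]

def audit_rule(name, src, dst, ports):
    """Return the list of findings for one allow rule."""
    lo, hi = ports
    if not lo <= RDP_PORT <= hi:
        return []  # rule does not permit RDP, including via a wide range
    src, dst = ip.ip_network(src), ip.ip_network(dst)
    findings = []
    # Source not wholly inside internal space: RDP reachable from the internet.
    if not any(src.subnet_of(net) for net in INTERNAL):
        findings.append("internet-exposed")
    # Workstations reaching other workstations or servers (jump box excepted).
    if src.overlaps(WORKSTATIONS):
        if dst.overlaps(WORKSTATIONS):
            findings.append("workstation-to-workstation")
        if dst.overlaps(SERVERS) and not dst.subnet_of(JUMP_BOX):
            findings.append("workstation-to-server")
    return findings

def audit(rules=RULES):
    """Map rule name -> findings, for rules that violate the guidance."""
    report = {}
    for rule in rules:
        found = audit_rule(*rule)
        if found:
            report[rule[0]] = found
    return report

if __name__ == "__main__":
    for name, found in audit().items():
        print(f"{name}: {', '.join(found)}")
```

The wide port range in the constructed "ws-any-to-servers" rule is flagged even though it never names 3389, which is the case a text search of the rule set tends to miss.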