Mitigation for Microsoft Windows Security Vulnerability – ‘BlueKeep’ (CVE-2019-0708)

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) advises Windows users to ensure their systems are patched and up to date following Microsoft’s recent disclosure of a new Remote Desktop vulnerability.

Mitigation

The Australian Cyber Security Centre advises Windows users to:

  • Patch as soon as possible
    • Microsoft patching options are available here for the following systems:
      • Windows 7 for 32-bit Systems Service Pack 1
      • Windows 7 for x64-based Systems Service Pack 1
      • Windows Server 2008 for 32-bit Systems Service Pack 2
      • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
      • Windows Server 2008 for Itanium-Based Systems Service Pack 2
      • Windows Server 2008 for x64-based Systems Service Pack 2
      • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
      • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
      • Windows Server 2008 R2 for x64-based Systems Service Pack 1
      • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Deny access to the Remote Desktop Protocol (RDP) directly from the internet
    • Block all access to RDP, and
    • Utilise a VPN with multifactor authentication, if RDP is required
  • Limit internal network machine to machine RDP
    • Apply appropriate internal network segmentation,
      • Prevent standard workstations from arbitrarily connecting to servers or other workstations over RDP (or any other unnecessary protocol), and
    • Limit RDP to servers; consider using a jump box to connect to other servers.
  • Consider enabling “Network Level Authentication” (NLA), which adds a pre-exploitation hurdle by requiring the client to authenticate before a full RDP session is established. For more information on Microsoft’s Configuration of Network Level Authentication for Remote Desktop Services Connections, see here.
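The four mitigation steps above, worked into a single host-level audit-and-apply script. This is an added example and is not part of the ACSC advisory or Microsoft’s guidance. It assumes an elevated PowerShell session, an English-language Windows install (the built-in firewall rule group is called “Remote Desktop”), and two placeholder values you must replace: the KB number Microsoft published for the host’s OS (the advisory does not list KB numbers) and the address of your jump box. It uses netsh rather than the NetSecurity module so it also runs on the Windows 7 / Server 2008 hosts the advisory lists.

```powershell
# Added example (not from the ACSC advisory). Audits and applies the BlueKeep
# mitigations on one Windows host. Run elevated. PLACEHOLDER values are
# assumptions and must be replaced before use.

# ---- 1. Patch: confirm the CVE-2019-0708 update is present -----------------
$BlueKeepKB = 'KB<PLACEHOLDER>'   # KB number for this OS, from Microsoft's advisory
$hotfix = Get-HotFix -Id $BlueKeepKB -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Host "[OK]   $BlueKeepKB installed on $($hotfix.InstalledOn)"
} else {
    Write-Warning "$BlueKeepKB not found - install the CVE-2019-0708 update first"
}

# ---- 2. Deny RDP where it is not needed ----------------------------------
# fDenyTSConnections = 1 turns the RDP listener off entirely. Set $RdpRequired
# to $false on workstations that have no business accepting RDP at all.
$RdpRequired = $true   # assumption: this host is a server that needs RDP
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if (-not $RdpRequired) {
    Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Value 1 -Type DWord
    Write-Host '[FIXED] RDP connections disabled on this host'
}

# ---- 3. Limit internal RDP to an approved jump box -----------------------
# Scope the built-in inbound "Remote Desktop" rules so only the jump box can
# reach the listener. With the default inbound policy left at Block, every
# other source (internet or LAN) is dropped without a separate deny rule.
$JumpBox = '10.0.0.10'   # PLACEHOLDER: address of your management jump host
if ($RdpRequired) {
    netsh advfirewall firewall set rule group="remote desktop" dir=in `
        new enable=yes remoteip=$JumpBox | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    Write-Host "[FIXED] Inbound RDP restricted to $JumpBox on all profiles"
}

# ---- 4. Require Network Level Authentication -----------------------------
# UserAuthentication = 1 makes the RDP-Tcp listener demand CredSSP/NLA before
# a session is set up, so an unauthenticated client never reaches the
# vulnerable code path.
$rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Write-Host '[FIXED] NLA is now required for RDP connections'
} else {
    Write-Host '[OK]   NLA already required'
}

# ---- Summary --------------------------------------------------------------
[PSCustomObject]@{
    Host           = $env:COMPUTERNAME
    PatchInstalled = [bool]$hotfix
    RdpEnabled     = ((Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections -eq 0)
    NlaRequired    = ((Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1)
} | Format-List
```

The NLA step is a hurdle, not a substitute for the patch: it only helps while the attacker has no valid credentials, so the summary object is meant to be collected across the fleet to find hosts where `PatchInstalled` is still false. The firewall step changes existing rules in place rather than adding new ones, so a later Group Policy refresh that manages the “Remote Desktop” group will override it; on domain-joined hosts, express the same scoping in the GPO instead.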

Detection

NCCGroup have developed a network detection rule that looks for potential signs of BlueKeep, pre-encryption.

For more information, see the GitHub rules here.

References

CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability

GitHub | NCCGroup network detection rules

Microsoft | Configuration for Network Level Authentication