
Automox Worklet: How to Disable Remote Desktop Protocol Connection

In a recent blog, we covered the National Security Agency (NSA) cybersecurity advisory urging all Microsoft Windows Administrators and Users to ensure they are using patched and updated systems based on the potential threats surrounding the BlueKeep vulnerability.

In that blog, we highlighted some cyber hygiene steps to help protect all impacted Windows systems against the vulnerability as organizations work to patch their systems. One step in particular, disabling Remote Desktop Services (RDS), can help stop the BlueKeep vulnerability in its tracks. By disabling unused services, security administrators reduce the attack surface their corporate infrastructure exposes to this threat.

Introducing the Automox Worklet

To help you configure and update systems using the Automox platform, we’ve created an endpoint hardening worklet that disables the remote desktop protocol connection.

An Automox worklet is an open extensible automation architecture that allows IT operations to create any custom task that they can imagine. Our tool consumes and contains these worklets within a policy that can be automated and maintained across all devices with the Automox sensor installed. These reusable units of work can be applied across any supported operating system (including Windows, Linux, and OSX) and are powered by PowerShell and Bash scripting.

How to Disable Remote Desktop Services Worklet

If a machine is unpatchable, security administrators can use this worklet as a mitigating control to protect impacted Windows systems from the BlueKeep vulnerability. This worklet can also act as a general security hardening measure on Windows devices with newer operating systems that are not vulnerable to this specific threat.

Tips for Creating an Automox Worklet

Before deploying an Automox Worklet to the production environment, we suggest testing this on a few devices to confirm its accuracy. If you have any questions, please contact our support team for technical assistance at support@automox.com.

For step-by-step instructions on creating the Worklet, see our user documentation: Create a Worklet.

Evaluation Code:

    # Define Registry Key and sub-value to evaluate
    #############################################
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
    $regProperty = "fDenyTSConnections"
    $desiredValue = '1'
    #############################################

    # Retrieve current value for comparison
    $currentValue = (Get-ItemProperty -Path $regPath -Name $regProperty).$regProperty

    # Compare current with desired and exit accordingly.
    # 0 for Compliant, 1 for Non-Compliant
    if ($currentValue -eq $desiredValue) {
        Exit 0
    } else {
        Exit 1
    }

Remediation Code:

    # Define Registry Key and sub-value to modify
    #############################################
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
    $regProperty = "fDenyTSConnections"
    $desiredValue = '1'
    #############################################

    try {
        # -ErrorAction Stop turns a failed write into a terminating error,
        # so the catch block runs and the worklet reports failure.
        Set-ItemProperty -Path $regPath -Name $regProperty -Value $desiredValue -ErrorAction Stop
        Exit 0
    } catch {
        Write-Output "Unable to update $regProperty"
        Exit 1
    }
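When testing the worklet on a few devices, a broader read-only check helps confirm the setting actually took effect. The following is an added example, not Automox's worklet code: it also reads the Group Policy copy of fDenyTSConnections and the configured RDP listener port, and checks whether anything is still listening on that port. The policy key path, the PortNumber lookup and the helper names Get-RegValue and Get-RdpExposure are assumptions of this example and do not come from the worklet above.

```powershell
# Added example: read-only audit, changes nothing on the device.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-RdpExposure {
    $tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # Assumption: Group Policy writes its copy of the setting under this key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    $local  = Get-RegValue $tsKey     'fDenyTSConnections'
    $policy = Get-RegValue $policyKey 'fDenyTSConnections'

    # A Group Policy value, when present, takes precedence over the local one.
    $effective = if ($null -ne $policy) { $policy } else { $local }

    # The listener port is configurable; fall back to the default 3389.
    $port = Get-RegValue "$tsKey\WinStations\RDP-Tcp" 'PortNumber'
    if ($null -eq $port) { $port = 3389 }

    # The .NET listener table also works on hosts without Get-NetTCPConnection.
    $listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
    $listening = @($listeners | Where-Object { $_.Port -eq $port }).Count -gt 0

    New-Object PSObject -Property @{
        LocalDeny     = $local
        PolicyDeny    = $policy
        EffectiveDeny = $effective
        Port          = $port
        Listening     = $listening
    }
}

$r = Get-RdpExposure
Write-Output ("local={0} policy={1} port={2} listening={3}" -f $r.LocalDeny, $r.PolicyDeny, $r.Port, $r.Listening)

# 0 = compliant (connections denied and nothing listening), 1 = non-compliant
if ($r.EffectiveDeny -eq 1 -and -not $r.Listening) { Exit 0 } else { Exit 1 }
```

If this check reports non-compliant right after remediation, look first for a policy value of 0 that a domain GPO keeps reapplying.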


If you have any questions, feel free to reach out to our support team for technical assistance at support@automox.com.

