Windows - Security - Mitigate CredSSP Remote Code Execution Vulnerability (CVE-2018-0886)

Configures registry settings to block CredSSP encryption oracle fallback and mitigate CVE-2018-0886

Worklet Details

What the CredSSP vulnerability mitigation does

This Automox Worklet™ hardens Windows endpoints against CVE-2018-0886, a remote code execution vulnerability in the Credential Security Support Provider (CredSSP) protocol, which Remote Desktop Protocol (RDP) with Network Level Authentication and other Windows services (for example WinRM configured for CredSSP authentication) use to authenticate and delegate credentials. An attacker positioned between client and server (man-in-the-middle) can exploit the flaw to relay the user's credentials and run code on the target system.

The Worklet implements Microsoft's recommended mitigation by configuring the AllowEncryptionOracle registry value. Setting this value to 0 (Force Updated Clients) prevents CredSSP from falling back to insecure protocol versions that attackers could exploit.

After applying this mitigation, client applications using CredSSP cannot connect to unpatched servers, and server services reject connections from unpatched clients. Deploy this Worklet only after confirming all systems in your environment have the CredSSP security update installed.

Why enforce CredSSP encryption oracle protection

CVE-2018-0886 enables credential theft through the CredSSP protocol's encryption oracle vulnerability. Attackers positioned between a client and server can intercept and relay credentials, potentially gaining unauthorized access to systems across your network.

The security update alone does not close the hole. When AllowEncryptionOracle is absent, the endpoint follows the update's built-in default: Vulnerable on the original March 2018 release and Mitigated on systems carrying the May 2018 or later CredSSP updates. Under Mitigated, client applications no longer fall back to the insecure protocol version, but services using CredSSP still accept connections from unpatched clients, so the server side stays exposed until the value is set to 0 (Force Updated Clients).

Vulnerability scanners and compliance frameworks often flag systems that lack this registry hardening. Applying this Worklet addresses those findings and completes the CVE-2018-0886 remediation process.

How CredSSP mitigation works

  1. Evaluation phase: The Worklet checks HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters for the AllowEncryptionOracle value. It verifies the value exists, equals 0, and uses DWORD type. Any deviation triggers remediation.

  2. Remediation phase: The Worklet creates the CredSSP\Parameters registry path if it does not exist, then sets the AllowEncryptionOracle value to 0 with DWORD type. This configuration enforces the Force Updated Clients policy, blocking insecure CredSSP connections.
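The two phases above, written out as PowerShell. This is an added example and not the Worklet's own script: the function names, the verbose messages and the exit-code wrapper are this example's choices, and it assumes an elevated PowerShell 3.0 or later session on the endpoint being evaluated.

```powershell
# Added example, not the Worklet's own evaluation/remediation script. Implements the two
# phases described above. Function names are this example's choices (the Worklet uses its
# own Test-Registry/Set-Registry helpers). Run in an elevated PowerShell 3.0+ session.

$CredSspKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName    = 'AllowEncryptionOracle'
$DesiredValue = 0   # Encryption Oracle Remediation: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable

function Test-CredSspOracleSetting {
    # Evaluation phase: compliant only if the value exists, is REG_DWORD and equals 0.
    # Every other state (missing key, missing value, wrong type, wrong data) is non-compliant.
    [CmdletBinding()]
    param()

    if (-not (Test-Path -LiteralPath $CredSspKey)) {
        Write-Verbose "Non-compliant: key $CredSspKey does not exist"
        return $false
    }
    $key = Get-Item -LiteralPath $CredSspKey
    if ($key.GetValueNames() -notcontains $ValueName) {
        Write-Verbose "Non-compliant: $ValueName is not set"
        return $false
    }
    $kind = $key.GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        Write-Verbose "Non-compliant: $ValueName has type $kind, expected DWord"
        return $false
    }
    $data = $key.GetValue($ValueName)
    if ($data -ne $DesiredValue) {
        Write-Verbose "Non-compliant: $ValueName is $data, expected $DesiredValue"
        return $false
    }
    Write-Verbose "Compliant: $ValueName is REG_DWORD $DesiredValue (Force Updated Clients)"
    return $true
}

function Set-CredSspOracleSetting {
    # Remediation phase: create the CredSSP\Parameters path if needed, then write the DWORD.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Test-Path -LiteralPath $CredSspKey)) {
        # -Force creates the missing intermediate keys (CredSSP and Parameters) in one call.
        New-Item -Path $CredSspKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$CredSspKey\$ValueName", "Set REG_DWORD $DesiredValue")) {
        # -Type DWord also corrects a pre-existing value stored with the wrong type (e.g. REG_SZ "0").
        Set-ItemProperty -LiteralPath $CredSspKey -Name $ValueName -Value $DesiredValue -Type DWord
    }
}

# Evaluation script body (Automox convention: exit 0 = compliant, non-zero = remediate):
#   if (Test-CredSspOracleSetting -Verbose) { exit 0 } else { exit 1 }
#
# Remediation script body: apply, then re-evaluate so the exit code reflects the real state.
#   Set-CredSspOracleSetting
#   if (Test-CredSspOracleSetting -Verbose) { exit 0 } else { exit 1 }
```

The type check matters: a value written as REG_SZ "0" by a hand-rolled script or an older GPO import passes a naive `-eq 0` comparison in PowerShell but is not what the policy engine reads, so the evaluation treats anything other than REG_DWORD as non-compliant and the remediation rewrites it with the correct type. Run `Set-CredSspOracleSetting -WhatIf` first to see the change without applying it.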

CredSSP mitigation requirements

  • Windows workstations or servers

  • PowerShell 3.0 or later

  • All CredSSP clients and servers must have security updates installed before deployment

  • Administrative privileges to modify HKEY_LOCAL_MACHINE registry

  • Restart required after remediation for changes to take effect

Expected CredSSP configuration state

After successful remediation and restart, the endpoint enforces secure CredSSP connections. Client applications using CredSSP (including Remote Desktop Connection) cannot connect to unpatched servers. Server services reject connections from clients using vulnerable protocol versions.

Verify the configuration by checking HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle, which should be REG_DWORD with value 0. If you encounter RDP connectivity issues after applying this mitigation, verify that both client and server endpoints have the CredSSP security update installed.
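To trace an RDP failure to a client/server mismatch you need the policy state on both ends. The following is an added example, not part of the Worklet: it reads and decodes AllowEncryptionOracle locally and on remote endpoints over PowerShell remoting. Hostnames are placeholders, and it assumes WinRM is reachable with the default Negotiate (Kerberos/NTLM) authentication, which does not go through CredSSP and therefore keeps working when Force Updated Clients blocks an RDP session.

```powershell
# Added example, not part of the Worklet: report the Encryption Oracle Remediation state
# on the local machine and on remote endpoints (via Invoke-Command / WinRM with default
# Negotiate authentication, which does not use CredSSP). Hostnames are placeholders.

$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

$ReadState = {
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    $data = if ($null -ne $item) { [int]$item.AllowEncryptionOracle } else { $null }

    # Decode the policy value. An absent value means the OS default applies:
    # Mitigated with the May 2018 or later CredSSP update, Vulnerable on the March 2018 release.
    if     ($null -eq $data) { $policy = 'Not set (OS default applies)' }
    elseif ($data -eq 0)     { $policy = 'Force Updated Clients' }
    elseif ($data -eq 1)     { $policy = 'Mitigated' }
    elseif ($data -eq 2)     { $policy = 'Vulnerable' }
    else                     { $policy = "Unknown ($data)" }

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        AllowEncryptionOracle = $data
        Policy                = $policy
        WorkletCompliant      = ($data -eq 0)
    }
}

function Get-CredSspOracleState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME -or $name -eq 'localhost') {
            & $ReadState $CredSspKey
        } else {
            try {
                Invoke-Command -ComputerName $name -ScriptBlock $ReadState -ArgumentList $CredSspKey -ErrorAction Stop |
                    Select-Object Computer, AllowEncryptionOracle, Policy, WorkletCompliant
            } catch {
                # Report the failure as a row instead of aborting the whole sweep.
                [pscustomobject]@{
                    Computer              = $name
                    AllowEncryptionOracle = $null
                    Policy                = "Query failed: $($_.Exception.Message)"
                    WorkletCompliant      = $false
                }
            }
        }
    }
}

# Usage: check the client you are on plus the server that refused the RDP connection
# ('rdp-server-01' is a placeholder hostname).
# Get-CredSspOracleState -ComputerName $env:COMPUTERNAME, 'rdp-server-01' | Format-Table -AutoSize
```

Read the output as a pair: a client at Force Updated Clients will be refused by any server that has not received the CredSSP security update, and a server at Force Updated Clients refuses any unpatched client, regardless of what the other side's registry says. The registry value tells you the policy; whether the update is installed is a separate check against the endpoint's installed updates.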

How to validate the CredSSP mitigation (CVE-2018-0886) changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output. The evaluation should report non-compliance while AllowEncryptionOracle is missing, stored with a non-DWORD type, or set to anything other than 0, and compliance once remediation has run.

  2. Confirm the Automox activity log shows successful completion and exit code 0.

  3. Verify endpoint state directly: read HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle and confirm it is REG_DWORD 0 after the restart, then rerun the evaluation and confirm it reports compliance.

  4. Exercise the change: from a patched client, open an RDP session to the remediated server and confirm it succeeds; a client without the CredSSP security update should be refused.

The Worklet's evaluation logic (its Test-Registry and Set-Registry helpers, with Write-Verbose reporting) checks exactly the conditions listed in step 1, so the same registry read serves as repeatable, auditable compliance evidence for change-control review.

