Reducing the Attack Surface for BlueKeep

It’s been a few months since the BlueKeep vulnerability was brought to light. This discovery shouldn’t be taken lightly as it allows a malicious user to gain unauthenticated access and the ability to perform remote code execution on Windows systems. The documentation on the vulnerability depicts that the following operating systems are vulnerable.

  • Windows XP (out-of-support)
  • Server 2003 (out-of-support)
  • Windows 7
  • Server 2008
  • Server 2008R2

In a domain environment, it is also extremely important to have an understanding of what systems are susceptible to the vulnerability. We can determine this using PowerShell by returning a list of each system’s operating system.

Get-ADComputer -Filter * -Properties * | Select-Object Name, OperatingSystem

With a better understanding, the best approach would be to patch the vulnerable systems. If the critical patch can’t be applied, mitigation measures can be used instead with PowerShell (assuming it is installed on Windows XP and Server 2003). The two areas that will be focused on are:

  • Identifying if Remote Desktop Protocol (RDP) is enabled
  • Identifying if Network-Level Authentication (NLA) is enabled

The determination of whether the Remote Desktop Protocol is enabled or not on those systems can be done by typing:

$comp = (Get-ADComputer -Filter * -Properties *).name

Invoke-Command -ComputerName $comp {(Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server').fDenyTSConnections}

Anything that returns a ‘1’ signifies that RDP is enabled. If possible, disable the service however, if that is not an option, it is recommended to whitelist IPs who need to access the system.

If seeking to disable the service, the following can be done:

$comp = (Get-ADComputer -Filter * -Properties *).name

Invoke-Command -ComputerName $comp {set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name 'fDenyTSConnections' -Value '0'}

Additionally, another approach to determining if RDP is enabled and accessible is to conduct a targeted port scan on TCP 3389. It is recognized that if the service isn’t bound to the common port, this tactic will not be effective.

$comp = (Get-ADComputer -Filter * -Properties *).name

foreach($sys in $comp){
Test-NetConnection -ComputerName $sys -Port 3389 -WarningAction SilentlyContinue| select-object RemoteAddress, TcpTestSucceeded

If it is vital for RDP to be enabled and accessible from the Internet, partial mitigation is to enable NLA. This is only partial mitigation due to a user being able to enter legitimate credentials in order to get past NLA and still exploit the system. Some protection is better than none and the determination of if it is enabled can be done with the following:

$comp = (Get-ADComputer -Filter * -Properties *).name

Invoke-Command -ComputerName $comp {(Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication}

For systems that don’t have the feature enabled, they can have it turned on by doing the following:

Invoke-Command -ComputerName wk1, wk2, wk3 {
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'UserAuthentication' -Value 1

In the end, there is no real substitute for patching a system but the following is offered:

  1. Patch!
  2. Disable RDP (if not needed) 
  3. Configure RDP properly
  4. Enable Network Level Authentication (NLA)