This worklet describes how to disable remote desktop services.
If a machine is unpatchable, security administrators can use this worklet as a mitigating control to protect impacted Windows systems from the BlueKeep vulnerability. This worklet also can act as a general security hardening on all Windows devices with newer operating systems not vulnerable to the specific threat.
To deploy this device hardening worklet, do the following:
-
Log in to your Automox console.
-
Browse to the Manage → Policies page and click Create Policy.
-
Click Worklet.
-
Click Next.
-
On the Create Worklet page, enter a name for the new worklet and select Windows.
-
Insert the Evaluation and Remediation Code (see the following scripts). The evaluation code keeps you apprised of each device’s ongoing compliance, as well as flags the device for remediation.
-
After setting a schedule, click Create Policy.
Evaluation Code
# Define Registry Key and sub-value to evaluate
#############################################
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$regProperty = "fDenyTSConnections"
$desiredValue = '1'
#############################################
# Retrieve current value for comparison
$currentValue = (Get-ItemProperty -Path $regPath -Name $regProperty).$regProperty
# Compare current with desired and exit accordingly.
# 0 for Compliant, 1 for Non-Compliant
if ($currentValue -eq $desiredValue) {
Exit 0
} else { Exit 1 }
Remediation Code
# Define Registry Key and sub-value to modify
#############################################
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$regProperty = "fDenyTSConnections"
$desiredValue = '1'
#############################################
try {
Set-ItemProperty -Path $regPath -Name $regProperty -Value $desiredValue
Exit 0
} catch {
Write-Output "Unable to update $regProperty"
Exit 1
}
Comments
0 comments
Article is closed for comments.