This worklet disables Remote Desktop Services on Windows devices.
If a machine cannot be patched, security administrators can use this worklet as a mitigating control to protect impacted Windows systems from the BlueKeep vulnerability. The worklet can also serve as general security hardening on Windows devices running newer operating systems that are not vulnerable to this specific threat.
To deploy this device hardening worklet, do the following:
- Log in to your Automox console.
- Browse to the Manage → Policies page and click Create Policy.
- Click Worklet.
- Click Next.
- On the Create Worklet page, enter a name for the new worklet and select Windows.
- Insert the Evaluation and Remediation Code (see the following scripts). The evaluation code reports each device’s ongoing compliance and flags non-compliant devices for remediation.
- After setting a schedule, click Create Policy.
Evaluation Code
```powershell
# Define Registry Key and sub-value to evaluate
#############################################
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$regProperty = "fDenyTSConnections"
$desiredValue = '1'
#############################################

# Retrieve current value for comparison
$currentValue = (Get-ItemProperty -Path $regPath -Name $regProperty).$regProperty

# Compare current with desired and exit accordingly.
# 0 for Compliant, 1 for Non-Compliant
if ($currentValue -eq $desiredValue) {
    Exit 0
} else {
    Exit 1
}
```
Remediation Code
```powershell
# Define Registry Key and sub-value to modify
#############################################
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$regProperty = "fDenyTSConnections"
$desiredValue = '1'
#############################################

try {
    # -ErrorAction Stop turns a failed write (for example, access denied)
    # into a terminating error so the catch block actually runs
    Set-ItemProperty -Path $regPath -Name $regProperty -Value $desiredValue -ErrorAction Stop
    Exit 0
} catch {
    Write-Output "Unable to update $regProperty"
    Exit 1
}
```
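A stricter evaluation script, added here as an example and not part of Automox's worklet: besides the local value, it checks the Group Policy copy of fDenyTSConnections (which takes precedence over the local value when it is set) and whether anything still listens on the configured RDP port. The policy and port registry paths and the helper Get-RegValue do not appear on the original page; the listener check is skipped on systems without Get-NetTCPConnection (older than Windows 8 / Server 2012).

```powershell
# Added example (not Automox's worklet code): stricter evaluation for the
# "disable RDP" hardening. Exit 0 = compliant, 1 = non-compliant.
$localPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$portPath    = "$localPath\WinStations\RDP-Tcp"
$regProperty = 'fDenyTSConnections'

# Hypothetical helper: returns $null when the key or value is missing
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$findings = @()

# 1. Local setting written by the remediation script
$localValue = Get-RegValue -Path $localPath -Name $regProperty
if ($localValue -ne 1) {
    $findings += "Local $regProperty is '$localValue', expected 1"
}

# 2. Group Policy value: when present it overrides the local one
$policyValue = Get-RegValue -Path $policyPath -Name $regProperty
if ($null -ne $policyValue -and $policyValue -ne 1) {
    $findings += "Group Policy sets $regProperty to '$policyValue' and overrides the local value"
}

# 3. Is anything still listening on the configured RDP port (default 3389)?
$port = Get-RegValue -Path $portPath -Name 'PortNumber'
if ($null -eq $port) { $port = 3389 }
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if ($listener) { $findings += "A listener is still bound to TCP port $port" }
}

if ($findings.Count -eq 0) {
    Write-Output 'Compliant: RDP connections are denied'
    Exit 0
}
$findings | ForEach-Object { Write-Output "Non-compliant: $_" }
Exit 1
```

If the Group Policy finding appears, the setting has to be changed in the policy itself, because the remediation script only writes the local value.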