As if there weren’t already enough reasons to make sure your patch management program is effective, a vulnerability like BlueKeep comes along and reminds us all. BlueKeep is a critical remote code-execution vulnerability in Microsoft Windows. It’s particularly nefarious because it’s wormable, meaning it can self-propagate from one machine to the next:
“The type of risks that organizations are facing are wide, just to name a few: once the exploit is in place the attacker can exfiltrate data from the RDP server, obtain credentials, disrupt the operations of the organization or use the RDP server as a jumping point to access further resources inside the company,” says Fausto Oliveira, principal security architect at Acceptto [Source].
On the list of fears when it comes to security vulnerabilities like these, the possibility of someone gaining remote access to your network should rank right at the top. What makes BlueKeep even more concerning is that it only affects older versions of Windows that may not be patched within a typical cycle of an organization’s patch management program.
BlueKeep Mitigation
What should you do?
- The first step is to ensure you are patching your machines. Microsoft released a patch that should be installed immediately.
- Make sure you have an up-to-date catalog of assets. This vulnerability only really affects environments running Windows Server 2008 R2 and earlier for servers, and Windows 7 and earlier for workstations. Knowing what machines to patch will help you understand and address your exposure.
- Run a vulnerability scan on your network, both internally and externally. A firewall blocking port 3389 at the perimeter reduces exposure from the internet, but it does not address the risk of someone exploiting this vulnerability from inside the network.
- Determine whether RDP is absolutely necessary on each system that has it enabled. If not, disable it. If so, avoid exposing it to the public internet.
- Decide whether RDP is the right method of remote-controlling your systems. There are a lot of other ways to administer systems that have more robust controls, such as using VPN or VMware Horizon.
- Review your patch management program. Is it built in such a way that this patch would have been applied in a timely manner and on the proper assets in question?
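The checklist above boils down to three questions per host: is it in the affected OS range, is RDP enabled, and is the patch installed? The PowerShell function below, an added example rather than code from the original post, answers those questions for a list of hosts and assigns a triage action. It assumes you have administrative rights and WinRM access to each host, that the hostnames shown are constructed sample values to be replaced with entries from your asset catalog, and that you substitute the placeholder `KB<placeholder>` with the KB number of Microsoft’s BlueKeep patch for the OS in question (the post does not list it).

```powershell
# Added example, not code from the original post: triage a list of Windows hosts
# against the checklist above (affected OS version? RDP enabled? patch present?).
# Assumptions: admin rights and WinRM access to each host, and $PatchKB replaced
# with the KB number of Microsoft's BlueKeep patch for your OS version.
function Get-BlueKeepExposure {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $PatchKB
    )

    foreach ($c in $ComputerName) {
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c -ErrorAction Stop

            # Windows 7 and Server 2008 R2 report kernel version 6.1; anything at or
            # below that is in the "older versions" range the checklist calls out.
            $affectedOs = ([version]$os.Version) -le [version]'6.1'

            # fDenyTSConnections = 1 means Remote Desktop is switched off on the host;
            # 0 or a missing value means it is enabled.
            $deny = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                    -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
            }
            $rdpEnabled = ($null -eq $deny) -or ($deny -eq 0)

            # Get-HotFix returns nothing when the update is not installed.
            $patched = [bool](Get-HotFix -Id $PatchKB -ComputerName $c -ErrorAction SilentlyContinue)

            # Prioritise: unpatched affected hosts with RDP on come first.
            $action = 'Not in affected OS range'
            if ($affectedOs) {
                if ($patched) {
                    $action = 'Patched'
                }
                elseif ($rdpEnabled) {
                    $action = 'PATCH NOW: affected OS, RDP enabled, patch missing'
                }
                else {
                    $action = 'Patch soon: affected OS, RDP currently disabled, patch missing'
                }
            }

            [pscustomobject]@{
                ComputerName = $c
                OS           = $os.Caption
                Version      = $os.Version
                RdpEnabled   = $rdpEnabled
                Patched      = $patched
                Action       = $action
            }
        }
        catch {
            # Unreachable hosts still belong in the report; they are gaps in your inventory.
            [pscustomobject]@{
                ComputerName = $c; OS = $null; Version = $null
                RdpEnabled = $null; Patched = $null
                Action = "Unreachable: $($_.Exception.Message)"
            }
        }
    }
}

# Usage: the hostnames are constructed sample values; feed in your asset catalog instead.
Get-BlueKeepExposure -ComputerName 'srv-legacy01', 'wks-legacy07' -PatchKB 'KB<placeholder>' |
    Sort-Object Action |
    Format-Table -AutoSize
```

Feed the function the host list from your asset catalog rather than a hand-typed array; hosts that come back “Unreachable” are worth chasing, since a machine you cannot query is also a machine you cannot confirm is patched. Cross-check the “Patched” rows against your external and internal vulnerability scan results, because the registry and hotfix queries only tell you what the host reports about itself.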
Patch management is typically the bane of many IT departments and can take a back seat to other tasks or more exciting projects. Not only is it a tedious process, but it commonly involves many exceptions, testing requirements, and possible downtime.
Managing the OS and everything associated with it (patching, AV, etc.) isn’t for everyone, and many IT departments don’t have the staff or time to do it adequately. For some businesses, it makes sense to consider using a managed services provider instead. Doing so will allow your team to focus less on BlueKeep-type emergencies, and more on strategic tasks.