Windows - Security - Mitigate HTTP/2 Rapid Reset Attack Vulnerability (CVE-2023-44487)

Disable HTTP/2 on Windows web servers to mitigate the CVE-2023-44487 Rapid Reset denial-of-service vulnerability

Worklet Details

What the HTTP/2 Rapid Reset mitigation Worklet does

This Automox Worklet™ disables HTTP/2 protocol support inside the Windows HTTP.sys kernel driver to neutralize CVE-2023-44487, the HTTP/2 Rapid Reset attack. The Worklet writes two DWORD registry values to HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters: EnableHttp2Tls and EnableHttp2Cleartext, both set to 0. HTTP.sys is the kernel-mode component that fronts Internet Information Services (IIS), the HTTP Server API, WinRM, WSUS, and any third-party application that listens through http.sys.

Once those values are in place and the endpoint reboots, http.sys advertises only HTTP/1.1 during ALPN negotiation. Clients fall back to HTTP/1.1 automatically, which is unaffected by Rapid Reset because the attack exploits HTTP/2 stream cancellation semantics. The Worklet does not modify IIS site bindings, TLS settings, or application code; the change is global to http.sys on the endpoint.

This is a stop-gap mitigation, not a patch. Microsoft has shipped fixes through the October 2023 cumulative updates and follow-on rollups for Windows Server 2012 R2, 2016, 2019, and 2022. Use this Worklet to close the exposure window on internet-facing IIS hosts while the patch policy rolls. Re-enable HTTP/2 by reverting the registry values to 1 after the cumulative update is verified installed.

Why mitigate CVE-2023-44487 before the cumulative update lands

CVE-2023-44487 abuses the HTTP/2 RST_STREAM frame to cancel requests as fast as the client can open new streams. A single TCP connection can drive thousands of request/cancel cycles per second, and the server still pays the CPU cost of header decompression, request routing, and stream accounting for each cancelled request. The disclosed attack peaked at 398 million requests per second against Google, an order of magnitude larger than any previously observed Layer 7 flood. On Windows, http.sys consumes the workload before IIS ever sees it, so kernel CPU saturates and the endpoint stops serving even HTTP/1.1 traffic from legitimate clients.

Disabling HTTP/2 in http.sys removes the attack surface in minutes. The throughput cost is real but bounded: HTTP/1.1 forces one request per connection (or serialized requests over a keep-alive socket), which raises connection counts and removes header compression. For most intranet IIS workloads that is acceptable for a few patch cycles. For high-volume public sites, pair this Worklet with a CDN or reverse proxy that terminates HTTP/2 in software unaffected by the kernel-level flood.

Applying the http.sys mitigation through a single Automox policy run replaces a coordinated registry change across every IIS host, every WSUS server, every Exchange front-end, and every internal application that listens through the HTTP Server API. The October 2023 Microsoft cumulative updates take days to roll through change control on internet-exposed tiers; the registry mitigation goes everywhere in one evaluation cycle and stays in place across reboots. Servers that come back online after a maintenance window or DR drill pick up the mitigation on their next evaluation, so a forgotten host in a branch rack does not stay exposed.

How the HTTP/2 disablement runs

  1. Evaluation phase: A Test-Registry helper opens HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters through [Microsoft.Win32.RegistryKey]::OpenBaseKey and reads EnableHttp2Tls and EnableHttp2Cleartext with GetValue. The endpoint is flagged non-compliant and exits with code 2 if the Parameters key is missing, either value is absent, either value is not 0, or either value is not a DWORD. The check is read-only and safe to run on Windows endpoints that have never hosted a web service.

  2. Remediation phase: A Set-Registry helper calls CreateSubKey on the Parameters path (creating it if necessary) and writes EnableHttp2Tls = 0 and EnableHttp2Cleartext = 0 with SetValue using RegistryValueKind DWord. The script honors 64-bit and 32-bit registry views based on [System.Environment]::Is64BitOperatingSystem. New connections negotiate HTTP/1.1 once http.sys re-reads the values, but a reboot is required to flush in-flight HTTP/2 sessions and fully apply the mitigation; pair this Worklet with the Automox reboot policy on internet-facing hosts.
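The two phases above, written out as an added PowerShell example (not the Worklet's own script): the evaluation helper opens the Parameters key read-only through OpenBaseKey in the native registry view, fails on a missing key, a missing value, a non-DWORD type or a non-zero value, and the remediation helper writes both DWORDs to 0. Function names are assumptions; the path, value names and exit codes are the ones the description gives.

```powershell
# Added example for this page, not the Automox Worklet's code; function names are assumed.
$ParametersPath = 'SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Http2Values    = @('EnableHttp2Tls', 'EnableHttp2Cleartext')

function Get-HttpParametersKey {
    param([bool]$Writable)
    # Select the native registry view on 64-bit Windows, as the Worklet does
    $view = if ([System.Environment]::Is64BitOperatingSystem) {
        [Microsoft.Win32.RegistryView]::Registry64
    } else {
        [Microsoft.Win32.RegistryView]::Registry32
    }
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    if ($Writable) { return $hklm.CreateSubKey($ParametersPath) }
    return $hklm.OpenSubKey($ParametersPath, $false)
}

function Test-Http2Disabled {
    # Read-only evaluation: $true only when both values exist, are DWORD and are 0
    $key = Get-HttpParametersKey -Writable $false
    if ($null -eq $key) { return $false }            # Parameters key missing
    try {
        foreach ($name in $Http2Values) {
            $value = $key.GetValue($name)
            if ($null -eq $value) { return $false }    # value absent
            # Wrong type (e.g. REG_SZ "0") is non-compliant; http.sys expects a DWORD
            if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return $false }
            if ($value -ne 0) { return $false }        # HTTP/2 still enabled
        }
        return $true
    } finally { $key.Close() }
}

function Disable-Http2InHttpSys {
    # Remediation: create the key if needed and write both DWORDs as 0
    $key = Get-HttpParametersKey -Writable $true
    try {
        foreach ($name in $Http2Values) {
            $key.SetValue($name, 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    } finally { $key.Close() }
}

# Evaluation entry point: exit 0 when compliant, 2 when remediation is needed.
# The remediation script would call Disable-Http2InHttpSys, then schedule the reboot.
if (Test-Http2Disabled) { exit 0 }
Write-Output 'HTTP/2 still enabled in http.sys; remediation required'
exit 2
```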

HTTP/2 Rapid Reset mitigation requirements

  • Windows Server 2012 R2, 2016, 2019, 2022, or Windows 10/11 endpoints running IIS, the HTTP Server API, or any other http.sys-backed listener

  • Local administrator context for the Automox agent (the default service account already meets this)

  • Maintenance window for a reboot, or tolerance for live HTTP/2 sessions to drain on their own

  • Awareness of any application that hard-requires HTTP/2 (gRPC over http.sys, server-push workloads); confirm fallback to HTTP/1.1 is acceptable before scoping the policy

  • FixNow compatible: trigger from the Automox console for immediate execution on a named endpoint without waiting for the next policy run

  • Plan to revert once the Microsoft cumulative update (October 2023 and later) is installed; pair with a complementary Worklet that re-enables HTTP/2 after patching

Expected http.sys state after remediation

After the Worklet runs, reg query "HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" returns EnableHttp2Tls REG_DWORD 0x0 and EnableHttp2Cleartext REG_DWORD 0x0. Once the endpoint reboots, an ALPN probe against the server shows h2 absent from the offered protocols: openssl s_client -alpn h2 -connect <host>:443 returns no ALPN extension or selects http/1.1 instead of h2. curl --http2 https://<host>/ falls back to HTTP/1.1 and reports HTTP/1.1 200 OK rather than HTTP/2 200.
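The same ALPN check from PowerShell, for hosts without openssl or curl, as an added example that is not part of the Worklet: it offers h2 and http/1.1 in that order and reports which one the server selected. It assumes PowerShell 7 (the .NET SslStream ALPN options are not in Windows PowerShell 5.1), and the host name is a placeholder.

```powershell
# Added example, not the Worklet's code. Requires PowerShell 7; host name is a placeholder.
function Get-NegotiatedAlpn {
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    # Certificate validation is bypassed only so an internal host with a self-signed
    # certificate can be probed; the check is about ALPN, not trust
    $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $trustAll)
    try {
        $opts = [System.Net.Security.SslClientAuthenticationOptions]::new()
        $opts.TargetHost = $HostName
        # Offer h2 first and http/1.1 second, the order a browser would use
        $opts.ApplicationProtocols = [System.Collections.Generic.List[System.Net.Security.SslApplicationProtocol]]::new()
        $opts.ApplicationProtocols.Add([System.Net.Security.SslApplicationProtocol]::Http2)
        $opts.ApplicationProtocols.Add([System.Net.Security.SslApplicationProtocol]::Http11)
        $ssl.AuthenticateAsClient($opts)
        # Empty string means the server sent no ALPN extension at all
        return $ssl.NegotiatedApplicationProtocol.ToString()
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

$negotiated = Get-NegotiatedAlpn -HostName 'iis-host.example.internal'
if ($negotiated -eq 'h2') {
    Write-Output 'h2 still negotiated: registry values not applied or reboot pending'
} else {
    Write-Output "Negotiated '$negotiated': HTTP/2 is disabled in http.sys"
}
```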

On subsequent Automox policy runs the evaluation phase exits 0 and the endpoint stays compliant without re-applying the registry write. The mitigation persists across reboots because the values live in the registry. If an administrator re-enables HTTP/2 manually or a configuration script flips the values back to 1, the next evaluation re-flags the endpoint and the Worklet restores the zero values.

After Microsoft's cumulative update is verified installed (KB5031361 for Server 2022 and the matching rollups for other versions), schedule the companion re-enable Worklet to flip EnableHttp2Tls and EnableHttp2Cleartext back to 1 and reboot. HTTP/2 negotiation returns, header compression and request multiplexing come back online, and the endpoint runs the patched http.sys that drops malicious RST_STREAM floods without exhausting kernel CPU.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
