
Windows - Security - Mitigate HTTP/2 Rapid Reset Attack Vulnerability (CVE-2023-44487)

Disable HTTP/2 on Windows servers to mitigate CVE-2023-44487 Rapid Reset vulnerability

Worklet Details

What the HTTP/2 Rapid Reset mitigation does

This Automox Worklet™ disables HTTP/2 protocol support on Windows endpoints by setting two critical registry values to zero. The Worklet targets the HTTP.sys driver, which handles HTTP and HTTPS connections for Internet Information Services (IIS) and other web services.

The Worklet modifies the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters by setting EnableHttp2Tls and EnableHttp2Cleartext values to 0. This disables HTTP/2 for both encrypted (TLS) and cleartext connections, effectively preventing rapid reset attacks while you deploy permanent security updates.

Microsoft lists disabling HTTP/2 in HTTP.sys as an interim workaround for hosts that cannot take the security update immediately; the permanent fix is the update itself. This Worklet automates the workaround, delivering a consistent configuration across your server fleet without manual registry editing.

Why disable HTTP/2 to prevent rapid reset attacks

CVE-2023-44487 is a denial-of-service vulnerability in the HTTP/2 protocol itself, not in any single implementation. An attacker opens many streams and immediately cancels each one with an RST_STREAM frame; because cancelled streams do not count against the server's concurrent-stream limit, the client can keep the server busy allocating and tearing down stream state far faster than the limit was designed to allow, exhausting CPU and memory on the web endpoint.

Disabling HTTP/2 removes the vulnerable code path while keeping the site reachable: HTTP.sys stops offering h2 via ALPN (and h2c in cleartext), so clients negotiate HTTP/1.1, which has no stream-reset mechanism and is unaffected. The cost is the loss of HTTP/2 multiplexing and header compression for clients until the workaround is reverted. This approach provides immediate protection while you plan and deploy official security patches from Microsoft.

For internet-facing web servers, this mitigation closes the Rapid Reset DoS vector specifically; it does not protect against other volumetric or application-layer denial-of-service techniques, so keep existing rate limiting and upstream filtering in place.

How HTTP/2 disablement works

  1. Evaluation phase: The Worklet queries the registry to check if EnableHttp2Tls and EnableHttp2Cleartext are already set to 0. If either value is missing, has a different value, or the registry path does not exist, the endpoint is flagged for remediation.

  2. Remediation phase: The Worklet creates the registry path if necessary and sets both EnableHttp2Tls and EnableHttp2Cleartext to 0 (REG_DWORD). HTTP.sys reads these parameters when the driver starts, so do not assume existing listeners have stopped offering HTTP/2 until the host has been rebooted (or, at minimum, the HTTP service and every dependent service such as W3SVC has been restarted).
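The evaluation and remediation logic described in the two steps above, written out as an added PowerShell example; this is not the Worklet's own script and does not claim to match it line for line. It assumes an elevated session and the Automox convention that an evaluation script exits 0 when the device is compliant and 1 when remediation is needed. The `-Mode` parameter is a convenience for running both halves from one file; in the platform the two halves are separate scripts.

```powershell
# Added example, not the Automox catalog script.
# Assumptions: run as local administrator; exit 0 = compliant, 1 = non-compliant
# (Automox evaluation convention). -Mode is only a convenience for this example.
param(
    [ValidateSet('Evaluate', 'Remediate')]
    [string]$Mode = 'Evaluate'
)

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Values  = @('EnableHttp2Tls', 'EnableHttp2Cleartext')

function Test-Http2Disabled {
    # $true only when the key exists and BOTH values are REG_DWORD 0.
    # A missing key, a missing value, a non-zero value, or a value of the wrong
    # type (e.g. REG_SZ "0", which HTTP.sys will not honour) all fail the check.
    if (-not (Test-Path -Path $RegPath)) { return $false }
    $key = Get-Item -Path $RegPath
    foreach ($name in $Values) {
        $current = $key.GetValue($name)
        if ($null -eq $current) { return $false }
        if ($key.GetValueKind($name) -ne 'DWord') { return $false }
        if ([int]$current -ne 0) { return $false }
    }
    return $true
}

function Disable-Http2 {
    # Create the key if it is absent, then force both values to DWORD 0.
    # New-ItemProperty -Force overwrites an existing value and corrects its type.
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    foreach ($name in $Values) {
        New-ItemProperty -Path $RegPath -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

switch ($Mode) {
    'Evaluate' {
        if (Test-Http2Disabled) {
            Write-Output 'Compliant: HTTP/2 is disabled in HTTP.sys parameters.'
            exit 0
        }
        Write-Output 'Non-compliant: HTTP/2 still enabled (or values missing/mistyped).'
        exit 1
    }
    'Remediate' {
        Disable-Http2
        if (-not (Test-Http2Disabled)) {
            Write-Error 'Failed to set EnableHttp2Tls/EnableHttp2Cleartext to DWORD 0.'
            exit 1
        }
        Write-Output 'Registry updated. Reboot so HTTP.sys reloads its parameters.'
        exit 0
    }
}
```

Run `.\Disable-Http2.ps1 -Mode Evaluate` first; on an untouched Windows Server 2016+ host it exits 1 because the values are absent (HTTP/2 is on by default when they are missing), and after `-Mode Remediate` plus a reboot it exits 0. The type check matters: a value created by hand as a string will pass a naive `-eq 0` comparison in PowerShell but is ignored by the driver.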

HTTP/2 mitigation requirements

  • Windows Server 2012 R2 or later. Note that HTTP.sys only gained HTTP/2 support in Windows Server 2016 (IIS 10), so on 2012 R2 the values are written but change nothing; the hosts that actually need the mitigation are Windows Server 2016, 2019 and 2022.

  • Local administrator privileges on the endpoint

  • IIS, HTTP API, or other HTTP.sys-dependent services. The Worklet is safe to run on hosts with no HTTP.sys listeners; the values are simply in place if a web role is added later.

  • Reboot recommended after remediation to allow all web services to restart

  • FixNow compatible, so the change can be pushed on demand during a maintenance window rather than waiting for the next scheduled policy run.

Expected state after HTTP/2 remediation

After the Worklet runs successfully, the EnableHttp2Tls and EnableHttp2Cleartext registry values will be set to 0 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters. Web services will no longer accept HTTP/2 connections and will automatically negotiate HTTP/1.1 instead.

Your endpoints remain protected against CVE-2023-44487 until you deploy Microsoft's official security patches. Installing the update does not by itself remove the registry values, so re-enabling HTTP/2 is a deliberate follow-up step: set EnableHttp2Tls and EnableHttp2Cleartext back to 1 (or delete them, which restores the default of HTTP/2 enabled) and reboot. Once the patch is in place the Worklet can be retired or kept as a documented rollback point.

How to validate the HTTP/2 Rapid Reset (CVE-2023-44487) mitigation

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output; a host that has never been mitigated should be reported as non-compliant.

  2. Confirm the Automox activity log shows successful completion of the remediation with exit code 0.

  3. Reboot the pilot host, then read back EnableHttp2Tls and EnableHttp2Cleartext under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters (for example with Get-ItemProperty) and confirm both are REG_DWORD values equal to 0.

  4. Confirm the change is effective on the wire, not just in the registry: a client that offers h2 via ALPN (for example curl.exe --http2) should now be served over HTTP/1.1. Finally rerun the evaluation to confirm compliance.
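A post-remediation validation script for steps 3 and 4 above, and a rollback helper for the re-enable step described under "Expected state after HTTP/2 remediation", as an added example; this is not the Worklet's or Microsoft's code. It assumes a rebooted host, that curl.exe (bundled with Windows Server 2019+ and Windows 10 1803+) is on PATH, and that `$Url` is replaced with a real HTTPS binding served by HTTP.sys on this server (the localhost value is a placeholder). `-k` disables certificate verification for the loopback test only.

```powershell
# Added example, not from the Automox catalog.
# Assumptions: host already rebooted after remediation; curl.exe on PATH;
# $Url is a placeholder for a real HTTPS site bound in HTTP.sys on this host.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Url     = 'https://localhost/'   # placeholder, replace with a real binding

function Get-Http2RegistryState {
    # Returns one object per value with its data and registry type, so a
    # reviewer can spot a missing value or a REG_SZ "0" at a glance.
    $key = Get-Item -Path $RegPath -ErrorAction Stop
    foreach ($name in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
        $val = $key.GetValue($name)
        [pscustomobject]@{
            Name  = $name
            Value = if ($null -eq $val) { 'missing' } else { $val }
            Type  = if ($null -eq $val) { 'missing' } else { $key.GetValueKind($name).ToString() }
        }
    }
}

function Test-Http2Negotiated {
    param([string]$Target)
    # Offer HTTP/2 via ALPN and report the version the server actually used.
    # curl's %{http_version} prints "2" for HTTP/2 and "1.1" for HTTP/1.1.
    # Expected after a successful mitigation and reboot: "1.1".
    $negotiated = & curl.exe -sS -k -o NUL --http2 -w '%{http_version}' $Target
    if ($LASTEXITCODE -ne 0) {
        throw "curl.exe failed with exit code $LASTEXITCODE for $Target"
    }
    return $negotiated.Trim()
}

function Restore-Http2 {
    # Rollback after the Microsoft update is installed: deleting the values
    # restores the HTTP.sys default (HTTP/2 enabled). Reboot afterwards.
    foreach ($name in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
        Remove-ItemProperty -Path $RegPath -Name $name -ErrorAction SilentlyContinue
    }
    Write-Output 'HTTP/2 registry overrides removed. Reboot to re-enable HTTP/2.'
}

# --- Validation run ---
Get-Http2RegistryState | Format-Table -AutoSize

$version = Test-Http2Negotiated -Target $Url
if ($version -eq '2') {
    Write-Warning "$Url still negotiated HTTP/2: reboot pending or values not applied."
} else {
    Write-Output "$Url negotiated HTTP/$version: HTTP/2 is disabled on the wire."
}
# Restore-Http2   # uncomment only after the security update is confirmed installed
```

The wire check is the one that matters: the registry readback only proves the values were written, whereas a server that still answers `2` after a reboot means the values were not picked up (wrong hive, wrong type, or a non-HTTP.sys listener such as a reverse proxy in front of the host, which this registry change does not affect).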


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
