Instance is constantly restarting with "bluescreen" error?

0

Hello, as of probably about a week or longer, my instance has been restarting itself at least once a day. The error "Problem Event Name" says it is a "bluescreen".

I have not made any large changes to any of the content on the server. This just seemed to start happening.

The instance is:
i-a81f7ba3

Any help would be appreciated!
Thanks

asked 4 years ago, 1047 views
3 Answers
0

This last time that it happened I did not run or start any programs, I left it as it was after it rebooted, and it rebooted again with the bluescreen error, so I assume it is something on your end.

answered 4 years ago
0

Hi Chris,

I understand that your instance is constantly restarting with a bluescreen error. We have recently observed this happening with Windows Server 2008 R2 instances with port 3389 open to the internet in the instance security group and lots of bugcheck codes 0x3B or 0xA present in the EC2 Console log.

If your instance is Windows Server 2008 R2, I would suggest reviewing the System event logs of your instance (Select your instance > Actions > Instance settings > get system logs) and checking whether either of these bugchecks is reported: 0x3B or 0xA. Also, check if the RDP port 3389 is open from all sources (0.0.0.0/0) in the security group attached to your instance.

If you find the above symptoms in your instance, then this indicates the root cause of the issue is most likely a Windows vulnerability, "CVE-2019-0708", in termdd.sys, which causes a BSOD with 0x3B and 0xA bugcheck codes.

I want to inform you that there is a known Remote Desktop Services remote code execution vulnerability that is impacting Windows Server 2008 R2 with the RDP port open to 0.0.0.0/0 and makes it crash frequently. Kindly refer to the documentation below for more information on the Remote Desktop Services remote code execution vulnerability. To mitigate the issue, kindly follow the steps in the workaround and solution section below.
[+] https://github.com/fourtwizzy/CVE-2019-0708-Check-Device-Patch-Status
[+] Remote Desktop Services Remote Code Execution Vulnerability: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Workaround:

1. Allowing incoming traffic to TCP port 3389 and some other ports from Anywhere leaves your instance vulnerable to such attacks. In particular, this attack is directed at the RDP port (TCP 3389). Therefore, we recommend that you immediately lock down the port(s) by editing your security group rules to only allow traffic from specific sources, i.e., the IP or CIDR blocks of your client.

2. After completing step 1, please apply the Windows update for CVE-2019-0708 on your instance. We strongly recommend updating and patching the instance as soon as possible.
Install the Monthly Rollup and security update for "Windows Server 2008 R2 for x64-based Systems Service Pack 1" from the link below.
[+] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
Note: Please create a backup of your instance using an AMI before making any changes.

I would recommend that you perform the above steps and hope you find this information helpful.

Regards,
AyushiAtAWS

answered 4 years ago
0

Ok thanks for the reply!

I have done what you said and only allow my IP when I log in via the Remote Desktop program. So far the server has been stable.

Also, from reading other posts, I also stopped and started my server so that my server hopefully migrated to another set of hardware, as some people said they had issues with random crashes and this apparently solved the issue for them.

answered 4 years ago
