Why RDS Hardening and Hardening RDP are a Must
Windows Remote Desktop Service (RDS) in Microsoft Windows allows users to control a remote computer or virtual machine over a network using the Remote Desktop Protocol (RDP). To secure this access, it’s crucial to implement strong passwords to prevent brute force attacks and unauthorized access.
Beyond strong passwords, you should employ a range of security measures to protect your remote desktop environment. This process, known as RDS hardening, involves steps like enabling Network Level Authentication (NLA), using two-factor authentication, and regularly updating your software. By hardening RDS, you create a robust defense against potential attackers, ensuring your remote connections remain secure and reliable. The best approach for this task is using automation tools that promise a secure infrastructure with minimal effort invested and minimal chances for outages.
This guide will explain:
- Windows RDP key components
- RDP common vulnerabilities
- 10 rules you must implement to ensure RDP security
- An automated approach for RDP hardening
Windows RDP key components
The Terminal Server is the server component of Terminal Services. It authenticates clients and makes the applications a user is entitled to use available remotely. It is the key component of RDS and listens on TCP port 3389.
The Remote Desktop Gateway service component can tunnel the RDP session through an HTTPS channel. This increases the security of RDS by encapsulating the session in Transport Layer Security (TLS). It also allows RDP clients to connect over the Internet.
Once a client initiates a connection and is informed that the terminal services stack has been invoked successfully on the server, it loads the device drivers as well as the keyboard and mouse drivers.
RDP Vulnerabilities
RDP Clipboard Vulnerability
Microsoft’s clipboard-sharing channel, supporting various data formats like CF_HDROP for the “Copy & Paste” feature, allows clients to effortlessly transfer files between computers. Failing to prevent malicious files via this feature exposes the client to a potential path traversal attack. The server can drop malicious files in arbitrary paths on the client’s computer, relying solely on the client’s approval for protection. Since the client doesn’t need to verify received files from the RDP server, detecting such attacks becomes nearly impossible.
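The defence the paragraph above points at (and which rule 3 below revisits) is that the client, not the server, must decide where a received file may land. This added example, not code from the original article, shows a path-containment check a file-receiving client could apply to a server-supplied CF_HDROP name before writing it; the download directory and the sample names are constructed.

```powershell
# Added example (not from the original article): reject server-supplied file paths
# that would escape the directory the client intends to write into.
function Test-PathInsideRoot {
    param(
        [Parameter(Mandatory)][string]$Root,          # directory the client will write into
        [Parameter(Mandatory)][string]$RelativePath   # file name/path as received from the server
    )
    # Absolute, drive-relative (\foo) and UNC (\\srv\share) paths are never acceptable.
    if ([System.IO.Path]::IsPathRooted($RelativePath)) { return $false }

    # Normalise the root so that a prefix comparison cannot match a sibling
    # such as C:\Users\Alice\Downloads-evil.
    $rootFull = [System.IO.Path]::GetFullPath($Root)
    if (-not $rootFull.EndsWith([System.IO.Path]::DirectorySeparatorChar)) {
        $rootFull += [System.IO.Path]::DirectorySeparatorChar
    }

    # GetFullPath collapses ".." segments, so a traversal sequence resolves to
    # wherever it really points; only then is the prefix check meaningful.
    $candidate = [System.IO.Path]::GetFullPath(
        [System.IO.Path]::Combine($rootFull, $RelativePath))
    return $candidate.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)
}

# Constructed sample inputs: two legitimate names and three traversal attempts.
$downloadDir = 'C:\Users\Alice\Downloads'
$samples = @(
    'report.docx',
    'sub\..\notes.txt',
    '..\..\Windows\evil.exe',
    'C:\Windows\System32\evil.dll',
    '\evil.exe'
)
foreach ($name in $samples) {
    $verdict = if (Test-PathInsideRoot -Root $downloadDir -RelativePath $name) { 'accept' } else { 'REJECT' }
    '{0,-32} -> {1}' -f $name, $verdict
}
```

The first two names resolve inside the download directory and are accepted; the remaining three are rejected because they are rooted or resolve outside it after normalisation.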
BlueKeep Vulnerability
BlueKeep’s root cause lies in a Use After Free (UAF) condition within the RDP kernel driver, termdd.sys. An unauthenticated attacker can exploit it remotely by opening an RDP connection to a remote computer (channel MS_T210) and sending specially crafted data. This leads to the driver attempting to use memory that was meant to be discarded.
BlueKeep is an extremely critical problem for three main reasons:
- There's no need for any authentication in order to execute arbitrary code and take control of the targeted computer. Any remote attacker can attack your computer just by sending specially crafted requests to the device's RDS via the RDP with zero interaction with the user.
- An attacker can execute any arbitrary code once the targeted system is under his control.
- Being a 'wormable' vulnerability, once a computer gets infected, the entire network can get infected really fast.
DejaBlue Vulnerability
How to Secure RDP
While Remote Desktop offers enhanced security compared to unencrypted remote administration tools like VNC, granting remote Administrator access introduces potential risks. The following guidelines aim to enhance the security of Remote Desktop access for both supported desktops and servers:
1. Require user authentication for remote connections by using Network Level Authentication (NLA) – Enabled
POLICY DESCRIPTION:
Enable this policy setting to require user authentication for remote connections to the RD Session Host server using Network Level Authentication (NLA). This enhances security by ensuring authentication occurs earlier in the connection process. When this setting is enabled, only client computers that support NLA can connect. To check if a client supports NLA, open Remote Desktop Connection, click the icon in the upper-left corner, and select “About” to see if “Network Level Authentication supported” is listed. If you disable or do not configure this setting, NLA is not required. You can also require NLA through the Remote Desktop Session Host Configuration tool or the Remote tab in System Properties.
POTENTIAL VULNERABILITY:
If this setting is not Enabled, you are exposed to the BlueKeep vulnerability and any remote attacker will be able to attack your computer (see above).
2. Do not allow client printer redirection- Enabled
POLICY DESCRIPTION:
Enable this policy setting to prevent the mapping of client printers in Remote Desktop Services sessions. This stops users from redirecting print jobs from the remote computer to a local printer. By default, Remote Desktop Services allows client printer mapping. If you disable this setting, users can redirect print jobs. If not configured, client printer mapping isn’t specified at the Group Policy level, but an administrator can still disable it using the Remote Desktop Session Host Configuration tool.
POTENTIAL VULNERABILITY:
Printers installed in company networks have no security by default. In the worst case, most printers provide full administrative access until the network administrator reconfigures the network, which happens only once in a while. This results in serious threats and misuse of data, creating a platform for attacking all the systems connected to the network. Therefore, unsecured multi-functional printers that can be accessed by a remote user create a threat that can be utilized by spies or hackers.
3. Do not allow clipboard redirection- Enabled
POLICY DESCRIPTION:
Enable this policy setting to prevent clipboard sharing between a remote computer and a client computer during Remote Desktop Services sessions. By default, clipboard redirection is allowed. When enabled, users cannot redirect clipboard data. If disabled, clipboard redirection is always allowed. If not configured, clipboard redirection isn’t specified at the Group Policy level, but an administrator can still disable it using the Remote Desktop Session Host Configuration tool.
POTENTIAL VULNERABILITY:
Microsoft’s clipboard sharing channel supports several data formats, such as CF_HDROP, which enables the “Copy & Paste” feature. This allows users to copy files between computers. If the client fails to block malicious files, they become vulnerable to path traversal attacks. The server can drop malicious files in arbitrary paths on the client’s computer. The client’s approval of the files is the only protection against this vulnerability. Since clients don’t verify files from the RDP server, detecting such attacks is nearly impossible.
4. Do not allow COM port redirection- Enabled
POLICY DESCRIPTION:
Prevents data redirection to client COM ports from the remote computer in a Remote Desktop Services session, blocking users from redirecting data to COM port peripherals or mapping local COM ports during the session. By default, COM port redirection is allowed. When enabled, it disables COM port redirection. When disabled, it allows redirection. When not configured, it defers to the Remote Desktop Session Host Configuration tool settings.
POTENTIAL VULNERABILITY:
When this setting is Disabled or Not Configured, an attacker can redirect potentially harmful data from the remote computer or terminal server to client COM ports. The attacker can also map a local COM port while logged on to the RDS session.
5. Do not allow drive redirection- Enabled
POLICY DESCRIPTION:
Specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in Windows Explorer or Computer in the format <driveletter> on <computername>. You can use this setting to override this behavior. If the status is set to Enabled, client drive redirection is not allowed in Remote Desktop Services sessions. If the status is set to Disabled, client drive redirection is always allowed. If the status is set to Not Configured, client drive redirection is not specified at the Group Policy level. However, an administrator can still disable the client drive redirection by using the Remote Desktop Session Host Configuration tool.
POTENTIAL VULNERABILITY:
Preventing users from sharing the local drives on their client computers to Remote Session Hosts that they access helps reduce possible exposure of sensitive data. An attacker can leverage this function in order to forward data from the user's Terminal Server session to the user's local computer without any direct user interaction.
6. Do not allow LPT port redirection– Enabled
POLICY DESCRIPTION:
Specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows this LPT port redirection. If the status is set to Enabled, users in a Remote Desktop Services session cannot redirect server data to the local LPT port. If the status is set to Disabled, LPT port redirection is always allowed. If the status is set to Not Configured, LPT port redirection is not specified at the Group Policy level. However, an administrator can still disable local LPT port redirection using the Remote Desktop Session Host Configuration tool.
POTENTIAL VULNERABILITY:
If this setting is Disabled or Not Configured, an attacker can leverage it to map the client's LPT ports. In addition, the port can be used to redirect data from the Terminal Server to the local LPT ports.
7. Do not allow passwords to be saved- Enabled
POLICY DESCRIPTION:
Controls whether passwords can be saved on this computer from Remote Desktop Connection. If you enable this setting, the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves their settings, any password that previously existed in the RDP file will be deleted. If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
POTENTIAL VULNERABILITY:
Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system.
This can be a security hazard, especially if you share the computer you are using to log onto the remote computer.
8. Do not allow supported Plug and Play device redirection- Enabled
POLICY DESCRIPTION:
This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services allows redirection of supported Plug and Play devices. Users can use the "More" option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer. If you disable this policy setting or do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Note: You can also disallow redirection of supported Plug and Play devices on the Client Settings tab in the Remote Desktop Session Host Configuration tool. You can disallow redirection of specific types of supported Plug and Play devices by using the "Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions" policy settings.
POTENTIAL VULNERABILITY:
The goal of RemoteFX USB device redirection is to let the user use any device they want. But leaving Plug and Play device redirection enabled or unconfigured can be leveraged for RemoteFX redirection attacks, in which a rogue USB device can harm an RDP server. To mitigate unwanted RemoteFX USB redirection, 'Do not allow supported Plug and Play device redirection' needs to be configured to Enabled.
9. Set time limit for disconnected sessions- 5 minutes
10. Set time limit for active but idle Remote Desktop Services sessions- 24 hours
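The ten rules above each map to one policy-backed registry value under the Terminal Services policy key. This added example, which is not CalCom's tooling or code from the original article, audits a host against those ten values read-only; the value names are the ones the corresponding Group Policy settings write, and the two time limits are expressed in milliseconds as the policy stores them.

```powershell
# Added example (not CalCom's tooling): read-only audit of the ten RDP hardening
# rules against the policy registry key. Run in an elevated PowerShell on the host.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Rule number -> (policy-backed value name, required data).
$expected = [ordered]@{
    'UserAuthentication'    = 1           # 1.  Require NLA
    'fDisableCpm'           = 1           # 2.  No client printer redirection
    'fDisableClip'          = 1           # 3.  No clipboard redirection
    'fDisableCcm'           = 1           # 4.  No COM port redirection
    'fDisableCdm'           = 1           # 5.  No drive redirection
    'fDisableLPT'           = 1           # 6.  No LPT port redirection
    'DisablePasswordSaving' = 1           # 7.  No saved passwords (client-side policy)
    'fDisablePNPRedir'      = 1           # 8.  No Plug and Play device redirection
    'MaxDisconnectionTime'  = 300000      # 9.  Disconnected sessions end after 5 min
    'MaxIdleTime'           = 86400000    # 10. Idle sessions end after 24 h
}

function Get-RdpHardeningReport {
    param(
        [string]$Key = $policyKey,
        [System.Collections.IDictionary]$Rules = $expected
    )
    # A missing key or value means the setting is "Not Configured" at GPO level.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Rules.Keys) {
        $actual = $null
        if ($props -and $props.PSObject.Properties[$name]) { $actual = $props.$name }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Rules[$name]
            Actual    = if ($null -eq $actual) { 'Not Configured' } else { $actual }
            Compliant = ($actual -eq $Rules[$name])
        }
    }
}

$report = Get-RdpHardeningReport
$report | Format-Table -AutoSize
'{0} of {1} rules compliant' -f ($report | Where-Object Compliant).Count, $report.Count
```

This reports only what Group Policy has written; a setting applied through the Remote Desktop Session Host Configuration tool, which several of the policy descriptions mention as an alternative, is stored under the RDP-Tcp WinStation key instead and will show here as Not Configured.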
RDP Hardening without breaking production
To enhance your RDP security there are several best practices you can employ to protect your remote environment. Testing configurations in a lab environment before implementation is crucial to prevent potential production damage. The manual nature of policy establishment and implementation often results in a lengthy and cumbersome process.
The CalCom Hardening Suite (CHS) automates the entire hardening process to secure remote desktop by learning your production environment and assessing the impact of configuration changes. It removes the necessity for testing in a lab environment before policy implementation. CHS enables centralized control of the entire hardening process, preventing configuration drifts. It ensures continuous compliance and adaptability to system or policy changes, effectively restricting access.