RDP and RDS Essential Hardening Guide

Ben Balkin
Updated on: March 19, 2026
Windows Remote Desktop Services (RDS) lets users control a computer or virtual machine over a network using the Remote Desktop Protocol (RDP). Because RDP endpoints are routinely scanned and brute-forced, the starting point for securing this access is strong, unique passwords backed by an account lockout policy; everything else in this guide builds on that.

What You Will Learn

  • Why you must harden RDS and RDP
  • Windows RDP key components
  • RDP common vulnerabilities
  • RDP security rules to enforce through Group Policy
  • Automating RDP hardening

Why You Must Harden RDS and RDP

Strong passwords alone are not enough; a remote desktop environment needs a set of complementary controls. This process, known as RDS hardening, includes enabling Network Level Authentication (NLA), adding multi-factor authentication, restricting the session's redirection channels, and patching the RDS stack promptly.

By hardening RDS, you create a robust defense against potential attackers, ensuring your remote connections remain secure and reliable. The best approach for this task is to utilize automation tools that provide a secure infrastructure with minimal effort and reduced chances of outages.

Windows RDP key components

The Terminal Server (today called the Remote Desktop Session Host) is the server component of Terminal Services. It authenticates clients and makes desktops and applications available to them remotely. It is the core component of RDS and by default listens on TCP port 3389; since Windows 8 and Windows Server 2012 the same port is also used over UDP for the faster RDP 8 transport, so firewall rules should cover both. Moving the listener to another port hides it from casual scans but is not a security control.

The Remote Desktop Gateway role tunnels RDP sessions inside an HTTPS channel on TCP 443. This improves security by wrapping the session in Transport Layer Security (TLS) and by letting clients on the Internet reach internal session hosts without port 3389 ever being exposed; authentication, including multi-factor authentication, can then be enforced at the gateway.

Once a client connects and the server reports that its terminal services stack is running, the two sides set up the session's virtual channels: display, keyboard and mouse, and the optional redirection channels (clipboard, drives, printers, COM and LPT ports, Plug and Play devices) that most of the rules in this guide restrict.

RDP Vulnerabilities

Let’s look at three key vulnerabilities.

RDP Clipboard

Microsoft's clipboard-sharing channel supports several data formats, including CF_HDROP, which carries the file list behind the copy-and-paste of files between the two computers. The file names in that list are supplied by the remote side. If the client does not validate them, a malicious or compromised server can return names containing path traversal sequences, so that when the user pastes, the client writes the attacker's files to arbitrary paths on the local machine (a startup folder, for example). The user's paste is the only "approval" involved: there is no prompt and the client performs no check on the received paths, so the attack leaves almost no trace. Microsoft fixed the path check in the Windows client in 2019; for unpatched or third-party clients, the reliable defence is to disable clipboard redirection, as covered below.

BlueKeep

BlueKeep (CVE-2019-0708) is a Use-After-Free (UAF) in the kernel-mode RDP driver, termdd.sys. An unauthenticated attacker triggers it by opening an RDP connection and binding a static virtual channel named MS_T120, which the driver already uses internally, then sending crafted data that makes the driver use memory it has already freed. It affects Windows 7, Windows Server 2008 and 2008 R2, and the out-of-support Windows XP and Server 2003; Windows 8 and later are not affected. BlueKeep is critical for three reasons:

  1. No authentication is required. Any attacker who can reach the RDS listener can compromise the machine with crafted requests and without any user interaction.
  2. The bug is in a kernel driver, so successful exploitation gives the attacker code execution in kernel mode, i.e. full control of the system.
  3. It is 'wormable': an infected machine can scan for and infect other vulnerable hosts automatically, so one exposed system can compromise a whole network.

DejaBlue

DejaBlue is a set of critical remote code execution flaws in Microsoft's Remote Desktop Services (RDS), disclosed in August 2019 under CVE-2019-1181 and CVE-2019-1182. Unlike BlueKeep, it affects the newer RDS stack: Windows 7 SP1, Windows 8.1 and Windows 10, and Windows Server 2008 R2 through 2019 (Windows XP, Server 2003 and Server 2008 are not affected). DejaBlue is also pre-authentication and 'wormable', meaning it can spread between vulnerable systems without user interaction.

BlueKeep and DejaBlue allow unauthenticated attackers to execute code remotely and spread across a network with no user interaction. The fix for both is the vendor patch; NLA blocks the pre-authentication path (an attacker then needs valid credentials first) and the GPO controls below shrink the remaining attack surface. Download the RDS Hardening Guide for the GPO controls, NLA enforcement requirements and redirection policies.
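
As an added example (not part of the original article and not CalCom's tooling), the following PowerShell script inventories where the exposure described above actually exists in a fleet: which hosts answer on TCP 3389, whether their RDP-Tcp listener requires NLA, which security layer it negotiates, and whether the OS belongs to the Windows 7 / Server 2008 R2 generation that BlueKeep targets. The host names are placeholders; the script assumes WinRM/CIM access as a local administrator on each target, and it does not check patch status, which has to be verified separately.

```powershell
# Added example, not from the article: fleet inventory of RDP exposure.
# Assumes WinRM/CIM access as a local administrator on each target. Host names are placeholders.
param(
    [string[]]$ComputerName = @('srv-app-01', 'srv-rds-02', 'ws-finance-07')
)

function Get-RdpExposure {
    param([Parameter(Mandatory)][string]$Computer)

    $r = [ordered]@{
        Computer      = $Computer
        Port3389Open  = $false
        NlaRequired   = $null
        SecurityLayer = $null
        OsVersion     = $null
        LegacyOs      = $null   # $true for the Windows 7 / Server 2008 R2 generation and older
        Error         = $null
    }

    # Plain TCP connect to the default RDP port; UDP 3389 (RDP 8 transport) is not probed here.
    $tnc = Test-NetConnection -ComputerName $Computer -Port 3389 -WarningAction SilentlyContinue
    $r.Port3389Open = [bool]$tnc.TcpTestSucceeded

    try {
        $cim = New-CimSession -ComputerName $Computer -ErrorAction Stop

        # Effective RDP-Tcp listener settings: what is actually enforced, whether from GPO or local config.
        $ts = Get-CimInstance -CimSession $cim -Namespace 'root/cimv2/TerminalServices' `
                -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
        $r.NlaRequired   = ($ts.UserAuthenticationRequired -eq 1)
        # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required
        $r.SecurityLayer = switch ([int]$ts.SecurityLayer) { 0 { 'RDP' } 1 { 'Negotiate' } 2 { 'TLS' } default { "$_" } }

        # OS generation: kernel version below 6.2 (Windows 8 / Server 2012) is the BlueKeep-affected family.
        $os = Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem -ErrorAction Stop
        $r.OsVersion = $os.Version
        $r.LegacyOs  = ([version]$os.Version -lt [version]'6.2')

        Remove-CimSession -CimSession $cim
    }
    catch {
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

$report = foreach ($c in $ComputerName) { Get-RdpExposure -Computer $c }

# Highest risk first: RDP reachable, NLA not required, and a pre-Windows 8 OS.
# Patch status is not checked here; a legacy host that is patched is a finding to verify, not a confirmed hole.
$report |
    Sort-Object -Property @{ Expression = { [int]($_.Port3389Open -and -not $_.NlaRequired -and $_.LegacyOs) }; Descending = $true } |
    Format-Table Computer, Port3389Open, NlaRequired, SecurityLayer, OsVersion, LegacyOs, Error -AutoSize
```

Run it from an administrative workstation that can reach the targets over WinRM; hosts that answer on 3389 but cannot be queried show up with an Error value, which is itself worth following up, since an RDP listener you cannot manage is one you cannot harden.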

How to Secure RDP

While Remote Desktop offers enhanced security compared to unencrypted remote administration tools like VNC, granting remote Administrator access introduces potential risks. The following guidelines aim to improve the security of Remote Desktop access for both supported desktops and servers:

1. Require user authentication for remote connections by using Network Level Authentication (NLA) – Enabled

POLICY DESCRIPTION

Enable this policy setting to require user authentication for remote connections to the RD Session Host server using Network Level Authentication (NLA). With NLA the user is authenticated (over CredSSP) before a session and its RDS stack are created on the server, instead of after the logon screen has already been served to an anonymous client. When this setting is enabled, only client computers that support NLA can connect. To check if a client supports NLA, open Remote Desktop Connection, click the icon in the upper-left corner, and select "About" to see if "Network Level Authentication supported" is listed. If you disable or do not configure this setting, NLA is not required. You can also require NLA through the Remote Desktop Session Host Configuration tool (Windows Server 2008 R2) or the Remote tab in System Properties.

POTENTIAL VULNERABILITY

Without NLA, anyone who can reach port 3389 is talking to the full RDS stack before proving who they are. That is exactly the position BlueKeep and DejaBlue exploit (see above), and it also hands attackers a pre-authentication path to the logon screen for credential guessing. NLA is a mitigation, not a fix: it blocks unauthenticated exploitation, but an attacker holding valid credentials can still reach the vulnerable code on an unpatched host, so the patch is still required.

2. Do not allow client printer redirection – Enabled

POLICY DESCRIPTION

Enable this policy setting to prevent the mapping of client printers in Remote Desktop Services sessions. This stops users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Remote Desktop Services allows client printer mapping. If you disable this setting, users can redirect print jobs. If not configured, client printer mapping is not specified at the Group Policy level, but an administrator can still disable it using the Remote Desktop Session Host Configuration tool.

POTENTIAL VULNERABILITY

A redirected printer is a one-way channel out of the session: anything a user or an attacker on the session host can print can be captured on the client side, including by print-to-file or PDF "printers", so it bypasses the controls you place on the session host's own data. The session host also has to load a driver for each redirected printer, so client printers expand the server's attack surface unless the Remote Desktop Easy Print driver is enforced.

3. Do not allow clipboard redirection – Enabled

POLICY DESCRIPTION

Specifies whether to prevent the sharing of clipboard contents (clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. You can use this setting to prevent users from redirecting clipboard data between the remote computer and the local computer. By default, Remote Desktop Services allows clipboard redirection. If the status is set to Enabled, users cannot redirect clipboard data. If the status is set to Disabled, Remote Desktop Services always allows clipboard redirection. If the status is set to Not Configured, clipboard redirection is not specified at the Group Policy level. However, an administrator can still disable clipboard redirection using the Remote Desktop Session Host Configuration tool.

POTENTIAL VULNERABILITY

The clipboard channel carries files as well as text (see the RDP Clipboard section above). A malicious or compromised server can supply file names containing path traversal sequences, and an unpatched client will write those files to arbitrary locations on the user's machine the moment the user pastes, with no prompt and no validation of the received paths. In the other direction, the same channel lets anything running in the session copy data to the user's local clipboard, which makes it a quiet exfiltration route. Disabling clipboard redirection removes both problems at the cost of convenience; if a business process depends on it, allow it on specific hosts rather than globally.

4. Do not allow COM port redirection – Enabled

POLICY DESCRIPTION

Specifies whether to prevent data redirection to client COM ports from the remote computer in a Remote Desktop Services session. Enabling it stops users from redirecting data to COM port peripherals or mapping local COM ports during the session. By default, COM port redirection is allowed. If the status is set to Enabled, COM port redirection is blocked. If it is set to Disabled, COM port redirection is always allowed. If it is set to Not Configured, the setting is left to the Remote Desktop Session Host Configuration tool.

POTENTIAL VULNERABILITY

When the setting is Disabled or Not Configured, a compromised session host (or an attacker logged in to a session) can push data to serial devices attached to the client, such as modems, industrial controllers or smart-card readers, and can map the client's local COM ports from inside the session. Few sessions legitimately need serial devices, so the channel is almost pure attack surface.

5. Do not allow drive redirection – Enabled

POLICY DESCRIPTION

Specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session's folder tree in Windows Explorer or Computer in the format <driveletter> on <computername>. You can use this setting to override this behavior. If the status is set to Enabled, client drive redirection is not allowed in Remote Desktop Services sessions. If the status is set to Disabled, client drive redirection is always allowed. If the status is set to Not Configured, client drive redirection is not specified at the Group Policy level. However, an administrator can still disable client drive redirection by using the Remote Desktop Session Host Configuration tool.

POTENTIAL VULNERABILITY

A redirected drive is the user's local disk, reachable from the session as the \\tsclient\<driveletter> share with the user's own rights. Malware or an attacker on the session host can read, write and encrypt those files without any further user interaction; this is how data leaves a session host and how ransomware hops from a compromised server back to workstations. Blocking drive redirection reduces that exposure in both directions.

6. Do not allow LPT port redirection – Enabled

POLICY DESCRIPTION

Specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows this LPT port redirection. If the status is set to Enabled, users in a Remote Desktop Services session cannot redirect server data to the local LPT port. If the status is set to Disabled, LPT port redirection is always allowed. If the status is set to Not Configured, LPT port redirection is not specified at the Group Policy level. However, an administrator can still disable local LPT port redirection using the Remote Desktop Session Host Configuration tool.

POTENTIAL VULNERABILITY

If the setting is Disabled or Not Configured, an attacker in the session can map the client's LPT ports and use them to push data from the session host to the client's local parallel-port devices. Like COM ports, this is a channel almost no modern workload needs.

7. Do not allow passwords to be saved – Enabled

POLICY DESCRIPTION

Controls whether passwords can be saved on this computer from Remote Desktop Connection. If you enable this setting, the password-saving checkbox in Remote Desktop Connection is disabled and users can no longer save passwords. When a user opens an RDP file using Remote Desktop Connection and saves their settings, any password already stored in the RDP file is deleted. If you disable this setting or leave it not configured, the user can save passwords using Remote Desktop Connection. Note that this is a client-side policy: apply it to the machines people connect from, not only to the session hosts.

POTENTIAL VULNERABILITY

A saved password lets anyone who obtains the user's Windows session, or the stored credential blob, open a remote desktop session to the target system as that user, so a compromised or shared workstation turns into a compromised server. Saved RDP credentials are also a well-known target for credential-harvesting tooling.

In environments that fall under PCI DSS scope, uncontrolled RDP access and saved credentials are typical findings under Requirement 8 (identification and authentication) in a QSA audit. See how PCI DSS maps to RDS hardening controls and what auditors look for.

8. Do not allow supported Plug and Play device redirection – Enabled

POLICY DESCRIPTION

This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services allows redirection of supported Plug and Play devices. Users can use the "More" option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer.

If you disable or do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Note: You can also disallow redirection of supported Plug and Play devices on the Client Settings tab in the Remote Desktop Session Host Configuration tool. You can disallow redirection of specific types of supported Plug and Play devices by using the Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings.

POTENTIAL VULNERABILITY

Device redirection exists so that users can bring their own hardware into the session, but every redirected device is parsed by driver code on the session host. RemoteFX USB redirection goes further and forwards raw USB traffic, so a rogue or malformed USB device plugged into the client is effectively plugged into the server and can attack its driver stack. Enable this setting to stop Plug and Play redirection through the RDP device channel; RemoteFX USB redirection is governed by its own client-side policy (Allow RDP redirection of other supported RemoteFX USB devices from this computer), which should stay disabled as well.

9. Set Time Limits

  • Set time limit for disconnected sessions – 5 minutes.
  • Set time limit for active but idle Remote Desktop Services sessions – 24 hours

Both settings live under Remote Desktop Session Host > Session Time Limits. Ending disconnected sessions quickly stops a forgotten session from remaining a live, authenticated foothold on the server; it also means unsaved work in a dropped session is lost, so test the value with your users. Treat the idle limit as an upper bound: common hardening baselines such as the CIS benchmarks use idle limits of 15 minutes or less.

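The rules above are all Group Policy settings, and each one is backed by a single registry value under the computer-side policy key. The following PowerShell script, added here as an example and not part of the article or of CalCom's product, reads those values on the local machine, reports which rule is not yet enforced, and with -Apply writes the expected values and aligns the RDP-Tcp listener's NLA flag. It assumes it runs elevated on the session host (the password-saving rule is a client-side policy and is included for machines that are also used as RDP clients) and uses the 5-minute and 24-hour time limits listed above. On a domain-joined host a domain GPO with different values will overwrite these at the next refresh, so the production route is the domain GPO; test in a lab first, as the next section recommends.

```powershell
# Added example, not from the article or CalCom's product: audit (and optionally enforce) the registry
# values behind the Group Policy rules above on the local machine. Run in an elevated PowerShell.
param([switch]$Apply)

# Computer-side policy key written by the Remote Desktop Services administrative templates.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Desired state: policy value name -> expected DWORD. 1 means the "Do not allow ..." policy is Enabled.
# Session time limits are stored in milliseconds; 5 minutes and 24 hours are the values the article uses.
$Desired = [ordered]@{
    UserAuthentication    = 1                    # Require NLA for remote connections
    fDisableCpm           = 1                    # Do not allow client printer redirection
    fDisableClip          = 1                    # Do not allow clipboard redirection
    fDisableCcm           = 1                    # Do not allow COM port redirection
    fDisableCdm           = 1                    # Do not allow drive redirection
    fDisableLPT           = 1                    # Do not allow LPT port redirection
    DisablePasswordSaving = 1                    # Do not allow passwords to be saved (client-side policy, same key)
    fDisablePNPRedir      = 1                    # Do not allow supported Plug and Play device redirection
    MaxDisconnectionTime  = 5 * 60 * 1000        # End disconnected sessions after 5 minutes
    MaxIdleTime           = 24 * 60 * 60 * 1000  # End active-but-idle sessions after 24 hours
}

function Get-RdpPolicyDrift {
    param([System.Collections.IDictionary]$Expected, [string]$Key)
    $current = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    foreach ($name in $Expected.Keys) {
        # A value that is absent from the policy key is "Not Configured" at the Group Policy level.
        $actual = if ($null -ne $current -and $null -ne $current.$name) { $current.$name } else { 'Not Configured' }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Expected[$name])
        }
    }
}

$drift = Get-RdpPolicyDrift -Expected $Desired -Key $PolicyKey
$drift | Format-Table -AutoSize

if ($Apply) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($row in ($drift | Where-Object { -not $_.Compliant })) {
        New-ItemProperty -Path $PolicyKey -Name $row.Setting -Value $row.Expected -PropertyType DWord -Force | Out-Null
        Write-Host "Set $($row.Setting) = $($row.Expected)"
    }

    # NLA also has a per-listener flag outside the policy key; make the effective RDP-Tcp listener match.
    $listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
                -Filter "TerminalName='RDP-Tcp'"
    if ($listener.UserAuthenticationRequired -ne 1) {
        Invoke-CimMethod -InputObject $listener -MethodName SetUserAuthenticationRequired `
            -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
        Write-Host 'RDP-Tcp listener now requires NLA'
    }
}
```

Saved as, say, Audit-RdpPolicy.ps1 (a name chosen here, not from the article), running it without parameters only reports drift, which is safe to do on production hosts; -Apply changes the machine and disconnects any user who relies on a redirection you are turning off, so schedule it. Existing sessions keep the redirections they negotiated at connect time; the new values apply to sessions created afterwards.
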
Key Takeaways

  • RDS is a high-value target
  • Misconfigurations amplify exposure
  • Authentication is critical
  • Group Policy is your frontline defense
  • Automation ensures consistency

RDP Hardening without breaking production

To enhance your RDP security, several best practices can be employed to protect your remote environment. Testing configurations in a lab environment before implementation is crucial to prevent potential damage in production. The manual nature of policy establishment and implementation often results in a lengthy and cumbersome process.

The CalCom Hardening Suite (CHS) automates the entire hardening process to secure the remote desktop, learning from your production environment and assessing the impact of configuration changes. It removes the necessity for testing in a lab environment before policy implementation. CHS enables centralized control of the entire hardening process, preventing configuration drift. It ensures continuous compliance and adaptability to system or policy changes, effectively restricting access.


FAQs

What is RDS hardening?
It’s the process of securing Windows Remote Desktop Services by reducing misconfigurations and vulnerabilities through policies and best practices.
Why is RDS a common attack vector?
Because RDP is widely used for remote access, making it a frequent target for exploits like BlueKeep, DejaBlue, and misused redirection features.
What settings should be disabled for security?
Clipboard redirection, client printer redirection, and unused device redirection should be turned off to reduce attack surfaces.
How does Network Level Authentication (NLA) improve security?
NLA requires users to authenticate before establishing an RDP session, preventing unauthorized access attempts.
Can RDS hardening be automated?
Yes, automation tools like CalCom Hardening Suite (CHS) enforce secure baselines, reduce manual errors, and simplify compliance.
Ben Balkin
Ben Balkin is a professional writer and blogger specializing in technology and innovation. As a contributor to the Calcom blog, Ben shares practical insights, useful tips, and engaging articles designed to simplify complex processes and make advanced technological solutions accessible to everyone. His writing style is clear, insightful, and inspiring, reflecting his strong belief in technology's power to enhance quality of life and empower businesses.
