“Do not allow COM port redirection” is a Remote Desktop Services security setting recommended by the CIS Benchmarks and DISA STIGs for Windows Server. A COM port is an I/O interface that connects a serial device to a computer; COM ports are also referred to as “serial ports”. Most computers are no longer equipped with physical COM ports, but many serial devices are still used on networks, and “COM port” covers emulated ports as well, such as those created by Bluetooth or USB-to-serial adapters.
What You Will Learn
- What this policy is
- What the policy’s vulnerabilities are
- What countermeasures are available
- How to mitigate the vulnerability
- How to configure the policy
What is the Do Not Allow COM Port Redirection Policy
This server hardening policy setting determines whether the redirection of data to client COM ports from the remote computer is allowed in a Remote Desktop Services session. By default (Not Configured), RDP allows COM port redirection; this is what lets, for example, a USB-to-serial dongle plugged into the client appear as a COM port inside the RDS session.
Policy Vulnerabilities
When the policy is not enabled, users can map their local COM ports into a Remote Desktop Services session, so data flows between a client-side serial device and the server inside the RDP connection.
As stated by MITRE ATT&CK, port redirection can lead to protocol tunneling, technique T1572 (Protocol Tunneling): “Adversaries may tunnel network communication to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable the routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.”
Available Countermeasures
Enable this policy setting wherever possible. If it is set to Disabled, Remote Desktop Services always allows COM port redirection. If it is set to Not Configured, COM port redirection is not specified at the Group Policy level; on older servers an administrator could still disable it with the Remote Desktop Session Host Configuration tool, but that tool was removed in Windows Server 2012, so on current versions the Group Policy setting is the control to rely on.
POTENTIAL IMPACT
RDP users will not be able to reach their client’s COM port peripherals, such as USB-to-serial dongles and Bluetooth serial devices, from within the session. Serial devices attached to the server itself are not affected.
CALCOM’S RECOMMENDED VALUE
Enabled
Configuring: Do not allow COM port redirection
1. Press Windows Logo+R, type gpedit.msc, and press Enter. (On a domain-joined server, edit the relevant GPO in the Group Policy Management Console instead; the path below is the same.)

2. Click the arrow next to Computer Configuration under Local Computer Policy to expand it.

3. Click the arrow next to Administrative Templates to expand it.

4. Expand Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection. (Alternatively, click All Settings and scroll to the setting by name.)

5. Double-click Do not allow COM port redirection to open the setting.

6. Select Enabled and click OK. (Not Configured leaves the decision to other tools, and Disabled forces redirection on, so neither is acceptable.)

7. Run gpupdate /force, or wait for the next policy refresh, and confirm the applied value with gpresult /h report.html or rsop.msc.
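The same setting can be audited and enforced from PowerShell, which is more practical across a fleet of session hosts than clicking through gpedit.msc. The script below is an added example and is not code from the original article or from CalCom. It reads and writes the registry value that the “Do not allow COM port redirection” policy itself writes (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, DWORD fDisableCcm, where 1 means Enabled); the function names are the author’s own, and the script assumes it is run elevated on the RD Session Host.

```powershell
# Added example, not code from the original article or from CalCom.
# Audits, and optionally enforces, "Do not allow COM port redirection"
# through the registry value the Group Policy setting writes.
# Run in an elevated PowerShell session on the RD Session Host.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'fDisableCcm'   # DWORD; 1 = policy Enabled (redirection blocked)

function Test-ComPortRedirectionPolicy {
    [CmdletBinding()]
    param()

    $current = $null
    if (Test-Path -Path $PolicyKey) {
        # Missing value: Get-ItemProperty returns nothing and $current stays $null
        $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = [int]$item.$ValueName }
    }

    # Map the raw value to the three states the policy can be in.
    if ($current -eq 1)     { $state = 'Enabled: COM port redirection is blocked' }
    elseif ($current -eq 0) { $state = 'Disabled: COM port redirection is always allowed' }
    else                    { $state = 'Not Configured: no policy value present' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RegistryPath = "$PolicyKey\$ValueName"
        Value        = $current
        State        = $state
        Compliant    = ($current -eq 1)
    }
}

function Set-ComPortRedirectionPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # The Policies\...\Terminal Services key does not exist until some policy creates it.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Set DWORD value to 1')) {
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
    }
}

# Audit first, remediate only if needed. Remove -WhatIf to actually write the value.
$before = Test-ComPortRedirectionPolicy
$before | Format-List

if (-not $before.Compliant) {
    Set-ComPortRedirectionPolicy -WhatIf
    Test-ComPortRedirectionPolicy | Format-List
}
```

On a domain-joined host a domain GPO rewrites this value at every policy refresh, so a direct registry write is fine for auditing but will not stick as a fix; set it in the GPO instead, for example with the GroupPolicy module’s Set-GPRegistryValue (`Set-GPRegistryValue -Name 'RDS Hardening' -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ValueName fDisableCcm -Type DWord -Value 1`, where the GPO name is hypothetical). A value of 1 in this key is also what CIS-style compliance scanners look for when they check this setting.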

Key Takeaways
- RDP is a common attack vector.
- Hackers exploit misconfigured RDP installations.
- Port redirection can lead to protocol tunneling.
- The best countermeasure is to disable this functionality.
- Use Group Policy as your frontline defense.
CalCom’s RDP Hardening Solution
Attackers actively exploit weak RDS configurations, turning simple missteps into full-scale breaches. CalCom hardening solution (CHS) is a hardening automation tool designed to help IT infrastructure teams automate hardening procedures. With CHS, you can automatically enforce secure RDS policies, eliminate misconfigurations, and maintain compliance with CIS Benchmarks, PCI DSS, HIPAA, and more—without disrupting operations.