Server hardening can be a painful procedure. If you’re reading this article, you probably already know it. Endless hours, labor and money are invested in this process, which can often result in production breakdown despite the effort to prevent it. CSH by CalCom is automating the entire server hardening process. CHS’s unique ability to ‘learn’ your network abolishes the need to perform lab testing while ensuring zero outages to your production environment. CHS will allow you to implement your policy directly on your production hassle-free. want to know more? Click here and get the datasheet.
This blog post will cover:
- Plug and play device policy description.
- The potential vulnerability in plug and play devices.
- Countermeasures.
- The potential impact of policy change on your production.
- The recommended value for this setting.
- How to configure plug and play devices setting.
POLICY DESCRIPTION:
This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services allows redirection of supported Plug and Play devices. Users can use the “More” option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer. If you disable this policy setting or do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Note: You can also disallow redirection of supported Plug and Play devices on the Client Settings tab in the Remote Desktop Session Host Configuration tool. You can disallow redirection of specific types of supported Plug and Play devices by using the “Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions” policy settings.
POTENTIAL VULNERABILITY:
RemoteFX USB device redirection goal is to enable the user to use any device he wants. But, leaving Plug and Play device redirection enabled or unconfigured can be leveraged for RemoteFX redirection attacks, in which a rogue USB can harm an RDP server. In order to mitigate unwanted RemotetFX USB redirection, 'Do not allow supported Plug and Play device redirection' in the RDP needs to be configured to enable.
COUNTERMEASURES:
Enable 'Do not allow supported Plug and Play device redirection'.
POTENTIAL IMPACT:
Users won't be able to use remote devices. That may lead to damage in production for applications that rely on this ability.
CALCOM’S RECOMMENDED VALUE:
Enable
HOW TO CONFIGURE:
Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection “Do not allow supported Plug and Play device redirection” to “Enabled”.
