RDP Security / Hardening
-
Sorry if this is long-winded, I'll try to be as clear and succinct as possible.
Following a security audit we're trying to implement some additional security with regards to the administrative RDP access on our fleet of Windows servers. At the moment I've hit a roadblock trying to limit the number of simultaneous / concurrent sessions. Many of us have run into the issue of Windows servers allowing a default of 2 RDP sessions and 1 console session at the same time. I'm trying to lock that down to 1 interactive logon at a time and none of the settings I'm finding online seem to be having the proper effect.
So far I've tried:
- updating the MaxInstanceCount reg entry to 1
- using a GPO to set "Limit number of connections" and "Restrict Remote Desktop Services users to a single Remote Desktop Services session"
-- It looks like this is only leveraged for the full RDP Session Host role, if it's installed. It doesn't seem to have any impact on the administrative RDP access
So:
Question 1: Is what I'm trying to do possible?
Question 2: Does anyone have a link / article / instructions on how to make it happen?
Thanks in advance
-
@notverypunny said in RDP Security / Hardening:
Many of us have run into the issue of Windows servers allowing a default of 2 RDP sessions and 1 console session at the same time.
That's a very minor risk compared to all of the other things to worry about. What's the concern here? Comparatively, Linux is "unlimited" access by default and it's not considered to be any risk at all.
-
@notverypunny said in RDP Security / Hardening:
Question 1: Is what I'm trying to do possible?
Question 0: Is what you are trying useful?
Start there, likely it is possible. But use the effort to look at things that matter more. If someone CAN access your system, that's the concern. Not that they can access it WHILE you can still access it.
-
@scottalanmiller said in RDP Security / Hardening:
@notverypunny said in RDP Security / Hardening:
Question 1: Is what I'm trying to do possible?
Question 0: Is what you are trying useful?
Start there, likely it is possible. But use the effort to look at things that matter more. If someone CAN access your system, that's the concern. Not that they can access it WHILE you can still access it.
Fair point. Just went back through the audit report and can't find that as a recommendation so I don't know how that got on my list of things to lock down. I'll have to discuss with the boss 'cause there are some of the recommended hardening procedures that I'm not sure are a good idea, at least as a base-line across the board.
Thoughts on RDP restricted admin mode and disabling WDigest?
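An added, read-only PowerShell audit (not written by anyone in this thread) that reports the session-limit values the original post tried to set, plus the Restricted Admin and WDigest settings asked about here. The "expected" values are an assumption matching that goal (one session, NLA on, Restricted Admin on, WDigest plaintext caching off); run it elevated on the server being checked.

```powershell
# Read-only audit of the RDP settings discussed in this thread. Changes nothing.
# Assumption: run in an elevated PowerShell session on the server under review.
# Note: when a policy value exists under HKLM:\SOFTWARE\Policies it overrides the
# per-listener value under WinStations\RDP-Tcp, so both are reported.

$checks = @(
    @{ Name  = 'Policy: Limit number of connections'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Value = 'MaxInstanceCount';        Want = 1 },
    @{ Name  = 'Policy: Restrict users to a single session'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Value = 'fSingleSessionPerUser';   Want = 1 },
    @{ Name  = 'Listener: MaxInstanceCount on RDP-Tcp'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Value = 'MaxInstanceCount';        Want = 1 },
    @{ Name  = 'Listener: Network Level Authentication required'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Value = 'UserAuthentication';      Want = 1 },
    @{ Name  = 'LSA: Restricted Admin mode enabled (DisableRestrictedAdmin = 0)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'DisableRestrictedAdmin';  Want = 0 },
    @{ Name  = 'WDigest: plaintext credential caching off (UseLogonCredential = 0)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential';      Want = 0 }
)

foreach ($c in $checks) {
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    # A missing value is reported as-is: whether "not set" is safe depends on the
    # OS version (e.g. WDigest defaults differ before and after 2012 R2).
    $actual = if ($null -ne $item) { $item.($c.Value) } else { '<not set>' }
    $state  = if ("$actual" -eq "$($c.Want)") { 'OK' } else { 'REVIEW' }
    '{0,-7} {1}: actual={2} expected={3}' -f $state, $c.Name, $actual, $c.Want
}

# Interactive sessions currently in the Active state (console + RDP), so the
# configured limit can be compared with what the box is actually allowing.
$active = @(qwinsta 2>$null | Select-String -Pattern '\sActive\s').Count
"Active interactive sessions right now: $active"
```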
-
Let's start with understanding the need. Why is RDP open at all? Is it only open to the LAN, or is it open to the world? Is there RDS, or only RDP? Is this tied to AD or some other larger exposure?
-
First question is: multiple logins by the domain administrator account? or different users with domain admin privileges?
If giving everyone a shortcut with /admin is not an option, then....
If the former......
Not sure if this will have an effect on your specific scenario, but it has worked for us. Note: This is old school. But, indeed, a tool that should have never been removed! (In my opinion)
The caveat is that this is no longer included with 2012 and newer. You have to copy some files and two registry keys from an existing 2008 server.
We use this tool all the time, so copying the files and making the reg entries is something we do to every new server that may eventually allow RDP access.
We keep a zipped file in our ScreenConnect Toolbox just for this.
Here's a shot of what we change:
And here is a link with instructions on how to make the old manager work on new servers:
http://woshub.com/how-to-run-tsadmin-msc-and-tsconfig-msc-snap-ins-on-windows-server-2012-rds/
-
@scottalanmiller said in RDP Security / Hardening:
Let's start with understanding the need. Why is RDP open at all? Is it only open to the LAN, or is it open to the world?
Yeah that is a much bigger concern than simultaneous connections.