This document lists all security risks related to the Remote Desktop Protocol (RDP) that you should take into account when dealing with RDS infrastructure.
It also describes the RDS security best practices and hardening options you should implement to successfully secure your RDS deployment.
[RDS /Remote Desktop Services] Lesson 1 : Security Risks & Best Practices You Should Know
1. Remote Desktop Services Security Risks & Best Practices You Should Know
RDS Free Training
Module 1 : Security Risks & Best Practices
By Hicham KADIRI
January 12, 2019
A K&K Group Company
2. Contoso Ltd.
About me
Microsoft MVP
• Windows Expert-IT Pro (2014-2015)
• Cloud and Datacenter Management (2016)
• Enterprise Mobility /RDS (2017)
• CDCM /Azure (2018)
Founder
@BecomeITExpert.com
Co-Founder
@K&K Group
Think {Cloud /DevOps /Security}
IT Author (+10 eBooks)
• RDS 2012 R2 and 2016 Pocket Consultant
• RDS & OS Security & Hardening guide
• Azure CLI 2.0 Pocket Consultant
• GPO, PowerShell, AppLocker …
Lead Cloud Architect /Az Expert
• Working for several large companies and international groups including Thales, Areva, Rabobank, Gemalto, Vinci, CE, BP…etc
IT Blogger
• hichamkadiri.wordpress.com
• AskTheCloudExpert.wordpress.com
• ~2 million views ☺
/hicham_kadiri
/in/hichamkadiri
TechNet Contributor (Top 0.5%)
• MTFC (Microsoft Technical French Contributor)
• MCC (Microsoft Community Contributor)
Hicham KADIRI (aka #HK)
3. Document Objectives
• RDP/RDS : Presentation
• RDS Components
• RDS Architecture : High Level Picture
• Is RDP a secure protocol ?
• Security Risks related to RDP Protocol
• Security measures you should implement
• PenTest your RDS environment
• Appendix : RDS Security & Hardening Guide
5. RDP/RDS : What is it ?
• The Remote Desktop Protocol (aka RDP) is a proprietary protocol developed by Microsoft that is used to provide a graphical means of connecting to a network-connected computer.
• RDP is essentially a protocol for dangling your keyboard, mouse and a display for others to use. As you might expect, a juicy protocol like this has a variety of knobs used to control its security capabilities, including controlling user authentication, what encryption is used, and more.
• Formerly TSE (Terminal Services), RDS (Remote Desktop Services) is a native role in Windows Server 2008, 2012/2012 R2, 2016 and 2019. It is a set of services that enable one or more users to simultaneously access (via the RDP protocol) published applications (RemoteApp programs), Windows desktops (Remote Desktop sessions) or virtual desktops (VDI), either via the local corporate network or the Internet.
#HK
7. RDS Components
• The RDS solution consists of 6 role services:
• Remote Desktop Session Host (RDSH) : allows you to manage (accept) multiple Remote Desktop connections simultaneously.
• Remote Desktop Virtualization Host (RDVH) : the RDVH server integrates with Microsoft Hyper-V to distribute virtual desktops (virtual machines) on demand. The RDVH role service represents the Microsoft VDI infrastructure.
• Remote Desktop License Server (RDLS) : this role manages the installation and distribution of all RDS CALs (Per-User & Per-Device).
• Remote Desktop Connection Broker (RDCB) : manages load balancing and RD Session reconnection.
• Remote Desktop Gateway (RDG) : the RDG acts as an RDP firewall for all external remote desktop users. The RDG uses only HTTPS/443 flows and encapsulates RDP over HTTPS to secure communication.
• Remote Desktop Web Access (RDWA) : this is the RDS Web Access portal that allows you to publish your internal RDS resources and distribute them through a web portal.
9. RDS Architecture : High Level Picture
• In a standard RDS Windows Server architecture (from 2008 R2 to 2019), the components mentioned above are deployed as shown in the figure below :
11. Is RDP a Secure Protocol ?
• The default RDP configuration leaves it vulnerable to several attacks when enabled; there are, however, some security improvements introduced in newer RDS Windows Server versions.
• By default, several attacks are possible :
• Denial of Service (DoS) Attack
• Man-in-the-Middle (MiTM) Attack
• Brute-Force Attack
• …
• Refer to the next slides for more information about all risks related to the RDP protocol.
13. Security Risks Related to RDP Protocol
When dealing with the RDP protocol, there are (by default) several vulnerabilities and security risks you should know and take into account :
• RDS Exposed on the Internet
• Man-in-the-Middle (MiTM)
• Encryption Attack
• Denial of Service (DoS) Attack
• Dumping Password Hashes
• RDS Misconfiguration
• Ransomware
• Brute-Force Attack
• Risks related to an RDSH “Shared Mode” Environment (Shared RDS Collection)
• Keylogging
• …
14. Security Risk #1 : RDP Exposed on the Internet
• There is no need to expose the Remote Desktop service to the Internet; doing so enables untrusted users on the Internet to attempt connections. Worse still, malicious Internet-based attackers could carry out brute-force attacks against the service. By default, the first account an attacker would try is ‘Administrator’, which is not usually configured with an account lockout.
• If a password is guessed successfully, the resulting access could have substantial repercussions for your organization and facilitate further attacks against trusted or connected infrastructure.
15. Security Risk #2 : Man-in-the-Middle (MiTM) Attack
• Although the Remote Desktop service provides data encryption between the client and server by default, it doesn’t provide authentication for verifying the identity of the Terminal/RDSH Server. This lack of identity verification allows a malicious person, by carrying out other nefarious activities, to intercept all communications sent between a client and a Terminal Server.
• The likelihood of this type of attack depends on a hacker’s ability to control connections between the client and the Terminal Server. Typically, this requires the criminal to perform other attacks such as ARP (Address Resolution Protocol) spoofing or DNS (Domain Name System) spoofing, which redirect connections to the attacker prior to sending the data to the legitimate server.
16. Security Risk #3 : Encryption Attack
• By default, the Remote Desktop service uses an encryption setting of Client Compatible (medium). This level of encryption encrypts data sent between the client and the server at the maximum key strength supported by the client. It’s generally used in an environment containing mixed or earlier-version clients.
• The medium setting may facilitate the use of weak encryption which could be decrypted in a reasonable time-frame and lead to the disclosure of sensitive information.
17. Security Risk #4 : Denial of Service (DoS) Attack
• Terminal Servers which support Network Level Authentication (NLA) but do not have it configured present a risk. NLA forces the client computer to present user credentials for authentication before the server will create a session for that user.
• As session creation is relatively resource intensive, NLA provides a layer of defense against Denial of Service attacks, whereby a malicious user makes repeated connections to the service to prevent its legitimate use by others.
18. Security Risk #5 : Dumping Password Hashes
• You have to ensure that Remote Desktop users are never “Local Administrators” on the RDSHs. Since an RDSH is a shared server (used by different kinds of users), there is a significant security risk if one or several RD users have local admin rights. Indeed, they can run a password-hash dumping tool to dump the password hashes of the other remote desktop users connected to the same server.
• An AppLocker policy must also be defined to avoid any risk related to the use of a password-hash dumping tool like Mimikatz.
19. Security Risk #6 : RDS Misconfiguration
• All RDSH servers must be hardened and locked down to avoid any risk related to RDS misconfiguration.
• RDSH hardening must be “enforced” using Group Policy settings.
20. Security Risk #7 : Ransomware
• Ransomware attacks are getting more targeted to be more effective, and one of the primary attack vectors is the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, an option to remotely control a PC. And with the currently available software, it almost feels as if you were actually sitting behind that PC, which is what makes it so dangerous.
• Again, all RDSH servers must be locked down to avoid any security risk related to ransomware execution.
21. Security Risk #8 : Brute-Force Attack
• RDP becomes vulnerable to brute-force attacks when weak passwords are used.
• It’s recommended to define and enforce a strong password policy for all Remote Desktop users that connect to your RDS Collection.
• It’s also recommended to limit the number of remote desktop users and never leave « unlimited » connections on RDSH servers and the RD Gateway.
22. Security Risk #9 : RDS Collection in “Shared Mode”
• When you deploy a new RDS infrastructure, a new RDS Collection is (by default) automatically created.
• Most IT teams keep this RDS Collection with the default settings and configure it to allow all remote desktop users, from different departments, to connect to the same shared environment.
• This RDS Collection is often used to host all kinds of applications (HR, Finance, IT…etc); there is no isolation at the application level. Indeed, all apps are hosted in a “shared” environment/RD Session Host servers.
• This allows lateral movement attacks !!
• Recommendation
• Always create a dedicated RDS Collection to isolate the different application environments.
23. Security Risk #10 : Keylogging
• A keylogger is a piece of malicious software, usually called "spyware" or "malware", that records every keystroke you make on a keyboard.
• To avoid any risk related to the use of a keylogger tool, AppLocker rules must be defined and applied to all RD Session Host servers.
• Recommendation
• AppLocker rules must be defined and configured to white-list RemoteApps based on their hash thumbprint.
25. Security Measures You Should Implement
To mitigate risks related to the RDP protocol, connections and communications, the following security features and mechanisms should be implemented :
• Enable HA (High Availability) for all RDS role services : RDSH/RDCB/RDWA/RDG/RDLS, and also for the SQL Server used for RDCB DB HA.
• Create a dedicated RDS Session Collection per customer and for each published app.
• Deploy an RDG (Remote Desktop Gateway) for all external remote desktop users.
• Enable MFA (or 2FA) for all remote (external) desktop users. You can use Azure MFA Server if you are an Azure AD Premium P1 customer.
• Enable NLA (Network Level Authentication) on all RDS Session Collections.
• Force high-level encryption for all RDP communication (128-bit encryption).
• Force the use of the TLS layer on all RDS Session Collections : TLS authentication for all RDSHs.
• Define and apply an AppLocker policy on all RD Session Host servers.
• Define a strong password & lockout policy for all remote desktop users (using GPO).
• Change the default RDP port.
• If possible, remote desktop devices must be hardened (restrict local resource redirection from the MSTSC.exe client).
• Set the maximum number of allowed remote desktop sessions (in the RDS Collection and RD Gateway properties).
• All remote desktop connection logs must be centrally stored and analyzed regularly.
26. Security Measure #1 : Enable HA for All RDS Role Services
• All RD components/role services must be highly available; this includes :
• RD Session Host : at least two RDSH servers must be part of the dedicated RDS Session Collection
• RD Connection Broker : at least two RDCB servers must be deployed and configured in HA mode (a SQL Server instance is required)
• RD Web Access : at least two RD Web Access servers must be deployed and configured behind a load balancer
• RD Gateway : at least two RD Gateway servers must be deployed and configured in HA mode and behind a load balancer
• RD Licensing Server : at least two RD Licensing Servers must be deployed and configured in HA mode
27. Security Measure #2 : Create a Dedicated RDS Collection per Apps Group/Apps Type
• First, you have to list all your published apps (RemoteApps).
• Then, you have to create a category list of your apps : HR apps, Finance apps, Admin apps…
• Each apps group must be published and distributed through a dedicated RDS Session Collection (dedicated RDSH servers).
• RD Web Access & RD Gateway can be shared by all your remote desktop users (shared mode is allowed for RD Web services).
28. Security Measure #3 : Deploy an RD Gateway
• It’s recommended to deploy an RD Gateway for all external remote desktop users and define strong CAPs (Connection Authorization Policies) and RAPs (Resource Authorization Policies) to improve the security level of the RDS environment.
• RD Gateway requires a valid SSL certificate to operate; the SSL certificate delivered to the RD Gateway must be provided by a valid/trusted CA (Certification Authority).
• Note : you have to buy a valid SSL certificate from a trusted public CA provider (eg : GlobalSign).
29. Security Measure #4 : Enable MFA for All Remote Desktop Users
• It’s recommended to enable MFA (Multi-Factor Authentication) for all external Remote Desktop users connecting to your internal RDS resources from outside.
• The MFA service requires an RD Gateway component to operate.
• Remote desktop users must have at least one physical device (smartphone, biometrics…) to complete the MFA process.
30. Security Measure #5 : Enable NLA on All RDS Collections
• Network Level Authentication (or NLA) uses the CredSSP provider to present user credentials to the server before the server has to create a session.
• This improves the security level of the RDS environment by avoiding any security risk related to Denial of Service attacks.
• It’s highly recommended to enable NLA on all your RDS Collections.
• This can also be forced by using RDS Group Policy settings.
31. Security Measure #6 : Force “High Level” Encryption on All RDS Collections
• By default, the Remote Desktop service uses an encryption setting of Client Compatible (medium), which encrypts data at the maximum key strength supported by the client and may therefore allow weak encryption that could be decrypted in a reasonable time-frame (see Security Risk #3).
• It’s highly recommended to “force” a High encryption level on all your RDS Collections.
• This can also be forced by using RDS Group Policy settings.
32. Security Measure #7 : Force “TLS Layer” on All RDS Collections
• All RD Session Host servers of your RDS deployment must be authenticated using an SSL/TLS certificate.
• This is mandatory to avoid any security risk related to remote user identity theft.
• SSL certificates used to authenticate RDSH servers must be delivered by a valid/trusted public CA (Certification Authority) or your internal PKI.
• It’s highly recommended to configure valid SSL certificates for your RDSH servers.
• This can also be forced by using RDS Group Policy settings.
33. Security Measure #8 : Define and Apply an AppLocker Policy
• You have to lock down the RD Session Hosts that host your published sessions and apps.
• A strong AppLocker policy must be defined and applied to all RD Session Host servers of your deployment.
• Hash-based AppLocker rules can be used to enforce software restrictions on your RDSH servers.
• You first have to audit your apps and collect all required information, such as the “app thumbprint”, to define and apply your AppLocker rules.
• It’s recommended to create and apply a white-list-based AppLocker rule.
34. Security Measure #9 : Define a Strong Password & Lockout Policy for All Remote Desktop Users
• A strong password policy must be defined and applied to all remote desktop users.
• Using an AD Group Policy Object, you can create, configure and apply your password policy to a specific AD group (eg : RDS-USERS).
• It’s also highly recommended to define and apply an account lockout policy.
35. Security Measure #10 : Change the Default RDP Port
• By default, the RDP protocol listens on port 3389.
• This port is targeted by several malware/ransomware families.
• Attackers also target this default port during the footprinting phase.
• Recommendation
• It’s highly recommended to change this default port to something like 33381 (or a higher port).
• Tip : you can download and use this PS script to make this change :
https://gallery.technet.microsoft.com/RDS-Script-RDP-Port-af6a974b
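As an added example (not code from the deck or from the author), the following PowerShell script audits an RD Session Host’s RDP-Tcp listener against Security Measures #5 (NLA), #6 (high encryption), #7 (TLS security layer) and #10 (non-default port), and corrects any drift when run with -Enforce. The registry value names are the standard RDP-Tcp listener values; port 33381 is the deck’s own suggestion, and the firewall rule name is an assumption.

```powershell
# Added example (not from the original deck): audit, and with -Enforce correct, the
# RDP-Tcp listener settings behind Security Measures #5, #6, #7 and #10 on one RD
# Session Host. Run in an elevated PowerShell session on the RDSH itself.
# Target port 33381 is the deck's own suggestion; the other targets are the standard
# registry encodings of "NLA on", "SSL/TLS security layer" and a "High" minimum
# encryption level. In a collection-based deployment these settings are normally
# pushed with Set-RDSessionCollectionConfiguration or the RDS Group Policy settings
# the deck mentions; this script checks what actually landed on the host.
param([switch]$Enforce)

$Listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# One entry per setting: the value to enforce, the test a compliant value must
# pass, and which measure of the deck it implements.
$Baseline = @(
    @{ Name = 'UserAuthentication'; Target = 1;     Pass = { param($v) $v -eq 1 }
       Why  = 'NLA required before a session is created (Measure #5)' }
    # Binding the TLS certificate to the listener is a separate step (Measure #7).
    @{ Name = 'SecurityLayer';      Target = 2;     Pass = { param($v) $v -eq 2 }
       Why  = 'SSL/TLS security layer instead of legacy RDP security (Measure #7)' }
    @{ Name = 'MinEncryptionLevel'; Target = 3;     Pass = { param($v) $v -ge 3 }
       Why  = 'High (128-bit) or FIPS-compliant encryption (Measure #6)' }
    @{ Name = 'PortNumber';         Target = 33381; Pass = { param($v) $v -ne 3389 }
       Why  = 'listener moved off the default port 3389 (Measure #10)' }
)

function Test-RdpListenerBaseline {
    param([switch]$Enforce)
    $script:Changed = $false
    foreach ($item in $Baseline) {
        $current = (Get-ItemProperty -Path $Listener -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        $ok = ($null -ne $current) -and (& $item.Pass $current)
        if (-not $ok -and $Enforce) {
            Set-ItemProperty -Path $Listener -Name $item.Name -Value $item.Target -Type DWord
            if ($item.Name -eq 'PortNumber') {
                # The new port must be allowed through the host firewall; RD Gateway RAPs
                # and client shortcuts that point at this host must be updated as well.
                New-NetFirewallRule -DisplayName "RDP custom port $($item.Target)" -Direction Inbound `
                    -Protocol TCP -LocalPort $item.Target -Action Allow | Out-Null
            }
            $current = $item.Target; $ok = $true; $script:Changed = $true
        }
        [pscustomobject]@{ Setting = $item.Name; Current = $current; Compliant = $ok; Reason = $item.Why }
    }
}

Test-RdpListenerBaseline -Enforce:$Enforce | Format-Table -AutoSize

# Listener changes only apply to new connections after the Remote Desktop Services
# service restarts; the restart drops existing sessions, so schedule it accordingly.
if ($Enforce -and $script:Changed) { Restart-Service -Name TermService -Force }
```

Run it without -Enforce first to get a drift report per host; the same report, collected from every RDSH, is a quick check that the Group Policy settings the deck recommends actually took effect.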
36. Security Measure #11 : Secure Your Remote Desktop Users’ Devices
• If your security policy consists of restricting all local resource redirection (local drives, printers, clipboard…etc), you have to enforce (via GPO) the local resource redirection options on your RD Session Host servers, and apply the same hardening on your RDS client devices.
• The registry keys listed in the “Appendix” section can be configured via GPO to disable all local resource redirection in the RDC (Remote Desktop Connection) client > MSTSC.exe.
37. Security Measure #12 : Set the Maximum Number of Allowed Remote Desktop Sessions
• If you have the complete list of all your remote desktop users (internal & external), it’s recommended to set the maximum number of allowed remote desktop sessions in the RDS Session Collection properties (Load Balancing) and also in your RD Gateway properties.
38. Security Measure #13 : Define an RDS Log Management Policy
• All operations performed on your RDS environment must be logged : connections, reconnections, changes/modifications…
• All RDS logs must be centrally stored and analyzed to check whether there are any suspicious connections or abnormal behavior.
• At the very least, a WEF (Windows Event Forwarding) policy must be defined and configured.
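As an added example (not from the deck), the following PowerShell script does the kind of analysis this measure calls for: it parses failed-logon events (Security event 4625) into source/account/logon-type records and reports any source that produced a burst of failures, which is how the brute-force activity of Security Risks #1 and #8 shows up in centrally collected logs. The threshold, the window and the sample events are assumptions constructed for the demonstration.

```powershell
# Added example (not from the original deck): flag burst-style RDP logon failures
# in Security event 4625, the analysis the deck asks for on centrally collected
# logs. Events may come from the local RDSH/RD Gateway Security log or from the
# WEF collector's ForwardedEvents log. Threshold and window are assumptions.
function ConvertFrom-FailedLogonEvent {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # 4625 carries its fields in EventData; pull the ones that matter for RDP.
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Source    = $data['IpAddress']
        Account   = $data['TargetUserName']
        LogonType = [int]$data['LogonType']   # 10 = RemoteInteractive, 3 = network (NLA pre-auth path)
    }
}

function Find-RdpLogonFailureBursts {
    param(
        [Parameter(Mandatory)] [object[]]$Failures,   # objects shaped like ConvertFrom-FailedLogonEvent output
        [int]$Threshold = 10,                          # failures from one source ...
        [int]$WindowMinutes = 5                        # ... within this many minutes
    )
    $Failures | Where-Object { $_.LogonType -in 3, 10 } | Group-Object Source | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        # Sliding window: report the source once if any $Threshold consecutive
        # failures fall inside $WindowMinutes.
        for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
            $span = $sorted[$i + $Threshold - 1].Time - $sorted[$i].Time
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Source   = $_.Name
                    Failures = $sorted.Count
                    Accounts = (@($sorted.Account) | Sort-Object -Unique) -join ','
                    First    = $sorted[0].Time
                    Last     = $sorted[-1].Time
                }
                break
            }
        }
    }
}

# Live use, last 24 hours of the Security log (use LogName = 'ForwardedEvents' on a WEF collector):
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) }
# Find-RdpLogonFailureBursts -Failures ($events | ForEach-Object { ConvertFrom-FailedLogonEvent $_ })

# Constructed sample (documentation addresses, not real traffic): 12 failures in 3
# minutes from one source against several accounts, plus two ordinary typos from
# another source. Only the first source should be reported.
$now = Get-Date
$sample = @(
    1..12 | ForEach-Object { [pscustomobject]@{ Time = $now.AddSeconds(15 * $_); Source = '203.0.113.10'
                             Account = @('Administrator', 'admin', 'rdsuser')[$_ % 3]; LogonType = 3 } }
    1..2  | ForEach-Object { [pscustomobject]@{ Time = $now.AddMinutes(10 * $_); Source = '192.0.2.25'
                             Account = 'jdoe'; LogonType = 10 } }
)
Find-RdpLogonFailureBursts -Failures $sample | Format-Table -AutoSize
```

On a host with NLA enabled, failed pre-authentication attempts are recorded as logon type 3 rather than 10, which is why the filter keeps both types.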
40. PenTest Your RDS Environment
• Once deployed, you have to perform penetration tests on your RDS environment; this allows you to validate the security level of your RDS platform before integrating it into your production environment.
• Several penetration tests have to be performed to validate the security posture of this RDS environment.
• The PenTesting phase will include :
▪ Security of all RDS components exposed to the Internet : RDG, RD Web Access…
▪ Authentication process
▪ Encryption Attack
▪ TLS Authentication
▪ MiTM Attack
▪ D/DoS Attack
▪ Network isolation
▪ Apps Restriction Policies
▪ RDS Collection Multi-tenancy
43. Tips & Tricks [Part 1] : Restrict Local Resource Redirection from the MSTSC.exe Client
• The following registry key must be created and deployed on remote desktop devices/client laptops to disable clipboard redirection :
▪ Key Path : HKLM\SOFTWARE\Microsoft\Terminal Server Client
▪ Registry Key Name : DisableClipboardRedirection
▪ Key Type : REG_DWORD
▪ Data Value : 1
44. Tips & Tricks [Part 2] : Restrict Local Resource Redirection from the MSTSC.exe Client
• The following registry key must be created and deployed on remote desktop devices/client laptops to disable local drive redirection :
▪ Key Path : HKLM\SOFTWARE\Microsoft\Terminal Server Client
▪ Registry Key Name : DisableDriveRedirection
▪ Key Type : REG_DWORD
▪ Data Value : 1
45. Tips & Tricks [Part 3] : Restrict Local Resource Redirection from the MSTSC.exe Client
• The following registry key must be created and deployed on remote desktop devices/client laptops to disable local printer redirection :
▪ Key Path : HKLM\SOFTWARE\Microsoft\Terminal Server Client
▪ Registry Key Name : DisablePrinterRedirection
▪ Key Type : REG_DWORD
▪ Data Value : 1
47. Tips & Tricks [Part 1] : RDS Hardening Group Policy Settings
○ Restricting Device and Resource Redirection
Device and resource redirection can be restricted using the following Group Policy node:
- Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Device and Resource Redirection
○ Restricting Printer Redirection
Printer redirection can be restricted using the following Group Policy node:
- Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Printer Redirection
48. Tips & Tricks [Part 2] : RDS Hardening Group Policy Settings
○ Restricting access to the Registry
Access to the Registry can be restricted using the following Group Policy parameter:
- User Configuration | Policies | Administrative Templates | System
Parameter : Prevent access to registry editing tools
○ Hide Desktop icons
Desktop icons can be hidden by using the following Group Policy parameters:
- User Configuration | Policies | Administrative Templates | Desktop
Parameters:
• Hide and disable all items on the desktop
• Delete "My Computer" from the Desktop
49. Tips & Tricks [Part 3] : RDS Hardening Group Policy Settings
○ Restricting access to Control Panel
Access to the Control Panel can be restricted using the following Group Policy parameter:
- User Configuration | Policies | Administrative Templates | Control Panel
Parameter: Deny access to Control Panel and PC settings
○ Restricting Printer Driver Installation
Printer driver installation can be restricted using the following Group Policy parameter:
- Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options
Parameter : Devices: Prevent users from installing printer drivers
50. Tips & Tricks [Part 4] : RDS Hardening Group Policy Settings
○ Restricting access to the Command Prompt
Access to the Command Prompt (cmd.exe) can be restricted using the following Group Policy parameter:
- User Configuration | Policies | Administrative Templates | System
Parameter : Disable access to Command Prompt
○ Restricting access to Task Manager
Access to the Task Manager can be restricted using the following Group Policy parameter:
- User Configuration | Policies | Administrative Templates | System | Ctrl + Alt + Del Options
Parameter: Remove Task Manager
51. You want to read more ?
A complete list of all RDS security and hardening features is detailed in the Ultimate Guide above.
Request your RDS book copy, contact us !
52. Do you have any RDS Security Project ?
If yes, feel free to contact us.
Your Contacts
Hicham KADIRI
RDP Expert & Microsoft MVP
hicham.kadiri@k-nd-k-group.com
+33 (0)6 52 97 72 84
Mohsine CHOUGDALI
Key Account Manager
mohsine.chougdali@k-nd-k-group.com
+33 6 66 26 55 15
A K&K Group Company