Remote Desktop Services
Security Risks & Best Practices
You Should Know
RDS Free Training
Module 1 : Security Risks & Best Practices
By Hicham KADIRI
January 12, 2019
A K&K Group Company
Contoso Ltd.
About me
Microsoft MVP
• Windows Expert-IT Pro (2014-2015)
• Cloud and Datacenter Management (2016)
• Enterprise Mobility /RDS (2017)
• CDCM /Azure (2018)
Founder
@BecomeITExpert.com
Co-Founder
@K&K Group
Think {Cloud /DevOps /Security}
IT Author (+10 eBooks)
• RDS 2012 R2 and 2016 Pocket Consultant
• RDS & OS Security & Hardening guide
• Azure CLI 2.0 Pocket Consultant
• GPO, PowerShell, AppLocker …
Lead Cloud Architect /Az Expert
• Working for several large companies and international groups, including
Thales, Areva, Rabobank, Gemalto, Vinci, CE, BP, etc.
IT Blogger
• hichamkadiri.wordpress.com
• AskTheCloudExpert.wordpress.com
• ~2 million views ☺
/hicham_kadiri
/in/hichamkadiri
TechNet Contributor (Top 0,5%)
• MTFC (Microsoft Technical French Contributor)
• MCC (Microsoft Community Contributor)
Hicham KADIRI (aka #HK)
Document Objectives
• RDP/RDS: Presentation
• RDS Components
• RDS Architecture: High Level Picture
• Is RDP a secure protocol?
• Security risks related to the RDP protocol
• Security measures you should implement
• PenTest your RDS environment
• Appendix: RDS Security & Hardening Guide
RDP/RDS
Presentation
#HK
What is it?
• The Remote Desktop Protocol (aka RDP) is a proprietary protocol developed by Microsoft
that provides a graphical means of connecting to a network-connected computer.
• RDP is essentially a protocol for dangling your keyboard, mouse and display for others to
use. As you might expect, a juicy protocol like this has a variety of knobs that control its
security capabilities, including user authentication, which encryption is used, and more.
• Formerly TSE (Terminal Services), RDS (Remote Desktop Services) is a native role in
Windows Server 2008, 2012/2012 R2, 2016 and 2019. It is a set of services that enable
one or more users to simultaneously access (via the RDP protocol) published applications
(RemoteApp programs), Windows desktops (Remote Desktop sessions) or virtual
desktops (VDI), either over the local corporate network or over the Internet.
RDS
Components
• The RDS solution consists of 6 role services:
• Remote Desktop Session Host (RDSH): accepts and manages multiple simultaneous Remote Desktop
connections.
• Remote Desktop Virtualization Host (RDVH): integrates with Microsoft Hyper-V to distribute
virtual desktops (virtual machines) on demand. The RDVH role service is the basis of the Microsoft VDI
infrastructure.
• Remote Desktop License Server (RDLS): manages the installation and distribution of all RDS
CALs (Per-User and Per-Device).
• Remote Desktop Connection Broker (RDCB): manages load balancing and RD session
reconnection.
• Remote Desktop Gateway (RDG): acts as an RDP firewall for all external remote desktop
users. The RDG uses only HTTPS/443 flows and encapsulates RDP over HTTPS to secure the
communication.
• Remote Desktop Web Access (RDWA): the RDS web access portal, which lets you publish your
internal RDS resources and distribute them through a web portal.
RDS Architecture
High Level Picture
• In a standard RDS Windows Server architecture (from 2008 R2 to 2019), the components
mentioned above are deployed as shown in the figure below:
Is RDP a
Secure Protocol?
• The default RDP configuration leaves it vulnerable to several attacks when enabled; there are,
however, some security improvements introduced in newer Windows Server RDS
versions.
• By default, several attacks are possible:
• Denial of Service (DoS) attack
• Man-in-the-Middle (MiTM) attack
• Brute-force attack
• …
• Refer to the next slides for more information about the risks related to the RDP protocol.
Security Risks
Related to RDP Protocol
When dealing with the RDP protocol, there are (by default) several vulnerabilities and
security risks you should know and take into account:
• RDS exposed on the Internet
• Man-in-the-Middle (MiTM)
• Encryption attack
• Denial of Service (DoS) attack
• Dumping password hashes
• RDS misconfiguration
• Ransomware
• Brute-force attack
• Risks related to an RDSH "Shared Mode" environment (shared RDS Collection)
• Keylogging
• …
Security Risk #1
RDP Exposed on the Internet
• There is no need to expose the Remote Desktop service directly to the Internet, as doing so
enables untrusted users on the Internet to attempt connections. Worse still,
malicious Internet-based attackers could carry out brute-force attacks against the
service. By default, the first account an attacker would try is "Administrator", which is
not usually configured with an account lockout.
• If a password is guessed successfully, the resulting access could have substantial
repercussions for your organization and facilitate further attacks against trusted or
connected infrastructure.
Security Risk #2
Man-in-the-Middle (MiTM) Attack
• Although the Remote Desktop service provides data encryption between the client
and server by default, it does not provide authentication for verifying the identity of
the Terminal/RDSH server. This lack of identity verification allows a malicious person,
in combination with other nefarious activities, to intercept all communications sent
between a client and a Terminal Server.
• The likelihood of this type of attack depends on the attacker's ability to control
connections between the client and the Terminal Server. Typically, this requires the
criminal to perform other attacks such as ARP (Address Resolution Protocol)
spoofing or DNS (Domain Name System) spoofing, which redirect connections to
the attacker prior to forwarding the data to the legitimate server.
Security Risk #3
Encryption Attack
• By default, the Remote Desktop service uses an encryption setting of Client
Compatible (medium). This level of encryption encrypts data sent between the
client and the server at the maximum key strength supported by the client. It is
generally used in an environment containing mixed or earlier-version clients.
• The medium setting may allow the use of weak encryption, which could be
decrypted in a reasonable time frame and lead to the disclosure of sensitive
information.
Security Risk #4
Denial of Service (DoS) Attack
• Terminal Servers which support Network Level Authentication (NLA) but do not
have it configured present a risk. NLA forces the client computer to present user
credentials for authentication before the server will create a session for that user.
• As session creation is relatively resource intensive, NLA provides a layer of defense
against Denial of Service attacks, whereby a malicious user makes repeated
connections to the service to prevent its legitimate use by others.
Security Risk #5
Dumping Password Hashes
• You have to ensure that Remote Desktop users are never "Local Administrators"
on the RDSHs. Because an RDSH is a shared server (used by different kinds of users), there is
a serious security risk if one or several RD users hold local admin
rights: they can run a hash-dumping tool to dump the password
hashes of the other remote desktop users connected to the same server.
• An AppLocker policy must also be defined to avoid any risk related to the use of a
hash-dumping tool such as Mimikatz.
Security Risk #6
RDS Misconfiguration
• All RDSH servers must be hardened and locked down to avoid any risk related to
RDS misconfiguration.
• RDSH hardening must be enforced using Group Policy settings.
Security Risk #7
Ransomware
• Ransomware attacks are becoming more targeted in order to be more effective, and one of the
primary attack vectors is the Remote Desktop Protocol (RDP). Remote desktop is
exactly what the name implies: an option to remotely control a PC. With the
currently available software, it almost feels as if you were actually sitting behind that
PC, which is what makes it so dangerous.
• Again, all RDSH servers must be locked down to avoid any security risk related to
ransomware execution.
Security Risk #8
Brute-Force Attack
• RDP becomes vulnerable to brute-force attacks when weak passwords are used.
• It is recommended to define and enforce a strong password policy for all Remote
Desktop users that connect to your RDS Collection.
• It is also recommended to limit the number of remote desktop users and never leave
"unlimited" connections on RDSH servers and the RD Gateway.
Security Risk #9
RDS Collection in “Shared Mode”
• When you deploy a new RDS infrastructure, a new RDS Collection is (by default)
automatically created.
• Most IT teams keep this RDS Collection with the default settings and configure it to allow all
remote desktop users, from different departments, to connect to the same shared
environment.
• This RDS Collection is often used to host all kinds of applications (HR, Finance, IT, etc.), so there is
no isolation at the application level. Indeed, all apps are hosted in a "shared"
environment / on shared RD Session Host servers.
• This allows a lateral movement attack!
• Recommendation
• Always create a dedicated RDS Collection to isolate the different application environments.
Security Risk #10
Keylogging
• A keylogger is a piece of malicious software, usually called "spyware" or "malware",
that records every keystroke you make on a keyboard.
• To avoid any risk related to the use of a keylogger tool, AppLocker rules must be
defined and applied to all RD Session Host servers.
• Recommendation
• AppLocker rules must be defined and configured to whitelist RemoteApp programs based on
their hash thumbprint.
Security Measures
You Should Implement
To mitigate the risks related to the RDP protocol, its connections and communications, the following security
features and mechanisms should be implemented:
• Enable HA (High Availability) for all RDS role services (RDSH/RDCB/RDWA/RDG/RDLS) and also for the SQL Server used
for RDCB database HA.
• Create a dedicated RDS Session Collection per customer and for each published app.
• Deploy an RDG (Remote Desktop Gateway) for all external remote desktop users.
• Enable MFA (or 2FA) for all remote (external) desktop users. You can use Azure MFA Server if you are an Azure AD P1
customer.
• Enable NLA (Network Level Authentication) for all RDS Session Collections.
• Force High level encryption for all RDP communication (128-bit encryption).
• Force the use of the TLS layer on all RDS Session Collections: TLS authentication for all RDSHs.
• Define and apply an AppLocker policy on all RD Session Host servers.
• Define a strong password and lockout policy for all remote desktop users (using GPO).
• Change the default RDP port.
• If possible, harden remote desktop devices (restrict local resource redirection from the MSTSC.exe client).
• Set the maximum number of allowed remote desktop sessions (in the RDS Collection and RDG properties).
• All remote desktop connection logs must be centrally stored and analyzed regularly.
Security Measure #1
Enable HA for All RDS Role Services
• All RD components/role services must be highly available. This includes:
• RD Session Host: at least two RDSH servers must be part of the dedicated RDS
Session Collection.
• RD Connection Broker: at least two RDCB servers must be deployed and configured in
HA mode (a SQL Server instance is required).
• RD Web Access: at least two RD Web Access servers must be deployed and configured
behind a load balancer.
• RD Gateway: at least two RD Gateway servers must be deployed and configured in HA
mode and behind a load balancer.
• RD Licensing: at least two RD Licensing servers must be deployed and configured
in HA mode.
Security Measure #2
Create a Dedicated RDS Collection per App Group/App Type
• First, you have to list all your published apps (RemoteApps).
• Then, you have to create a category list of your apps: HR apps, Finance apps,
Admin apps…
• Each app group must be published and distributed through a dedicated RDS
Session Collection (dedicated RDSH servers).
• RD Web Access and RD Gateway can be shared by all your remote desktop users
(shared mode is allowed for the RD Web services).
Security Measure #3
Deploy an RD Gateway
• It is recommended to deploy an RD Gateway for all external remote desktop users
and to define strong CAPs (Connection Authorization Policies) and RAPs (Resource Authorization
Policies) to improve the security level of the RDS environment.
• The RD Gateway requires a valid SSL certificate to operate; the SSL certificate that will be
delivered to the RD Gateway must be provided by a valid/trusted CA (Certification
Authority).
• Note: you have to buy a valid SSL certificate from a trusted public CA provider (e.g.
GlobalSign).
Security Measure #4
Enable MFA for all Remote Desktop Users
• It is recommended to enable MFA (Multi-Factor Authentication) for all external
Remote Desktop users connecting to your internal RDS resources from outside.
• The MFA service requires an RD Gateway component to operate.
• Remote desktop users must have at least one physical device (smartphone,
biometrics…) to complete the MFA process.
Security Measure #5
Enable NLA on All RDS Collections
• Network Level Authentication (NLA) uses the CredSSP provider to present user
credentials to the server before the server has to create a session.
• This improves the security level of the RDS environment by avoiding the security risk
related to Denial of Service attacks.
• It is highly recommended to enable NLA on all your RDS Collections.
• This can also be forced by using RDS Group Policy settings.
Security Measure #6
Force "High Level" Encryption on All RDS Collections
• By default, the Remote Desktop service uses an encryption setting of Client
Compatible (medium). This level of encryption encrypts data sent between the
client and the server at the maximum key strength supported by the client. It is
generally used in an environment containing mixed or earlier-version clients.
• The medium setting may allow the use of weak encryption, which could be
decrypted in a reasonable time frame and lead to the disclosure of sensitive
information.
• It is highly recommended to force a High encryption level on all your RDS
Collections.
• This can also be forced by using RDS Group Policy settings.
Security Measure #7
Force "TLS Layer" on All RDS Collections
• All RD Session Host servers of your RDS deployment must be authenticated using
an SSL/TLS certificate.
• This is mandatory to avoid any security risk related to remote users' identity theft.
• The SSL certificates used to authenticate RDSH servers must be delivered by
a valid/trusted public CA (Certification Authority) or by your internal PKI.
• It is highly recommended to configure valid SSL certificates for your RDSH servers.
• This can also be forced by using RDS Group Policy settings.
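As an added example (not part of the original deck or any Microsoft script), the following PowerShell audits the RDP-Tcp listener of an RD Session Host against Measures #5, #6 and #7 (NLA, High encryption, TLS security layer) and can enforce them; it uses the Win32_TSGeneralSetting WMI class that ships with the RDSH role, and the -Enforce switch name is my own choice.

```powershell
# Audit (and with -Enforce, fix) the RDP-Tcp listener settings on an RD Session Host.
# Run elevated on each RDSH. Group Policy still wins over values set here, so use this
# as a compliance check and as a quick fix on servers that are not yet under the RDS GPO.
param([switch]$Enforce)

# Desired values, in the encodings Win32_TSGeneralSetting uses:
#   UserAuthenticationRequired : 1 = NLA required            (Measure #5)
#   MinEncryptionLevel         : 1 Low, 2 Client Compatible, 3 High (128-bit), 4 FIPS  (Measure #6)
#   SecurityLayer              : 0 RDP Security Layer, 1 Negotiate, 2 TLS/SSL          (Measure #7)
$Desired = @{ UserAuthenticationRequired = 1; MinEncryptionLevel = 3; SecurityLayer = 2 }

$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName 'Win32_TSGeneralSetting' -Filter "TerminalName='RDP-Tcp'"

$findings = foreach ($name in $Desired.Keys) {
    [pscustomobject]@{
        Setting   = $name
        Current   = $ts.$name
        Expected  = $Desired[$name]
        Compliant = ($ts.$name -eq $Desired[$name])
    }
}
$findings | Format-Table -AutoSize

# TLS only authenticates the RDSH (Risk #2) if the bound certificate chains to a CA the
# clients trust. Look the listener's thumbprint up in the two stores mstsc-facing certs live in.
$thumb = $ts.SSLCertificateSHA1Hash
$cert  = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
         Where-Object Thumbprint -eq $thumb | Select-Object -First 1
if ($null -eq $cert -or $cert.Subject -eq $cert.Issuer) {
    Write-Warning "RDP-Tcp uses a self-signed or unknown certificate ($thumb); clients cannot verify this RDSH's identity."
}

if ($Enforce) {
    # Each setter is a method of the same WMI instance; the change applies to new connections.
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    Invoke-CimMethod -InputObject $ts -MethodName SetEncryptionLevel `
        -Arguments @{ MinEncryptionLevel = 3 } | Out-Null
    Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer `
        -Arguments @{ SecurityLayer = 2 } | Out-Null
    Write-Host 'RDP-Tcp listener hardened: NLA required, High encryption, TLS security layer.'
}
```

Binding a CA-issued certificate to the listener is a separate step (for example through the RDS deployment properties in Server Manager); this script only reports whether the currently bound one is self-signed.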
Security Measure #8
Define and Apply an AppLocker Policy
• You have to lock down the RD Session Hosts that host your published sessions and
apps.
• A strong AppLocker policy must be defined and applied to all RD Session Host
servers of your deployment.
• Hash-based AppLocker rules can be used to enforce software restrictions on your
RDSH servers.
• You first have to audit your apps and collect all the required information, such as the "app
thumbprints", to define and apply your AppLocker rules.
• It is recommended to create and apply whitelist-based AppLocker rules.
Security Measure #9
Define a Strong Password & Lockout Policy for All Remote Desktop Users
• A strong password policy must be defined and applied to all remote desktop users.
• Using an AD Group Policy Object, you can create, configure and apply your password
policy to a specific AD group (e.g. RDS-USERS).
• It is also highly recommended to define and apply an account lockout policy.
Security Measure #10
Change the Default RDP Port
• By default, the RDP protocol listens on TCP port 3389.
• This port is targeted by several malware/ransomware families.
• Attackers also target this default port during the footprinting phase.
• Recommendation
• It is highly recommended to change this default port to something like 33381 (or a higher
port).
• Tip: you can download and use this PowerShell script to make this change:
https://gallery.technet.microsoft.com/RDS-Script-RDP-Port-af6a974b
Security Measure #11
Secure Your Remote Desktop Users' Devices
• If your security policy consists of restricting all local resource redirection (local drives,
printers, clipboard, etc.), you have to force (via GPO) all local resource redirection
options on your RD Session Host servers, and apply the same hardening to your
RDS client devices.
• The registry keys listed in the "Appendix" section can be configured via GPO to
disable all local resource redirection in the RDC (Remote Desktop Connection) client,
MSTSC.exe.
Security Measure #12
Set the Maximum Number of Allowed Remote Desktop Sessions
• If you have the complete list of all your remote desktop users (internal and external),
it is recommended to set the maximum number of allowed remote desktop
sessions in the RDS Session Collection properties (Load Balancing) and also in
your RD Gateway properties.
Security Measure #13
Define an RDS Log Management Policy
• All operations performed on your RDS environment must be logged: connections,
reconnections, changes/modifications…
• All RDS logs must be centrally stored and analyzed to check whether there are any
suspicious connections or abnormal behavior.
• At a minimum, a WEF (Windows Event Forwarding) policy must be defined and configured.
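As an added example (not part of the original deck), here is detection logic for the brute-force pattern from Risks #1 and #8, run over Security log logon events (4625 failures, 4624 successes, logon type 10 = RemoteInteractive/RDP) as they would arrive at a WEF collector. The function and parameter names are my own, and the events at the bottom are a constructed sample so the script runs offline.

```powershell
# Flatten a Get-WinEvent Security record (4624/4625) into the five fields the detector needs.
function ConvertFrom-LogonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated    = $Event.TimeCreated
            Id             = $Event.Id
            LogonType      = [int]$d['LogonType']
            TargetUserName = $d['TargetUserName']
            IpAddress      = $d['IpAddress']
        }
    }
}

# Flag any source IP with $Threshold RDP logon failures inside $WindowMinutes, and escalate
# when the same source later logs on successfully (the "password guessed" case of Risk #1).
function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$Threshold     = 5,
        [int]$WindowMinutes = 10,
        # With NLA enabled, failed guesses are usually recorded as LogonType 3 (network),
        # because CredSSP rejects them before a RemoteInteractive session exists: pass 3,10 then.
        [int[]]$LogonTypes  = @(10)
    )
    $rdp = $Events | Where-Object { $LogonTypes -contains $_.LogonType } | Sort-Object TimeCreated
    foreach ($group in ($rdp | Group-Object IpAddress)) {
        $fails    = @($group.Group | Where-Object { $_.Id -eq 4625 })
        $burstEnd = $null
        # Sliding window over consecutive failures from this source
        for ($i = 0; $i + $Threshold - 1 -lt $fails.Count; $i++) {
            $last = $fails[$i + $Threshold - 1].TimeCreated
            if (($last - $fails[$i].TimeCreated).TotalMinutes -le $WindowMinutes) { $burstEnd = $last; break }
        }
        if ($null -eq $burstEnd) { continue }
        $success = $group.Group |
            Where-Object { $_.Id -eq 4624 -and $_.TimeCreated -gt $burstEnd } | Select-Object -First 1
        $succeededAs = if ($success) { $success.TargetUserName } else { $null }
        [pscustomobject]@{
            SourceIp     = $group.Name
            Failures     = $fails.Count
            UsersTried   = (($fails | ForEach-Object TargetUserName | Sort-Object -Unique) -join ', ')
            FirstFailure = $fails[0].TimeCreated
            SucceededAs  = $succeededAs
            Severity     = if ($succeededAs) { 'CRITICAL' } else { 'HIGH' }
        }
    }
}

# Constructed sample: six failures from 203.0.113.7 within three minutes (rotating through
# Administrator/admin/hk) followed by a success as "hk", plus one stray failure from
# 198.51.100.9 that must not fire. Addresses are documentation ranges, not real hosts.
$t0 = Get-Date '2019-01-12T08:00:00'
$sample = @(
    0..5 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(30 * $_); Id = 4625; LogonType = 10
                           TargetUserName = @('Administrator', 'admin', 'hk')[$_ % 3]; IpAddress = '203.0.113.7' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(4); Id = 4624; LogonType = 10
                       TargetUserName = 'hk'; IpAddress = '203.0.113.7' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); Id = 4625; LogonType = 10
                       TargetUserName = 'alice'; IpAddress = '198.51.100.9' }
)
# Expected: one CRITICAL finding for 203.0.113.7 (6 failures, SucceededAs = hk); nothing for 198.51.100.9.
Find-RdpBruteForce -Events $sample | Format-List

# Against a live RDSH or WEF collector (run elevated), feed real records instead of the sample:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-24) } |
#             ConvertFrom-LogonEvent
# Find-RdpBruteForce -Events $live -LogonTypes 3, 10
```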
PenTest
your RDS Environment
• Once deployed, you have to perform penetration tests on your RDS environment; this allows you
to validate the security level of your RDS platform before integrating it into your production
environment.
• Several penetration tests have to be performed to validate the security posture of this RDS
environment.
• The PenTesting phase will include:
▪ Security of all RDS components exposed to the Internet: RDG, RD Web Access…
▪ Authentication process
▪ Encryption attack
▪ TLS authentication
▪ MiTM attack
▪ D/DoS attack
▪ Network isolation
▪ App restriction policies
▪ RDS Collection multi-tenancy
Appendix
RDS Security & Hardening Guide
HowTo:
Restrict local resource redirection on
your RDS client (MSTSC.exe)
Tip & Tricks [Part1]
Restrict local resources redirection from MSTSC.exe client
• The following registry value must be created and deployed on remote desktop
devices/client laptops to disable clipboard redirection:
▪ Key Path: HKLM\SOFTWARE\Microsoft\Terminal Server Client
▪ Registry Key Name: DisableClipboardRedirection
▪ Key Type: REG_DWORD
▪ Data Value: 1
Tip & Tricks [Part2]
Restrict local resources redirection from MSTSC.exe client
• The following registry value must be created and deployed on remote desktop
devices/client laptops to disable local drive redirection:
▪ Key Path: HKLM\SOFTWARE\Microsoft\Terminal Server Client
▪ Registry Key Name: DisableDriveRedirection
▪ Key Type: REG_DWORD
▪ Data Value: 1
Tip & Tricks [Part3]
Restrict local resources redirection from MSTSC.exe client
• The following registry value must be created and deployed on remote desktop
devices/client laptops to disable local printer redirection:
▪ Key Path: HKLM\SOFTWARE\Microsoft\Terminal Server Client
▪ Registry Key Name: DisablePrinterRedirection
▪ Key Type: REG_DWORD
▪ Data Value: 1
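As an added example (not part of the original deck), the following PowerShell applies the three Terminal Server Client values from Parts 1 to 3 on a client device and then verifies them, so the same script can serve as a GPO startup script or as a compliance check; the function names are my own.

```powershell
# Apply and verify the MSTSC.exe redirection lockdown values listed in the Appendix.
# Run elevated on the client device; new mstsc.exe sessions pick the values up immediately.
$Path   = 'HKLM:\SOFTWARE\Microsoft\Terminal Server Client'
$Values = @{
    DisableClipboardRedirection = 1   # Part 1: clipboard
    DisableDriveRedirection     = 1   # Part 2: local drives
    DisablePrinterRedirection   = 1   # Part 3: local printers
}

function Set-RdcRedirectionLockdown {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        # -PropertyType DWord matches the REG_DWORD type the deck specifies; -Force overwrites an existing value
        New-ItemProperty -Path $Path -Name $name -Value $Values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Test-RdcRedirectionLockdown {
    # Returns one row per value; a missing key or a wrong data value both show as non-compliant
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Values.Keys) {
        $current = $null
        if ($null -ne $props) { $current = $props.$name }
        [pscustomobject]@{
            Value     = $name
            Current   = $current
            Expected  = $Values[$name]
            Compliant = ($current -eq $Values[$name])
        }
    }
}

Set-RdcRedirectionLockdown
$report = Test-RdcRedirectionLockdown
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) { Write-Warning 'Redirection lockdown incomplete on this device.' }
```

Users can still tick the redirection boxes in the mstsc.exe UI; these values make the client ignore them, and the server-side GPO in the next section is what enforces the policy for clients you do not manage.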
HowTo:
Locking down your RDSH servers
Tip & Tricks [Part1]
RDS Hardening Group Policy Settings
○ Restricting Device and Resource Redirection
Device and resource redirection can be restricted using the following Group Policy
path:
- Computer Configuration | Policies | Administrative Templates | Windows
Components | Remote Desktop Services | Remote Desktop Session Host | Device and
Resource Redirection
○ Restricting Printer Redirection
Printer redirection can be restricted using the following Group Policy path:
- Computer Configuration | Policies | Administrative Templates | Windows
Components | Remote Desktop Services | Remote Desktop Session Host | Printer
Redirection
Tip & Tricks [Part2]
RDS Hardening Group Policy Settings
○ Restricting access to the Registry
Access to the Registry can be restricted using the following Group Policy
parameter:
- User Configuration | Policies | Administrative Templates | System
Parameter: Prevent access to registry editing tools
○ Hide Desktop icons
Desktop icons can be hidden using the following Group Policy parameters:
- User Configuration | Policies | Administrative Templates | Desktop
Parameters:
• Hide and disable all items on the desktop
• Delete "My Computer" from the Desktop
Tip & Tricks [Part3]
RDS Hardening Group Policy Settings
○ Restricting access to Control Panel
Access to the Control Panel can be restricted using the following Group
Policy parameter:
- User Configuration | Policies | Administrative Templates | Control Panel
Parameter: Prohibit access to Control Panel and PC settings
○ Restricting Printer Driver Installation
Printer driver installation can be restricted using the following Group Policy
parameter:
- Computer Configuration | Policies | Windows Settings | Security Settings |
Local Policies | Security Options
Parameter: Devices: Prevent users from installing printer drivers
Tip & Tricks [Part4]
RDS Hardening Group Policy Settings
○ Restricting access to the Command Prompt
Access to the Command Prompt (cmd.exe) can be restricted using the
following Group Policy parameter:
- User Configuration | Policies | Administrative Templates | System
Parameter: Prevent access to the command prompt
○ Restricting access to Task Manager
Access to Task Manager can be restricted using the following Group Policy
parameter:
- User Configuration | Policies | Administrative Templates | System | Ctrl+Alt+Del Options
Parameter: Remove Task Manager
You want to
read more?
A complete list of all RDS security and hardening
features is detailed in the Ultimate Guide above.
Request your RDS book copy, contact us!
Do you have any RDS
security project?
If yes, feel free to contact us.
Your Contacts
Hicham KADIRI
RDP Expert & Microsoft MVP
hicham.kadiri@k-nd-k-group.com
+33 (0)6 52 97 72 84
Mohsine CHOUGDALI
Key Account Manager
mohsine.chougdali@k-nd-k-group.com
+33 6 66 26 55 15
A K&K Group Company
/hicham_kadiri
/in/hichamkadiri
Subscribe to my Blog
hichamkadiri.wordpress.com
End of Lesson
Hope this Helps ☺
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

[RDS /Remote Desktop Services] Lesson 1 : Security Risks & Best Practices You Should Know

  • 1. Remote Desktop Services: Security Risks & Best Practices You Should Know
      RDS Free Training, Module 1: Security Risks & Best Practices
      By Hicham KADIRI, January 12, 2019. A K&K Group Company.
  • 2. About me: Hicham KADIRI (aka #HK)
      • Microsoft MVP
          ▪ Windows Expert-IT Pro (2014-2015)
          ▪ Cloud and Datacenter Management (2016)
          ▪ Enterprise Mobility /RDS (2017)
          ▪ CDCM /Azure (2018)
      • Founder @BecomeITExpert.com
      • Co-Founder @K&K Group: Think {Cloud /DevOps /Security}
      • IT Author (+10 eBooks)
          ▪ RDS 2012 R2 and 2016 Pocket Consultant
          ▪ RDS & OS Security & Hardening Guide
          ▪ Azure CLI 2.0 Pocket Consultant
          ▪ GPO, PowerShell, AppLocker …
      • Lead Cloud Architect /Az Expert: working for several large companies and international groups including Thales, Areva, Rabobank, Gemalto, Vinci, CE, BP, etc.
      • IT Blogger: hichamkadiri.wordpress.com, AskTheCloudExpert.wordpress.com (~2 million views ☺)
      • TechNet Contributor (Top 0.5%): MTFC (Microsoft Technical French Contributor), MCC (Microsoft Community Contributor)
      • /hicham_kadiri, /in/hichamkadiri
  • 3. Document Objectives
      • RDP/RDS: Presentation
      • RDS Components
      • RDS Architecture: High Level Picture
      • Is RDP a secure protocol?
      • Security risks related to the RDP protocol
      • Security measures you should implement
      • PenTest your RDS environment
      • Appendix: RDS Security & Hardening Guide
  • 5. RDP/RDS: What is it?
      • The Remote Desktop Protocol (aka RDP) is a proprietary protocol developed by Microsoft that provides a graphical means of connecting to a network-connected computer.
      • RDP is essentially a protocol for dangling your keyboard, mouse and display for others to use. As you might expect, a juicy protocol like this has a variety of knobs used to control its security capabilities, including user authentication, the encryption used, and more.
      • Formerly TSE (Terminal Services), RDS (Remote Desktop Services) is a native role in Windows Server 2008, 2012/2012 R2, 2016 and 2019. It is a set of services that enable one or more users to simultaneously access (via the RDP protocol) published applications (RemoteApp programs), Windows desktops (Remote Desktop sessions) or virtual desktops (VDI), over the local corporate network or the Internet.
  • 7. RDS Components
      • The RDS solution consists of 6 role services:
          ▪ Remote Desktop Session Host (RDSH): allows you to manage (accept) multiple Remote Desktop connections simultaneously.
          ▪ Remote Desktop Virtualization Host (RDVH): the RDVH server integrates with Microsoft Hyper-V to distribute virtual desktops (virtual machines) on demand. The RDVH role service represents the Microsoft VDI infrastructure.
          ▪ Remote Desktop License Server (RDLS): this role manages the installation and distribution of all RDS CALs (Per-User & Per-Device).
          ▪ Remote Desktop Connection Broker (RDCB): manages load balancing and RD session reconnection.
          ▪ Remote Desktop Gateway (RDG): the RDG acts as an RDP firewall for all external remote desktop users. The RDG uses only HTTPS/443 flows and encapsulates RDP over HTTPS to secure the communication.
          ▪ Remote Desktop Web Access (RDWA): this is the RDS Web Access portal that allows you to publish your internal RDS resources and distribute them through a web portal.
  • 9. RDS Architecture: High Level Picture
      • In a standard RDS Windows Server architecture (from 2008 R2 to 2019), the components mentioned above are deployed as shown in the figure below.
  • 10. Is RDP a Secure Protocol?
  • 11. Is RDP a Secure Protocol?
      • The default RDP configuration leaves it vulnerable to several attacks when enabled; there are, however, some security improvements introduced in newer RDS Windows Server versions.
      • By default, several attacks are possible:
          ▪ Denial of Service (DoS) attack
          ▪ Man-in-the-Middle (MiTM) attack
          ▪ Brute-force attack
          ▪ …
      • Refer to the next slides for more information about all the risks related to the RDP protocol.
  • 12. Security Risks Related to the RDP Protocol
  • 13. Security Risks Related to the RDP Protocol
      • When dealing with the RDP protocol, there are (by default) several vulnerabilities and security risks you should know and take into account:
          ▪ RDS exposed on the Internet
          ▪ Man-in-the-Middle (MiTM)
          ▪ Encryption attack
          ▪ Denial of Service (DoS) attack
          ▪ Dumping password hashes
          ▪ RDS misconfiguration
          ▪ Ransomware
          ▪ Brute-force attack
          ▪ Risks related to an RDSH "Shared Mode" environment (shared RDS Collection)
          ▪ Keylogging
          ▪ …
  • 14. Security Risk #1: RDP Exposed on the Internet
      • There is no necessity to expose the Remote Desktop service to the Internet, thus enabling untrusted users on the Internet to attempt connections. Worse still, malicious Internet-based attackers could carry out brute-force attacks against the service. By default, the first account an attacker would try is "Administrator", which is not usually configured with an account lockout.
      • If a password is guessed successfully, the resulting access could have substantial repercussions for your organization and facilitate further attacks against trusted or connected infrastructure.
  • 15. Security Risk #2: Man-in-the-Middle (MiTM) Attack
      • Although the Remote Desktop service provides data encryption between the client and server by default, it doesn't provide authentication for verifying the identity of the Terminal/RDSH server. This lack of identity verification allows a malicious person, by carrying out other nefarious activities, to intercept all communications sent between a client and a Terminal Server.
      • The likelihood of this type of attack depends on a hacker's ability to control connections between the client and the Terminal Server. Typically, this requires the criminal to perform other attacks such as ARP (Address Resolution Protocol) spoofing or DNS (Domain Name System) spoofing, which redirect connections to the attacker prior to sending the data to the legitimate server.
  • 16. Security Risk #3: Encryption Attack
      • By default, the Remote Desktop service uses an encryption setting of Client Compatible (medium). This level encrypts data sent between the client and the server at the maximum key strength supported by the client. It is generally used in an environment containing mixed or earlier-version clients.
      • The medium setting may facilitate the use of weak encryption, which could be decrypted in a reasonable time-frame and lead to the disclosure of sensitive information.
  • 17. Security Risk #4: Denial of Service (DoS) Attack
      • Terminal Servers which support Network Level Authentication (NLA) but do not have it configured present a risk. NLA forces the client computer to present user credentials for authentication before the server will create a session for that user.
      • As session creation is relatively resource intensive, NLA provides a layer of defense against Denial of Service attacks, whereby a malicious user makes repeated connections to the service to prevent its legitimate use by others.
  • 18. Security Risk #5: Dumping Password Hashes
      • You have to ensure that Remote Desktop users are never "Local Administrators" on the RDSHs. Since an RDSH is a shared server (used by different kinds of users), there is a significant security risk if one or several RD users have Local Admin rights: they can run a password-hash dumping tool to dump the local password hashes of the other remote desktop users connected to the same server.
      • An AppLocker policy must also be defined to avoid any risk related to the use of a password-hash dumping tool like Mimikatz.
  • 19. Security Risk #6: RDS Misconfiguration
      • All RDSH servers must be hardened and locked down to avoid any risk related to RDS misconfiguration.
      • RDSH hardening must be "enforced" using Group Policy settings.
  • 20. Security Risk #7: Ransomware
      • Ransomware attacks are getting more targeted to be more effective, and one of the primary attack vectors is the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, an option to remotely control a PC. With the currently available software, it almost feels as if you were actually sitting behind that PC, which is what makes it so dangerous.
      • Again, all RDSH servers must be locked down to avoid any security risk related to ransomware execution.
  • 21. Security Risk #8: Brute-Force Attack
      • RDP becomes vulnerable to brute-force attacks when weak passwords are used.
      • It is recommended to define and enforce a strong password policy for all Remote Desktop users that connect to your RDS Collection.
      • It is also recommended to limit the number of remote desktop users and never leave "unlimited" connections on RDSH servers and the RD Gateway.
  • 22. Security Risk #9: RDS Collection in "Shared Mode"
      • When you deploy a new RDS infrastructure, a new RDS Collection is (by default) automatically created.
      • Most IT teams keep this RDS Collection with the default settings and configure it to allow all remote desktop users, from different departments, to connect to the same shared environment.
      • This RDS Collection is often used to host all kinds of applications (HR, Finance, IT, etc.), so there is no isolation at the application level: all apps are hosted in a "shared" environment, on the same RD Session Host servers.
      • This allows a lateral movement attack!
      • Recommendation: always create a dedicated RDS Collection to isolate the different application environments.
  • 23. Security Risk #10: Keylogging
      • A keylogger is a piece of malicious software, usually called "spyware" or "malware", that records every keystroke you make on a keyboard.
      • To avoid any risk related to the use of a keylogger tool, AppLocker rules must be defined and applied to all RD Session Host servers.
      • Recommendation: AppLocker rules must be defined and configured to whitelist RemoteApps based on their hash thumbprint.
  • 24. Security Measures You Should Implement
  • 25. Security Measures You Should Implement
      • To mitigate the risks related to the RDP protocol, its connections and communications, the following security features and mechanisms should be implemented:
          ▪ Enable HA (High Availability) for all RDS role services (RDSH/RDCB/RDWA/RDG/RDLS) and also for the SQL Server used for the RDCB database.
          ▪ Create a dedicated RDS Session Collection per customer and for each published app.
          ▪ Deploy an RDG (Remote Desktop Gateway) for all external remote desktop users.
          ▪ Enable MFA (or 2FA) for all remote (external) desktop users. You can use Azure MFA Server if you are an Azure AD P1 customer.
          ▪ Enable NLA (Network Level Authentication) on all RDS Session Collections.
          ▪ Force High-level encryption for all RDP communication (128-bit encryption).
          ▪ Force the use of the TLS layer on all RDS Session Collections: TLS authentication for all RDSHs.
          ▪ Define and apply an AppLocker policy on all RD Session Host servers.
          ▪ Define a strong password & lockout policy for all remote desktop users (using GPO).
          ▪ Change the default RDP port.
          ▪ If possible, remote desktop devices must be hardened (restrict local resource redirection from the MSTSC.exe client).
          ▪ Set the maximum number of allowed remote desktop sessions (in the RDS Collection and RDG properties).
          ▪ All remote desktop connection logs must be centrally stored and analyzed regularly.
  • 26. Security Measure #1: Enable HA for All RDS Role Services
      • All RD components/role services must be highly available. This includes:
          ▪ RD Session Host: at least two RDSH servers must be part of the dedicated RDS Session Collection.
          ▪ RD Connection Broker: at least two RDCB servers must be deployed and configured in HA mode (a SQL Server instance is required).
          ▪ RD Web Access: at least two RD Web Access servers must be deployed and configured behind a load balancer.
          ▪ RD Gateway: at least two RD Gateway servers must be deployed and configured in HA mode and behind a load balancer.
          ▪ RD Licensing: at least two RD Licensing servers must be deployed and configured in HA mode.
  • 27. Security Measure #2: Create a Dedicated RDS Collection per App Group/App Type
      • First, list all your published apps (RemoteApps).
      • Then, create a category list of your apps: HR apps, Finance apps, Admin apps…
      • Each app group must be published and distributed through a dedicated RDS Session Collection (dedicated RDSH servers).
      • RD Web Access & RD Gateway can be shared by all your remote desktop users (shared mode is allowed for the RD web services).
  • 28. Security Measure #3: Deploy an RD Gateway
      • It is recommended to deploy an RD Gateway for all external remote desktop users and to define strong CAPs (Connection Authorization Policies) and RAPs (Resource Authorization Policies) to improve the security level of the RDS environment.
      • The RD Gateway requires a valid SSL certificate to operate; the SSL certificate delivered to the RD Gateway must be issued by a valid/trusted CA (Certification Authority).
      • Note: you have to buy a valid SSL certificate from a trusted public CA provider (e.g. GlobalSign).
  • 29. Security Measure #4: Enable MFA for All Remote Desktop Users
      • It is recommended to enable MFA (Multi-Factor Authentication) for all external Remote Desktop users connecting to your internal RDS resources from outside.
      • The MFA service requires an RD Gateway component to operate.
      • Remote desktop users must have at least one physical device (smartphone, biometrics…) to complete the MFA process.
  • 30. Security Measure #5: Enable NLA on All RDS Collections
      • Network Level Authentication (NLA) uses the CredSSP provider to present user credentials to the server before the server has to create a session.
      • This improves the security level of the RDS environment by avoiding the security risk related to Denial of Service attacks.
      • It is highly recommended to enable NLA on all your RDS Collections.
      • This can also be forced by using RDS Group Policy settings.
  • 31. Security Measure #6: Force "High Level" Encryption on All RDS Collections
      • By default, the Remote Desktop service uses an encryption setting of Client Compatible (medium). This level encrypts data sent between the client and the server at the maximum key strength supported by the client. It is generally used in an environment containing mixed or earlier-version clients.
      • The medium setting may facilitate the use of weak encryption, which could be decrypted in a reasonable time-frame and lead to the disclosure of sensitive information.
      • It is highly recommended to "force" the High encryption level on all your RDS Collections.
      • This can also be forced by using RDS Group Policy settings.
  • 32. Security Measure #7: Force the "TLS Layer" on All RDS Collections
      • All RD Session Host servers of your RDS deployment must be authenticated using an SSL/TLS certificate.
      • This is mandatory to avoid any security risk related to remote users' identity theft.
      • The SSL certificates used to authenticate the RDSH servers must be issued by a valid/trusted public CA (Certification Authority) or by your internal PKI.
      • It is highly recommended to configure valid SSL certificates for your RDSH servers.
      • This can also be forced by using RDS Group Policy settings.
  • 33. Security Measure #8: Define and Apply an AppLocker Policy
      • You have to lock down the RD Session Hosts that host your published sessions and apps.
      • A strong AppLocker policy must be defined and applied to all RD Session Host servers of your deployment.
      • Hash-based AppLocker rules can be used to enforce software restrictions on your RDSH servers.
      • You first have to audit your apps and collect all the required information, such as the app thumbprints (file hashes), to define and apply your AppLocker rules.
      • It is recommended to create and apply whitelist-based AppLocker rules.
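As an added example (not the deck's own script), the audit-then-whitelist workflow of Security Measure #8 in PowerShell with the built-in AppLocker cmdlets: hash rules are generated from the RemoteApp folder, the policy is written in audit-only mode first, and the decision for a listed and an unlisted binary is checked before anything is enforced. The folder, policy path and group name are assumptions.

```powershell
# Added example (not from the original deck): hash-based AppLocker allow-list for an RDSH.
# Assumed/hypothetical values: RemoteApps are installed under C:\RemoteApps, the policy is
# written to C:\RDS-Hardening\AppLocker-RemoteApps.xml, users belong to CONTOSO\RDS-USERS.
# Run elevated on an RD Session Host; AppLocker rules only take effect while the
# Application Identity (AppIDSvc) service is running.
$remoteAppRoot = 'C:\RemoteApps'
$policyPath    = 'C:\RDS-Hardening\AppLocker-RemoteApps.xml'
$rdsUsers      = 'CONTOSO\RDS-USERS'

# 1. Audit (the deck's "collect app thumbprints" step): path, publisher and SHA256 hash
#    of every executable and DLL shipped with the published apps.
$fileInfo = Get-AppLockerFileInformation -Directory $remoteAppRoot -Recurse -FileType Exe, Dll
'{0} files inventoried under {1}' -f @($fileInfo).Count, $remoteAppRoot

# 2. Allow rules keyed on file hash, scoped to the RDS users group. -Optimize merges
#    the inventory into as few rules as possible.
[xml]$policy = $fileInfo | New-AppLockerPolicy -RuleType Hash -User $rdsUsers `
                   -RuleNamePrefix 'RemoteApp' -Optimize -Xml

# 3. Start in audit-only mode: would-be blocks are written to the AppLocker event logs
#    but not enforced, so gaps in the inventory surface before users are affected.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
$policy.Save($policyPath)

# 4. Dry run as the RDS user: a RemoteApp binary should be Allowed; notepad.exe, which is
#    not in this policy, should be DeniedByDefault (the default rules would allow it in
#    production, which is why they must be kept alongside this policy).
$sample = Get-ChildItem -Path $remoteAppRoot -Filter *.exe -Recurse | Select-Object -First 1
Test-AppLockerPolicy -XmlPolicy $policyPath -User $rdsUsers `
    -Path $sample.FullName, "$env:SystemRoot\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision -AutoSize

# 5. Merge into the local policy (or import the XML into the RDSH GPO, as the deck
#    prefers). Switch the collections from AuditOnly to Enabled only after the audit log
#    has been clean for the pilot period.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```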
  • 34. Security Measure #9: Define a Strong Password & Lockout Policy for All Remote Desktop Users
      • A strong password policy must be defined and applied to all remote desktop users.
      • Using an AD Group Policy Object, you can create, configure and apply your password policy to a specific AD group (e.g. RDS-USERS).
      • It is also highly recommended to define and apply an account lockout policy.
  • 35. Security Measure #10: Change the Default RDP Port
      • By default, the RDP protocol listens on port 3389.
      • This port is targeted by several malware/ransomware families.
      • Hackers also target this default port during the footprinting phase.
      • Recommendation: it is highly recommended to change this default port to something like 33381 (or a higher port).
      • Tip: you can download and use this PowerShell script to make the change: https://gallery.technet.microsoft.com/RDS-Script-RDP-Port-af6a974b
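Security Measures #5, #6, #7 and #10 all end up as values on the RD Session Host's RDP-Tcp listener. The following is an added example (not the deck's script, and not the TechNet script linked above) that reports each value against the hardened target and, with -Enforce, applies it; 33381 is the deck's example port and the only assumed value.

```powershell
# Added example (not from the original deck): audit the RDP-Tcp listener against Security
# Measures #5 (NLA), #6 (High encryption), #7 (TLS security layer) and #10 (non-default
# port), and remediate with -Enforce. Value names are the listener's own registry values.
# Values pushed by GPO (HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services)
# take precedence over the listener key, so use this on hosts that are not yet GPO-managed
# or to verify what the GPO produced.
function Test-RdpListenerHardening {
    [CmdletBinding()]
    param(
        [switch]$Enforce,
        [int]$DesiredPort = 33381   # the deck's example; any free high port works
    )
    $listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Hardened target: NLA required, encryption level 3 = High (128-bit),
    # security layer 2 = TLS (server authenticates with its certificate), listener off 3389.
    $expected = [ordered]@{
        UserAuthentication = 1
        MinEncryptionLevel = 3
        SecurityLayer      = 2
        PortNumber         = $DesiredPort
    }
    $labels = @{
        UserAuthentication = @{ 0 = 'NLA off'; 1 = 'NLA required' }
        MinEncryptionLevel = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS' }
        SecurityLayer      = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'TLS' }
    }

    $current = Get-ItemProperty -Path $listener
    $report = foreach ($name in $expected.Keys) {
        $actual = [int]$current.$name
        $label  = $actual
        if ($labels.ContainsKey($name)) { $label = '{0} ({1})' -f $actual, $labels[$name][$actual] }
        [pscustomobject]@{
            Setting   = $name
            Current   = $label
            Expected  = $expected[$name]
            Compliant = ($actual -eq $expected[$name])
        }
    }

    if ($Enforce) {
        foreach ($item in $report | Where-Object { -not $_.Compliant }) {
            Set-ItemProperty -Path $listener -Name $item.Setting -Value $expected[$item.Setting] -Type DWord
        }
        if ([int]$current.PortNumber -ne $DesiredPort) {
            # Open the new port BEFORE the listener moves so the host stays reachable;
            # remove the built-in 3389 rule separately once every client has switched.
            New-NetFirewallRule -DisplayName "Remote Desktop (TCP $DesiredPort)" -Direction Inbound `
                -Protocol TCP -LocalPort $DesiredPort -Action Allow | Out-Null
        }
        # The listener re-reads these values only when Remote Desktop Services restarts,
        # which drops active sessions: run this in a maintenance window.
        Restart-Service -Name TermService -Force
    }
    $report
}

Test-RdpListenerHardening | Format-Table -AutoSize   # report only, no changes
# Test-RdpListenerHardening -Enforce                 # apply the hardened values
```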
  • 36. Security Measure #11: Secure Your Remote Desktop Users' Devices
      • If your security policy consists of restricting all local resource redirection (local drives, printers, clipboard, etc.), you have to force (via GPO) the local resource redirection options on your RD Session Host servers, and apply the same hardening on your RDS client devices.
      • The registry keys listed in the "Appendix" section can be configured via GPO to disable all local resource redirection on the RDC (Remote Desktop Connection) client, MSTSC.exe.
  • 37. Security Measure #12: Set the Maximum Number of Allowed Remote Desktop Sessions
      • If you have the complete list of all your remote desktop users (internal & external), it is recommended to set the maximum number of allowed remote desktop sessions in the RDS Session Collection properties (Load Balancing) and also in your RD Gateway properties.
  • 38. Security Measure #13: Define an RDS Log Management Policy
      • All operations performed on your RDS environment must be logged: connections, reconnections, changes/modifications…
      • All RDS logs must be centrally stored and analyzed to check for suspicious connections or abnormal behavior.
      • At a minimum, a WEF (Windows Event Forwarding) policy must be defined and configured.
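The "analyze centrally stored logs" step of Security Measure #13, as an added example that is not part of the deck: a check for the brute-force pattern of Risks #1 and #8 run over constructed records shaped like Security log logon events (4625 failed, 4624 succeeded). The sample addresses, accounts and timestamps are constructed; the threshold and window are assumptions to tune.

```powershell
# Added example (not from the original deck): brute-force detection over collected logon
# events. $events below is CONSTRUCTED sample data; in production feed the function from
# the WEF collector, e.g. Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}
# with TargetUserName and IpAddress taken from each event's XML. Caveat: with NLA on, 4625
# often records '-' as the address, so the client IP must then come from the RDP listener's
# own log (Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational).
function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$Threshold     = 5,   # failures from one source address ...
        [int]$WindowMinutes = 10   # ... within this many minutes
    )
    $failures = $Events | Where-Object { $_.Id -eq 4625 -and $_.IpAddress -ne '-' }
    foreach ($source in ($failures | Group-Object -Property IpAddress)) {
        $sorted = @($source.Group | Sort-Object TimeCreated)
        # Sliding window: the first run of $Threshold failures inside $WindowMinutes is a burst.
        for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
            $span = $sorted[$i + $Threshold - 1].TimeCreated - $sorted[$i].TimeCreated
            if ($span.TotalMinutes -gt $WindowMinutes) { continue }

            # A success from the same source after the burst is the highest-priority signal:
            # the password was probably guessed (Risk #1, second bullet).
            $success = $Events | Where-Object {
                $_.Id -eq 4624 -and $_.IpAddress -eq $source.Name -and
                $_.TimeCreated -ge $sorted[$i].TimeCreated
            } | Select-Object -First 1
            $compromised = $null
            if ($success) { $compromised = $success.TargetUserName }

            [pscustomobject]@{
                SourceIp          = $source.Name
                Failures          = $sorted.Count
                FirstFailure      = $sorted[0].TimeCreated
                LastFailure       = $sorted[-1].TimeCreated
                AccountsTried     = ($sorted.TargetUserName | Sort-Object -Unique) -join ', '
                AdminTargeted     = [bool]($sorted.TargetUserName -contains 'Administrator')
                SuccessAfterBurst = $compromised
            }
            break   # one finding per source address
        }
    }
}

# --- Constructed sample records (addresses from the TEST-NET documentation ranges) ---
$t0 = Get-Date '2019-01-12T08:00:00'
$events = @(
    # 198.51.100.23 tries six passwords in under three minutes, then gets in as 'rdsuser'.
    foreach ($n in 0..5) {
        [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddSeconds(30 * $n); LogonType = 10
                           IpAddress = '198.51.100.23'
                           TargetUserName = @('Administrator', 'admin', 'rdsuser')[$n % 3] }
    }
    [pscustomobject]@{ Id = 4624; TimeCreated = $t0.AddMinutes(4); LogonType = 10
                       IpAddress = '198.51.100.23'; TargetUserName = 'rdsuser' }
    # 203.0.113.9 fails once and then logs in: a mistyped password, not a burst.
    [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddHours(1); LogonType = 10
                       IpAddress = '203.0.113.9'; TargetUserName = 'alice' }
    [pscustomobject]@{ Id = 4624; TimeCreated = $t0.AddHours(1).AddSeconds(20); LogonType = 10
                       IpAddress = '203.0.113.9'; TargetUserName = 'alice' }
)

# Expected: a single finding for 198.51.100.23 with Failures 6, AdminTargeted True and
# SuccessAfterBurst 'rdsuser'; 203.0.113.9 is below the threshold and not reported.
Find-RdpBruteForce -Events $events | Format-List
```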
  • 39. PenTest Your RDS Environment
  • 40. PenTest Your RDS Environment
      • Once deployed, you have to perform penetration tests on your RDS environment; this allows you to validate the security level of your RDS platform before integrating it into your production environment.
      • Several penetration tests have to be performed to validate the security posture of the RDS environment.
      • The PenTesting phase will include:
          ▪ Security of all RDS components exposed to the Internet: RDG, RD Web Access…
          ▪ Authentication process
          ▪ Encryption attack
          ▪ TLS authentication
          ▪ MiTM attack
          ▪ D/DoS attack
          ▪ Network isolation
          ▪ App restriction policies
          ▪ RDS Collection multi-tenancy
  • 41. Appendix: RDS Security & Hardening Guide
  • 42. HowTo: Restrict Local Resource Redirection on Your RDS Client (MSTSC.exe)
  • 43. Tips & Tricks [Part 1]: Restrict Local Resource Redirection from the MSTSC.exe Client
      • The following registry value must be created and deployed on remote desktop devices/client laptops to disable clipboard redirection:
          ▪ Key Path: HKLM\SOFTWARE\Microsoft\Terminal Server Client
          ▪ Value Name: DisableClipboardRedirection
          ▪ Type: REG_DWORD
          ▪ Data: 1
  • 44. Tips & Tricks [Part 2]: Restrict Local Resource Redirection from the MSTSC.exe Client
      • The following registry value must be created and deployed on remote desktop devices/client laptops to disable local drive redirection:
          ▪ Key Path: HKLM\SOFTWARE\Microsoft\Terminal Server Client
          ▪ Value Name: DisableDriveRedirection
          ▪ Type: REG_DWORD
          ▪ Data: 1
  • 45. Tips & Tricks [Part 3]: Restrict Local Resource Redirection from the MSTSC.exe Client
      • The following registry value must be created and deployed on remote desktop devices/client laptops to disable local printer redirection:
          ▪ Key Path: HKLM\SOFTWARE\Microsoft\Terminal Server Client
          ▪ Value Name: DisablePrinterRedirection
          ▪ Type: REG_DWORD
          ▪ Data: 1
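The three client-side values from Parts 1 to 3 above, deployed and verified in one script; this is an added example rather than the deck's own tooling, and uses exactly the key path and value names the appendix gives.

```powershell
# Added example (not from the original deck): apply and verify the MSTSC.exe redirection
# restrictions from Tips & Tricks Parts 1-3 on a remote desktop device. Run elevated (the
# key lives under HKLM, so it applies to every user of the device). In a domain the same
# values can be delivered with a GPO registry preference, as Security Measure #11 suggests.
$clientKey    = 'HKLM:\SOFTWARE\Microsoft\Terminal Server Client'
$restrictions = [ordered]@{
    DisableClipboardRedirection = 1   # Part 1: no clipboard sharing with the session
    DisableDriveRedirection     = 1   # Part 2: no local drives mapped into the session
    DisablePrinterRedirection   = 1   # Part 3: no local printers mapped into the session
}

function Set-RdcRedirectionRestrictions {
    param([string]$Path = $clientKey, [System.Collections.IDictionary]$Values = $restrictions)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        # -Force overwrites an existing value (e.g. one that a user flipped back to 0).
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $Values[$name] -Force | Out-Null
    }
}

function Test-RdcRedirectionRestrictions {
    param([string]$Path = $clientKey, [System.Collections.IDictionary]$Values = $restrictions)
    $current = $null
    if (Test-Path -Path $Path) { $current = Get-ItemProperty -Path $Path }
    foreach ($name in $Values.Keys) {
        $actual = $null                           # a missing value means redirection is still allowed
        if ($current -and $null -ne $current.$name) { $actual = [int]$current.$name }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Values[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Values[$name])
        }
    }
}

Set-RdcRedirectionRestrictions
Test-RdcRedirectionRestrictions | Format-Table -AutoSize
```

These values restrict the built-in Remote Desktop Connection client only; the server-side GPO settings in the next slides are what stop redirection from any client.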
  • 47. Tips & Tricks [Part 1]: RDS Hardening Group Policy Settings
      ○ Restricting Device and Resource Redirection
        Device and resource redirection can be restricted using the following Group Policy path:
        - Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Device and Resource Redirection
      ○ Restricting Printer Redirection
        Printer redirection can be restricted using the following Group Policy path:
        - Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Printer Redirection
  • 48. Tips & Tricks [Part 2]: RDS Hardening Group Policy Settings
      ○ Restricting access to the Registry
        Access to the Registry can be restricted using the following Group Policy setting:
        - User Configuration | Policies | Administrative Templates | System
          Setting: Prevent access to registry editing tools
      ○ Hiding Desktop icons
        Desktop icons can be hidden using the following Group Policy settings:
        - User Configuration | Policies | Administrative Templates | Desktop
          Settings: Hide and disable all items on the desktop; Remove "My Computer" icon from the desktop
  • 49. Tips & Tricks [Part 3]: RDS Hardening Group Policy Settings
      ○ Restricting access to Control Panel
        Access to Control Panel can be restricted using the following Group Policy setting:
        - User Configuration | Policies | Administrative Templates | Control Panel
          Setting: Prohibit access to Control Panel and PC settings
      ○ Restricting printer driver installation
        Printer driver installation can be restricted using the following Group Policy setting:
        - Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options
          Setting: Devices: Prevent users from installing printer drivers
  • 50. Tips & Tricks [Part 4]: RDS Hardening Group Policy Settings
      ○ Restricting access to the Command Prompt
        Access to the Command Prompt (cmd.exe) can be restricted using the following Group Policy setting:
        - User Configuration | Policies | Administrative Templates | System
          Setting: Prevent access to the command prompt
      ○ Restricting access to Task Manager
        Access to Task Manager can be restricted using the following Group Policy setting:
        - User Configuration | Policies | Administrative Templates | System | Ctrl+Alt+Del Options
          Setting: Remove Task Manager
  • 51. Want to read more? A complete list of all RDS security and hardening features is detailed in the Ultimate Guide. Request your copy of the RDS book: contact us!
  • 52. Do you have an RDS security project? If yes, feel free to contact us.
      Your contacts:
      • Hicham KADIRI, RDP Expert & Microsoft MVP, hicham.kadiri@k-nd-k-group.com, +33 (0)6 52 97 72 84
      • Mohsine CHOUGDALI, Key Account Manager, mohsine.chougdali@k-nd-k-group.com, +33 6 66 26 55 15
      A K&K Group Company
  • 53. o_O /hicham_kadiri /in/hichamkadiri. Subscribe to my blog: hichamkadiri.wordpress.com
  • 54. End of Lesson. Hope this helps ☺