
[RDS /Remote Desktop Services] Lesson 1 : Security Risks & Best Practices You Should Know


This document lists the security risks related to the Remote Desktop Protocol (RDP) that you should take into account when dealing with an RDS infrastructure.

It also describes the RDS security best practices and hardening options you should implement to successfully secure your RDS deployment.



  1. Remote Desktop Services: Security Risks & Best Practices You Should Know
     RDS Free Training, Module 1: Security Risks & Best Practices
     By Hicham KADIRI, January 12, 2019. A K&K Group Company.
  2. About me: Hicham KADIRI (aka #HK)
     • Microsoft MVP: Windows Expert-IT Pro (2014-2015); Cloud and Datacenter Management (2016); Enterprise Mobility /RDS (2017); CDCM /Azure (2018)
     • Founder @BecomeITExpert.com; Co-Founder @K&K Group, Think {Cloud /DevOps /Security}
     • IT Author (+10 eBooks): RDS 2012 R2 and 2016 Pocket Consultant; RDS & OS Security & Hardening guide; Azure CLI 2.0 Pocket Consultant; GPO, PowerShell, AppLocker …
     • Lead Cloud Architect /Az Expert: working for several large companies and international groups including Thales, Areva, Rabobank, Gemalto, Vinci, CE, BP, etc.
     • IT Blogger: hichamkadiri.wordpress.com, AskTheCloudExpert.wordpress.com (~2 million views ☺); /hicham_kadiri, /in/hichamkadiri
     • TechNet Contributor (Top 0.5%): MTFC (Microsoft Technical French Contributor); MCC (Microsoft Community Contributor)
  3. 3. Document Objectives • RDP/RDS : Presentation • RDS Components • RDS Architecture : High Level Picture • Is RDP a secure protocol ? • Security Risks related to RDP Protocol • Security measures you should implement • PenTest your RDS environment • Appendix : RDS Security & Hardening Guide
  4. RDP/RDS Presentation
  5. RDP/RDS: What is it?
     • The Remote Desktop Protocol (aka RDP) is a proprietary protocol developed by Microsoft that provides a graphical means of connecting to a network-connected computer.
     • RDP is essentially a protocol for dangling your keyboard, mouse and display for others to use. As you might expect, a juicy protocol like this has a variety of knobs that control its security capabilities, including user authentication, the encryption used, and more.
     • Formerly TSE (Terminal Services), RDS (Remote Desktop Services) is a native role in Windows Server 2008, 2012/2012 R2, 2016 and 2019. It is a set of services that enable one or more users to simultaneously access (via the RDP protocol) published applications (RemoteApp programs), Windows desktops (Remote Desktop sessions) or virtual desktops (VDI), from the local corporate network or from the Internet.
  6. RDS Components
  7. RDS Components
     • The RDS solution consists of 6 role services:
     • Remote Desktop Session Host (RDSH): accepts and manages multiple Remote Desktop connections simultaneously.
     • Remote Desktop Virtualization Host (RDVH): the RDVH server integrates with Microsoft Hyper-V to deliver virtual desktops (virtual machines) on demand. The RDVH role service is the Microsoft VDI infrastructure.
     • Remote Desktop License Server (RDLS): this role manages the installation and distribution of all RDS CALs (Per-User and Per-Device).
     • Remote Desktop Connection Broker (RDCB): manages load balancing and RD session reconnection.
     • Remote Desktop Gateway (RDG): the RDG acts as an RDP firewall for all external remote desktop users. The RDG uses only HTTPS/443 flows and encapsulates RDP over HTTPS to secure the communication.
     • Remote Desktop Web Access (RDWA): the RDS Web Access portal lets you publish your internal RDS resources and distribute them through a web portal.
  8. RDS Architecture: High Level Picture
  9. RDS Architecture: High Level Picture
     • In a standard RDS Windows Server architecture (from 2008 R2 to 2019), the components mentioned above are deployed as shown in the figure below:
  10. Is RDP a Secure Protocol?
  11. Is RDP a Secure Protocol?
     • The default RDP configuration leaves it vulnerable to several attacks when enabled; there are, however, some security improvements introduced in newer RDS Windows Server versions.
     • By default, several attacks are possible:
       ▪ Denial of Service (DoS) attack
       ▪ Man-in-the-Middle (MiTM) attack
       ▪ Brute-force attack
       ▪ …
     • Refer to the next slides for more information about the risks related to the RDP protocol.
  12. Security Risks Related to the RDP Protocol
  13. Security Risks Related to the RDP Protocol
     When dealing with the RDP protocol, there are (by default) several vulnerabilities and security risks you should know and take into account:
     • RDS exposed on the Internet
     • Man-in-the-Middle (MiTM)
     • Encryption attack
     • Denial of Service (DoS) attack
     • Dumping password hashes
     • RDS misconfiguration
     • Ransomware
     • Brute-force attack
     • Risks related to an RDSH "Shared Mode" environment (shared RDS Collection)
     • Keylogging
     • …
  14. Security Risk #1: RDP Exposed on the Internet
     • There is no need to expose the Remote Desktop service to the Internet, which lets untrusted users on the Internet attempt connections. Worse still, malicious Internet-based attackers could carry out brute-force attacks against the service. By default, the first account an attacker would try is 'Administrator', which is usually not subject to account lockout.
     • If a password is guessed successfully, the resulting access could have substantial repercussions for your organization and facilitate further attacks against trusted or connected infrastructure.
  15. Security Risk #2: Man-in-the-Middle (MiTM) Attack
     • Although the Remote Desktop service provides data encryption between the client and the server by default, it does not provide authentication for verifying the identity of the Terminal/RDSH server. This lack of identity verification allows a malicious person, by deploying other nefarious activities, to intercept all communications sent between a client and a Terminal Server.
     • The likelihood of this type of attack depends on the attacker's ability to control connections between the client and the Terminal Server. Typically, this requires other attacks such as ARP (Address Resolution Protocol) spoofing or DNS (Domain Name System) spoofing, which redirect connections to the attacker before the data is passed on to the legitimate server.
  16. Security Risk #3: Encryption Attack
     • By default, the Remote Desktop service uses an encryption setting of Client Compatible (medium). This level encrypts data sent between the client and the server at the maximum key strength supported by the client. It is generally used in an environment containing mixed or earlier-version clients.
     • The medium setting may allow the use of weak encryption, which could be decrypted in a reasonable time frame and lead to the disclosure of sensitive information.
  17. Security Risk #4: Denial of Service (DoS) Attack
     • Terminal Servers that support Network Level Authentication (NLA) but do not have it configured present a risk. NLA forces the client computer to present user credentials for authentication before the server creates a session for that user.
     • As session creation is relatively resource intensive, NLA provides a layer of defense against Denial of Service attacks, in which a malicious user makes repeated connections to the service to prevent its legitimate use by others.
  18. Security Risk #5: Dumping Password Hashes
     • You have to ensure that Remote Desktop users are never "Local Administrators" on the RDSHs. Since an RDSH is a shared server (used by different kinds of users), there is a significant security risk if one or several RD users hold local admin rights: they can run a hash-dumping tool to dump the local password hashes of the other remote desktop users connected to the same server.
     • An AppLocker policy must also be defined to avoid any risk related to the use of a hash-dumping tool such as Mimikatz.
  19. Security Risk #6: RDS Misconfiguration
     • All RDSH servers must be hardened and locked down to avoid any risk related to RDS misconfiguration.
     • RDSH hardening must be "enforced" using Group Policy settings.
  20. Security Risk #7: Ransomware
     • Ransomware attacks are becoming more targeted in order to be more effective, and one of the primary attack vectors is the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies: an option to remotely control a PC. With currently available software, it almost feels as if you were actually sitting behind that PC, which is what makes it so dangerous.
     • Again, all RDSH servers must be locked down to avoid any security risk related to ransomware execution.
  21. Security Risk #8: Brute-Force Attack
     • RDP becomes vulnerable to brute-force attacks when weak passwords are used.
     • It is recommended to define and enforce a strong password policy for all Remote Desktop users that connect to your RDS Collection.
     • It is also recommended to limit the number of remote desktop users and never leave "unlimited" connections on RDSH servers and the RD Gateway.
  22. Security Risk #9: RDS Collection in "Shared Mode"
     • When you deploy a new RDS infrastructure, a new RDS Collection is (by default) automatically created.
     • Most IT teams keep this RDS Collection with the default settings and configure it to allow all remote desktop users, from different departments, to connect to the same shared environment.
     • This RDS Collection is often used to host all kinds of applications (HR, Finance, IT, etc.), with no isolation at the application level: all apps are hosted in a "shared" environment on the same RD Session Host servers.
     • This allows a lateral movement attack!
     • Recommendation: always create a dedicated RDS Collection to isolate the different application environments.
  23. Security Risk #10: Keylogging
     • A keylogger is a piece of malicious software, usually called "spyware" or "malware", that records every keystroke you make on a keyboard.
     • To avoid any risk related to the use of a keylogger tool, AppLocker rules must be defined and applied to all RD Session Host servers.
     • Recommendation: AppLocker rules must be defined and configured to white-list RemoteApps based on their hash thumbprint.
  24. Security Measures You Should Implement
  25. Security Measures You Should Implement
     To mitigate the risks related to the RDP protocol, its connections and its communications, the following security features and mechanisms should be implemented:
     • Enable HA (High Availability) for all RDS role services (RDSH/RDCB/RDWA/RDG/RDLS) and also for the SQL Server used for the RDCB database HA.
     • Create a dedicated RDS Session Collection per customer and for each published app.
     • Deploy an RDG (Remote Desktop Gateway) for all external remote desktop users.
     • Enable MFA (or 2FA) for all remote (external) desktop users. You can use Azure MFA Server if you are an AD P1 customer.
     • Enable NLA (Network Level Authentication) on all RDS Session Collections.
     • Force High-level encryption for all RDP communication (128-bit encryption).
     • Force the use of the TLS layer on all RDS Session Collections: TLS authentication for all RDSHs.
     • Define and apply an AppLocker policy on all RD Session Host servers.
     • Define a strong password and lockout policy for all remote desktop users (using GPO).
     • Change the default RDP port.
     • If possible, harden the remote desktop devices (restrict local resource redirection from the MSTSC.exe client).
     • Set the maximum number of allowed remote desktop sessions (in the RDS Collection and RD Gateway properties).
     • All Remote Desktop connection logs must be centrally stored and analyzed regularly.
  26. Security Measure #1: Enable HA for All RDS Role Services
     • All RD components/role services must be highly available; this includes:
       ▪ RD Session Host: at least two RDSH servers must be part of the dedicated RDS Session Collection.
       ▪ RD Connection Broker: at least two RDCB servers must be deployed and configured in HA mode (a SQL Server instance is required).
       ▪ RD Web Access: at least two RD Web Access servers must be deployed and configured behind a load balancer.
       ▪ RD Gateway: at least two RD Gateway servers must be deployed and configured in HA mode and behind a load balancer.
       ▪ RD Licensing: at least two RD Licensing servers must be deployed and configured in HA mode.
  27. Security Measure #2: Create a Dedicated RDS Collection per App Group/App Type
     • First, list all your published apps (RemoteApps).
     • Then, create a category list of your apps: HR apps, Finance apps, Admin apps…
     • Each app group must be published and distributed through a dedicated RDS Session Collection (dedicated RDSH servers).
     • RD Web Access and RD Gateway can be shared by all your remote desktop users (shared mode is allowed for the RD Web services).
  28. Security Measure #3: Deploy an RD Gateway
     • It is recommended to deploy an RD Gateway for all external remote desktop users and to define strong CAPs (Connection Access Policies) and RAPs (Resource Access Policies) to improve the security level of the RDS environment.
     • The RD Gateway requires a valid SSL certificate to operate; the SSL certificate delivered to the RD Gateway must be issued by a valid/trusted CA (Certification Authority).
     • Note: you have to buy a valid SSL certificate from a trusted public CA provider (e.g. GlobalSign).
  29. Security Measure #4: Enable MFA for All Remote Desktop Users
     • It is recommended to enable MFA (Multi-Factor Authentication) for all external Remote Desktop users connecting to your internal RDS resources from outside.
     • The MFA service requires an RD Gateway component to operate.
     • Remote desktop users must have at least one physical device (smartphone, biometrics…) to complete the MFA process.
  30. Security Measure #5: Enable NLA on All RDS Collections
     • Network Level Authentication (NLA) uses the CredSSP provider to present user credentials to the server before the server has to create a session.
     • This improves the security level of the RDS environment by avoiding the security risk related to Denial of Service attacks.
     • It is highly recommended to enable NLA on all your RDS Collections.
     • This can also be forced using RDS Group Policy settings.
  31. Security Measure #6: Force "High Level" Encryption on All RDS Collections
     • By default, the Remote Desktop service uses an encryption setting of Client Compatible (medium). This level encrypts data sent between the client and the server at the maximum key strength supported by the client. It is generally used in an environment containing mixed or earlier-version clients.
     • The medium setting may allow the use of weak encryption, which could be decrypted in a reasonable time frame and lead to the disclosure of sensitive information.
     • It is highly recommended to "force" a High encryption level on all your RDS Collections.
     • This can also be forced using RDS Group Policy settings.
  32. Security Measure #7: Force the "TLS Layer" on All RDS Collections
     • All RD Session Host servers of your RDS deployment must be authenticated using an SSL/TLS certificate.
     • This is mandatory to avoid any security risk related to remote user identity theft.
     • The SSL certificates used to authenticate the RDSH servers must be issued by a valid/trusted public CA (Certification Authority) or by your internal PKI.
     • It is highly recommended to configure valid SSL certificates for your RDSH servers.
     • This can also be forced using RDS Group Policy settings.
  33. Security Measure #8: Define and Apply an AppLocker Policy
     • You have to lock down the RD Session Hosts that host your published sessions and apps.
     • A strong AppLocker policy must be defined and applied to all RD Session Host servers of your deployment.
     • Hash-based AppLocker rules can be used to enforce software restrictions on your RDSH servers.
     • You first have to audit your apps and collect all required information, such as the "Apps Thumbprint" (file hash), to define and apply your AppLocker rules.
     • It is recommended to create and apply a white-list-based AppLocker rule set.
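The hash-based white-list of Security Measure #8 (which also addresses Risks #5 and #10) as an added PowerShell example; this is not the deck's own script. It assumes the RemoteApps are installed under the placeholder folder below, that the Application Identity service (AppIDSvc) runs on the RDSH, and that HRApp.exe is a placeholder file name.

```powershell
# Added example, not from the deck: build a hash-based allow-list AppLocker policy from the
# installed RemoteApp binaries, check what it decides for sample files, and save the XML
# for deployment through Group Policy.
# Assumptions: placeholder RemoteApp folder and file names; AppIDSvc running on the RDSH.

$RemoteAppRoot = 'C:\Program Files\Contoso RemoteApps'      # placeholder path
$PolicyFile    = Join-Path $env:TEMP 'RDSH-RemoteApp-AppLocker.xml'

function New-RemoteAppHashPolicy {
    param([string]$Root, [string]$OutFile)
    # Hash ("Apps Thumbprint") rules: a rebuilt or tampered binary no longer matches,
    # unlike a publisher rule, which would allow every signed build of the product.
    $policyXml = Get-AppLockerFileInformation -Directory $Root -Recurse -FileType Exe, Dll |
        New-AppLockerPolicy -RuleType Hash -User 'Everyone' -RuleNamePrefix 'RemoteApp' -Optimize -Xml
    # Generated rule collections come back as "NotConfigured". Start in AuditOnly so that
    # blocked launches surface in the Microsoft-Windows-AppLocker/EXE and DLL event log before
    # switching to Enabled. Merge the Windows default rules (%WINDIR%, %PROGRAMFILES%) in
    # before enforcing, or the OS components themselves are blocked.
    $xml = [xml]$policyXml
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
    $xml.Save($OutFile)
    $OutFile
}

function Test-RemoteAppPolicy {
    # PolicyDecision is Allowed, Denied or DeniedByDefaultRule for each candidate file.
    param([string]$PolicyPath, [string[]]$Candidates)
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Candidates -User 'Everyone'
}

$policy = New-RemoteAppHashPolicy -Root $RemoteAppRoot -OutFile $PolicyFile
Test-RemoteAppPolicy -PolicyPath $policy -Candidates @(
    (Join-Path $RemoteAppRoot 'HRApp.exe'),      # placeholder published RemoteApp: expected Allowed
    "$env:SystemRoot\System32\cmd.exe"           # not in the allow-list: expected Denied
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally on a test RDSH (merged with any existing local policy); for the fleet, import
# the saved XML into the GPO linked to the RDSH OU.
Set-AppLockerPolicy -XmlPolicy $policy -Merge
```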
  34. Security Measure #9: Define a Strong Password & Lockout Policy for All Remote Desktop Users
     • A strong password policy must be defined and applied to all remote desktop users.
     • Using an AD Group Policy Object, you can create, configure and apply your password policy to a specific AD group (e.g. RDS-USERS).
     • It is also highly recommended to define and apply an account lockout policy.
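A group-scoped password and lockout policy for the RDS-USERS group of Security Measure #9, as an added example that is not part of the deck. Because a GPO password policy applies to the whole domain, the example uses an AD fine-grained password policy (PSO), the mechanism that can target a single group; it assumes the ActiveDirectory module, a domain functional level of 2008 or later, and an existing group named RDS-USERS, and the thresholds are illustrative values, not the deck's.

```powershell
# Added example, not from the deck: create a PSO with password and lockout settings, bind it
# to the RDS-USERS group, then verify which policy actually applies to each member.
# Assumptions: ActiveDirectory module; group RDS-USERS exists; values are illustrative.

Import-Module ActiveDirectory

function New-RdsUserPasswordPolicy {
    param([string]$Name = 'PSO-RDS-USERS', [string]$TargetGroup = 'RDS-USERS')
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'")) {
        # Precedence 10: a lower number wins if several PSOs apply to the same user.
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
            -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
            -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
            -ReversibleEncryptionEnabled $false
    }
    # Bind the PSO to the group only once.
    $subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $Name
    if ($subjects.SamAccountName -notcontains $TargetGroup) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $TargetGroup
    }
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

function Test-RdsUserResultantPolicy {
    # Reports the winning policy per member: a user covered by no PSO falls back to the
    # Default Domain Policy, which is the case this check is meant to catch.
    param([string]$TargetGroup = 'RDS-USERS', [string]$ExpectedPso = 'PSO-RDS-USERS')
    Get-ADGroupMember -Identity $TargetGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $pso  = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            $name = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            [pscustomobject]@{
                User       = $_.SamAccountName
                Resultant  = $name
                AsExpected = ($name -eq $ExpectedPso)
            }
        }
}

New-RdsUserPasswordPolicy |
    Format-List Name, Precedence, MinPasswordLength, LockoutThreshold, LockoutDuration
Test-RdsUserResultantPolicy | Format-Table -AutoSize
```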
  35. Security Measure #10: Change the Default RDP Port
     • By default, the RDP protocol listens on 3389.
     • This port is targeted by several malware/ransomware families.
     • Attackers also target this default port during the footprinting phase.
     • Recommendation: it is highly recommended to change this default port to something like 33381 (or a higher port).
     • Tip: you can download and use this PS script to make the change: https://gallery.technet.microsoft.com/RDS-Script-RDP-Port-af6a974b
  36. Security Measure #11: Secure Your Remote Desktop Users' Devices
     • If your security policy consists of restricting all local resource redirection (local drives, printers, clipboard, etc.), you have to enforce (via GPO) the local resource redirection options on your RD Session Host servers, and apply the same hardening to your RDS client devices.
     • The registry keys listed in the "Appendix" section can be configured via GPO to disable all local resource redirection in the RDC (Remote Desktop Connection) client, MSTSC.exe.
  37. Security Measure #12: Set the Maximum Number of Allowed Remote Desktop Sessions
     • If you have the complete list of all your remote desktop users (internal and external), it is recommended to set the maximum number of allowed remote desktop sessions in the RDS Session Collection properties (Load Balancing) and also in your RD Gateway properties.
  38. Security Measure #13: Define an RDS Log Management Policy
     • All operations performed on your RDS environment must be logged: connections, reconnections, changes/modifications…
     • All RDS logs must be centrally stored and analyzed to check for suspicious connections or abnormal behavior.
     • At a minimum, a WEF (Windows Event Forwarding) policy must be defined and configured.
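One concrete analysis pass for Security Measure #13, added here as an example and not taken from the deck: it reads the Security log for failed logons (event 4625) and successful RemoteInteractive logons (event 4624, logon type 10), flags sources with a burst of failures (the brute-force scenario of Risks #1 and #8) and any RDP logon that follows from the same source. It assumes Security log read rights on the RDSH, RD Gateway or WEF collector it is pointed at; the threshold and time window are illustrative.

```powershell
# Added example, not from the deck: detection logic over Security events 4624/4625.
# Assumptions: run with rights to read the Security log; -ComputerName may point at the
# central WEF collector; FailureThreshold and Hours are illustrative values.

function Get-EventDataField {
    # Pulls one named <Data> field out of the event's XML (TargetUserName, IpAddress, LogonType).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-RdpLogonActivity {
    param([int]$Hours = 24, [int]$FailureThreshold = 10, [string]$ComputerName = $env:COMPUTERNAME)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625; StartTime = $since
    } -ErrorAction SilentlyContinue

    $records = foreach ($e in $events) {
        $type = Get-EventDataField -Event $e -Name 'LogonType'
        # Every 4625 counts as a failure; for 4624 keep only RemoteInteractive (RDP) logons.
        if ($e.Id -eq 4624 -and $type -ne '10') { continue }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            User   = Get-EventDataField -Event $e -Name 'TargetUserName'
            Source = Get-EventDataField -Event $e -Name 'IpAddress'
        }
    }

    # Sources at or above the failure threshold are brute-force candidates.
    $noisy = $records | Where-Object { $_.Id -eq 4625 } |
        Group-Object Source | Where-Object { $_.Count -ge $FailureThreshold }
    $noisySources = @($noisy | ForEach-Object { $_.Name })

    foreach ($g in $noisy) {
        $users = ($g.Group.User | Sort-Object -Unique) -join ','
        [pscustomobject]@{ Source = $g.Name; Failures = $g.Count; Users = $users
                           Finding = 'Failed-logon burst' }
    }
    # A successful RDP logon from a noisy source is the case worth alerting on.
    $records | Where-Object { $_.Id -eq 4624 -and $noisySources -contains $_.Source } |
        ForEach-Object {
            [pscustomobject]@{ Source = $_.Source; Failures = $null; Users = $_.User
                               Finding = "RDP logon from burst source at $($_.Time)" }
        }
}

Get-RdpLogonActivity -Hours 24 -FailureThreshold 10 | Format-Table -AutoSize
```

The IpAddress field is '-' for logons that did not arrive over the network, so such rows group together and should be ignored when tuning the threshold.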
  39. PenTest Your RDS Environment
  40. PenTest Your RDS Environment
     • Once deployed, you have to perform penetration tests on your RDS environment; this allows you to validate the security level of your RDS platform before integrating it into your production environment.
     • Several penetration tests have to be performed to validate the security posture of this RDS environment.
     • The PenTesting phase will include:
       ▪ Security of all RDS components exposed to the Internet: RDG, RD Web Access…
       ▪ Authentication process
       ▪ Encryption attack
       ▪ TLS authentication
       ▪ MiTM attack
       ▪ D/DoS attack
       ▪ Network isolation
       ▪ Apps restriction policies
       ▪ RDS Collection multi-tenancy
  41. Appendix: RDS Security & Hardening Guide
  42. HowTo: Restrict Local Resource Redirection on Your RDS Client (MSTSC.exe)
  43. Tip & Tricks [Part 1]: Restrict Local Resource Redirection from the MSTSC.exe Client
     • The following registry key must be created and deployed on remote desktop devices/client laptops to disable clipboard redirection:
       ▪ Key Path: HKLM\SOFTWARE\Microsoft\Terminal Server Client
       ▪ Registry Key Name: DisableClipboardRedirection
       ▪ Key Type: REG_DWORD
       ▪ Data Value: 1
  44. Tip & Tricks [Part 2]: Restrict Local Resource Redirection from the MSTSC.exe Client
     • The following registry key must be created and deployed on remote desktop devices/client laptops to disable local drive redirection:
       ▪ Key Path: HKLM\SOFTWARE\Microsoft\Terminal Server Client
       ▪ Registry Key Name: DisableDriveRedirection
       ▪ Key Type: REG_DWORD
       ▪ Data Value: 1
  45. Tip & Tricks [Part 3]: Restrict Local Resource Redirection from the MSTSC.exe Client
     • The following registry key must be created and deployed on remote desktop devices/client laptops to disable local printer redirection:
       ▪ Key Path: HKLM\SOFTWARE\Microsoft\Terminal Server Client
       ▪ Registry Key Name: DisablePrinterRedirection
       ▪ Key Type: REG_DWORD
       ▪ Data Value: 1
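One registry audit-and-enforce helper, added here as an example that is not the deck's own script, applied to the two places the deck configures through the registry: the three MSTSC.exe client values of Tip & Tricks Parts 1 to 3 above, and the RD Session Host listener values behind Security Measures #5, #6 and #7 (NLA, High encryption, TLS security layer), with the collection-level cmdlet for the same three settings. It assumes it is run elevated on the host in question, that the RemoteDesktop module is present only where Set-RdsCollectionHardening is called, and the collection and broker names are placeholders.

```powershell
# Added example, not from the deck: audit, fix only non-compliant values, audit again.
# Assumptions: elevated session; placeholder collection/broker names; RemoteDesktop module
# only needed on the Connection Broker for Set-RdsCollectionHardening.

$Targets = @{
    # RDSH listener: UserAuthentication 1 = NLA required; MinEncryptionLevel 3 = High (128-bit);
    # SecurityLayer 2 = SSL/TLS (0 = RDP Security Layer, 1 = Negotiate).
    Listener = @{
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        Expected = @{ UserAuthentication = 1; MinEncryptionLevel = 3; SecurityLayer = 2 }
    }
    # Remote desktop device: the three client-side redirection values from the appendix.
    Client = @{
        Path     = 'HKLM:\SOFTWARE\Microsoft\Terminal Server Client'
        Expected = @{ DisableClipboardRedirection = 1; DisableDriveRedirection = 1; DisablePrinterRedirection = 1 }
    }
}

function Get-RegistryFindings {
    # One row per expected value; Compliant is $false when the value is missing or differs.
    param([string]$Path, [hashtable]$Expected)
    $props = if (Test-Path $Path) { Get-ItemProperty -Path $Path } else { $null }
    foreach ($name in $Expected.Keys) {
        $actual = if ($props -and $null -ne $props.$name) { [int]$props.$name } else { $null }
        [pscustomobject]@{
            Path = $Path; Value = $name; Actual = $actual
            Expected = $Expected[$name]; Compliant = ($actual -eq $Expected[$name])
        }
    }
}

function Set-RegistryHardening {
    param([string]$Path, [hashtable]$Expected)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Expected.Keys) {
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $Expected[$name] -Force | Out-Null
    }
}

function Invoke-Hardening {
    # New RDP connections pick the listener values up; sessions already established keep
    # whatever they negotiated, so a pre-existing session is not evidence of compliance.
    param([ValidateSet('Listener', 'Client')][string]$Role)
    $t = $Targets[$Role]
    $findings = Get-RegistryFindings -Path $t.Path -Expected $t.Expected
    if ($findings | Where-Object { -not $_.Compliant }) {
        Set-RegistryHardening -Path $t.Path -Expected $t.Expected
        $findings = Get-RegistryFindings -Path $t.Path -Expected $t.Expected
    }
    $findings
}

function Set-RdsCollectionHardening {
    # The same three settings at the collection level, run on the Connection Broker.
    param([Parameter(Mandatory)][string]$CollectionName, [Parameter(Mandatory)][string]$ConnectionBroker)
    Import-Module RemoteDesktop
    Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -ConnectionBroker $ConnectionBroker `
        -AuthenticateUsingNLA $true -EncryptionLevel High -SecurityLayer SSL
}

Invoke-Hardening -Role Listener | Format-Table Value, Actual, Expected, Compliant -AutoSize   # on an RDSH
# Invoke-Hardening -Role Client                                                                # on a client device
# Set-RdsCollectionHardening -CollectionName 'HR-Apps' -ConnectionBroker 'rdcb01.corp.example' # placeholders
```

For a fleet, the same values belong in the Group Policy settings the deck lists rather than in a script run per host; the script is the check that the policy actually landed.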
  46. HowTo: Locking Down Your RDSH Servers
  47. Tip & Tricks [Part 1]: RDS Hardening Group Policy Settings
     ○ Restricting Device and Resource Redirection
       Device and resource redirection can be restricted using the following Group Policy path:
       - Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Device and Resource Redirection
     ○ Restricting Printer Redirection
       Printer redirection can be restricted using the following Group Policy path:
       - Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Printer Redirection
  48. Tip & Tricks [Part 2]: RDS Hardening Group Policy Settings
     ○ Restricting access to the Registry
       Access to the Registry can be restricted using the following Group Policy setting:
       - User Configuration | Policies | Administrative Templates | System
         Setting: Prevent access to registry editing tools
     ○ Hide Desktop icons
       Desktop icons can be hidden using the following Group Policy settings:
       - User Configuration | Policies | Administrative Templates | Desktop
         Settings: Hide and disable all items on the desktop; Delete "My Computer" from the Desktop
  49. Tip & Tricks [Part 3]: RDS Hardening Group Policy Settings
     ○ Restricting access to the Control Panel
       Access to the Control Panel can be restricted using the following Group Policy setting:
       - User Configuration | Policies | Administrative Templates | Control Panel
         Setting: Deny access to Control Panel and PC settings
     ○ Restricting Printer Driver Installation
       Printer driver installation can be restricted using the following Group Policy setting:
       - Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options
         Setting: Devices: Prevent users from installing printer drivers
  50. Tip & Tricks [Part 4]: RDS Hardening Group Policy Settings
     ○ Restricting access to the Command Prompt
       Access to the Command Prompt (cmd.exe) can be restricted using the following Group Policy setting:
       - User Configuration | Policies | Administrative Templates | System
         Setting: Disable access to Command Prompt
     ○ Restricting access to Task Manager
       Access to the Task Manager can be restricted using the following Group Policy setting:
       - User Configuration | Policies | Administrative Templates | System | Ctrl + Alt + Del Options
         Setting: Remove Task Manager
  51. You want to read more? A complete list of all RDS security and hardening features is detailed in the Ultimate Guide above. Request your RDS book copy, contact us!
  52. Do you have any RDS security project? If yes, feel free to contact us.
     Your contacts:
     • Hicham KADIRI, RDP Expert & Microsoft MVP, hicham.kadiri@k-nd-k-group.com, +33 (0)6 52 97 72 84
     • Mohsine CHOUGDALI, Key Account Manager, mohsine.chougdali@k-nd-k-group.com, +33 6 66 26 55 15
     A K&K Group Company
  53. /hicham_kadiri, /in/hichamkadiri. Subscribe to my blog: hichamkadiri.wordpress.com
  54. End of Lesson. Hope this helps ☺
