
Windows RDP Hardening

RDP (Remote Desktop Protocol) misconfigurations are commonly identified by vulnerability scanners, most often consisting of:

  1. Network Level Authentication (NLA) Disabled
  2. Terminal Services Encryption Level is Medium or Low, or
  3. Terminal Services Encryption Level is not FIPS-140 Compliant

I created a four-minute video explaining and fixing these issues here. Microsoft has more on each of these subjects here.

The Problem

Using weaker cryptography with RDP could allow an attacker to eavesdrop on the session and perform a MiTM (Man in The Middle) attack, ultimately affecting system confidentiality and integrity. In this post we will address these issues to help you harden your Remote Desktop Services configuration.

Vuln scan results showing RDP weaknesses

The Solution

To resolve all three findings, from your DC, open Group Policy Management and create (or edit) a GPO (Group Policy Object) and navigate to the following path:

 

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security

Enable all three options highlighted below.

 

Require user authentication for remote connections by using NLA

Enabled

Set client connection encryption level

Enabled - Encryption Level = High

Require use of specific security layer for remote (RDP) connections

Enabled - Security Layer TLS 1.0

Finally, push the configuration changes domain-wide by opening a PowerShell terminal window and typing the following command:

 

gpupdate /force
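
To confirm the three settings actually landed on an RDP host after the policy refresh, the following audit script can be run in an elevated PowerShell session on that host. It is an added example, not part of the original post; it assumes the standard registry values that back these policies (UserAuthentication, MinEncryptionLevel, SecurityLayer), and the helper name Get-RegValue is made up for illustration.

```powershell
# Added example: audit the three RDP hardening settings on the local host.
# Values delivered by GPO live under the Policies key; the RDP-Tcp listener key
# holds the locally configured values that apply when no policy value is set.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Targets matching the GPO choices in this post.
# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
# SecurityLayer:      0 = RDP, 1 = Negotiate, 2 = SSL/TLS
$checks = @(
    @{ Name = 'UserAuthentication'; Expected = 1; Meaning = 'NLA required' }
    @{ Name = 'MinEncryptionLevel'; Expected = 3; Meaning = 'Encryption level High or better' }
    @{ Name = 'SecurityLayer';      Expected = 2; Meaning = 'Security layer SSL/TLS' }
)

# Hypothetical helper: returns $null when the key or value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$results = foreach ($c in $checks) {
    $value  = Get-RegValue -Path $policyKey -Name $c.Name
    $source = 'GPO'
    if ($null -eq $value) {
        # No policy value: the GPO has not applied, so report the local setting.
        $value  = Get-RegValue -Path $listenerKey -Name $c.Name
        $source = 'Local (no policy value)'
    }
    [pscustomobject]@{
        Setting   = $c.Name
        Meaning   = $c.Meaning
        Value     = $value
        Expected  = $c.Expected
        Source    = $source
        # -ge lets MinEncryptionLevel 4 (FIPS Compliant) pass as well.
        Compliant = ($null -ne $value) -and ($value -ge $c.Expected)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code so the check can gate a script or scheduled task.
if ($results.Compliant -contains $false) { exit 1 }
```

A row whose Source reads "Local (no policy value)" means the GPO has not reached that machine yet, even if the local value happens to be compliant.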

Thanks for reading. If you’d like to read more on hardening SSL and TLS configurations, please check out my blog on that matter here and my YouTube channel.