Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »


Product Name

CIS Windows Build Kit

Product Version

n/a

Date



Problem

I am using a CIS BuildKit (Remediation_Kit) to harden a Windows server to a L2 profile. Everything works great except I need to enable RDP (Remote Desktop Services). Which settings do I need to change?

Solution

MAYBE reference this post to WB instead?? https://workbench.cisecurity.org/community/2/discussions/6151

The member was able to enable RDP by making the following changes;

Modifying RDP Policies (Part-1)

Open “gpedit.msc” and navigate to “Local Computer Policy\Computer Configuration\Administrative templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host”* Modify the “enabled/disabled” policies to “Not Configured” for every section.

Modifying “User Rights Assignment” Policies (if you are using Local Accounts)

Open “gpedit.msc” and navigate to “Local Computer Policy\Computer Configuration\Security Settings\User Rights Assignment”* Remove “Local Accounts” from below 2 policies. Only “Guests” should be Denied. * Deny log on through Remote Desktop Services* Deny access to this computer from the network

Start the RDP services

Open “Services.msc”* Start the below 3 services and with startup type “Automatic” * Remote Desktop Services* Remote Desktop Configuration* Remote Desktop Service UserMode Port Redirector

Modifying “System Properties”

Right click on “This PC” and choose properties.* Choose “Remote Settings” in the left pane.* Under “Remote Desktop”, choose the radio button “Allow remote connections to this computer”. And also choose checkbox to have “Network Level Authentication”.

Adding Inbound Firewall Rules to allow RDP traffic

Open “gpedit.msc” and navigate to “Local Computer Policy\Computer Configuration\Security Settings\Windows Defender Firewall with Advanced Security”* Breakdown the hierarchy and right click on “Inbound Rules” to add “New Rule”.* In the next dialogue box, choose the radio button “Predefined” and select “Remote Desktop” in the drop down list. * Select all 3 rules and set the action “Allow the connection” to add.


Copyright © 2020

Center for Internet Security®


  • No labels