Product Name
CIS Windows Build Kit
Product Version
n/a
Date
Problem
I am using a CIS BuildKit (Remediation_Kit) to harden a Windows server to a L2 profile. Everything works great except I need to enable RDP (Remote Desktop Services). Which settings do I need to change?
Solution
See also the related discussion on CIS WorkBench: https://workbench.cisecurity.org/community/2/discussions/6151
The member was able to enable RDP by making the following changes:

1. Modifying RDP Policies
* Open “gpedit.msc” and navigate to “Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host”.
* Set the “Enabled/Disabled” policies to “Not Configured” for every section.
Note: setting the whole section back to “Not Configured” reverts all of the L2 hardening under Remote Desktop Session Host, not only the setting that blocks connections. Once RDP is working, re-apply any of those settings you still want to keep.

2. Modifying “User Rights Assignment” Policies (if you are using Local Accounts)
* Open “gpedit.msc” and navigate to “Local Computer Policy\Computer Configuration\Security Settings\User Rights Assignment”.
* Remove “Local account” from the two policies below. Only “Guests” should be denied:
  * Deny log on through Remote Desktop Services
  * Deny access to this computer from the network
Note: the benchmark denies these rights to local accounts to limit the use of local credentials for remote access, so this change weakens that control. Domain accounts do not require it.

3. Start the RDP services
* Open “services.msc”.
* Start the three services below and set their startup type to “Automatic”:
  * Remote Desktop Services
  * Remote Desktop Configuration
  * Remote Desktop Services UserMode Port Redirector

4. Modifying “System Properties”
* Right-click “This PC” and choose Properties.
* Choose “Remote settings” in the left pane.
* Under “Remote Desktop”, select the radio button “Allow remote connections to this computer”, and also select the checkbox to require “Network Level Authentication”.

5. Adding Inbound Firewall Rules to allow RDP traffic
* Open “gpedit.msc” and navigate to “Local Computer Policy\Computer Configuration\Security Settings\Windows Defender Firewall with Advanced Security”.
* Expand the hierarchy, right-click “Inbound Rules” and choose “New Rule”.
* In the next dialog box, choose the radio button “Predefined” and select “Remote Desktop” from the drop-down list.
* Select all three rules and set the action to “Allow the connection”.
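As an added check (example script, not part of the CIS article or the WorkBench post), the following PowerShell verifies the end state the five steps above should produce and flags anything that differs. It assumes an elevated PowerShell 5.1 or later session on the hardened server; the service names, registry paths and the Guests SID are standard Windows identifiers, not values taken from the article.

```powershell
# Added verification script, not from the original article. Run elevated on the
# server after completing the steps; each row reports Pass = True/False.
$results = @()

# Step 4: "Allow remote connections" sets fDenyTSConnections = 0 and the NLA
# checkbox sets UserAuthentication = 1 (keep NLA on; it blocks pre-auth access).
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$results += [pscustomobject]@{ Check = 'RDP connections allowed'; Pass = ($ts.fDenyTSConnections -eq 0) }
$results += [pscustomobject]@{ Check = 'NLA required';            Pass = ($nla.UserAuthentication -eq 1) }

# Step 1: if the Session Host policy "Allow users to connect remotely" is still
# Disabled, the GPO writes fDenyTSConnections = 1 under the Policies key.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = 'No policy still denying RDP'; Pass = ($null -eq $pol -or $pol.fDenyTSConnections -ne 1) }

# Step 3: the three services, by short name, running with Automatic startup.
foreach ($name in 'TermService', 'SessionEnv', 'UmRdpService') {
    $svc = Get-Service -Name $name
    $results += [pscustomobject]@{
        Check = "Service $name running / Automatic"
        Pass  = ($svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic')
    }
}

# Step 5: the predefined "Remote Desktop" inbound group has three rules; all
# should be enabled with action Allow.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
$allowed = @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
$results += [pscustomobject]@{ Check = 'Remote Desktop inbound rules enabled'; Pass = ($allowed.Count -ge 3) }

# Step 2: export User Rights Assignment and confirm BUILTIN\Guests (S-1-5-32-546)
# is still listed in both deny rights after "Local account" was removed.
$cfg = Join-Path $env:TEMP 'user_rights_check.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue
foreach ($right in 'SeDenyRemoteInteractiveLogonRight', 'SeDenyNetworkLogonRight') {
    $line = $rights | Where-Object { $_ -like "$right*" }
    $results += [pscustomobject]@{ Check = "$right still denies Guests"; Pass = ($line -like '*S-1-5-32-546*') }
}

$results | Format-Table -AutoSize
```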
Copyright © 2020
Center for Internet Security®