HOWTO: Harden Remote Desktop connections to Domain Controllers

Workstations that are allowed to communicate to Domain Controllers pose a risk of lateral movement. To mitigate some of these risks, we can harden the Remote Desktop connections to Domain Controllers.

Note:
For organizations that have implemented the Active Directory administrative tier model, or are striving to embrace it, their Privileged Access Workstations (PAWs) limit the lateral-movement risk posed by unhardened Remote Desktop connections. However, the risk is still present for the admins themselves.

Why harden remote desktop services?

Of course, Active Directory admins can manage most aspects of Active Directory remotely: from the Active Directory MMC snap-ins, the Active Directory Administrative Center, the Windows PowerShell module for Active Directory and other remote management tools. However, sometimes admins need to sign in interactively to Domain Controllers. The Remote Desktop Protocol (RDP) allows this and is enabled by default on Windows Server.

However, the Remote Desktop Protocol (RDP) also has some default settings that allow:

  • Copying of files to Domain Controllers
  • Taking over (stale) Remote Desktop sessions to Domain Controllers
  • Exploiting printer redirections

POSSIBLE NEGATIVE IMPACT (WHAT COULD GO WRONG?)

When you harden the Remote Desktop Protocol (RDP) incorrectly on Domain Controllers, you might lock yourself out. That leaves only the physical console or (in the case of virtual Domain Controllers) the virtual machine connection as a way to sign in interactively to Domain Controllers.

How to harden RDP connections

Let’s dive into the work to make it more secure:

Recommended changes

I recommend making the following changes:

  1. Use Network Level Authentication
    Network Level Authentication offers the strongest available method for authenticating to remote desktop protocol (RDP) communications. Without it, logons are sent in clear text to Domain Controllers.
  2. Use the 'High' encryption level
    The ‘High’ encryption level offers the strongest available encryption for remote desktop protocol (RDP) communication traffic. Without it, the maximum key strength supported by the client is negotiated, instead of the maximum key strength of the Domain Controller.
  3. Disable LPT redirection
    By default, Windows Servers offer LPT port redirection for remote desktop protocol (RDP) sessions. This connects the printers of connecting devices to Domain Controllers, introducing (potentially insecure) printer drivers, clutter and errors due to platform mismatches. RDP should be configured without LPT redirection.
  4. Disable clipboard redirection
    By default, Windows Servers offer clipboard redirection, so Remote Desktop users can easily cut/copy and paste contents from Domain Controllers to the connecting device, and vice versa. This might facilitate data extraction, and pasting of passwords. Additionally, malware might actively monitor the use of the clipboard to gain access to credentials and data.
  5. Disable network printer redirection
    By default, Windows Servers offer network printer redirection for remote desktop protocol (RDP) sessions. This connects the network printers of connecting devices to Domain Controllers, introducing (potentially insecure) printer drivers, clutter and errors due to platform mismatches. RDP should be configured without redirection for network printers.
  6. Restrict admins to one session
    By default, Windows Server allows for multiple Remote Desktop sessions per user account. When a user is disconnected, this may lead to a loss of productivity or information, because a new session may be created instead of reconnecting to the existing one. By restricting admins to one session, this problem may not arise. Additionally, it acts as a rudimentary monitoring solution for malicious RDP users, as they need to hijack the admins’ sessions.

Implementing the hardening

As Domain Controllers are part of Active Directory (…), we can use Group Policy to manage the above settings. Perform these steps to create a new Group Policy object (GPO) and assign it to the Domain Controllers Organizational Unit (OU):

Sign in with an account with the appropriate privileges

To perform the steps below, sign in to a system with the Group Policy Management Console (GPMC) installed with an account that is either:

  • A member of the Domain Admins group, or
  • The current owner of the Group Policy Object, and has the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or
  • Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and has the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

Create the Group Policy object (GPO)

To create a Group Policy Object, perform these steps:

  • Open the Group Policy Management Console (gpmc.msc)
  • In the left navigation pane, expand the Forest container.
  • Expand the Domains container, and then navigate to the domain where you want to create the GPO.
  • Expand the domain name.
  • Right-click the Group Policy Objects node and select New from the menu.
  • In the New GPO pop-up window, enter a descriptive name for the Group Policy Object, for instance ‘Harden RDP’. Make sure you don’t select a Starter GPO.
  • Click OK to create the GPO.

Change the Group Policy settings

Make the appropriate changes in the Group Policy object to harden Remote Desktop connections, while still in the Group Policy Management Console (GPMC):

  • Select the previously created Group Policy object.
  • In the left navigation pane, right-click the GPO and select Edit… from the menu.
    The Group Policy Editor (gpedit.msc) appears.
  • In the left navigation pane of the Group Policy Editor window expand the Computer Configuration node, then the Policies node, the Administrative Templates node, the Windows Components node, the Remote Desktop Services node, the Remote Desktop Session Host node and finally the Connections node.
  • In the main pane of the Group Policy Editor window, double-click the Restrict Remote Desktop Services users to a single Remote Desktop Services session setting.
    The Restrict Remote Desktop Services users to a single Remote Desktop Services session window appears.
  • Configure the setting as Enabled at the top of the window.
  • Click OK.
  • In the left navigation pane, select the next group of Group Policy settings by switching from the Connections folder to the Device and Resource Redirection folder.
  • Make the following changes:
    • In the main pane of the Group Policy Editor window, double-click the Do not allow drive redirection setting.
      The Do not allow drive redirection window appears.
    • Configure the setting as Enabled at the top of the window.
    • Click OK.
    • In the main pane of the Group Policy Editor window, double-click the Do not allow LPT port redirection setting.
      The Do not allow LPT port redirection window appears.
    • Configure the setting as Enabled at the top of the window.
    • Click OK.
  • In the left navigation pane, select the next group of Group Policy settings by switching from the Device and Resource Redirection folder to the Printer Redirection folder.
  • In the main pane of the Group Policy Editor window, double-click the Do not allow client printer redirection setting.
    The Do not allow client printer redirection window appears.
  • Configure the setting as Enabled at the top of the window.
  • Click OK.
  • In the left navigation pane, select the next group of Group Policy settings by switching from the Printer Redirection folder to the Security folder.
  • Make the following changes:
    • In the main pane of the Group Policy Editor window, double-click the Set client connection encryption level setting.
      The Set client connection encryption level window appears.
    • Configure the setting as Enabled at the top of the window.
    • In the field next to Encryption level, select High Level.
    • Click OK.
    • In the main pane of the Group Policy Editor window, double-click the Require user authentication for remote connections by using Network Level Authentication setting.
      The Require user authentication for remote connections by using Network Level Authentication window appears.
    • Configure the setting as Enabled at the top of the window.
    • Click OK.
  • Close the Group Policy Editor window, when done.

Link the Group Policy object (GPO)

To link the previously created Group Policy Object, perform these steps, while still in the Group Policy Management Console (GPMC):

  • In the left navigation pane of the Group Policy Management Console (GPMC) navigate to the Domain Controllers Organizational Unit (OU).
  • Right-click the OU and select Link an existing GPO… from the menu.
  • In the Select GPO window, select the GPO you created earlier from the list of available Group Policy objects.
  • Click OK to link the GPO.
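The same three steps (create the GPO, set its values, link it to the Domain Controllers OU) as an added example using the GroupPolicy PowerShell module; this is not code from the original post. It assumes the RSAT GroupPolicy and ActiveDirectory modules on the management host, an account meeting the requirements listed above, and the GPO name ‘Harden RDP’ suggested earlier; the registry value names are the policy-backed values behind the Administrative Template settings named in the steps.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example (not from the original post). Builds the 'Harden RDP' GPO from the
# steps above with the GroupPolicy module and links it to the Domain Controllers OU.

$GpoName = 'Harden RDP'   # name suggested in the HOWTO; any descriptive name works
$TsKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry values that the Administrative Template settings in the steps above write.
$Settings = @(
    @{ Name = 'fSingleSessionPerUser'; Value = 1 }  # Restrict RDS users to a single session
    @{ Name = 'fDisableCdm';           Value = 1 }  # Do not allow drive redirection
    @{ Name = 'fDisableLPT';           Value = 1 }  # Do not allow LPT port redirection
    @{ Name = 'fDisableCpm';           Value = 1 }  # Do not allow client printer redirection
    @{ Name = 'fDisableClip';          Value = 1 }  # Do not allow Clipboard redirection (recommendation 4)
    @{ Name = 'MinEncryptionLevel';    Value = 3 }  # Set client connection encryption level: 3 = High
    @{ Name = 'UserAuthentication';    Value = 1 }  # Require NLA for remote connections
)

# Create the GPO only if it is not there yet, so the script is safe to re-run.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Hardens RDP connections to Domain Controllers' | Out-Null
}

foreach ($s in $Settings) {
    Set-GPRegistryValue -Name $GpoName -Key $TsKey -ValueName $s.Name `
                        -Type DWord -Value $s.Value | Out-Null
}

# Link it to the Domain Controllers OU of the current domain; the DN is read from AD, not typed.
$dcOu = (Get-ADDomain).DomainControllersContainer
$alreadyLinked = (Get-GPInheritance -Target $dcOu).GpoLinks |
                 Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $dcOu -LinkEnabled Yes | Out-Null
}

# Read the GPO back and flag any value that does not match, before trusting it on a DC.
$stored = Get-GPRegistryValue -Name $GpoName -Key $TsKey
foreach ($s in $Settings) {
    $entry = $stored | Where-Object { $_.ValueName -eq $s.Name }
    $state = if ($entry -and $entry.Value -eq $s.Value) { 'OK' } else { 'CHECK' }
    '{0,-22} expected {1}  stored {2}  {3}' -f $s.Name, $s.Value, $entry.Value, $state
}
```

Run gpupdate /force on a Domain Controller (or wait for the refresh interval), then open a new RDP session from a client that supports Network Level Authentication before closing the session you are in, so a mistake cannot lock you out.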

Concluding

Hardening Remote Desktop Protocol (RDP) connections to Domain Controllers is vital to Active Directory security, as many APT groups use these connections to move laterally and perform malicious actions.

Applying the Group Policy object (GPO) to the Domain Controllers Organizational Unit (OU) without a security filter might not be the most brilliant idea, as the GPO would have all Domain Controllers in scope. Using a security filter might prove invaluable to weed out unwanted settings for all Domain Controllers.

3 Responses to HOWTO: Harden Remote Desktop connections to Domain Controllers

  1. Are you applying this GPO to your entire network or just the servers on the network?
     Great information.

     • I'm applying the group policy to my Domain Controllers, but you can apply it to all your servers, as Windows Server allows remote desktop connections, by default.

  2. Thank you very much, I was assuming even my domain-connected PCs were also to get these hardening GPOs.
