Hardening RDS Hosts for Session Connector

Overview

A session connector allows users to manage and interact with multiple remote sessions for both Remote Desktop Protocol (RDP) and SSH in a unified environment.

Delinea Secret Server has a broad range of launching methods. One is Microsoft Remote Desktop Services (RDS) combined with the Secret Server session connector. This allows users to create privileged sessions via an RDS host without installing any components on the client workstation. The only requirement is a Remote Desktop Protocol (RDP) client which can open the RDP files provided by Secret Server.

Because the RDS hosts are comparable to client workstations, we strongly recommend hardening them to a higher security level. This document details how to harden the RDS hosts used in the session connector configuration.

Prerequisites

Before hardening the respective RDS hosts, ensure the installation and configuration of the Secret Server session connector has been completed and validated in a basic state.

The Issue

As stated in the overview, the RDS hosts used for launching sessions provide access to a published application running on the RDS host. Although users are usually connected as a unique, randomly generated, non-privileged user on the RDS host, they can still access the operating system in the broadest sense. For example, pressing the CTRL-ALT-END key combination in the published application brings up Task Manager on the RDS host, which allows the user to start additional applications. That user would also have access to the local file system of the RDS host.

The Solution

To prevent this, the RDS hosts need hardening. Server hardening is commonly done with Group Policy Objects (GPOs) from Active Directory. In the case of TSSSC this is only partially possible, because the randomly generated users are local users on the RDS host. Local users cannot be controlled via GPOs; their configuration needs to be performed by adjusting the default user profile on the RDS machines. There are, however, also machine-based settings that can be configured via GPO.

For both the advised default user profile adjustments and the GPO settings we have developed a baseline that can easily be adapted to your specific requirements.

The default user profile adjustments can be performed with the PowerShell script provided below, together with instructions for using it.

The machine-based settings can be configured via the available GPO backup file, which can be imported into your environment. Details on the GPO settings can also be found below.

Local user settings via PowerShell

The included PowerShell script deploys a variety of settings into the default user profile. The items in the script are explained below in the order in which they are applied by the script.

Hide local drives of RDS Server

To prevent users from seeing the local drives of the RDS host, the drives need to be hidden using the following registry setting:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDrives, REG_DWORD, <value from calculation>

The value from calculation can be retrieved by using the following website: https://ss64.com/nt/syntax-nodrives.html Select the drive letters that need to be hidden and adjust the PowerShell script with the resulting number.

No view of local drives of RDS Server

Similar to hiding the drives is the No View setting. This setting goes a step further by not just hiding the drives but also refusing access to them.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewOnDrive, REG_DWORD, <value from calculation>

The value from calculation can be retrieved by using the following website: https://ss64.com/nt/syntax-nodrives.html Select the drive letters that need to be blocked and adjust the PowerShell script with the resulting number. Normally this value is the same as the hide drives value.
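Both the NoDrives and NoViewOnDrive values are the same 26-bit mask, one bit per drive letter (A = bit 0, B = bit 1, C = bit 2, and so on up to Z = bit 25), which is what the website linked above computes. The following added example, which is not part of the Delinea script on this page, calculates that mask directly in PowerShell and also decodes an existing mask back into drive letters, so a host can be audited without consulting the website. The function names are our own; the value 12 used in the script below corresponds to C (4) plus D (8).

```powershell
# Added example: compute and decode the NoDrives / NoViewOnDrive bitmask.
# Bit n of the mask corresponds to drive letter n (A = bit 0 ... Z = bit 25).
function Get-NoDrivesMask {
    [CmdletBinding()]
    param(
        # Drive letters to hide/block, e.g. 'C','D' or 'C:' (case-insensitive)
        [Parameter(Mandatory)]
        [string[]]$DriveLetter
    )
    [int]$mask = 0
    foreach ($letter in $DriveLetter) {
        $l = $letter.Trim().TrimEnd(':').ToUpperInvariant()
        if ($l -notmatch '^[A-Z]$') {
            throw "Invalid drive letter: '$letter'"
        }
        # Position of the letter in the alphabet is the bit position
        $bit  = [int][char]$l - [int][char]'A'
        $mask = $mask -bor (1 -shl $bit)
    }
    return $mask
}

# Inverse operation: list the drive letters an existing mask covers
function ConvertFrom-NoDrivesMask {
    [CmdletBinding()]
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($bit in 0..25) {
        if ($Mask -band (1 -shl $bit)) { [char](65 + $bit) }
    }
}

# Usage: mask for the C: and D: drives, as used in the script on this page
Get-NoDrivesMask -DriveLetter C, D

# Usage: mask that hides every drive letter A through Z
Get-NoDrivesMask -DriveLetter ([char[]](65..90))

# Usage: which drives does an existing NoDrives value cover?
ConvertFrom-NoDrivesMask -Mask 12
```

Because NoViewOnDrive only blocks access through Explorer and the common dialogs, it is a user-experience control rather than a permission boundary; file system ACLs on the RDS host and the application lockdown described later in this document remain the actual access controls.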

Lock CTRL-ALT-DEL Screen

To prevent users from locking the system, changing the password or opening Task Manager, a lockdown of the CTRL-ALT-DEL screen is required.

To accommodate this the following registry settings will be applied.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableChangePassword, REG_DWORD, 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableLockWorkstation, REG_DWORD, 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr, REG_DWORD, 1

Remove Shutdown Button

Standard users do not have permission to shut down the RDS host; however, to prevent users from seeing the shutdown buttons at all, the following registry key will be applied.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoClose, REG_DWORD, 1

Disable Screensaver and Lock Screen

As the users do not know the password of the randomly generated user, a setting is required to prevent the screensaver from activating and the session from being locked.

The following registry settings will be applied.

HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop,ScreenSaveActive,REG_SZ,0
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop,ScreenSaverIsSecure,REG_SZ,0

Lock Internet Explorer Settings

Although Internet Explorer is likely not being used, it is still recommended to adjust its configuration by applying the following registry keys.

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions,NoBrowserContextMenu,REG_DWORD,1
HKCU\Software\Policies\Microsoft\Internet Explorer\IEDevTools,Disabled,REG_DWORD,1
HKCU\Software\Policies\Microsoft\Internet Explorer\Main,DisableFirstRunCustomize,REG_DWORD,2
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel,SecurityTab,REG_DWORD,1

Machine Settings via GPO

You can use the CIS Benchmark as a baseline for machine settings. The GPO file can easily be imported into your Active Directory environment; after checking and adjusting the settings, apply it to the RDS hosts used for TSSSC. The GPO file makes use of the Google Chrome ADMX templates, which need to be deployed in your environment to correctly manage these settings. The Google Chrome ADMX files can be found at the following location:

https://chromeenterprise.google/browser/download/

On this page the following two components need to be downloaded:

  • Chrome ADM/ADMX Templates
  • Google Updater ADMX Template Update

Application Lockdown

Hardening can be further enhanced by restricting which applications users can run. This can, for example, be achieved with Microsoft AppLocker or Delinea Privilege Manager.

User Profile Hardening Script

Overview

You can use the following script for default user profile hardening. The script does the following:

  • Hides local drives of the RDS server
  • Disallows viewing local drives
  • Adjusts CTRL-ALT-DEL options:
    • Blocks Task Manager
    • Blocks changing passwords
    • Blocks locking the session
  • Disables the Internet Explorer context menu
  • Disables screensaver and screen locks
  • Disables developer mode in Internet Explorer

The script needs to be run as administrator to access the default user profile.

Script

<#
Script to be used for default user profile hardening.
In this script the following items will be performed:
    - Hide local drives of RDS Server
    - No View on local drives
    - Adjust CTRL-ALT-DEL options
        - Block Task Manager
        - Block Change Password
        - Block Lock
    - Disable Internet Explorer Context menu
    - Disable Screensaver / Disable Lock Screen
    - Disable Developer mode on Internet Explorer
Script needs to be run as administrator as it will need access to the default user profile
#>

# Creating backup of ntuser.dat to current directory, suffixed with the current date and time
# (24-hour clock, so two backups taken on the same day cannot receive the same name)
Copy-Item -Path C:\Users\Default\NTUSER.DAT -Destination .\ntuser.dat-$(Get-Date -Format "yyyy_MM_dd_HH_mm_ss")

# Load registry hive on predefined location and stop if that fails
# (not elevated, hive already loaded, or profile in use)
$defaultprofile_registry = "C:\Users\Default\NTUSER.DAT"
$load_registry = "HKEY_Users\RDSProfile"
$null = REG LOAD $load_registry $defaultprofile_registry
if ($LASTEXITCODE -ne 0) {
    throw "REG LOAD of $defaultprofile_registry failed with exit code $LASTEXITCODE"
}
$key = "registry::$load_registry"

try {
    # Hide Drive Setting
    # Calculate required value using: https://ss64.com/nt/syntax-nodrives.html
    $key_hidedrive = "$key\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (! (Test-Path $key_hidedrive))
    {
        New-Item $key_hidedrive -Force
    }
    New-ItemProperty -Path $key_hidedrive -Name NoDrives -PropertyType DWORD -Value 12 -Force

    # No View Drive Setting
    # Calculate required value using: https://ss64.com/nt/syntax-nodrives.html
    $key_viewdrive = "$key\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (! (Test-Path $key_viewdrive))
    {
        New-Item $key_viewdrive -Force
    }
    New-ItemProperty -Path $key_viewdrive -Name NoViewOnDrive -PropertyType DWORD -Value 12 -Force

    # Lock Down CTRL/ALT/DEL Screen
    $key_ctrlaltdel = "$key\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (! (Test-Path $key_ctrlaltdel))
    {
        New-Item $key_ctrlaltdel -Force
    }
    New-ItemProperty -Path $key_ctrlaltdel -Name DisableChangePassword -PropertyType DWORD -Value 1 -Force
    New-ItemProperty -Path $key_ctrlaltdel -Name DisableLockWorkstation -PropertyType DWORD -Value 1 -Force
    New-ItemProperty -Path $key_ctrlaltdel -Name DisableTaskMgr -PropertyType DWORD -Value 1 -Force

    # Remove Shutdown Buttons
    $key_shutdown = "$key\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (! (Test-Path $key_shutdown))
    {
        New-Item $key_shutdown -Force
    }
    New-ItemProperty -Path $key_shutdown -Name NoClose -PropertyType DWORD -Value 1 -Force

    # Disable Screensaver / Lockscreen
    $key_screensaver = "$key\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
    if (! (Test-Path $key_screensaver))
    {
        New-Item $key_screensaver -Force
    }
    New-ItemProperty -Path $key_screensaver -Name ScreenSaveActive -PropertyType String -Value 0 -Force
    New-ItemProperty -Path $key_screensaver -Name ScreenSaverIsSecure -PropertyType String -Value 0 -Force

    # Block Internet Explorer Context Menu
    $key_iecontext = "$key\Software\Policies\Microsoft\Internet Explorer\Restrictions"
    if (! (Test-Path $key_iecontext))
    {
        New-Item $key_iecontext -Force
    }
    New-ItemProperty -Path $key_iecontext -Name NoBrowserContextMenu -PropertyType DWORD -Value 1 -Force

    # Disable Internet Explorer Dev Tools
    $key_iedevtools = "$key\Software\Policies\Microsoft\Internet Explorer\IEDevTools"
    if (! (Test-Path $key_iedevtools))
    {
        New-Item $key_iedevtools -Force
    }
    New-ItemProperty -Path $key_iedevtools -Name Disabled -PropertyType DWORD -Value 1 -Force

    # Disable Internet Explorer first run
    $key_iefirstrun = "$key\Software\Policies\Microsoft\Internet Explorer\Main"
    if (! (Test-Path $key_iefirstrun))
    {
        New-Item $key_iefirstrun -Force
    }
    New-ItemProperty -Path $key_iefirstrun -Name DisableFirstRunCustomize -PropertyType DWORD -Value 2 -Force

    # Disable Internet Explorer Settings Tabs
    $key_iepanel = "$key\Software\Policies\Microsoft\Internet Explorer\Control Panel"
    if (! (Test-Path $key_iepanel))
    {
        New-Item $key_iepanel -Force
    }
    New-ItemProperty -Path $key_iepanel -Name SecurityTab -PropertyType DWORD -Value 1 -Force
}
finally {
    # Unload registry hive, even if one of the settings above failed.
    # Release the registry provider's handles first, otherwise REG UNLOAD reports the hive as still in use.
    [gc]::Collect()
    $null = REG UNLOAD $load_registry
}
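After running the hardening script, or as a periodic check on the RDS hosts, it is useful to confirm that the default profile still carries every expected value, because a profile rebuild, an image refresh or a later change can silently undo it. The following added example is not part of the Delinea script above; it loads the default profile hive read-only in the sense that it only reads values, compares each one against the expected value listed in this document, and reports OK, MISSING or MISMATCH per setting. It assumes the same hive location as the script, a temporary mount point of our own choosing (HKEY_USERS\RDSProfileAudit), the NoDrives/NoViewOnDrive value 12 used in the script, and must be run as administrator.

```powershell
# Added example: audit the default user profile hive against the hardening
# baseline described in this document. Function name and mount point are our own.
function Test-DefaultProfileHardening {
    [CmdletBinding()]
    param(
        [string]$HivePath = 'C:\Users\Default\NTUSER.DAT',
        [string]$MountPoint = 'HKEY_USERS\RDSProfileAudit',
        # Expected NoDrives / NoViewOnDrive mask; 12 = C: and D: as in the script
        [int]$DriveMask = 12
    )

    # Key paths relative to the loaded hive, value names and expected data,
    # taken from the settings listed in this document
    $expected = @(
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDrives';               Value = $DriveMask }
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoViewOnDrive';          Value = $DriveMask }
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoClose';                Value = 1 }
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableChangePassword';  Value = 1 }
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableLockWorkstation'; Value = 1 }
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';         Value = 1 }
        @{ Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop';   Name = 'ScreenSaveActive';       Value = '0' }
        @{ Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop';   Name = 'ScreenSaverIsSecure';    Value = '0' }
        @{ Key = 'Software\Policies\Microsoft\Internet Explorer\Restrictions';  Name = 'NoBrowserContextMenu';   Value = 1 }
        @{ Key = 'Software\Policies\Microsoft\Internet Explorer\IEDevTools';    Name = 'Disabled';               Value = 1 }
        @{ Key = 'Software\Policies\Microsoft\Internet Explorer\Main';          Name = 'DisableFirstRunCustomize'; Value = 2 }
        @{ Key = 'Software\Policies\Microsoft\Internet Explorer\Control Panel'; Name = 'SecurityTab';            Value = 1 }
    )

    $null = REG LOAD $MountPoint $HivePath
    if ($LASTEXITCODE -ne 0) {
        throw "REG LOAD of $HivePath failed with exit code $LASTEXITCODE (not elevated, hive already loaded, or profile in use)"
    }

    $findings = @()
    try {
        foreach ($e in $expected) {
            $path = "registry::$MountPoint\$($e.Key)"
            $item = Get-ItemProperty -Path $path -Name $e.Name -ErrorAction SilentlyContinue
            $actual = if ($null -ne $item) { $item.($e.Name) } else { $null }

            # Compare as strings so REG_SZ "0" and REG_DWORD 1 are both handled uniformly
            $status = if ($null -eq $actual)                 { 'MISSING' }
                      elseif ("$actual" -ne "$($e.Value)")    { 'MISMATCH' }
                      else                                    { 'OK' }

            $findings += [pscustomobject]@{
                Setting  = "$($e.Key)\$($e.Name)"
                Expected = $e.Value
                Actual   = $actual
                Status   = $status
            }
        }
    }
    finally {
        # Drop provider handles before unloading, otherwise REG UNLOAD fails with "in use"
        [gc]::Collect()
        $null = REG UNLOAD $MountPoint
    }
    return $findings
}

# Usage: print the report and return a non-zero exit code if anything deviates,
# so the check can run from a scheduled task or a configuration pipeline
$report = Test-DefaultProfileHardening
$report | Format-Table -AutoSize
if (@($report | Where-Object Status -ne 'OK').Count -gt 0) { exit 1 }
```

Note that this audits the default profile template only; sessions created before the script ran already have their own copy of the profile and are not affected by later changes to NTUSER.DAT in C:\Users\Default.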