How do I enable or disable Remote Desktop via Group Policy Windows 10?
Overview

The MS-ISAC observes specific malware variants consistently reaching its Top 10 Malware list. These variants have traits that make them highly effective against State, Local, Tribal, and Territorial (SLTT) government networks, consistently infecting more systems than other types of malware. An examination of their characteristics revealed that they often abuse legitimate tools or parts of applications already present on a system or network. One such legitimate tool is Remote Desktop Protocol (RDP).

Understanding the Threat Surface

RDP is a Microsoft proprietary protocol that enables remote connections to other computers, typically over TCP port 3389. It provides network access for a remote user over an encrypted channel. Network administrators use RDP to diagnose issues, log in to servers, and perform other remote actions. Remote employees use RDP to log in to the organization's network to access email and files. Cyber threat actors (CTAs) use misconfigured RDP ports that are open to the Internet to gain network access. They are then in a position to move laterally through the network, escalate privileges, access and exfiltrate sensitive information, harvest credentials, or deploy a wide variety of malware. This popular attack vector lets CTAs keep a low profile, because they are using a legitimate network service that gives them the same functionality as any other remote user. CTAs use tools such as the Shodan search engine to scan the Internet for open RDP ports and then use brute-force password techniques to access vulnerable networks. Compromised RDP credentials are also widely available for sale on dark web marketplaces.

Recommendations

After evaluating your environment and conducting appropriate testing, use Group Policy to disable RDP. If RDP is needed for legitimate work functions, the MS-ISAC recommends following the below recommendations:
For additional help hardening your systems, the MS-ISAC recommends that organizations use the CIS Benchmarks and CIS Build Kits, which are part of CIS SecureSuite.

Disabling RDP

The directions below are a general outline of how to disable RDP.
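As an added example (this is not the primer's own step-by-step directions), the following PowerShell audits the RDP posture of a single Windows 10 host and turns RDP off by writing the policy-scoped registry value that the Group Policy setting "Allow users to connect remotely by using Remote Desktop Services" (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections) writes. The function names Get-RdpPosture, Disable-Rdp and Enable-Rdp are this example's own; the registry paths are the ones the policy and System Properties use, and 'Remote Desktop' is the built-in Windows Firewall rule display group. It assumes an elevated session on the host itself.

```powershell
# Added example, not the MS-ISAC primer's own directions. Run elevated on the host.
# In a domain, set the same policy in a GPO instead: a domain GPO is re-applied on
# every refresh and overrides anything written locally below.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RdpPosture {
    # fDenyTSConnections: 1 = connections denied (RDP off), 0 = allowed.
    # The value under the Policies hive (what the GPO writes) overrides the
    # one that System Properties writes under the Terminal Server key.
    $policyDeny = Get-RegValue $PolicyKey 'fDenyTSConnections'
    $localDeny  = Get-RegValue $LocalKey  'fDenyTSConnections'
    $effective  = if ($null -ne $policyDeny) { $policyDeny } else { $localDeny }
    $openRules  = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                    Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{
        PolicyDeny        = $policyDeny
        LocalDeny         = $localDeny
        RdpEnabled        = ($effective -eq 0)
        NlaRequired       = ((Get-RegValue "$LocalKey\WinStations\RDP-Tcp" 'UserAuthentication') -eq 1)
        ListeningOn3389   = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
        FirewallRulesOpen = $openRules.Count
    }
}

function Disable-Rdp {
    # Write the policy-scoped value so a later change in System Properties cannot
    # re-enable RDP, then disable the inbound "Remote Desktop" firewall rules so
    # nothing answers on 3389 even if the listener is re-enabled by mistake.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name fDenyTSConnections -Value 1 -PropertyType DWord -Force | Out-Null
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Enable-Rdp {
    # Hardened re-enable for hosts that genuinely need RDP: allow connections but
    # require Network Level Authentication, so credentials are validated before
    # a session is built and the screen is never exposed to unauthenticated clients.
    Remove-ItemProperty -Path $PolicyKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    New-ItemProperty -Path $LocalKey -Name fDenyTSConnections -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$LocalKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -PropertyType DWord -Force | Out-Null
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

# Usage: record the posture, disable, and record it again for the change ticket.
Get-RdpPosture
Disable-Rdp
Get-RdpPosture
```

After disabling, confirm from a second host that the port no longer answers, for example with `Test-NetConnection -ComputerName <host> -Port 3389`; a local audit alone does not prove the host is unreachable from the Internet, which is the exposure the primer is concerned with. When the setting is deployed through a GPO, run `gpupdate /force` on the target and re-run Get-RdpPosture to verify that PolicyDeny reads 1.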
For more information on how to enable or disable RDP, please go to Microsoft. The MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation's state, local, tribal, and territorial (SLTT) governments. More information about this topic, as well as 24×7 cybersecurity assistance, is available at 866-787-4722 or by email. The MS-ISAC is interested in your comments; an anonymous feedback survey is available.