Windows Server 2012 Security Policy Default Settings Locking Access From Remote Desktop

Posted on 2014-08-08
Medium Priority
Last Modified: 2014-10-10
I am having a problem that I've encountered across multiple iterations and multiple rebuilds: I get to the point of securing the server using Administrative Tools > Security Configuration Wizard and then creating a new Security Policy.

I've gone through originally enabling the defaults as well as the items listed below:

Server Roles:

ASP.NET State Service
SMTP server
Volume Shadow Copy
Windows Process Activation Service
Windows Server Backup

Client Features:

Background Intelligent Transfer Service (BITS)
DNS Client
Time Synchronization
Windows Update

Administration and Other Options:

.NET Framework 3.0
Application Experience Lookup Service
Diagnostic Policy Service
Local application installation
Performance Logs & Alerts
Remote Desktop

In Additional Services I left the defaults selected.

The Port and Network Service section were different to what I was expecting having used 2008 previously, so I left everything as default but checked the Remote Desktop port at 3389.

In Outbound Authentication Methods both check boxes were unticked.

In Inbound Authentication Methods both check boxes were unticked.

I skipped the Audit Policy screen.

After saving the policy I clicked Apply Now. Midway through the policy-applying process I was kicked off Remote Desktop Services, and no attempt to get back in worked.

I appreciate greatly any help made towards this issue.
Question by:Psychotext

Accepted Solution

btan earned 2000 total points
ID: 40250160
I suggest checking out the CIS Windows 2012 guide, which has recommended settings and explains the "why" to balance security and business. I also suggest the MS Security Compliance Manager (SCM), which has a 2012 document.

Specifically, after installing SCM, you can find Documentation: "Recommended Security Baseline Settings.docx" is a Word doc that categorizes and describes all the new and updated settings (you should probably start here); this folder also contains "SCM Windows 8.1 and 2012 R2 Settings.xlsx", an Excel spreadsheet that describes the full set of recommended settings.

We recommend not creating (and deleting where they now exist) server role baselines for AD Certificate Services, DHCP, DNS, File Server, Hyper-V, Network Policy and Access, Print Server, Remote Access Services, Remote Desktop Services or Web Server.

The reason for this change is because those baselines contain only configuration for service startup and simply try to enforce the defaults for their respective roles.  The problems with these baselines are that
1) they are time-consuming to define and maintain, as service startup defaults may change between OS versions;
2) as one can safely assume that the built-in Server Manager or other configuration tools do their job correctly, the baselines provide almost no security benefit; and
3) they can create serious problems when they get it wrong.
For example, in some scenarios, Windows temporarily configures the Windows Installer service (which is normally a Manual start service) to be an Automatic start service so that it can perform actions immediately following a reboot.  The security baseline that forces it back to Manual-start thus causes updates not to be correctly installed.

For those reasons, we have also decided to remove all the service startup settings from the Server baselines that include them (e.g., "Windows Server 2012 Domain Controller Security Compliance").

Note there is a Security Configuration Wizard, which parses the selected server and the information collected, and compares that with Microsoft's security recommendations for that server profile (file, database, web, etc.). It may be useful for comparing your settings with the baseline. The Security Configuration Wizard also provides analysis and suggestions for amendments, which can be changed and adapted according to a specific need. Once the Security Configuration Wizard has completed its analysis and recommendations, you can then either save or apply the policy.

Expert Comment

ID: 40251309
Specifically for RDP in 2012, see below and review "Allow log on through Remote Desktop Services" and "Restricted Groups" > "Remote Desktop Users". By default, all Administrators can log in to Remote Desktop. If you have multiple Administrator accounts on your computer, you should limit remote access only to those accounts that need it. If Remote Desktop is not used for system administration, remove all administrative access via RDP and only allow user accounts requiring the RDP service.

Also, for consideration, see the settings below.

Windows Firewall: Allow Inbound Remote Desktop exceptions: Enabled
Allow user to connect remotely by using Remote Desktop Services: Enabled
Do not allow local administrators to customize permissions: Enabled
Require user authentication for remote connections by using NLA: Disabled

Force (gpupdate /force) your computers to update Group Policy. Now any users that are a member of your security group can RDP to your computers.
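An added example, not from the answer above and not Microsoft's own tooling: a PowerShell check that reads the RDP-related settings the answer names (remote connections allowed, NLA, listening port, the inbound firewall exception, Remote Desktop Users membership, and the "Allow log on through Remote Desktop Services" right), so they can be verified before and after applying a Security Configuration Wizard policy. It assumes an elevated session on the server itself; the output property names are my own.

```powershell
# Added example: audit the RDP settings the answer refers to. Assumes an
# elevated PowerShell session on the server being secured.
function Get-RdpAccessState {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # "Allow users to connect remotely" corresponds to fDenyTSConnections = 0
    $allowRdp = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # "Require user authentication ... NLA" corresponds to UserAuthentication = 1
    $nla      = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
    $port     = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

    # Inbound firewall exception: any enabled rule in the built-in "Remote Desktop" group
    $fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Where-Object { $_.Enabled -eq 'True' })

    # Local "Remote Desktop Users" group, the target of the Restricted Groups setting
    $group   = [ADSI]'WinNT://./Remote Desktop Users,group'
    $members = @($group.psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })

    # "Allow log on through Remote Desktop Services" user right, read via secedit export
    $cfg = Join-Path $env:TEMP 'rdp-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $rightHolders = @()
    if ($line) {
        # Values look like "*S-1-5-32-544,*S-1-5-32-555"; translate SIDs to account names
        $rightHolders = @((($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object {
            $id = $_.Trim().TrimStart('*')
            try { (New-Object System.Security.Principal.SecurityIdentifier $id).Translate(
                      [System.Security.Principal.NTAccount]).Value }
            catch { $id }   # already a name, or a SID that cannot be resolved
        })
    }

    [PSCustomObject]@{
        RdpAllowed         = $allowRdp
        NlaRequired        = $nla
        Port               = $port
        FirewallRuleOn     = ($fwRules.Count -gt 0)
        RemoteDesktopUsers = $members
        LogonRightHolders  = $rightHolders
        # If any of these three is missing, the next RDP logon will fail
        RdpReachable       = ($allowRdp -and $fwRules.Count -gt 0 -and $rightHolders.Count -gt 0)
    }
}

Get-RdpAccessState | Format-List
```

Run it once before applying the policy and once afterwards from a console session (or an out-of-band management path) so that a change to any of these settings is visible before relying on RDP again.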
