
Windows Server 2012 Security Policy Default Settings Locking Access From Remote Desktop

1,953 Views
Last Modified: 2014-10-10
I am having a problem that I've encountered with multiple iterations and multiple rebuilds, where I get to the point of securing the server using Administrative Tools, Security Configuration Wizard, and then creating a new Security Policy.

I've gone through, originally enabling the defaults as well as the items listed below:

Server Roles:

ASP.NET State Service
SMTP server
Volume Shadow Copy
Windows Process Activation Service
Windows Server Backup

Client Features:

Background Intelligent Transfer Service (BITS)
DNS Client
Time Synchronization
Windows Update

Administration and Other Options:

.NET Framework 3.0
Application Experience Lookup Service
Diagnostic Policy Service
Local application installation
Performance Logs & Alerts
Remote Desktop

In Additional Services I left the defaults selected.

The Port and Network Service section was different from what I was expecting, having used 2008 previously, so I left everything as default but checked the Remote Desktop port at 3389.

In Outbound Authentication Methods both check boxes were unticked.

In Inbound Authentication Methods both check boxes were unticked.

I skipped the Audit Policy screen.

After saving the policy I clicked Apply Now. Midway through the policy applying process I was kicked off Remote Desktop Services, and no attempts to get back in worked.

I appreciate greatly any help made towards this issue.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Specifically for RDP in 2012, see below and review "Allow log on through Remote Desktop Services" and Restricted Groups > "Remote Desktop Users". By default, all Administrators can log in to Remote Desktop. If you have multiple Administrator accounts on your computer, you should limit remote access only to those accounts that need it. If Remote Desktop is not used for system administration, remove all administrative access via RDP and only allow user accounts requiring the RDP service.

Also, see the considerations below.

Windows Firewall: Allow Inbound Remote Desktop exceptions: Enabled
Allow user to connect remotely by using Remote Desktop Services: Enabled
Do not allow local administrators to customize permissions: Enabled
Require user authentication for remote connections by using NLA: Disabled

Force (gpupdate /force) your computers to update Group Policy. Now any users that are a member of your security group can RDP to your computers.
http://deployhappiness.com/gpupdate-or-gpupdate-force/
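As an added example that is not part of the question or of btan's answer: a PowerShell pre-flight check, run in an elevated console on the server before clicking Apply Now in the Security Configuration Wizard, that reports the settings btan lists (Remote Desktop enabled, NLA, the inbound firewall exception, the "Allow log on through Remote Desktop Services" right, and the members of the local Remote Desktop Users group). It assumes the Server 2012 defaults for the registry paths and for the firewall rule display group name "Remote Desktop"; the 3389 listen port is the one the question checked in the SCW.

```powershell
# Added example, not the project's or the poster's code.
# Audits the settings that decide whether an RDP session survives a policy push on Server 2012.
# Assumes: standard Terminal Server registry paths and the default "Remote Desktop" firewall rule group.

function Test-RdpAccessSettings {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Is Remote Desktop enabled? The "Allow users to connect remotely by using Remote Desktop Services"
    #    policy writes fDenyTSConnections (0 = allowed, 1 = denied).
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $result.RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)

    # 2. Network Level Authentication and the listener port (the question expected 3389).
    $rdpTcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $result.NlaRequired = ($rdpTcp.UserAuthentication -eq 1)
    $result.ListenPort  = $rdpTcp.PortNumber

    # 3. Inbound firewall exception for Remote Desktop (NetSecurity module, available on 2012+).
    $fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
          Where-Object { $_.Direction -eq 'Inbound' }
    $result.FirewallRuleEnabled = [bool]($fw | Where-Object { $_.Enabled -eq 'True' })

    # 4. Who holds "Allow log on through Remote Desktop Services"? secedit exports the right as
    #    SeRemoteInteractiveLogonRight with SIDs (S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users).
    $cfg = Join-Path $env:TEMP 'rdp-audit.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight' | Select-Object -First 1
    $result.RemoteLogonRight = if ($line) { ($line.Line -split '=', 2)[1].Trim() } else { '(not present in export)' }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # 5. Local Remote Desktop Users membership via ADSI (Get-LocalGroupMember is not available on 2012).
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    $result.RemoteDesktopUsers = $members -join ', '

    [pscustomobject]$result
}

$audit = Test-RdpAccessSettings
$audit | Format-List

# Collect anything that would cut the session off mid-apply and report it before proceeding.
$blockers = @()
if (-not $audit.RemoteDesktopEnabled) { $blockers += 'Remote Desktop is disabled (fDenyTSConnections = 1)' }
if (-not $audit.FirewallRuleEnabled)  { $blockers += 'No enabled inbound rule in the "Remote Desktop" firewall group' }
if ($audit.RemoteLogonRight -notmatch 'S-1-5-32-544|S-1-5-32-555') {
    $blockers += 'Neither Administrators nor Remote Desktop Users hold SeRemoteInteractiveLogonRight'
}

if ($blockers.Count -gt 0) {
    Write-Warning ("Do not apply the policy over RDP yet:`n - " + ($blockers -join "`n - "))
} else {
    Write-Host 'RDP prerequisites look intact; apply the policy, then re-run this check.'
}
```

Run the check once before applying the SCW policy and once after `gpupdate /force`; a change in any of the five fields between the two runs pinpoints which setting the policy altered. If the session is still lost, the last applied SCW policy can be reversed from the console or from another administrative session with `scwcmd rollback`.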
