Windows Server 2012 Security Policy Default Settings Locking Access From Remote Desktop

Posted on 2014-08-08
Last Modified: 2014-10-10
I am having a problem that I've encountered with multiple iterations and multiple rebuilds where I am getting to the point in securing the server using the Administrative Tools, Security Configuration Wizard and then creating a new Security Policy.

I've gone through originally enabling the defaults as well as the items listed below.

Server Roles:

ASP.NET State Service
SMTP server
Volume Shadow Copy
Windows Process Activation Service
Windows Server Backup

Client Features:

Background Intelligent Transfer Service (BITS)
DNS Client
Time Synchronization
Windows Update

Administration and Other Options:

.NET Framework 3.0
Application Experience Lookup Service
Diagnostic Policy Service
Local application installation
Performance Logs & Alerts
Remote Desktop

In Additional Services I left the defaults selected.

The Port and Network Service section was different from what I was expecting, having used 2008 previously, so I left everything as default but checked the Remote Desktop port at 3389.

In Outbound Authentication Methods both check boxes were unticked.

In Inbound Authentication Methods both check boxes were unticked.

I skipped the Audit Policy screen.

After saving the policy I clicked Apply Now. Midway through the policy applying process I was kicked off Remote Desktop Services, and no attempts to get back in worked.

I appreciate greatly any help made towards this issue.
Question by:Psychotext
    LVL 60

    Accepted Solution

    Suggest checking out the CIS Windows 2012 guide, which has recommended settings and explains the "why" to balance out security and business. I also suggest MS Security Compliance Manager (SCM), which has a 2012 document.

    Specifically, after installing SCM, you can find Documentation: "Recommended Security Baseline Settings.docx" is a Word doc that categorizes and describes all the new and updated settings (you should probably start here); this folder also contains "SCM Windows 8.1 and 2012 R2 Settings.xlsx", an Excel spreadsheet that describes the full set of recommended settings.

    We recommend not creating (and deleting where they now exist) server role baselines for AD Certificate Services, DHCP, DNS, File Server, Hyper-V, Network Policy and Access, Print Server, Remote Access Services, Remote Desktop Services or Web Server.

    The reason for this change is that those baselines contain only configuration for service startup and simply try to enforce the defaults for their respective roles. The problems with these baselines are that
    1) they are time-consuming to define and maintain, as service startup defaults may change between OS versions;
    2) as one can safely assume that the built-in Server Manager or other configuration tools do their job correctly, the baselines provide almost no security benefit; and
    3) they can create serious problems when they get it wrong.
    For example, in some scenarios, Windows temporarily configures the Windows Installer service (which is normally a Manual start service) to be an Automatic start service so that it can perform actions immediately following a reboot. The security baseline that forces it back to Manual start thus causes updates not to be correctly installed.

    For those reasons, we have also decided to remove all the service startup settings from the Server baselines that include them (e.g., "Windows Server 2012 Domain Controller Security Compliance").

    Note there is a Security Configuration Wizard that parses the selected server and the information collected, and compares that with Microsoft's security recommendations for that server profile (file, database, web, etc.). It may be useful for comparing your settings with the baseline. The Security Configuration Wizard analysis also makes suggestions for amendments, which can be changed and adapted according to a specific need. Once the Security Configuration Wizard has completed its analysis and recommendations, you can then either save or apply the policy.
    LVL 60

    Expert Comment

    Specifically for RDP in 2012, see below and review "Allow log on through Remote Desktop Services" and "Restricted Groups" > "Remote Desktop Users". By default, all Administrators can log in to Remote Desktop. If you have multiple Administrator accounts on your computer, you should limit remote access only to those accounts that need it. If Remote Desktop is not used for system administration, remove all administrative access via RDP and only allow user accounts requiring RDP service.

    Also, for consideration, see the settings below.

    Windows Firewall: Allow Inbound Remote Desktop exceptions: Enabled
    Allow user to connect remotely by using Remote Desktop Services: Enabled
    Do not allow local administrators to customize permissions: Enabled
    Require user authentication for remote connections by using NLA: Disabled

    Force (gpupdate /force) your computers to update Group Policy. Now any users that are a member of your security group can RDP to your computers.
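As an added example, not code from the thread or from the Security Configuration Wizard: a read-only check of the RDP-relevant state that the SCW policy and the Group Policy settings above affect (Remote Desktop enabled, listening port, NLA requirement, inbound firewall rules, the "Allow log on through Remote Desktop Services" right, and local Remote Desktop Users membership). Capturing this before and after Apply Now shows which setting removed the access; it assumes Windows Server 2012 with the NetSecurity module, run from an elevated PowerShell session.

```powershell
# Added example (not from the original thread). Read-only snapshot of the
# settings that decide whether an RDP connection to this server can succeed.
# Assumes Windows Server 2012 (Get-NetFirewallRule available) and elevation.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# 1. Remote Desktop enabled? fDenyTSConnections = 1 means connections are refused.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections

# 2. Listening port (3389 by default) and NLA requirement (UserAuthentication = 1).
$props = Get-ItemProperty -Path $tcp
$port  = $props.PortNumber
$nla   = $props.UserAuthentication

# 3. Inbound firewall rules in the built-in "Remote Desktop" group and their state.
$fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
      Select-Object DisplayName, Enabled, Profile

# 4. Holders of "Allow log on through Remote Desktop Services"
#    (SeRemoteInteractiveLogonRight) in the effective local security policy.
#    secedit lists SIDs: *S-1-5-32-544 = Administrators, *S-1-5-32-555 = Remote Desktop Users.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight' |
         ForEach-Object { $_.Line }
Remove-Item $cfg -ErrorAction SilentlyContinue

# 5. Members of the local Remote Desktop Users group (the Restricted Groups target).
$members = ([ADSI]'WinNT://./Remote Desktop Users,group').Invoke('Members') |
           ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }

[pscustomobject]@{
    RemoteDesktopEnabled = ($deny -eq 0)
    Port                 = $port
    NLARequired          = ($nla -eq 1)
    FirewallRules        = ($fw | ForEach-Object { "$($_.DisplayName) [$($_.Profile)] Enabled=$($_.Enabled)" }) -join '; '
    RemoteLogonRight     = $right
    RemoteDesktopUsers   = ($members -join ', ')
} | Format-List
```

Run it from a console session (or a second channel) so the "after" snapshot can still be taken if the policy drops the RDP session; a blank RemoteLogonRight line or a disabled "Remote Desktop (TCP-In)" rule is the usual cause of the lockout described above.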
