Windows Server 2012 Security Policy Default Settings Locking Access From Remote Desktop

I am having a problem that I've encountered across multiple iterations and multiple rebuilds. I get to the point of securing the server using Administrative Tools > Security Configuration Wizard and then creating a new Security Policy.

I've gone through enabling the defaults as well as the items listed below.

Server Roles:

ASP.NET State Service
SMTP server
Volume Shadow Copy
Windows Process Activation Service
Windows Server Backup

Client Features:

Background Intelligent Transfer Service (BITS)
DNS Client
Time Synchronization
Windows Update

Administration and Other Options:

.NET Framework 3.0
Application Experience Lookup Service
Diagnostic Policy Service
Local application installation
Performance Logs & Alerts
Remote Desktop

In Additional Services I left the defaults selected.

The Port and Network Service section was different from what I was expecting, having used 2008 previously, so I left everything as default but checked the Remote Desktop port at 3389.

In Outbound Authentication Methods both check boxes were unticked.

In Inbound Authentication Methods both check boxes were unticked.

I skipped the Audit Policy screen.

After saving the policy I clicked Apply Now. Midway through the policy-applying process I was kicked off Remote Desktop Services, and no attempts to get back in worked.

I appreciate greatly any help made towards this issue.

btan (Exec Consultant) commented:
I suggest checking out the CIS Windows 2012 guide, which has recommended settings and explains the "why" to balance security and business needs. I also suggest MS Security Compliance Manager (SCM), which has a 2012 document.

Specifically, after installing SCM, you can find Documentation: "Recommended Security Baseline Settings.docx" is a Word doc that categorizes and describes all the new and updated settings (you should probably start here); this folder also contains "SCM Windows 8.1 and 2012 R2 Settings.xlsx", an Excel spreadsheet that describes the full set of recommended settings.

We recommend not creating (and deleting where they now exist) server role baselines for AD Certificate Services, DHCP, DNS, File Server, Hyper-V, Network Policy and Access, Print Server, Remote Access Services, Remote Desktop Services or Web Server.

The reason for this change is that those baselines contain only configuration for service startup and simply try to enforce the defaults for their respective roles. The problems with these baselines are that
1) they are time-consuming to define and maintain, as service startup defaults may change between OS versions;
2) as one can safely assume that the built-in Server Manager or other configuration tools do their job correctly, the baselines provide almost no security benefit; and
3) they can create serious problems when they get it wrong.
For example, in some scenarios, Windows temporarily configures the Windows Installer service (which is normally a Manual start service) to be an Automatic start service so that it can perform actions immediately following a reboot. The security baseline that forces it back to Manual start thus causes updates not to be correctly installed.

For those reasons, we have also decided to remove all the service startup settings from the Server baselines that include them (e.g., "Windows Server 2012 Domain Controller Security Compliance").

Note that the Security Configuration Wizard parses the selected server and the information collected, and compares that with Microsoft's security recommendations for that server profile (file, database, web, etc.). It may be useful for comparing your settings with the baseline. The Security Configuration Wizard analysis and its suggestions for amendments can be changed and adapted according to a specific need. Once the Security Configuration Wizard has completed its analysis and recommendations, you can then either save or apply the policy.

btan (Exec Consultant) commented:
Specifically for RDP in 2012, see below and review "Allow log on through Remote Desktop Services" and "Restricted Groups" > "Remote Desktop Users". By default, all Administrators can log in to Remote Desktop. If you have multiple Administrator accounts on your computer, you should limit remote access only to those accounts that need it. If Remote Desktop is not used for system administration, remove all administrative access via RDP and only allow user accounts requiring the RDP service.

Also consider the settings below.

Windows Firewall: Allow Inbound Remote Desktop exceptions: Enabled
Allow user to connect remotely by using Remote Desktop Services: Enabled
Do not allow local administrators to customize permissions: Enabled
Require user authentication for remote connections by using NLA: Disabled

Force (gpupdate /force) your computers to update Group Policy. Now any users that are a member of your security group can RDP to your computers.
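The following script is an added example and is not part of either answer above. It produces a read-only report of the RDP prerequisites the answers mention (the Remote Desktop Services service, the "allow remote connections" and NLA flags, the listener port, the inbound firewall exceptions, Remote Desktop Users membership, and the "Allow/Deny log on through Remote Desktop Services" user rights), plus the Windows Installer start mode from the first answer's caveat. Run it from a console or other out-of-band session before and after applying an SCW policy, so that a lockout like the one in the question can be explained or, better, avoided. It assumes Windows Server 2012 with PowerShell 3.0, the NetSecurity and NetTCPIP modules, and local administrator rights; the temporary file name is constructed for this example.

```powershell
# Added example (not from the original answers): read-only RDP prerequisite report.
# Assumes Windows Server 2012, PowerShell 3.0, NetSecurity/NetTCPIP modules, admin rights.

function Get-RdpAccessReport {
    $report = [ordered]@{}

    # Remote Desktop Services service state and start mode (WMI, because
    # Get-Service has no StartType property on PowerShell 3.0).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='TermService'"
    $report['TermService'] = if ($svc) { "$($svc.State), StartMode=$($svc.StartMode)" } else { 'not found' }

    # The Windows Installer caveat from the first answer: a policy that forces
    # msiserver back to Manual can break post-reboot update steps.
    $msi = Get-WmiObject -Class Win32_Service -Filter "Name='msiserver'"
    $report['WindowsInstallerStartMode'] = if ($msi) { $msi.StartMode } else { 'not found' }

    # "Allow users to connect remotely" maps to fDenyTSConnections (0 = allowed).
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $report['RemoteConnectionsAllowed'] = ($deny -eq 0)

    # NLA requirement and listener port live under the RDP-Tcp WinStation key.
    $rdpTcp = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp"
    $report['NlaRequired']  = ($rdpTcp.UserAuthentication -eq 1)
    $report['ListenerPort'] = $rdpTcp.PortNumber

    # Is anything actually listening on that port right now?
    $listen = Get-NetTCPConnection -LocalPort $rdpTcp.PortNumber -State Listen -ErrorAction SilentlyContinue
    $report['PortListening'] = [bool]$listen

    # Inbound firewall exceptions: enabled rules in the built-in "Remote Desktop" group.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
    $report['FirewallRulesEnabled'] = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count

    # Local "Remote Desktop Users" membership (what the Restricted Groups setting controls).
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    $report['RemoteDesktopUsers'] = if ($members) { $members -join ', ' } else { '(none)' }

    # User rights from the effective local policy: "Allow/Deny log on through
    # Remote Desktop Services" are SeRemoteInteractiveLogonRight and
    # SeDenyRemoteInteractiveLogonRight. secedit writes SIDs, e.g.
    # *S-1-5-32-544 = Administrators, *S-1-5-32-555 = Remote Desktop Users.
    $inf = Join-Path $env:TEMP 'rdp-rights-export.inf'   # constructed file name
    secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $hit = Select-String -Path $inf -Pattern "^$right\s*=" | Select-Object -First 1
        $report[$right] = if ($hit) { ($hit.Line -split '=', 2)[1].Trim() } else { '(not defined; default applies)' }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue

    return [pscustomobject]$report
}

Get-RdpAccessReport | Format-List
```

A connection will only succeed when TermService is running, RemoteConnectionsAllowed is true, the port is listening, at least one inbound rule is enabled, and the connecting account is covered by SeRemoteInteractiveLogonRight and not by the deny right; a report taken after the SCW policy was applied shows which of those the policy changed. If the server is already locked out, the SCW command-line tool's rollback verb (scwcmd rollback; see scwcmd rollback /? for its parameters) reverts the last applied policy from a console session.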