18.9.59.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'

Information

This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication.
You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
The recommended state for this setting is: Enabled.

Rationale:
Allowing unsecured RPC communication can expose the server to man-in-the-middle attacks and data disclosure attacks.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require secure RPC communication
Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

Impact:
Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.

Default Value:
Disabled. (Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.)
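
The following audit check is an added example, not part of the benchmark text. It reports whether the setting is Enabled, Disabled or Not Configured on the local host, and treats Not Configured as non-compliant because of the default described above. The registry key and value name are an assumption (this page gives only the Group Policy path), and the function name is hypothetical.

```powershell
# Added example: audit 'Require secure RPC communication' on the local host.
# Assumption (not on this page): the policy is stored as the REG_DWORD
# fEncryptRPCTraffic under the Terminal Services policy key below.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$PolicyName = 'fEncryptRPCTraffic'

function Test-SecureRpcPolicy {
    [CmdletBinding()]
    param(
        [string]$Key  = $PolicyKey,
        [string]$Name = $PolicyName
    )

    $result = [ordered]@{
        Setting   = 'Require secure RPC communication'
        State     = 'Not Configured'   # no policy value: default behaviour applies
        RawValue  = $null
        Compliant = $false
    }

    # A missing key or value means the policy was never applied to this host.
    $regKey = Get-Item -Path $Key -ErrorAction SilentlyContinue
    if ($null -ne $regKey -and $regKey.GetValueNames() -contains $Name) {
        $raw  = $regKey.GetValue($Name)
        $kind = $regKey.GetValueKind($Name)
        $result.RawValue = $raw

        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $result.State = "Unexpected type ($kind)"
        } elseif ($raw -eq 1) {
            $result.State     = 'Enabled'
            $result.Compliant = $true
        } elseif ($raw -eq 0) {
            $result.State = 'Disabled'
        } else {
            $result.State = "Unexpected value ($raw)"
        }
    }

    [pscustomobject]$result
}

$check = Test-SecureRpcPolicy
$check | Format-List
if (-not $check.Compliant) {
    Write-Warning 'Unsecured RPC communication with Remote Desktop Services is still allowed.'
}
```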

References:
1. CCE-35723-6

See Also

https://workbench.cisecurity.org/benchmarks/14249

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv6|3.4, CSCv7|4.5

Plugin: Windows

Control ID: cef8b8ff4d658cf54b8f48093c0113586c1b3b320fc5537be492608e2b1110ea