18.9.59.3.2.1 (L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'

Information

This policy setting allows you to configure remote access to computers by using Remote Desktop Services.
The recommended state for this setting is: Disabled.

Rationale:
Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely by using Remote Desktop Services
Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow users to connect remotely using Terminal Services, but it was renamed to Allow users to connect remotely using Remote Desktop Services in the Windows 7 & Server 2008 R2 Administrative Templates. It was finally renamed (again) to Allow users to connect remotely by using Remote Desktop Services starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

Impact:
None - this is the default configuration, unless Remote Desktop Services has been manually enabled on the Remote tab in the System Properties sheet.

Default Value:
Disabled. (Users cannot connect remotely to the target computer by using Remote Desktop Services, unless it has been manually enabled from the Remote tab in the System Properties sheet.)

References:
1. CCE-35255-9

See Also

https://workbench.cisecurity.org/benchmarks/14249

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv7|9.2

Plugin: Windows

Control ID: f4eb21066059a7f2fd783bfef5432710b35c2e86d321b34eaea5b725483f75ae