18.10.56.3.2.1 (L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'

Information

This policy setting allows you to configure remote access to computers by using Remote Desktop Services.

The recommended state for this setting is: Disabled

Any account with the

Allow log on through Remote Desktop Services

user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely by using Remote Desktop Services

Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named

Allow users to connect remotely using Terminal Services

, but it was renamed to

Allow users to connect remotely using Remote Desktop Services

in the Windows 7 & Server 2008 R2 Administrative Templates. It was finally renamed (again) to

Allow users to connect remotely by using Remote Desktop Services

starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

Impact:

None - this is the default configuration, unless Remote Desktop Services has been manually enabled on the Remote tab in the System Properties sheet.

See Also

https://workbench.cisecurity.org/benchmarks/16515

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Windows

Control ID: 98b924082059b5ecc75097b2eef83b3f197c106c59c98d03e0022b38c0dcbc31