Block Clipboard Redirection

💼 Management Summary

Block clipboard redirection in Remote Desktop sessions to prevent data exfiltration via copy and paste.

Recommendation: CONSIDER
Risk without: Medium
Risk Score: 5/10
Implementation: 0.5h (tech: 0.5h)
Applies to: Windows

Without this block, users can copy sensitive data from the remote session to their local system, which leads to uncontrolled data exfiltration and possible data leaks.

Required PowerShell Modules
Primary API: Microsoft Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

This setting configures AllowClipboardRedirection to 'Not Allowed' via Microsoft Intune to block clipboard synchronization between local and remote systems.

Requirements

Microsoft Intune via device configuration policies

Implementation

Intune policy: Block clipboard RDP

Compliance and Auditing

BIO 13.02

Monitoring

Use the PowerShell script allow-clipboard-redirection-is-set-to-not-allowed.ps1 (function Invoke-Monitoring) – Check.

Remediation

Use the PowerShell script allow-clipboard-redirection-is-set-to-not-allowed.ps1 (function Invoke-Remediation) – Remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Intune Security Options: Clipboard Redirection Not Allowed
.DESCRIPTION
    CIS - Clipboard redirection (RDP) must be disabled.
.NOTES
    Filename: clipboard-redir.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableClip
    Expected: 1
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)

$ErrorActionPreference = 'Stop'
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$RegName = "fDisableClip"
$ExpectedValue = 1

# Returns $true when the current session is elevated.
function Connect-RequiredServices {
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Reads the policy value and reports whether it matches the expected value.
function Test-Compliance {
    $r = [PSCustomObject]@{ScriptName = "clip-redir.ps1"; PolicyName = "Clipboard Redirection"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Disabled"; Details = @() }
    try {
        if (Test-Path $RegPath) {
            $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
            if ($v) { $r.CurrentValue = $v.$RegName }
            if ($v -and $v.$RegName -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Clipboard disabled" }
            else { $r.Details += "Clipboard enabled" }
        }
        else { $r.Details += "Niet geconfigureerd" }
    }
    catch { $r.Details += "Error: $($_.Exception.Message)" }
    return $r
}

# Creates the policy key if needed and sets fDisableClip to the expected value.
function Invoke-Remediation {
    if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force
    Write-Host "Clipboard redirection disabled" -ForegroundColor Green
}

function Invoke-Monitoring {
    $r = Test-Compliance
    Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' })
    return $r
}

# Removes the policy value again.
function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue }

# Exit code 0 = compliant, 1 = non-compliant or error.
try {
    if (-not(Connect-RequiredServices)) { exit 1 }
    if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }
    elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }
    elseif ($Revert) { Invoke-Revert }
    else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }
}
catch { Write-Error $_; exit 1 }
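The script's compliance test compares the value with -eq only, so a value of the wrong registry type can still pass. The following is an added example, not part of the baseline's script: it separates "not configured", "wrong value" and "wrong type", and runs against a constructed scratch key under HKCU. The function name Get-ClipPolicyState, the scratch key, and the rule that only a REG_DWORD counts as enforced are assumptions made for this example.

```powershell
# Added example, not the baseline's own script. Get-ClipPolicyState and the
# HKCU:\Software\ClipPolicyDemo scratch key are hypothetical names.
function Get-ClipPolicyState {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
        [string]$Name = 'fDisableClip',
        [int]$Expected = 1
    )
    $state = 'NotConfigured'; $value = $null; $kind = $null
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) {
        $value = $key.GetValue($Name, $null)
        if ($null -ne $value) {
            $kind = $key.GetValueKind($Name)
            # Assumption: only a REG_DWORD equal to $Expected counts as enforced.
            # A REG_SZ "1" passes a plain "-eq 1" test through type coercion.
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { $state = 'WrongType' }
            elseif ($value -ne $Expected) { $state = 'WrongValue' }
            else { $state = 'Compliant' }
        }
        $key.Close()
    }
    [PSCustomObject]@{
        Computer = $env:COMPUTERNAME; State = $state; Value = $value
        Kind = $kind; IsCompliant = ($state -eq 'Compliant')
    }
}

# Constructed demo data: a scratch key under HKCU, so the real policy key is
# left untouched and no elevation is needed.
$demo = 'HKCU:\Software\ClipPolicyDemo'
New-Item -Path $demo -Force | Out-Null
try {
    $cases = @(
        @{ Label = 'value missing'; Type = $null;    Value = $null }
        @{ Label = 'DWORD 1';       Type = 'DWord';  Value = 1 }
        @{ Label = 'DWORD 0';       Type = 'DWord';  Value = 0 }
        @{ Label = 'REG_SZ "1"';    Type = 'String'; Value = '1' }
    )
    foreach ($c in $cases) {
        Remove-ItemProperty -Path $demo -Name fDisableClip -ErrorAction SilentlyContinue
        if ($c.Type) {
            New-ItemProperty -Path $demo -Name fDisableClip -Value $c.Value -PropertyType $c.Type -Force | Out-Null
        }
        $r = Get-ClipPolicyState -Path $demo
        '{0,-14} -> {1,-13} compliant={2}' -f $c.Label, $r.State, $r.IsCompliant
    }
}
finally { Remove-Item -Path $demo -Recurse -Force }
```

Called without -Path, the function reads the policy key the page's script uses.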

Risk without implementation

Medium: Medium - Clipboard data exfiltration via RDP.

Management Summary

Block RDP clipboard. BIO 13.02. Setup: 30 min.