Remote Desktop Services Disabled

Management Summary

Remote Desktop Protocol (RDP) must be disabled on workstations to prevent brute force attacks, ransomware lateral movement, and unauthorized remote access - RDP is one of the most abused attack vectors.

Recommendation: IMPLEMENT
Risk without: Critical
Risk Score: 9/10
Implementation: 4h (tech: 2h)
Applies to:
✓ Windows 10
✓ Windows 11
✓ Workstations

RDP is a TOP attack vector: port 3389 is the #1 port scanned by attackers and the #2 ransomware entry point (after phishing).

ATTACK SCENARIOS. BRUTE FORCE: attackers scan the internet for RDP (port 3389) → brute force credentials → gain access. LATERAL MOVEMENT: an attacker compromises one account → uses RDP to jump between machines → domain-wide spread. RANSOMWARE: 70% of ransomware uses RDP for initial access (brute force of weak passwords), lateral movement (spread over the network) and deployment (executing the ransomware via an RDP session).

REAL-WORLD: SamSam ransomware (RDP brute force → millions in damages), Dharma/Crysis (RDP-based), REvil (RDP lateral movement).

STATISTICS: 50% of organizations have RDP exposed to the internet (often accidentally); 1 million+ RDP brute force attempts per exposed endpoint per month; average time to compromise: 1-2 days of brute forcing.

WHY WORKSTATIONS DON'T NEED RDP: inbound RDP to a workstation is rarely a legitimate use case. IT support can use Intune remote assistance, Quick Assist (built into Windows), TeamViewer/AnyDesk (if approved), or physical access. SERVERS may need RDP (but it should be restricted via firewall/JIT access).

PowerShell Modules Required
Primary API: Intune / Group Policy
Connection: Registry / Service
Required Modules:

Implementation

Disable RDP on workstations via the registry: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections set to 1 (Disabled). EFFECT: nobody can RDP INTO this machine (inbound blocked); the machine can still RDP to servers (outbound works); port 3389 is closed; the Remote Desktop service can be stopped.

Prerequisites

  1. Windows 10/11 workstations (NOT servers)
  2. Alternative remote support: Intune Remote Assistance, Quick Assist
  3. Verify: No business processes require inbound RDP to workstations
  4. Exception process: for legitimate RDP needs (heavily restricted)

Implementation

Use the PowerShell script allow-users-to-connect-remotely-by-using-remote-desktop-services-is-set-to-disabled.ps1 (function Invoke-Remediation) – disables RDP via the registry.

Intune: System → Remote Desktop is Disabled. Apply to all workstations.

For SERVERS that need RDP: do not disable it. Instead: restrict it via the firewall (only from jump hosts), implement Azure Bastion or JIT access, require MFA for RDP, and monitor RDP sessions.
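An added example (not part of the baseline's own script) of the firewall part of the server guidance above: keep RDP enabled, but scope the built-in inbound "Remote Desktop" rules to named jump hosts and verify that no rule still accepts any address. The jump-host addresses are placeholder assumptions; Bastion/JIT and MFA are separate controls not shown here.

```powershell
# Added example, not the baseline's rdp-disabled.ps1: limit inbound RDP on a server
# to jump hosts via the built-in "Remote Desktop" firewall rule group.
#Requires -RunAsAdministrator
param([string[]]$JumpHosts = @('10.0.10.5', '10.0.10.6'))   # assumed placeholder addresses

function Set-RdpJumpHostScope {
    param([string[]]$Allowed)

    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
    if (-not $rules) { throw "No inbound 'Remote Desktop' firewall rules found" }

    # Narrow the remote address scope and make sure the rules stay active.
    $rules | Set-NetFirewallRule -RemoteAddress $Allowed -Enabled True
}

# Returns $false when any inbound RDP rule still accepts connections from 'Any'
# or from an address outside the allowed list.
function Test-RdpJumpHostScope {
    param([string[]]$Allowed)

    $open = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Where-Object {
            $addr = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
            ($addr -contains 'Any') -or (@($addr | Where-Object { $_ -notin $Allowed }).Count -gt 0)
        }
    return (-not $open)
}

Set-RdpJumpHostScope -Allowed $JumpHosts
if (Test-RdpJumpHostScope -Allowed $JumpHosts) {
    "Inbound RDP limited to: $($JumpHosts -join ', ')"
} else {
    Write-Warning 'Some inbound RDP rules still accept connections outside the jump-host list'
}
```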

Monitoring

Use the PowerShell script allow-users-to-connect-remotely-by-using-remote-desktop-services-is-set-to-disabled.ps1 (function Invoke-Monitoring) – verifies that fDenyTSConnections is 1.

Monitor: RDP service status, port 3389 scan results (should be filtered/closed), failed RDP login attempts (Event ID 4625).
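An added monitoring check (not the baseline's rdp-disabled.ps1) that collects the items listed above for a workstation in one object: the registry value, whether anything listens on TCP 3389, the TermService state, and 4625 failures in a lookback window. The 24-hour default is an assumption.

```powershell
# Added example, not the baseline's own script: one-shot RDP exposure check.
# Needs an elevated session to read the Security log.
#Requires -RunAsAdministrator
param([int]$LookbackHours = 24)   # assumed default window

function Get-RdpExposure {
    param([int]$Hours)

    # 1. Policy value: 1 means inbound RDP connections are denied.
    $tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $tsPath -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    # 2. Is anything still listening on TCP 3389?
    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    # 3. Remote Desktop service state (it may keep running even when connections are denied).
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }

    # 4. Failed logons (4625) in the window. LogonType 10 = RemoteInteractive (RDP);
    #    with Network Level Authentication enabled, failed RDP attempts are logged as
    #    LogonType 3 instead, so the total is reported next to the type-10 subset.
    $since  = (Get-Date).AddHours(-$Hours)
    $failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)
    $rdpFailed = @($failed | Where-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object { $_.Name -eq 'LogonType' }).'#text' -eq '10'
    })

    [PSCustomObject]@{
        fDenyTSConnections = $deny
        Port3389Listening  = [bool]$listener
        TermServiceStatus  = $svcStatus
        FailedLogons4625   = $failed.Count
        FailedRdpLogons    = $rdpFailed.Count
        Compliant          = ($deny -eq 1 -and -not $listener)
    }
}

Get-RdpExposure -Hours $LookbackHours
```

A non-zero FailedLogons4625 on a workstation with fDenyTSConnections=1 is not an RDP finding by itself; check the other logon types before raising it.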

Compliance and Auditing

  1. CIS Windows Benchmark - RDP disabled on workstations
  2. BIO 12.06 - attack surface reduction
  3. ISO 27001 A.12.6.1
  4. NIS2 Article 21 - reduce attack surface

Remediation

Use the PowerShell script allow-users-to-connect-remotely-by-using-remote-desktop-services-is-set-to-disabled.ps1 (function Invoke-Remediation) – remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Intune Security Options: RDP Disabled
.DESCRIPTION
    CIS - Remote Desktop must be disabled (unless there is a business need).
.NOTES
    Filename: rdp-disabled.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Registry: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
    Expected: 1 (Disabled)
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$WhatIf,
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert
)

$ErrorActionPreference = 'Stop'
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$RegName = "fDenyTSConnections"
$ExpectedValue = 1

# Returns $true when running with administrator rights (needed to write under HKLM).
function Connect-RequiredServices {
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Reads fDenyTSConnections and reports whether it equals the expected value (1 = RDP disabled).
function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName    = "rdp.ps1"
        PolicyName    = "Remote Desktop"
        IsCompliant   = $false
        CurrentValue  = $null
        ExpectedValue = "Disabled"
        Details       = @()
    }
    try {
        $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
        if ($v) { $r.CurrentValue = $v.$RegName }
        if ($v -and $v.$RegName -eq $ExpectedValue) {
            $r.IsCompliant = $true
            $r.Details += "RDP disabled"
        } else {
            $r.Details += "RDP enabled - review if needed"
        }
    } catch {
        $r.Details += "Error: $($_.Exception.Message)"
    }
    return $r
}

# Sets fDenyTSConnections to 1, which blocks inbound RDP.
function Invoke-Remediation {
    Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force
    Write-Host "Remote Desktop disabled" -ForegroundColor Green
}

function Invoke-Monitoring {
    $r = Test-Compliance
    $color = if ($r.IsCompliant) { 'Green' } else { 'Red' }
    Write-Host "`n$($r.PolicyName): $(if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' })" -ForegroundColor $color
    return $r
}

# Re-enables inbound RDP (fDenyTSConnections = 0).
function Invoke-Revert {
    Set-ItemProperty -Path $RegPath -Name $RegName -Value 0 -Type DWord
}

try {
    if (-not (Connect-RequiredServices)) { exit 1 }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        if (-not $WhatIf) { Invoke-Remediation }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
} catch {
    Write-Error $_
    exit 1
}

Risk without implementation

Critical: RDP is the #2 ransomware entry point (70% of ransomware uses RDP). Brute force attacks are constant. Disable it on workstations, heavily restrict it on servers.

Management Summary

Disable RDP on workstations (fDenyTSConnections=1). Prevents brute force + lateral movement. Use Intune Remote Assistance instead. Apply to workstations only. Implementation: 2-4 hours. CRITICAL RANSOMWARE PREVENTION.