Configure Security Settings for Remote Desktop (RDP) Services Connections


Contents

1. Configure Server Authentication and Encryption Levels
2. Configure Network Level Authentication for Remote Desktop Services Connections
3. Configure Client Logon Information for Remote Desktop Services Connections
4. Configure Permissions for Remote Desktop Services Connections
5. Logging the RDP Source IP in SSL Mode

 

1. Configure Server Authentication and Encryption Levels

This policy setting specifies whether a specific security layer must be used to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified here. The available security methods are:

1. Negotiate (default): the Negotiate method enforces the most secure method that the client supports.
    1) If the client supports Transport Layer Security (TLS) 1.0 or later, TLS is used to authenticate the RD Session Host server (in this case the Windows Security event log does not record the source IP of failed logons; see section 5).
    2) If the client does not support TLS, the RDP Security Layer is used for encryption.
2. RDP Security Layer: the RDP method uses native RDP encryption to secure communications between the client and the RD Session Host server. In this mode the Security event log records the source IP of failed logons normally, so failed-logon events can be obtained in real time through a syslogevent event callback. Note that the RDP Security Layer encrypts the session but does not authenticate the server, so the client has no way to detect a man-in-the-middle.
3. SSL: the SSL method requires TLS (1.0 or later) to authenticate the RD Session Host server. If TLS is not supported, the connection fails.

The corresponding registry value is shown below. This is the Group Policy location; the same value name also exists per listener under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, and the policy value overrides the listener value when both are present.

Registry Hive    HKEY_LOCAL_MACHINE
Registry Path    SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Value Name    SecurityLayer
Value Type    REG_DWORD
Value    0 = RDP Security Layer
         1 = Negotiate
         2 = SSL

By default, Remote Desktop Services connections are encrypted at the highest level of security available. However, some older versions of the Remote Desktop Connection client do not support this high level of encryption. If your network contains such legacy clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.
Four encryption levels are available.

1. FIPS Compliant: This level encrypts and decrypts data sent from the client to the server and from the server to the client by using Federal Information Processing Standard (FIPS) 140-1 validated encryption methods. Clients that do not support this level of encryption cannot connect.
2. High: This level encrypts data sent from the client to the server and from the server to the client by using 128-bit encryption. Use this level when the RD Session Host server is running in an environment containing 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption will not be able to connect.
3. Client Compatible (default): This level encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this level when the RD Session Host server is running in an environment containing mixed or legacy clients.
4. Low: This level encrypts data sent from the client to the server by using 56-bit encryption. Data sent from the server to the client is not encrypted.

The corresponding registry value, under the same policy key as SecurityLayer, is MinEncryptionLevel (REG_DWORD): 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant. Note that the encryption level only matters for the RDP Security Layer; when the SSL security layer is used, TLS provides the encryption.

By default (when the policy is not configured) the server and client negotiate the most secure protocol available for the RDP logon (Negotiate mode); the outcome of the negotiation depends on the OS versions of the client and the server.

gpedit.msc: Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security

If the client OS is Vista/Windows 7 or later and the server is Windows Server 2008 or later, SSL (TLS) will be used for authentication by default.
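The following script is an added example and is not part of the original post. It reads the effective SecurityLayer, MinEncryptionLevel and UserAuthentication (NLA) values, taking the Group Policy key first and the RDP-Tcp listener key as fallback, cross-checks them against the Win32_TSGeneralSetting WMI class, and reports the weak settings described above. It assumes Windows PowerShell 5.1 or later run as Administrator; the finding texts and the helper names are this example's own.

```powershell
# Added example, not from the original post: audit the effective RDP security layer,
# minimum encryption level and NLA requirement on the local host and flag weak values.
# Assumes Windows PowerShell 5.1+ run as Administrator.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$SecurityLayerName   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$EncryptionLevelName = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: policy is "Not Configured"
}

function Get-EffectiveRdpSetting {
    # A value under the Policies key (Group Policy) overrides the per-listener value
    # under WinStations\RDP-Tcp, which is the value the WMI SetSecurityLayer() method writes.
    param([string]$Name)
    $policy = Get-RegistryValueOrNull -Path $PolicyKey -Name $Name
    if ($null -ne $policy) {
        return [pscustomobject]@{ Name = $Name; Value = [int]$policy; Source = 'GroupPolicy' }
    }
    $listener = Get-RegistryValueOrNull -Path $ListenerKey -Name $Name
    [pscustomobject]@{ Name = $Name; Value = $listener; Source = 'Listener' }
}

function Test-RdpSecurity {
    $layer = Get-EffectiveRdpSetting -Name 'SecurityLayer'
    $enc   = Get-EffectiveRdpSetting -Name 'MinEncryptionLevel'
    $nla   = Get-EffectiveRdpSetting -Name 'UserAuthentication'

    $findings = New-Object 'System.Collections.Generic.List[string]'

    switch ($layer.Value) {
        0 { $findings.Add('SecurityLayer=0 (RDP Security Layer): server is not authenticated, sessions are exposed to man-in-the-middle') }
        1 { $findings.Add('SecurityLayer=1 (Negotiate): a client without TLS is downgraded to the RDP Security Layer') }
        2 { }   # SSL (TLS): server authentication is required, nothing to report
        default { $findings.Add('SecurityLayer not set in either key: the built-in default (Negotiate, per the policy text) applies') }
    }
    if ($null -eq $enc.Value -or [int]$enc.Value -lt 3) {
        $findings.Add(('MinEncryptionLevel={0} ({1}): below High (3); relevant when the RDP Security Layer is used' -f $enc.Value, $EncryptionLevelName[[int]$enc.Value]))
    }
    if ([int]$nla.Value -ne 1) {
        $findings.Add('UserAuthentication!=1: Network Level Authentication is not required')
    }

    # Cross-check against the listener as WMI sees it (same class the post uses in section 5).
    $wmi = Get-CimInstance -Namespace 'root\cimv2\terminalservices' -ClassName Win32_TSGeneralSetting `
               -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecurityLayer        = '{0} ({1}) from {2}' -f $layer.Value, $SecurityLayerName[[int]$layer.Value], $layer.Source
        MinEncryptionLevel   = '{0} ({1}) from {2}' -f $enc.Value, $EncryptionLevelName[[int]$enc.Value], $enc.Source
        UserAuthentication   = '{0} from {1}' -f $nla.Value, $nla.Source
        WmiSecurityLayer     = if ($wmi) { $wmi.SecurityLayer } else { 'n/a' }
        WmiMinEncryption     = if ($wmi) { $wmi.MinEncryptionLevel } else { 'n/a' }
        WmiNlaRequired       = if ($wmi) { $wmi.UserAuthenticationRequired } else { 'n/a' }
        Findings             = $findings
    }
}

Test-RdpSecurity | Format-List
```

On a hardened host the expected result is SecurityLayer 2, MinEncryptionLevel 3 or 4, UserAuthentication 1 and an empty Findings list; a mismatch between the registry view and the WMI view usually means a Group Policy value is overriding what was set through Server Manager or WMI.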

Relevant Link:

https://technet.microsoft.com/en-us/library/cc770833(v=ws.11).aspx
http://winintro.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SECURITY_LAYER_POLICY&Language=zh-cn
https://rdpguard.com/windows-server-how-to-catch-failed-logons.aspx
https://technet.microsoft.com/en-us/magazine/ff458357.aspx

 

2. Configure Network Level Authentication for Remote Desktop Services Connections

3. Configure Client Logon Information for Remote Desktop Services Connections

4. Configure Permissions for Remote Desktop Services Connections

5. Logging the RDP Source IP in SSL Mode

Many similar questions can be found online: once SSL mode is configured for RDP authentication, the Windows Security event log no longer records the source IP of failed logons (the source network address field of the failed-logon event 4625 is empty or "-"). The reason:

This is because the client is authenticating via a network logon.
With the SSL security layer (and Network Level Authentication), the credentials are validated by the network authentication path (CredSSP carrying NTLM or Kerberos inside the TLS channel) before the RDP session is created, so the failure is recorded as a network logon (logon type 3) rather than through the RDP session logon, and the client address is not carried into the event.

0x1: Solution 1

secpol.msc: open Local Policies | Security Options and set "Network security: Restrict NTLM: Incoming NTLM traffic" to "Deny all accounts". Caveat: this blocks every incoming NTLM authentication on the host, not only RDP, so NLA logons from non-domain clients and any other NTLM-dependent service will fail; test it before rolling it out.

0x2: Solution 2

Capture the authentication attempt directly at the NTLMSSP/network level rather than from the event log, because in SSL mode the NTLM authentication is completed inside the TLS channel by CredSSP before the application-layer RDP session is established.

0x3: Solution 3

gpedit.msc: Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security
Explicitly set "Require use of specific security layer for remote (RDP) connections" to "RDP Security Layer". Caveat: this is a downgrade. The RDP Security Layer does not authenticate the server and NLA no longer applies, so clients cannot detect a man-in-the-middle and the full logon screen is reachable before any credential is checked. On Windows 8 / Windows Server 2012 and later, prefer keeping SSL and reading the client IP from the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log (event 140 is logged with the client address when the user name or password is wrong).

0x4: Changing the setting via WMI

# Set the listener to the RDP Security Layer (0 = RDP Security Layer, 1 = Negotiate, 2 = SSL). This writes the per-listener value under WinStations\RDP-Tcp; a Group Policy value under the Policies key still takes precedence.
(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetSecurityLayer(0)
# Read the listener settings back (SecurityLayer, MinEncryptionLevel, UserAuthenticationRequired) to confirm the change
(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'")

0x5: Modifying the registry

1. Import a registry file

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"SecurityLayer"=dword:00000000

0 = RDP Security Layer (1 = Negotiate, 2 = SSL)

2. Modify the registry with PowerShell

This is a machine policy, so the value lives under HKLM, not HKCU; the path contains spaces and must be quoted, and the type is DWord. The key is created first because it does not exist until a policy has been set.

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name SecurityLayer -Value 0 -Type DWord
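The following script is an added example and is not part of the original post. It demonstrates the alternative to downgrading the security layer: collecting source IPs of failed RDP logons from the event logs while SSL/NLA stays on. It reads Security event 4625 (where the address is usually "-" under NLA) and RdpCoreTS/Operational event 140 (which carries the client address), and aggregates by IP for alerting or blocking. It assumes Windows PowerShell 5.1 or later run as Administrator on Windows 8 / Server 2012 or later; the IPv4-only regex and the function names are this example's own.

```powershell
# Added example, not from the original post: collect source IPs of failed RDP logons
# without downgrading to the RDP Security Layer. Assumes PowerShell 5.1+ as Administrator
# on Windows 8 / Server 2012 or later (the RdpCoreTS/Operational log does not exist earlier).

$RdpCoreTsLog = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'

function ConvertFrom-SecurityEventData {
    # Turn the <EventData><Data Name="..."> elements of a Security event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-FailedRdpLogon {
    param([int]$Hours = 24, [int]$MaxEvents = 500)
    $since   = (Get-Date).AddHours(-$Hours)
    $results = New-Object 'System.Collections.Generic.List[object]'

    # Security 4625: failed logon. Under NLA the logon is type 3 (network) and IpAddress is "-".
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $sec) {
        $f = ConvertFrom-SecurityEventData -Event $e
        $results.Add([pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = 'Security/4625'
            User      = ('{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName'])
            LogonType = $f['LogonType']
            IpAddress = $f['IpAddress']
        })
    }

    # RdpCoreTS 140: "A connection from the client computer with an IP address of X failed
    # because the user name or password is not correct." The address is taken from the
    # rendered message with an IPv4-only regex (assumption of this example; extend for IPv6).
    $rdp = Get-WinEvent -FilterHashtable @{ LogName = $RdpCoreTsLog; Id = 140; StartTime = $since } `
                        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $rdp) {
        $msg = [string]$e.Message
        $ip  = if ($msg -match '(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] } else { $null }
        $results.Add([pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = 'RdpCoreTS/140'
            User      = $null          # event 140 does not name the account
            LogonType = $null
            IpAddress = $ip
        })
    }

    $results | Sort-Object Time
}

function Get-FailedRdpLogonByIp {
    # Aggregate the last N hours by client address, dropping events that carry no address.
    param([int]$Hours = 24)
    Get-FailedRdpLogon -Hours $Hours |
        Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'IpAddress'; e = { $_.Name } }, Count,
                      @{ n = 'Last'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } }
}

Get-FailedRdpLogonByIp -Hours 24 | Format-Table -AutoSize
```

Correlating the two logs by time gives both the account (from 4625) and the client address (from 140) for the same attempt; the same query can be fed to a firewall rule or a SIEM instead of the syslogevent callback mentioned in section 1, without giving up TLS server authentication.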

Relevant Link:

http://serverfault.com/questions/399878/security-log-in-event-viewer-does-not-store-ips
http://wutils.com/wmi/root/cimv2/terminalservices/win32_tsgeneralsetting/#setsecuritylayer_methods
http://www.2cto.com/Article/201505/402965.html
https://msdn.microsoft.com/en-us/library/aa383640(v=vs.85).aspx
http://wutils.com/wmi/root/cimv2/terminalservices/win32_tsaccount/vbscript-samples.html
http://www.gszadc.com/6509226.html
http://www.chipa.org/2015/11/remote-desktop-certificates-with-internal-enterprise-ca/
http://www.dotnetspider.com/attachments/Resources/16540-15624-wmi_terminalserver_scripts.htm
http://www.cnblackhat.com/Article/201512/132400.html
http://www.activexperts.com/admin/scripts/wmi/vbscript/0648/
https://gallery.technet.microsoft.com/Powershell-script-to-9d66257a
http://www.lazywinadmin.com/2014/04/powershell-getset-network-level.html
http://www.serhatakinci.com/index.php/windows-rdp-guvenligi.html

 

Copyright (c) 2016 LittleHann All rights reserved
