Public/Set-HardenedRDP.ps1

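function Set-HardenedRDP
{
    <#
    .SYNOPSIS
        Writes Remote Desktop hardening settings as local policy registry values.

    .DESCRIPTION
        Each parameter maps to exactly one DWORD registry value: the session, redirection and
        encryption settings live under the Terminal Services policy key, the server-side Restricted
        Admin switch under HKLM\System\CurrentControlSet\Control\Lsa, and the client-side enforcement
        under HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation.

        Only settings whose parameter was supplied are written, so any subset can be applied in one
        call. A [Nullable] parameter that is left at $null is skipped; passing $false (or 0) writes
        the value explicitly, which lets a caller turn a control off as well as on.

        All writes go through Set-RegistryKey, which must be available from the calling module.

    .PARAMETER MaxDisconnectionTime
        Time limit for disconnected sessions (registry value MaxDisconnectionTime, CIS 18.9.52.3.10.2).

    .PARAMETER MaxIdleTime
        Time limit for active but idle sessions (registry value MaxIdleTime, CIS 18.9.52.3.10.1).

    .PARAMETER DisableRedirectCOM
        $true writes fDisableCcm=1 to block COM port redirection (CIS 18.9.52.3.3.1).

    .PARAMETER DisableRedirectCdm
        $true writes fDisableCdm=1 to block drive redirection (CIS 18.9.52.3.3.2).

    .PARAMETER DisableRedirectLPT
        $true writes fDisableLPT=1 to block LPT port redirection (CIS 18.9.52.3.3.3).

    .PARAMETER DisableRedirectPNP
        $true writes fDisablePNPRedir=1 to block Plug and Play device redirection (CIS 18.9.52.3.3.4).

    .PARAMETER MinEncryptionLevel
        Client connection encryption level (registry value MinEncryptionLevel, CIS 18.9.52.3.9.3).
        'High Level' maps to 3, 'Client Compatible' to 2 and 'Low Level' to 1; anything below
        'High Level' relaxes this control rather than hardening it.

    .PARAMETER DisableRestrictedAdmin
        Writes the LSA value DisableRestrictedAdmin. $true (=1) turns Restricted Admin mode off on
        this host, i.e. it weakens rather than hardens; $false (=0) re-enables it.

    .PARAMETER EnforceRestrictedAdmin
        Client-side enforcement (registry value RestrictedRemoteAdministration):
        'Require Restricted Admin' = 1, 'Require Remote Credential Guard' = 2,
        'Restrict credential delegation' = 3, 'Disabled' = 0.
        See https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.CredentialsSSP::RestrictedRemoteAdministration

    .EXAMPLE
        Set-HardenedRDP -MaxIdleTime 900000 -DisableRedirectCdm $true -MinEncryptionLevel 'High Level' -Verbose
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$False, HelpMessage="Set time limit for disconnected sessions")]
        [Nullable[Int]]$MaxDisconnectionTime,

        [Parameter(Mandatory=$False, HelpMessage="Set time limit for active but idle Remote Desktop")]
        [Nullable[Int]]$MaxIdleTime,

        [Parameter(Mandatory=$False, HelpMessage="Do not allow COM port redirection")]
        [Nullable[Boolean]]$DisableRedirectCOM,

        [Parameter(Mandatory=$False, HelpMessage="Do not allow Drive redirection")]
        [Nullable[Boolean]]$DisableRedirectCdm,

        [Parameter(Mandatory=$False, HelpMessage="Do not allow LPT port redirection")]
        [Nullable[Boolean]]$DisableRedirectLPT,

        [Parameter(Mandatory=$False, HelpMessage="Do not allow supported Plug and Play device redirection")]
        [Nullable[Boolean]]$DisableRedirectPNP,

        [Parameter(Mandatory=$False, HelpMessage="Strong Encryption for Windows Remote Desktop")]
        [ValidateSet('High Level', 'Low Level', 'Client Compatible')]
        [string]$MinEncryptionLevel,

        [Parameter(Mandatory=$False, HelpMessage="Disable server side")]
        [Nullable[Boolean]]$DisableRestrictedAdmin,

        [Parameter(Mandatory=$False, HelpMessage="Configure Restricted Admin mode")]
        [ValidateSet('Disabled', 'Require Restricted Admin', 'Require Remote Credential Guard', 'Restrict credential delegation')]
        [string]$EnforceRestrictedAdmin
    )

    # Every Terminal Services setting below lives under this policy key.
    $TsPolicyPath = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Writes a [Nullable[Boolean]] parameter as a 0/1 DWORD. $null means "not requested" and is
    # skipped; $false is a deliberate 0 and is written. The cast is parenthesised on purpose:
    # in argument mode "[Int]$Value" would be passed to Set-RegistryKey as the string "[Int]True".
    function Set-BooleanPolicyValue
    {
        param (
            [string]$Path,
            [string]$Name,
            [Nullable[Boolean]]$Value,
            [string]$Message
        )

        if ($null -eq $Value)
        {
            return
        }
        Write-Verbose "$Message to '$Value'"
        Set-RegistryKey -Path $Path -Name $Name -Type "Dword" -Value ([Int]$Value)
    }

    # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    # Set time limit for disconnected sessions
    # CIS Index : 18.9.52.3.10.2
    # "$null -ne" rather than truthiness so an explicit 0 is written instead of ignored.
    if ($null -ne $MaxDisconnectionTime)
    {
        Write-Verbose "+ Set time limit for disconnected sessions to '$MaxDisconnectionTime'"
        Set-RegistryKey -Path $TsPolicyPath -Name "MaxDisconnectionTime" -Type "Dword" -Value ([Int]$MaxDisconnectionTime)
    }

    # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    # Set time limit for active but idle Remote Desktop
    # CIS Index : 18.9.52.3.10.1
    if ($null -ne $MaxIdleTime)
    {
        Write-Verbose "+ Set time limit for active but idle Remote Desktop to '$MaxIdleTime'"
        Set-RegistryKey -Path $TsPolicyPath -Name "MaxIdleTime" -Type "Dword" -Value ([Int]$MaxIdleTime)
    }

    # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    # Do not allow COM port redirection
    # CIS Index : 18.9.52.3.3.1
    Set-BooleanPolicyValue -Path $TsPolicyPath -Name "fDisableCcm" -Value $DisableRedirectCOM `
        -Message "+ Do not allow COM port redirection"

    # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    # Do not allow Drive redirection
    # CIS Index : 18.9.52.3.3.2
    Set-BooleanPolicyValue -Path $TsPolicyPath -Name "fDisableCdm" -Value $DisableRedirectCdm `
        -Message "+ Do not allow drive redirection"

    # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    # Do not allow LPT port redirection
    # CIS Index : 18.9.52.3.3.3
    Set-BooleanPolicyValue -Path $TsPolicyPath -Name "fDisableLPT" -Value $DisableRedirectLPT `
        -Message "+ Do not allow LPT port redirection"

    # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    # Do not allow supported Plug and Play device redirection
    # CIS Index : 18.9.52.3.3.4
    Set-BooleanPolicyValue -Path $TsPolicyPath -Name "fDisablePNPRedir" -Value $DisableRedirectPNP `
        -Message "+ Do not allow supported Plug and Play device redirection"

    # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    # Strong Encryption for Windows Remote Desktop Required
    # CIS Index : 18.9.52.3.9.3
    # ValidateSet guarantees the key exists; 3 is the only value that strengthens the control.
    if ($MinEncryptionLevel)
    {
        $EncryptionLevels = @{
            'High Level'        = 3
            'Client Compatible' = 2
            'Low Level'         = 1
        }
        Write-Verbose "+ Strong Encryption for Windows Remote Desktop Required to '$MinEncryptionLevel'"
        Set-RegistryKey -Path $TsPolicyPath -Name "MinEncryptionLevel" -Type "Dword" -Value $EncryptionLevels[$MinEncryptionLevel]
    }

    # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    # Disable server side
    # DisableRestrictedAdmin=1 switches Restricted Admin mode off on this host; $false writes 0.
    Set-BooleanPolicyValue -Path "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" `
        -Value $DisableRestrictedAdmin -Message "+ Disable Restricted Admin"

    # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    # Enforce client side
    # See https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.CredentialsSSP::RestrictedRemoteAdministration
    if ($EnforceRestrictedAdmin)
    {
        # 'Disabled' is the only ValidateSet member not listed here and falls through to 0.
        $RaLevels = @{
            'Require Restricted Admin'       = 1
            'Require Remote Credential Guard' = 2
            'Restrict credential delegation'  = 3
        }
        $RaSetting = 0
        if ($RaLevels.ContainsKey($EnforceRestrictedAdmin))
        {
            $RaSetting = $RaLevels[$EnforceRestrictedAdmin]
        }
        Write-Verbose "+ Enforce client side to '$EnforceRestrictedAdmin'"
        Set-RegistryKey -Path "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation" -Name "RestrictedRemoteAdministration" -Type "Dword" -Value $RaSetting
    }
}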