How to make the RDP PCI DSS Compliant with TLS 1.2 - Windows Server 2012, R2 and 2016

PCI DSS is must require for companies that accept card payments. It recommends the best practices for server security for almost every service which can be accessed remotely from the server. RDP Encryption is not good enough alone, we will have to change the server defaults and remove any backward compatibility which is not recommended by the PCI compliance.

On this page I'm going to start from basics but will cover almost every point. First of all, its recommend to change Server defaults including the default Administrator username (as a safety from brute force attack), strict password policy, disable backward compatibility using Security Policy and enforce NTLM authentication with Encryption certificate template for TLS 1.2

PCI compliance require a verified TLS 1.2 certificate from an authority which we will setup using MMC and PowerShell and In the end we will verify TLS 1.2 certificate implementation using Microsoft Message analyzer

Steps to Change default Administrator username:

  • Right click on Windows icon on bottom left and select "Computer Management".
  • On the left pane select "Local Users and Group"
  • Select "Users" folder
  • Right click on the "Administrator" account and rename it to something uncommon, do not use any guessable name for any of the Windows account.
Strict Password Policy:
  • Right click on Windows icon on bottom left and select Run
  • Enter "SecPol.msc" & hit Enter or click OK
  • On left pane select "Account Policies", here you will see two more folders i.e. "Password Policy" and "Account Lockout Policy", you can setup values as per your discretion
Disable any backward compatibility:
  • Enter "SecPol.msc" & hit Enter or click OK, on left pane select "Local Policies"
  • Under "Security Options", change the following options to the give values:
    1. Network Security: LAN Manager authentication leve: change it to Send NTLMv2 response only. Refuse LM & NTLM
    2. Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients: Select both the options here
    3. Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers: Select both the options here
    4. Network Security: Restrict NTLM: Auditing for Incoming NTLM traffic: change it to Enable auditing for all accounts
NTLM authentication & TLS 1.2 certificate template Setup using Group Policy:
  • Right click on Windows icon on bottom left and select Run
  • Enter "gpedit.msc" & hit Enter or click OK
  • You will see the Group Policy Editor window, on left pane select:
    Computer Configuration ->
    Administrative Template ->
    Windows Components ->
    Remote Desktop Services ->
    Remote Desktop Session Host ->
    Security
  • Under Security we will change the following settings:
    1. Server authentication certificate template: Select Enabled
      inside the input box, enter TLS 1.2 click Apply and OK to close the window
    2. Set client connection encryption level: Select Enabled and on Encryption level dropdown select High Level
    3. Require use of specific security layer for remote (RDP) connections: Select Enabled and on Security layer dropdown select SSL
    4. Require user authentication for remote connections by using Network Level Authentication: Select Enabled
Install the verified TLS 1.2 certificate you bought from a certificate authority:
  • Right click on Windows icon on bottom left and select Run
  • Enter MMC & hit Enter or Click OK, a Console1 window will appear
  • On File menu select Add/Remove snap-in...
  • Select Certificates on left pane & click the Add button at the center
  • Select Computer Account & click Next
  • Select Local Computer & click finish
  • On left pane select Certificates (Local Computer) -> Personal
  • Inside Personal folder, you may or may not find a Certificates subfolder, but its ok in either case
  • If not already, we will import the TLS 1.2 certificate here inside Personal folder Right click -> All Tasks -> Import
  • By default, Local Machine is selected, click Next
  • Browse the file path and select the file here, click Next
  • Enter Password for the certificate & click Next
  • Select Place All certificates in the following Store, Click Browse to Select Personal folder, we can also select Remote Desktop folder here but only one is required...
  • Click Next and Click Finish
  • You should see your certificate inside Personal -> Certificates or Remote Desktop -> Certificate folder (whichever you selected)
  • Double click the certificate you want Remote Desktop to use and Click the Details tab
  • Select All under Show: and scroll down to the Thumbprint field and select the Thumbprint field.
  • Copy the text of the hash, paste it in a notepad and remove all spaces from your copied hash
  • Open PowerShell as an Administrator
  • Run these commands in power-shell (replace #YourHash# with your Thumbprint from the notepad). run these commands in each line one after the other. PowerShell should show a message that all went successful
    $TSGeneralSetting = Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
    $Hash = "#YourHash#"
    $TSGeneralSetting.SSLCertificateSHA1Hash = $Hash
    $TSGeneralSetting.put()

  • If PowerShell gave you any issue than ignore the above command and try these one below in Command Prompt (Admin):
  • wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="#YourHash#"

  • You can also try these below commands in PowerShell if you only have one certificate in personal folder in computer store, this will pick up the 1st certificate hash value and use it for RDP
  • $tsgs = gwmi -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
  • $thumb = (gci -path cert:/LocalMachine/My | select -first 1).Thumbprint
  • swmi -path $tsgs.__path -argument @{SSLCertificateSHA1Hash="$thumb"}

  • Note: Source for the above commands is serverfault
Verify the TLS 1.2 certificate implementation using Microsoft Message analyzer:
  • Run these commands in Command Prompt (Admin) on a client computer, replace #ServerIP# with server's IP address:
    C:\Windows\System32> netsh trace start capture = yes ipv4.address = #ServerIP#
    C:\Windows\System32> mstsc -v #ServerIP#
    C:\Windows\System32> netsh trace stop
    Tracing session was successfully stopped.
  • You will get the Trace File location as a filepath to \NetTrace.etl
  • Open the saved NetTrace.etl file in Microsoft Message analyzer and look for the Client Handshake inside the Module column against TLS value
  • Expand the details below and you should see Version: TLS 1.2
Furthermore, but not a requirement by PCI compliance:
  • Install an Intrusion Detection System on your server, I recommend ServerCloak
  • Set Firewall policy to allow RDP, FTP and other development team access to authorized IP address only.




How to capture IP Addreess in Event ID 4625

Server Cloak do work even when Event ID 4625 failed to capture the Source IP Address by monitoring log from RemoteDesktopServices's Core. I've tested the same on Server 2012 & R2 & Server 2016. Its possible and secure to use Server Cloak with NTLM enable and with encrypted connection.

The issue:
While using any other Intrusion Detection systems like Cyberarms IDDS or Syspeace on Microsoft servers the Remote Desktop connection can be used with or without NTLM. But the point is that you won't be able to capture failed login attempts while using a secure NTLM or NTLMv2. Apparently this is a known bug in NTLM authentication and Microsoft has not fixed it till date.

The solution for other Intrusion Detection systems is to use the User32 as logon process instead of NTML. This works good with Windows Server 2008 R2 and newer Windows Servers, I've tested the same upto Windows Server 2016.

Workaround: for other Intrusion Detection systems Change the below settings to switch from NTLM to User32 logon process, the process to setup User32 logon process is mostly similar in Windows Operating Systems/Servers.

System Properties -> Remote ->
* Select Allow Remote Connections to this computer
* Do not select Allow connections only from computers running Remote Desktop with Network Level Authentication

Security Policy (secpol.msc) -> Local Policy -> Security Options
* Network Security -> Incoming NTLM Traffic : Deny All Account
* Network Security -> NTLM authentication in this domain : Deny All

Watch this on Youtube

Note : User32 is not a recommend method as its not secured or encrypted




Server Cloak - Intrusion Prevention System

Server Cloak is an Intrusion Prevention System that works with windows firewall developed to protect windows servers from attacks that are intended to hack the server or provide any operational damage. By keeping eye on event logs in windows event viewer and sniffing system's network activities Server Cloak capture and log any failed/denied inbound calls from IPv4 as well as IPv6. Once the calls reaches its limit, the service immediately tells windows firewall to block the attacking IP by adding a denial inbound firewall rule.

Download ServerCloak

Features
Server Cloak verifies and keep windows firewall enabled all the times. With having intrusion detection and prevention system enabled and firewall defense system for windows Server Cloak protects the following windows features

  1. Active Directory
  2. Mail Server
  3. Microsoft Sql Server
  4. File Transfer Protocol
  5. Remote Desktop Protocol - ServerCloak capture the IP address even when Event ID 4625 is missing source IP
  6. File Maker
  7. Kerberos
  8. Windows Security
  9. Routing and Remote Access
  10. Windows Firewall if firewall got disabled, Server Cloak re-enables it within minutes

Supported Operating Systems

  1. Windows 7 or later. Developed and tested on Windows 8.1
  2. Windows Server 2008 R2 or later. Tested and deployed on Windows Server 2008 R2 & Windows Server 2012 R2 based production servers
    Note : Windows Server 2008 is based on Windows Vista so Server Cloak is not compatible with Windows Server 2008 (non-R2 version), whereas it is fortunate that Windows Server 2008 R2 is based on Windows 7, I've tried and tested Server Cloak on Windows 2008 R2 and is fully compatible.

System Requirements

  1. Microsoft .Net Framework 4.5, Latest version available here
  2. 1Ghz higher multi-core CPU, Intel Dual Core or better
  3. 1GB RAM
  4. Windows firewall must be enabled, If not enabled Server Cloak will try to enable windows firewall automatically.

Download ServerCloak



Previous version is available on github.




Minify and compress content files like .axd, .js and .css on runtime with caching

The content files are not minimized by default. I've created a module that handle all the content files like .axd, .css, .js file requests and render it after minify and caching with http compression.

Useage:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<add name="ContentModule" type="ContentModule"/>
</modules>
</system.webServer>

Download Now

View Project on Github