Puppet Class: cis_security_hardening_windows::remote_desktop
- Defined in:
- manifests/remote_desktop.pp
Overview
Windows remote_desktop class. It is called from the cis_security_hardening_windows class when $allow_remote_desktop is true.
# File 'manifests/remote_desktop.pp', line 11
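# @summary Relaxes the Windows baseline just far enough for Remote Desktop to work.
#
# Windows remote_desktop class. It is called from the cis_security_hardening_windows
# class when $allow_remote_desktop is true. Everything it does is a *loosening* of
# the hardened baseline: two inbound firewall rules, five registry overrides and,
# optionally, two local-security-policy overrides. Review each of them before
# enabling RDP on a host.
#
# @param trusted_rdp_subnets
#   Remote addresses allowed to reach TCP/UDP 3389 (passed straight through to
#   windows_firewall_rule's remote_address, so use whatever form that type accepts).
#   When empty, the rules fall back to 'any' and admit every remote address on the
#   domain and private profiles.
# @param remote_local_accounts
#   When true, 'Deny log on through Remote Desktop Services' and 'Deny access to
#   this computer from the network' are reduced to 'Guests' so that local (non-domain)
#   accounts can log on over RDP.
class cis_security_hardening_windows::remote_desktop (
  $trusted_rdp_subnets,
  $remote_local_accounts,
) {
  # Ensure this class is only called from within the module
  assert_private()

  # Evaluate the remote-address selector once, outside the resource bodies; this
  # keeps both firewall rules identical and drops the selector_inside_resource
  # lint ignore. An empty $trusted_rdp_subnets deliberately widens the rules to
  # 'any' remote address (the profile list below still excludes 'public').
  $rdp_remote_address = $trusted_rdp_subnets.empty ? {
    true  => 'any',
    false => $trusted_rdp_subnets,
  }

  # One inbound rule per transport. Both target the TermService listener hosted
  # in svchost.exe on port 3389.
  ['tcp', 'udp'].each |String $proto| {
    $proto_uc = $proto.upcase
    windows_firewall_rule { "Remote Desktop - User Mode (${proto_uc}-In)":
      ensure                => 'present',
      description           => "Inbound rule for the Remote Desktop service to allow RDP traffic. [${proto_uc} 3389]",
      action                => 'allow',
      enabled               => true,
      local_address         => $facts['networking']['ip'],
      remote_address        => $rdp_remote_address,
      local_port            => '3389',
      protocol              => $proto,
      remote_port           => 'any',
      direction             => 'inbound',
      profile               => ['domain', 'private'],
      program               => 'C:\Windows\system32\svchost.exe',
      service               => 'termservice',
      interface_type        => ['any'],
      edge_traversal_policy => 'block',
    }
  }

  # Registry overrides required for RDP to function. These are applied as
  # collector overrides on registry_value resources that the baseline already
  # declares (matched by title), so each key here must exist in that baseline.
  $rdp_registry_keys = {
    # Allow users to connect remotely by using Remote Desktop Services is NOT set to Disabled
    'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections'                     => 0,
    'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections'             => 0,
    # Ensure 'Require user authentication for remote connections by using Network Level Authentication' is NOT set to 'Enabled'
    # NOTE(review): a value of 0 disables Network Level Authentication, so the
    # listener negotiates a session before the client has authenticated. RDP
    # connectivity does not depend on this; confirm the override is intended
    # rather than carried over with the other "make RDP work" keys.
    'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' => 0,
    'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\UserAuthentication'             => 0,
    # Remote Desktop Services (TermService) is NOT set to Disabled (2 = automatic start)
    'HKLM\SYSTEM\CurrentControlSet\Services\TermService\Start'                                     => 2,
  }

  # Apply registry keys
  $rdp_registry_keys.each |$key, $value| {
    Registry_value <| title == $key |> { data => $value }
  }

  # Allow local accounts to log on via RDP so that non-domain-joined computers can
  # be remotely accessed. Both deny lists are reduced to 'Guests' only; note that
  # the second right governs every network logon to the host, not just RDP.
  if $remote_local_accounts {
    Local_security_policy <| title == 'Deny log on through Remote Desktop Services' |> { policy_value => 'Guests' }
    Local_security_policy <| title == 'Deny access to this computer from the network' |> { policy_value => 'Guests' }
  }

  # Ensure service is enabled and running
  service { 'TermService':
    ensure => running,
    enable => true,
  }
}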