18.9.62.3.2.1 Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting allows you to configure remote access to computers by using Remote Desktop Services.

The recommended state for this setting is: Disabled.

Rationale:

Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges.

Impact:

None - this is the default configuration, unless Remote Desktop Services has been manually enabled on the Remote tab in the System Properties sheet.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to Disabled:

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Administrative Templates)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Computer Configuration/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
Setting Name: Allow users to connect remotely by using Remote Desktop Services
Configuration: Disabled

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Default Value:

Disabled. (Users cannot connect remotely to the target computer by using Remote Desktop Services, unless it has been manually enabled from the Remote tab in the System Properties sheet.)

See Also

https://workbench.cisecurity.org/files/3358