Detections
Analytics
18.10.57.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' - Enabled
Information
This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session.The recommended state for this setting is: Enabled.
Rationale:
In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer.
Impact:
Users in a Remote Desktop Services session will not be able to redirect their supported (local client) Plug and Play devices to the remote computer.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow supported Plug and Play device redirection
Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Default Value:
Disabled. (Remote Desktop Services allows redirection of supported Plug and Play devices.)
18.10.57.3.4 Licensing
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.10.57.3.5 Printer Redirection
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.10.57.3.6 Profiles
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.10.57.3.7 RD Connection Broker (formerly TS Connection Broker)
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Note: This section was initially named TS Connection Broker but was renamed by Microsoft to RD Connection Broker starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
18.10.57.3.8 Remote Session Environment
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.10.57.3.9 Security
This section contains recommendations related to Remote Desktop Session Host Security.
This Group Policy section is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
See Also
Item Details
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-7b.
Plugin: Windows
Control ID: 9437ce9900b88dd2102bccfaaabee6ee7482e311a4ff2c361e4dd140a83fba9b