
Which rules from finding_list_cis_microsoft_windows_server_2022_21h1_1.0.0_machine affect RDP? #37

Open
gustavosaes opened this issue Jul 5, 2023 · 15 comments

@gustavosaes

Hello,

I'm trying to harden a Windows Server 2022 VM on Azure using the list finding_list_cis_microsoft_windows_server_2022_21h1_1.0.0_machine. When I run HardeningKitty, RDP is disabled and then I can't access the VM via RDP using an admin user or any other local user.

@0x6d69636b
Member

Hi Gustavo,

See rules 2.2.21 and 2.2.26 for a member server; they disable access over the network/RDP for local user accounts.

cis_windows_server_2022_v1 0 0 0_rdp

@0x6d69636b 0x6d69636b self-assigned this Jul 6, 2023
@gustavosaes
Author

gustavosaes commented Jul 6, 2023

I already removed these rules but that didn't work.

I realized that the VM is blocking connections to the RDP port from any other machine in the same network. But if I run this command inside the VM (I'm using "Run Command" on the Azure portal to execute these commands):

```powershell
Test-NetConnection -ComputerName "localhost" -CommonTCPPort "RDP" -InformationLevel "Detailed"
```

OUTPUT:

```text
ComputerName            : localhost
RemoteAddress           : 127.0.0.1
RemotePort              : 3389
NameResolutionResults   : 127.0.0.1
MatchingIPsecRules      : 
NetworkIsolationContext : Loopback
InterfaceAlias          : Loopback Pseudo-Interface 1
SourceAddress           : 127.0.0.1
NetRoute (NextHop)      : 0.0.0.0
TcpTestSucceeded        : True
```

The connection works, as you can see in the output above.

Do you have any other suggestion?

I already tried to exempt these rules:

```powershell
$filters = {
    # $_.RegistryItem -ne "AllowRemoteShellAccess" -and
    $_.RegistryItem -ne "AllowAutoConfig" -and
    $_.RegistryItem -ne "FilterAdministratorToken" -and
    $_.RegistryItem -ne "DontDisplayLastUserName" -and
    $_.RegistryItem -ne "DllName" -and
    $_.RegistryItem -ne "fPromptForPassword" -and
    $_.MethodArgument -ne "SeDenyRemoteInteractiveLogonRight" -and
    $_.MethodArgument -ne "SeDenyNetworkLogonRight" -and
    $_.id -ne "18.9.65.2.2" -and
    $_.id -ne "18.9.65.3.2.1" -and
    $_.id -ne "18.9.65.3.3.1" -and
    $_.id -ne "18.9.65.3.3.2" -and
    $_.id -ne "18.9.65.3.3.3" -and
    $_.id -ne "18.9.65.3.3.4" -and
    $_.id -ne "18.9.65.3.3.5" -and
    $_.id -ne "18.9.65.3.3.6" -and
    $_.id -ne "18.9.65.3.9.2" -and
    $_.id -ne "18.9.65.3.9.3" -and
    $_.id -ne "18.9.65.3.9.4" -and
    $_.id -ne "18.9.65.3.9.5" -and
    $_.id -ne "18.9.65.3.10.1" -and
    $_.id -ne "18.9.65.3.10.2" -and
    $_.id -ne "18.9.65.3.11.1" -and
    $_.id -ne "18.9.65.3.11.2" -and
    $_.id -ne "18.8.36.1" -and
    $_.id -ne "18.8.36.2" -and
    $_.id -ne "2.2.21" -and
    $_.id -ne "2.2.26"
}
```

@0x6d69636b
Member

  1. Did you undo the changes of the rules 2.2.21 and 2.2.26 and remove the entries for the local accounts?
  2. If you can't reach the RDP port over the network, it could be a firewall problem. Perhaps the RDP rule is not active or you have an additional blocking rule?
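The two points above (the deny-logon user rights and a possible firewall block) plus the fDenyTSConnections value are the three places this thread ends up looking. The following read-only diagnostic is an added example for this thread; it is not HardeningKitty code and was not posted by anyone in the issue. It prints who is listed in SeDenyNetworkLogonRight (CIS 2.2.21) and SeDenyRemoteInteractiveLogonRight (CIS 2.2.26), flags the well-known SIDs S-1-5-113 ("Local account") and S-1-5-114 ("Local account and member of Administrators group") that cut off local RDP on a standalone server, shows both fDenyTSConnections keys, and lists enabled inbound firewall rules that block TCP 3389. The temp file name is an assumption; the rest uses standard secedit, registry and NetSecurity cmdlets.

```powershell
# Added diagnostic (not from HardeningKitty or the thread). Run in an elevated
# PowerShell session on the server itself, e.g. via Azure "Run Command".
# It only reads state and changes nothing.

$DenyRights = 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight'
$LocalSids  = @{
    'S-1-5-113' = 'Local account'
    'S-1-5-114' = 'Local account and member of Administrators group'
}

function Get-DenyLogonAssignments {
    # secedit exports the current user rights as an INI-style file with lines
    # such as:  SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114
    $inf = Join-Path $env:TEMP 'user_rights_export.inf'   # assumed temp file name
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $result = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $DenyRights -contains $Matches[1]) {
            $result[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $result
}

function Resolve-Principal([string]$Entry) {
    # Entries are usually SIDs; anything that is not a SID is kept as a literal name.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Entry)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Entry }
}

Write-Output '== User rights that deny logon (CIS 2.2.21 / 2.2.26) =='
$assignments = Get-DenyLogonAssignments
foreach ($right in $DenyRights) {
    $entries = $assignments[$right]
    if (-not $entries) { Write-Output "$right : (no one)"; continue }
    foreach ($entry in $entries) {
        $note = if ($LocalSids.ContainsKey($entry)) { '   <-- blocks local-account RDP on a standalone server' } else { '' }
        Write-Output "$right : $(Resolve-Principal $entry)$note"
    }
}

Write-Output '== fDenyTSConnections (policy key first, then the machine key) =='
foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
                 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server') {
    $v = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    Write-Output ("{0}: {1}" -f $key, $(if ($null -eq $v) { '(not set)' } else { $v }))
}

Write-Output '== Enabled inbound firewall rules that block TCP 3389 =='
# LocalPort is 'Any' or an array of ports/ranges; port ranges are not expanded here.
$blocking = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Block | Where-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    ($pf.Protocol -eq 'TCP' -or $pf.Protocol -eq 'Any') -and
    (@($pf.LocalPort) -contains 'Any' -or @($pf.LocalPort) -contains '3389')
}
if ($blocking) {
    $blocking | Select-Object DisplayName, Profile, Direction, Action | Format-Table -AutoSize
} else {
    Write-Output 'none'
}
```

If a deny right is flagged, the logon failure happens before any firewall rule matters, which is why the loopback Test-NetConnection succeeds while a real RDP session is refused; the firewall section covers the separate case of a block rule restored from a backup.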

@dmeagor

dmeagor commented Mar 4, 2024

Just reopening this as I believe I know the answer. When you run HardeningKitty on a previously taken backup, for some reason it adds a bunch of DENY firewall rules that weren't there previously. One of these is RDP.

@0x6d69636b
Member

What? That's super weird. Can you upload the backup file?

@0x6d69636b 0x6d69636b reopened this Mar 4, 2024
@dmeagor

dmeagor commented Mar 4, 2024

initial-kitty-backup.csv

This was auto-generated from our deployment runbook script. The server is remote, with RDP opened by default by the server host, so other than the emergency IPMI console there's no other way to get in if RDP were disabled. That said, I had disabled RDP UDP, shadow desktop, the app desktop one, and basically just left the standard RDP TCP port open (which was restricted to a VPN IP address range).

@0x6d69636b
Member

OK, I get it. The first backup is based on my recommendation, not CIS. My list contains firewall rules and will block RDP and other services. You can also use the -FileFindingList parameter for backups to define your chosen list.

@dmeagor

dmeagor commented Mar 4, 2024

Ok, I'm lost. I did create the backup without specifying a list, but I don't understand why that would add values to the backup that are not present in the current config. If I later apply your list and then roll back, am I still not going to get the erroneous RDP rule added? Why doesn't the backup contain a list of the previous server values?

@0x6d69636b
Member

I have found the logical error. The firewall rule is stored as false, but the restore process ignores this state. I will fix this.

0x6d69636b added a commit to 0x6d69636b/windows_hardening that referenced this issue Mar 4, 2024
@0x6d69636b
Member

Can you test the fix? It is in another repo: 0x6d69636b/windows_hardening@509f8af

@dmeagor

dmeagor commented Mar 4, 2024

I have no way to test it now as the server is live and running a production load.

@dhirajjbhasin153

dhirajjbhasin153 commented May 16, 2024

Below is the Run Command "RDPSettings" (Verify RDP Listener Settings), an auto-generated script from the Azure Portal, and its output on an Azure test VM, i.e. Windows Server 2022 Azure Edition Datacenter version 21H1 in an Azure sandbox environment, which is not joined to any domain on Azure Cloud or on-premises.

Run Command script auto-generated by Microsoft on the Azure Portal for verifying RDPSettings:

```powershell
$RDPTCPpath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp'
$TSpath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$msg = 'Set Computer Configuration\Policies\Administrative Templates: Policy definitions\Windows Components\Remote Desktop Services\Remote Desktop Session Host'

# On a standalone machine the script resets values itself; on a domain-joined
# machine it only tells the admin which policy to change.
$domainJoined = (gwmi win32_computersystem).partofdomain
if ($domainJoined) {
  Write-Host Domain: (gwmi win32_computersystem).Domain
} else {
  Write-Host Not domain joined
  Set-ItemProperty -Path $RDPTCPpath -name LanAdapter -Value 0
}

function ReadReg()
{
  Param($Path,$Name,$Expected,$Text)
  # Print "<path>\<name>: <value>" and, if an expected value was given and
  # differs, either report the policy to set (domain-joined) or reset it.
  $Value=(Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
  Write-Host ($Path+'\'+$Name+': '+$Value)
  if (!($Expected -eq $null) -and !($Expected -eq $Value)) {
    if ($domainJoined) {
      if (!($Value -eq $null)) {
        Write-Host ($msg+$Text)
      }
    } else {
      Write-Host Reset value to expected: $Expected
      Set-ItemProperty -Path $Path -Name $Name -Value $Expected -ErrorAction SilentlyContinue
    }
  }
}

ReadReg -Path $RDPTCPpath -Name PortNumber
ReadReg -Path $TSpath -Name fDenyTSConnections -Text 'Connections\Allow users to connect remotely by using Remote Desktop Services'

$t = 'Connections\Configure keep-alive connection interval'
ReadReg -Path $TSpath -Name KeepAliveEnable -Expected 1 -Text $t
ReadReg -Path $TSpath -Name KeepAliveInterval -Expected 1 -Text $t
ReadReg -Path $TSpath -Name KeepAliveTimeout -Expected 1 -Text $t

$t = 'Connections\Automatic reconnection'
ReadReg -Path $TSpath -Name fDisableAutoReconnect -Expected 0 -Text $t
ReadReg -Path $RDPTCPpath -Name fInheritReconnectSame -Expected 1 -Text $t
ReadReg -Path $RDPTCPpath -Name fReconnectSame -Expected 1 -Text $t
ReadReg -Path $RDPTCPpath -Name fInheritMaxSessionTime -Expected 1 -Text 'Session Time Limits\Set time limit for active Remote Desktop Session Services sessions'

$t = 'Session Time Limits\Set time limit for disconnected sessions'
ReadReg -Path $RDPTCPpath -Name fInheritMaxDisconnectionTime -Expected 1 -Text $t
ReadReg -Path $RDPTCPpath -Name MaxDisconnectionTime -Expected 0 -Text $t
ReadReg -Path $RDPTCPpath -Name MaxConnectionTime -Expected 0 -Text 'Session Time Limits\End session when time limits are reached'

$t = 'Session Time Limits\Set time limit for active but idle Remote Desktop Services sessions'
ReadReg -Path $RDPTCPpath -Name fInheritMaxIdleTime -Expected 1 -Text $t
ReadReg -Path $RDPTCPpath -Name MaxIdleTime -Expected 0 -Text $t
ReadReg -Path $RDPTCPpath -Name MaxInstanceCount -Expected 4294967295 -Text 'Connections\Limit number of connections'
ReadReg -Path $RDPTCPpath -Name LanAdapter -Expected 0 -Text 'TermSrv Defaults\Listen on all LAN Adapters'
ReadReg -Path $RDPTCPpath -Name TSServerDrainMode -Expected 0 -Text 'TermSrv Defaults\Disable drain mode'
ReadReg -Path $RDPTCPpath -Name fQueryUserConfigFromLocalMachine -Expected 1 -Text 'TermServ Defaults\Load user config locally'

# SIG # Begin signature block
# MIIoOQYJKoZIhvcNAQcCoIIoKjCCKCYCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# ......
# Nl+wxv2mz5AXo1voR94PIU0faG+0PyNEqP5gv4mZbcpWn6JHN0svlEXEJmwwAe/u
# StF626fxKE4KqOE2E07D0xIsW+BJm9np1+u7Cbw=
# SIG # End signature block
```

Run Command output of verifying RDPSettings on the Azure Portal for this standalone Windows Server 2022:

```text
Not domain joined
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\PortNumber: 3389
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections:
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveEnable: 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveInterval: 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveTimeout:
Reset value to expected: 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableAutoReconnect:
Reset value to expected: 0
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fInheritReconnectSame: 1
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fReconnectSame: 0
Reset value to expected: 1
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fInheritMaxSessionTime: 1
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fInheritMaxDisconnectionTime: 1
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\MaxDisconnectionTime: 0
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\MaxConnectionTime: 0
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fInheritMaxIdleTime: 1
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\MaxIdleTime: 0
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\MaxInstanceCount: 4294967295
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\LanAdapter: 0
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\TSServerDrainMode:
Reset value to expected: 0
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fQueryUserConfigFromLocalMachine:
Reset value to expected: 1
```

After executing this Run Command script, when I tried to log in to the test server via the Azure Bastion service, I got this:

image

@0x6d69636b
Member

Could you please check the "Deny log on through Remote Desktop Services" setting? If it contains NT AUTHORITY\Local account, then RDP access will no longer be possible on a standalone system (not domain-joined).

image

@dhirajjbhasin153

dhirajjbhasin153 commented May 17, 2024

Thank you very much @0x6d69636b for your prompt and swift response. This is the process I followed on the Windows Server 2022 Datacenter Azure Edition version 21H2 shown below:

image

Before applying the CIS Benchmark via HardeningKitty, these are the Local Security Policies on the standalone Windows Server 2022 version 21H2 in contention:

image

Then I executed the PowerShell script below on Windows Server 2022 Datacenter Azure Edition version 21H2 in PowerShell ISE as Admin, since the local user account is part of the Administrators group only by default during initial VM deployment on Azure Cloud (the local user account is not part of the Remote Desktop Users and Users groups by default during initial VM deployment; VM created manually):

```powershell
New-Item -Path 'C:\tmp' -ItemType Directory
cd C:\tmp
Function InstallHardeningKitty() {
    # Resolve the latest release tag (strip the leading "v.") and its zip URL
    $Version = (((Invoke-WebRequest https://api.github.com/repos/0x6d69636b/windows_hardening/releases/latest -UseBasicParsing) | ConvertFrom-Json).Name).SubString(2)
    $HardeningKittyLatestVersionDownloadLink = ((Invoke-WebRequest https://api.github.com/repos/0x6d69636b/windows_hardening/releases/latest -UseBasicParsing) | ConvertFrom-Json).zipball_url
    $ProgressPreference = 'SilentlyContinue'
    Invoke-WebRequest $HardeningKittyLatestVersionDownloadLink -Out HardeningKitty$Version.zip
    Expand-Archive -Path ".\HardeningKitty$Version.zip" -Destination ".\HardeningKitty$Version" -Force
    # The zipball contains a single top-level folder; move its contents up one level
    $Folder = Get-ChildItem .\HardeningKitty$Version | Select-Object Name -ExpandProperty Name
    Move-Item ".\HardeningKitty$Version\$Folder\*" ".\HardeningKitty$Version\"
    Remove-Item ".\HardeningKitty$Version\$Folder"
    # Install the module files (manifest, module, finding lists) under the system module path
    New-Item -Path $Env:ProgramFiles\WindowsPowerShell\Modules\HardeningKitty\$Version -ItemType Directory
    Set-Location .\HardeningKitty$Version
    Copy-Item -Path .\HardeningKitty.psd1,.\HardeningKitty.psm1,.\lists\ -Destination $Env:ProgramFiles\WindowsPowerShell\Modules\HardeningKitty\$Version\ -Recurse
    Import-Module "$Env:ProgramFiles\WindowsPowerShell\Modules\HardeningKitty\$Version\HardeningKitty.psm1"
}
InstallHardeningKitty

Import-Module .\HardeningKitty.psm1

# Back up the current values of every setting in the list before changing anything
Invoke-HardeningKitty -Mode Config -Backup -BackupFile .\myBackup.csv -FileFindingList .\lists\finding_list_cis_microsoft_windows_server_2022_21h2_1.0.0_machine.csv

# Apply the list
Invoke-HardeningKitty -Mode HailMary -Log -Report -FileFindingList .\lists\finding_list_cis_microsoft_windows_server_2022_21h2_1.0.0_machine.csv -SkipRestorePoint
```

After applying the CIS Benchmark via HardeningKitty (machine and user settings), this was the situation in Local Security Policies:

image

So I removed the Local account from this Local Security Policy as stated in the last comment and restarted the server:

image

However, even after doing that, I am not able to log in to the server. I tried this multiple times on multiple servers, restarting the server both from the Windows Server CLI and from the Azure portal, but the result is still negative and RDP access is still blocked.

Therefore, I also removed the Local account and Members of Administrators group from another Local Security Policy, which also gets modified after applying the CIS finding list, as selected below:

image

image

Finally, only after modifying both of these Local Security Policies, I was successful with RDP access, i.e.

image

I also noticed that only 2 settings were listed as failed during this HardeningKitty run:

image

This CIS setting always fails, whether we run it on Windows Server 2022 Datacenter Azure Edition 21H2 or on Windows Server 2022 Datacenter version 21H1 / 21H2.

The second setting that failed is not applicable in our case, since Windows Server 2022 Datacenter Azure Edition version 21H2 is just a standalone server and is not an Exchange Server:

image

So at this point the issue seems to be resolved.

However, I have a few small queries:

1 Query - Can we use Audit mode to retrieve all the current settings of Windows Server 2022 and give the output a custom name, rather than the default name, which includes the Windows Server name + "Standard" under List Files + timestamp?

2 Query - For remediation, can we only use HailMary mode, or can we also use Config mode?

3 Query - When I tried executing the commands below on Windows Server 2022 Datacenter Azure Edition version 21H2:

image

Then again the same issue persists: RDP access is blocked on multiple servers. In this case I also modified both Local Security Policy settings as stated above before restarting the server; however, the issue is still not resolved and RDP access is still blocked. The reason might be that Windows Server 2022 version 21H2 and Windows Server 2022 version 22H2 are different products in the Microsoft Catalog, although the base OS image is the same.

However, when I looked at the CIS Workbench website, below are all the official benchmarks published for Windows Server 2022:

CIS Azure Compute Microsoft Windows Server 2022 Benchmark v1.0.0 (Published on Jan 26th 2023)
https://workbench.cisecurity.org/benchmarks/11730

CIS Microsoft Windows Server 2022 Benchmark v1.0.0 (Published on Feb 14th 2022)
https://workbench.cisecurity.org/benchmarks/8932

CIS Microsoft Windows Server 2022 Benchmark v2.0.0 (Published on Apr 14th 2023)
https://workbench.cisecurity.org/benchmarks/12626

CIS Microsoft Windows Server 2022 Benchmark v3.0.0 (Published on Mar 19th 2024)
https://workbench.cisecurity.org/benchmarks/16913

I noticed that CIS states under all the above benchmarks that they are applicable to all versions of Windows Server 2022 Datacenter irrespective of the server version itself, if I understood correctly:

image

Since every Windows Server 2022 benchmark states that it is applicable to older versions, and we do not have a benchmark version 2.0.0 available for Windows Server 2022 Datacenter version 21H2 or Windows Server 2022 Datacenter Azure Edition version 21H2, how should we proceed further?

Can we apply the CIS finding lists below, published in HardeningKitty, on Windows Server 2022 Datacenter 21H2 Azure Edition?

https://github.com/scipag/HardeningKitty/blob/master/lists/finding_list_cis_microsoft_windows_server_2022_22h2_2.0.0_machine.csv

https://github.com/scipag/HardeningKitty/blob/master/lists/finding_list_cis_microsoft_windows_server_2022_22h2_2.0.0_user.csv

The current situation is that after applying both of the above CIS finding lists on Windows Server 2022 Datacenter Azure Edition version 21H2, RDP access is blocked again.

@0x6d69636b
Member

1 Query - Can we use Audit mode to retrieve all the current settings of Windows Server 2022 and give the output a custom name, rather than the default name, which includes the Windows Server name + "Standard" under List Files + timestamp?

Yes, you can use the ReportFile or LogFile parameters to specify your own name and path. Alternatively, you may be interested in the Backup feature.

2 Query - For remediation, can we only use HailMary mode, or can we also use Config mode?

Only HailMary mode changes the settings. However, I strongly advise you to create your own hardening list. You can start with the CIS list, but change/remove items according to your needs. For example, the CIS benchmark assumes you are using domain joined systems and therefore recommends blocking local users. This does not work for standalone systems, as you found out the hard way. So I recommend copying the CSV file and changing the values to suit your environment.

3 Query - When I tried executing the commands below on Windows Server 2022 Datacenter Azure Edition version 21H2...

CIS updates its benchmark when a new version (and new features) is released, a change log is provided at the end of the document. You can apply a CIS benchmark to an older/newer version of Windows Server. Settings for new features will have no effect, but should not be harmful.
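One way to follow the advice above (copy the CIS list, then change or remove items for a standalone server) as an added example; this is not HardeningKitty project code and was not posted by anyone in the thread. It derives a custom finding list from the CIS CSV shipped with HardeningKitty by dropping the two rules that deny local accounts network and RDP logon (IDs 2.2.21 and 2.2.26, user rights SeDenyNetworkLogonRight and SeDenyRemoteInteractiveLogonRight), reports what was dropped, and then uses the custom list for the backup and the HailMary run exactly as in the commands posted earlier in the thread. It relies on the CSV columns ID and MethodArgument (both used in the filter posted earlier) and Name; the file paths are assumptions.

```powershell
# Added example (not from HardeningKitty or the thread): build a custom finding
# list for a standalone server from the CIS list and apply it.
# Paths are assumptions; adjust them to where HardeningKitty was unpacked.
$SourceList = '.\lists\finding_list_cis_microsoft_windows_server_2022_21h2_1.0.0_machine.csv'
$CustomList = '.\finding_list_custom_standalone_machine.csv'

# Rules to drop: the CIS list assumes domain-joined systems and therefore denies
# local accounts network/RDP logon, which locks you out of a standalone server.
$ExcludedIds    = @('2.2.21', '2.2.26')
$ExcludedRights = @('SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight')

function New-CustomFindingList {
    param(
        [string]$Source,
        [string]$Destination,
        [string[]]$Ids,
        [string[]]$Rights
    )
    $all = Import-Csv -Path $Source -Delimiter ','
    $isExcluded = { $Ids -contains $_.ID -or $Rights -contains $_.MethodArgument }

    # Log every dropped rule so the deviation from CIS is visible in the run output
    $all | Where-Object $isExcluded |
        ForEach-Object { Write-Output ("dropped {0}: {1}" -f $_.ID, $_.Name) }

    $kept = @($all | Where-Object { -not (& $isExcluded) })
    # All other columns pass through unchanged, so HardeningKitty reads the
    # result exactly like the original list.
    $kept | Export-Csv -Path $Destination -NoTypeInformation -Delimiter ',' -Encoding UTF8
    return $kept.Count
}

$count = New-CustomFindingList -Source $SourceList -Destination $CustomList `
                               -Ids $ExcludedIds -Rights $ExcludedRights
Write-Output "custom list written to $CustomList with $count rules"

# Same backup-then-apply sequence as in the thread, now with the custom list
Invoke-HardeningKitty -Mode Config -Backup -BackupFile .\myBackup.csv -FileFindingList $CustomList
Invoke-HardeningKitty -Mode HailMary -Log -Report -FileFindingList $CustomList -SkipRestorePoint
```

Keeping the edited list under version control next to the runbook makes the deviation from the CIS baseline auditable, which is preferable to removing entries from the Local Security Policy by hand after every run.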


4 participants