Disable RDP Windows 10 PowerShell Script Configuration Baseline SCCM

So I was setting up a KIOSK environment using Windows 10 1709 for a client recently and we wanted to take the route of applying as few GPOs as possible (as it should be in 2018)!

Ensuring that RDP stayed disabled was something that we decided to deploy using ConfigMgr Configuration Baselines.

So the Check compliance script is as follows:

##################################################################################################################
#
#  Author: Richie Schuster - C5 Alliance - SCCMOG.com
#  Date:   06/07/2018
#  Script: Action-CheckRDPCompliance.ps1
#  Usage: Powershell.exe -ExecutionPolicy Bypass -File .\Action-CheckRDPCompliance.ps1
#
##################################################################################################################

#Variables
$TSRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$TSRegProperty = "fDenyTSConnections"
$RDPTcpRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
$RDPTcpRegProperty = "UserAuthentication"

#Names of the built-in inbound "Remote Desktop" firewall rules
$RDPUserinTCP = "RemoteDesktop-UserMode-In-TCP"
$RDPUserinUDP = "RemoteDesktop-UserMode-In-UDP"
$RDPShadinTCP = "RemoteDesktop-Shadow-In-TCP"

#Set initial values ($True means the item still needs remediation)
$TSSet = $True
$RDPTCPSet = $True
$RDPUserinTCPReturn = $True
$RDPUserinUDPReturn = $True
$RDPShadinTCPReturn = $True

#Test fDenyTSConnections state (1 = RDP connections are denied)
$TSReturn = (Get-ItemProperty -Path $TSRegPath -Name $TSRegProperty -ErrorAction SilentlyContinue).fDenyTSConnections
If ($TSReturn -eq 1) {
    $TSSet = $false
}

#Test RDP-TCP state (0 = the value the remediation script writes)
$RDPTCPReturn = (Get-ItemProperty -Path $RDPTcpRegPath -Name $RDPTcpRegProperty -ErrorAction SilentlyContinue).UserAuthentication
If ($RDPTCPReturn -eq 0) {
    $RDPTCPSet = $false
}

#Get firewall states. Enabled is an enum whose True and False members both
#evaluate to $True in a boolean test, so compare against "True" explicitly.
#A rule that does not exist yields $null, which counts as not enabled.
$RDPUserinTCPReturn = (Get-NetFirewallRule -Name $RDPUserinTCP -ErrorAction SilentlyContinue).Enabled -eq "True"
$RDPUserinUDPReturn = (Get-NetFirewallRule -Name $RDPUserinUDP -ErrorAction SilentlyContinue).Enabled -eq "True"
$RDPShadinTCPReturn = (Get-NetFirewallRule -Name $RDPShadinTCP -ErrorAction SilentlyContinue).Enabled -eq "True"

#Evaluate and report: compliant only when none of the five items is still flagged
If (!($RDPUserinTCPReturn -or $RDPUserinUDPReturn -or $RDPShadinTCPReturn -or $TSSet -or $RDPTCPSet)) {
    Write-Host "Compliant!"
}

##################################################################################################################

Ok, so now the check script is out the way, here is the remediation script:

##################################################################################################################
#
#  Author: Richie Schuster - C5 Alliance - SCCMOG.com
#  Date:   06/07/2018
#  Script: Action-RemediateRDPCompliance.ps1
#  Usage: Powershell.exe -ExecutionPolicy Bypass -File .\Action-RemediateRDPCompliance.ps1
#
##################################################################################################################

#Variables
$TSRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$TSRegProperty = "fDenyTSConnections"
$RDPTcpRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
$RDPTcpRegProperty = "UserAuthentication"

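#Remediate and Block RDP
#fDenyTSConnections = 1 denies Remote Desktop connections
Set-ItemProperty -Path $TSRegPath -Name $TSRegProperty -Value 1 -Force
#UserAuthentication = 0 (Network Level Authentication not required); the check script tests for this value
Set-ItemProperty -Path $RDPTcpRegPath -Name $RDPTcpRegProperty -Value 0 -Force
#Disable every rule in the "Remote Desktop" firewall group
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"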

#The End :)
##################################################################################################################

As always, scripts are as is, and if you do use them remember where you got them from 😉

If you would like to see the setup of this baseline let me know in the comments below.

Cheers,

SCCMOG

4 Replies to “Disable RDP Windows 10 PowerShell Script Configuration Baseline SCCM”

  1. Hi, I'm trying to use this but every time it runs it's coming back as compliant. I had to amend the script as the variables for the firewall don't exist:
    #Variables
    $TSRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
    $TSRegProperty = "fDenyTSConnections"
    $RDPTcpRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
    $RDPTcpRegProperty = "UserAuthentication"

    #Set initial values
    $TSSet = $True
    $RDPTCPSet = $True
    $RDPUserinTCPReturn = $True
    $RDPUserinUDPReturn = $True

    #Test fDenyTSConnections state
    $TSReturn = (Get-ItemProperty -Path $TSRegPath -Name $TSRegProperty -ErrorAction SilentlyContinue).fDenyTSConnections
    If ($TSReturn -eq 1) {
        $TSSet = $False
    }

    #Test RDP-TCP State
    $RDPTCPReturn = (Get-ItemProperty -Path $RDPTcpRegPath -Name $RDPTcpRegProperty -ErrorAction SilentlyContinue).UserAuthentication
    If ($RDPTCPReturn -eq 0) {
        $RDPTCPSet = $False
    }

    #Get Firewall states
    $RDPUserinTCPReturn = (Get-NetFirewallRule -Name RemoteDesktop-UserMode-In-TCP -ErrorAction SilentlyContinue).Enabled
    $RDPUserinUDPReturn = (Get-NetFirewallRule -Name RemoteDesktop-UserMode-In-UDP -ErrorAction SilentlyContinue).Enabled
    $RDPShadinTCPReturn = (Get-NetFirewallRule -Name RemoteDesktop-Shadow-In-TCP -ErrorAction SilentlyContinue).Enabled

    #Evaluate and report
    If ( ! ($TSSet) -and ($RDPTCPSet) -and ($RDPUserinTCPReturn) -and ($RDPUserinUDPReturn) -and ($RDPShadinTCPReturn))
    {
        Write-Host "Yes"
    }
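
When a baseline reports a result that does not match the machine, it helps to see each of the five settings evaluated on its own. The following is an added example, not the author's or the commenter's script: the function name Test-RdpDisabled is hypothetical, the expected values are the ones the remediation script writes, and it assumes the Configuration Item's compliance rule matches the string "Compliant!".

```powershell
# Added example, not the author's script. Test-RdpDisabled is a hypothetical name.
function Test-RdpDisabled {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $results = @()

    # Registry items, with the values the remediation script writes.
    $regChecks = @(
        @{ Path = $ts; Name = 'fDenyTSConnections'; Want = 1 },
        @{ Path = "$ts\WinStations\RDP-Tcp"; Name = 'UserAuthentication'; Want = 0 }
    )
    foreach ($c in $regChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        # A missing value is reported as $null and fails the check.
        $have = if ($item) { $item.($c.Name) } else { $null }
        $results += [pscustomobject]@{
            Check = $c.Name; Expected = $c.Want; Actual = $have
            Pass  = ($null -ne $have -and $have -eq $c.Want)
        }
    }

    # Firewall rules. Enabled is an enum and both of its members are truthy in
    # a boolean test, so the state is compared as text rather than used directly.
    $ruleNames = 'RemoteDesktop-UserMode-In-TCP',
                 'RemoteDesktop-UserMode-In-UDP',
                 'RemoteDesktop-Shadow-In-TCP'
    foreach ($name in $ruleNames) {
        $rule  = Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
        $state = if ($rule) { [string]$rule.Enabled } else { 'Missing' }
        $results += [pscustomobject]@{
            Check = $name; Expected = 'False'; Actual = $state
            Pass  = ($state -ne 'True')   # a missing rule cannot admit traffic
        }
    }
    $results
}

$report = Test-RdpDisabled
$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -eq 0) {
    Write-Host 'Compliant!'
} else {
    # Name each failing item so the client-side report shows what drifted.
    $detail = ($failed | ForEach-Object { "$($_.Check)=$($_.Actual)" }) -join '; '
    Write-Host "Non-Compliant: $detail"
}
```

Running `Test-RdpDisabled | Format-Table` interactively on an affected client shows the expected and actual value for each item side by side.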
