Remote Desktop Manager Security Dashboard

The Security dashboard is a tool to offer guidance on how to improve the security of the Remote Desktop Manager platform and also tips on reducing the workload for administrators. Some tips are common infosec best practices, others are a consensus between our owns teams.

The scores are admittedly open to question and we do not pretend each topic has the same relative value for all of our community members. Achieving 100% is surely not an end goal in itself, we simply aim to raise awareness and provide ideas for your own security hardening.

Remote Desktop Manager security dashboard
Remote Desktop Manager security dashboard

Improvement actions items

A default password template should be configured

Password templates set requirements for passwords generated with the password generators.

Mitigation

In File – Templates, select Password Templates to create a template. Then, the default template can be selected in Administration – System Settings – Password Templates.


A security provider should be used

By default, passwords are not protected at rest. When a security provider is configured, sensitive data contained in a data source is encrypted.

Mitigation

Security providers are configured in Administration – Security Providers.


A master key should be used with the data source

Using a master key encrypts sensitive content of XML-based data source files.

Mitigation

The master key can be set under File – Change Master Key.


A minimal client version should be configured

Setting a minimal Remote Desktop Manager version is recommended to ensure clients are up to date and have the latest security features.


Configuration files should be encrypted using an application password

The application password should be used to encrypt sensitive information in Remote Desktop Manager configuration files.

Mitigation

In File – Options – Security – Application Security (local), choose Use application password and check Encrypt local files using the application password.


HTTPS should be used to connect to the data source

HTTPS is used to protect the communication between the client and the server hosting the data source. Traffic over HTTP is unencrypted and is susceptible to be intercepted and tampered by a malicious third party.

Mitigation

Configure a TLS certificate on the server and set the data source URL to start with https://. See Configure SSL.


Legacy security should be disabled

Legacy security has been deprecated and will be completely removed starting with version 2023.3 of Remote Desktop Manager.

Mitigation

In Administration – System Settings – Vault Management – Security Settings – Security, disable Use legacy security. See Disable legacy security in Remote Desktop Manager.


Multi-factor authentication (MFA) should be enforced

Multi-factor authentication (MFA) requires an additional mean of authentication when connecting to a data source. This control prevents abuse of compromised, leaked, or weak passwords. The software can be configured to enforce MFA requirements to all users.

Mitigation

In Administration – System Settings – Security Settings, enable Force data source 2-factor configuration.


Offline mode should be disabled

By default, offline mode is enabled and allows Remote Desktop Manager to automatically cache credentials stored in entries on the client system. This feature should be turned off in high security environments to avoid unnecessary sensitive data exposure.


Password expiration should be enabled for custom users

Some security standards require passwords to be changed at regular intervals. PCI DSS 4.0 requires passwords to be changed every 90 days when the password is the only authentication factor.

Mitigation

Password expiration can be configured in Administration – System Settings – Security Settings – Custom user password expiration (days).


Risky events should be disabled or generate a warning

Some entry events can perform powerful actions such as running an external program or script. These events represent a risk if they are modified by a malicious actor. These event types can be disabled if they are not needed, or Remote Desktop Manager can be configured to show a warning when such an event is about to be executed.

Mitigation

In Administration – System Settings – Security Settings, set Risky events to Disabled or Enabled with warnings.


SMS should not be used for multi-factor authentication

SMS is not recommended for 2FA. A stronger mechanism based on an authenticator application or a physical security key should be used instead.


SQL connections should use TLS

TLS protects communications between Remote Desktop Manager and the SQL Server instance.

Mitigation

Configure SQL Server to support TLS connections and add encrypt=true to the SQL Server connection.


The data source password variable should be disabled

When this option is enabled, the variable DATA_SOURCE_PASSWORD will resolve to the data source password. This option should be disabled if it is not needed.

Mitigation

In Administration – System Settings – Password Policy, uncheck Allow data source password variable.


The password strength analyzer should use zxcvbn

Zxcvbn is recommended over the legacy password strength analyzer as it is more reliable.

Mitigation

In Administration – System Settings – Password Policy, set Password strength calculator to Zxcvbn.


Tls certificate validation should be enabled

Validating certificates guarantees that the connection is established with the intended party and protects against data interception attacks.

Mitigation

In File – Options – Security – Certificate security, uncheck Ignore application certificate errors.


Transparent data encryption (TDE) should be used with sql server

Transparent data encryption encrypts the database data at rest, which mitigates risks should physical drives or backup tapes be stolen.


User vault activity should be logged

Activity logs on the user vault can provide additional information during incident response.

Mitigation

In Administration – System Settings – User vault, check Log user vault activities.


Vaults should be created with restricted permissions by default

It is preferable to provide rights to users as needed. When enabling this option, vaults will be created with a more limited set of permissions.

Mitigation

In Administration – System Settings – Security, check Create vaults with restricted access by default.


Warnings for untrusted rdp connections should be enabled

When presented with an unknown certificate, the RDP client should be configured to either present a warning (Warn me) or abort the connection (Do not connect).

Mitigation

In File – Options – Types – Remote Desktop, set Authentication level to Warn me or Do not connect.


Zip encryption should use the aes mode

The ZipCrypto algorithm is considered insecure and AES should be used instead. It is susceptible to known-plaintext attacks which can allow recovering the content of the archive without knowing the password (see Why You Should Never Use the NativeZip Crypto in Windows for details on this attack).

Mitigation

In File – Options – Advanced, uncheck Use ZipCrypto compression (not recommended).


Give us Feedback