The Security dashboard is a tool to offer guidance on how to improve the security of the Remote Desktop Manager platform and also tips on reducing the workload for administrators. Some tips are common infosec best practices, others are a consensus between our owns teams.
The scores are admittedly open to question and we do not pretend each topic has the same relative value for all of our community members. Achieving 100% is surely not an end goal in itself, we simply aim to raise awareness and provide ideas for your own security hardening.
Improvement actions items
A default password template should be configured
Password templates set requirements for passwords generated with the password generators.
In File – Templates, select Password Templates to create a template. Then, the default template can be selected in Administration – System Settings – Password Templates.
A security provider should be used
By default, passwords are not protected at rest. When a security provider is configured, sensitive data contained in a data source is encrypted.
Security providers are configured in Administration – Security Providers.
A master key should be used with the data source
Using a master key encrypts sensitive content of XML-based data source files.
The master key can be set under File – Change Master Key.
A minimal client version should be configured
Setting a minimal Remote Desktop Manager version is recommended to ensure clients are up to date and have the latest security features.
Configuration files should be encrypted using an application password
The application password should be used to encrypt sensitive information in Remote Desktop Manager configuration files.
In File – Options – Security – Application Security (local), choose Use application password and check Encrypt local files using the application password.
HTTPS should be used to connect to the data source
HTTPS is used to protect the communication between the client and the server hosting the data source. Traffic over HTTP is unencrypted and is susceptible to be intercepted and tampered by a malicious third party.
Configure a TLS certificate on the server and set the data source URL to start with https://. See Configure SSL.
Legacy security should be disabled
Legacy security has been deprecated and will be completely removed starting with version 2023.3 of Remote Desktop Manager.
In Administration – System Settings – Vault Management – Security Settings – Security, disable Use legacy security. See Disable legacy security in Remote Desktop Manager.
Multi-factor authentication (MFA) should be enforced
Multi-factor authentication (MFA) requires an additional mean of authentication when connecting to a data source. This control prevents abuse of compromised, leaked, or weak passwords. The software can be configured to enforce MFA requirements to all users.
In Administration – System Settings – Security Settings, enable Force data source 2-factor configuration.
Offline mode should be disabled
By default, offline mode is enabled and allows Remote Desktop Manager to automatically cache credentials stored in entries on the client system. This feature should be turned off in high security environments to avoid unnecessary sensitive data exposure.
Password expiration should be enabled for custom users
Some security standards require passwords to be changed at regular intervals. PCI DSS 4.0 requires passwords to be changed every 90 days when the password is the only authentication factor.
Password expiration can be configured in Administration – System Settings – Security Settings – Custom user password expiration (days).
Risky events should be disabled or generate a warning
Some entry events can perform powerful actions such as running an external program or script. These events represent a risk if they are modified by a malicious actor. These event types can be disabled if they are not needed, or Remote Desktop Manager can be configured to show a warning when such an event is about to be executed.
In Administration – System Settings – Security Settings, set Risky events to Disabled or Enabled with warnings.
SMS should not be used for multi-factor authentication
SMS is not recommended for 2FA. A stronger mechanism based on an authenticator application or a physical security key should be used instead.
SQL connections should use TLS
TLS protects communications between Remote Desktop Manager and the SQL Server instance.
Configure SQL Server to support TLS connections and add encrypt=true to the SQL Server connection.
The data source password variable should be disabled
When this option is enabled, the variable
DATA_SOURCE_PASSWORD will resolve to the data source password. This option should be disabled if it is not needed.
In Administration – System Settings – Password Policy, uncheck Allow data source password variable.
The password strength analyzer should use zxcvbn
Zxcvbn is recommended over the legacy password strength analyzer as it is more reliable.
In Administration – System Settings – Password Policy, set Password strength calculator to Zxcvbn.
Tls certificate validation should be enabled
Validating certificates guarantees that the connection is established with the intended party and protects against data interception attacks.
In File – Options – Security – Certificate security, uncheck Ignore application certificate errors.
Transparent data encryption (TDE) should be used with sql server
Transparent data encryption encrypts the database data at rest, which mitigates risks should physical drives or backup tapes be stolen.
User vault activity should be logged
Activity logs on the user vault can provide additional information during incident response.
In Administration – System Settings – User vault, check Log user vault activities.
Vaults should be created with restricted permissions by default
It is preferable to provide rights to users as needed. When enabling this option, vaults will be created with a more limited set of permissions.
In Administration – System Settings – Security, check Create vaults with restricted access by default.
Warnings for untrusted rdp connections should be enabled
When presented with an unknown certificate, the RDP client should be configured to either present a warning (Warn me) or abort the connection (Do not connect).
In File – Options – Types – Remote Desktop, set Authentication level to Warn me or Do not connect.
Zip encryption should use the aes mode
The ZipCrypto algorithm is considered insecure and AES should be used instead. It is susceptible to known-plaintext attacks which can allow recovering the content of the archive without knowing the password (see Why You Should Never Use the NativeZip Crypto in Windows for details on this attack).
In File – Options – Advanced, uncheck Use ZipCrypto compression (not recommended).