Remote Desktop Manager Security Dashboard

The Security dashboard is a tool to offer guidance on how to improve the security of the Remote Desktop Manager platform and also tips on reducing the workload for administrators. Some tips are common infosec best practices, others are a consensus between our owns teams.

The scores are admittedly open to question and we do not pretend each topic has the same relative value for all of our community members. Achieving 100% is surely not an end goal in itself, we simply aim to raise awareness and provide ideas for your own security hardening.

KB4707.png

Improvement Actions Items

A default password template should be configured

Description Password templates set requirements for passwords generated with the password generators.
Mitigation In File - Templates , select Password Templates to create a template. Then, the default template can be selected in Administration - System Settings - Password Templates

A security provider should be used

Description By default, passwords are not protected at rest. When a security provider is configured, sensitive data contained in a data source is encrypted.
Mitigation Security providers are configured in Administration - Security Providers

A master key should be used with the data source

Description Using a master key encrypts sensitive content of XML-based data source files.
Mitigation The master key can be set under File - Change Master Key

A minimal client version should be configured

Description Setting a minimal Remote Desktop Manager version is recommended to ensure clients are up to date and have the latest security features.

Configuration files should be encrypted using an application password

Description The application password should be used to encrypt sensitive information in Remote Desktop Manager configuration files.
Mitigation In File - Options - Security - Application Security (local) , choose Use application password and check Encrypt local files using the application password

HTTPS should be used to connect to the data source

Description HTTPS is used to protect the communication between the client and the server hosting the data source. Traffic over HTTP is unencrypted and is susceptible to be intercepted and tampered by a malicious third-party.
Mitigation Configure a TLS certificate on the server and set the data source URL to start with https:// See Configure SSL

Legacy security should be disabled

Description Security groups have been replaced by the permissions system. Legacy security is deprecated and will be removed in a future version.
Mitigation In Administration - System Settings - Security Settings , uncheck Use legacy security

Multi-factor authentication (mfa) should be enforced

Description Multi-factor authentication (MFA) requires an additional mean of authentication when connecting to a data source. This control prevents abuse of compromised, leaked or weak passwords. The software can be configured to enforce MFA requirement to all users.
Mitigation In Administration - System Settings - Security Settings , enable Force data source 2-factor configuration

Offline mode should be disabled

Description By default, offline mode is enabled and allows Remote Desktop Manager to automatically cache credentials stored in entries on the client system. This feature should be turned off in high security environments to avoid unnecessary sensitive data exposure.

Password expiration should be enabled for custom users

Description Some security standards require passwords to be changed at regular intervals. PCI DSS 4.0 requires passwords to be changed every 90 days when the password is the only authentication factor.
Mitigation Password expiration can be configured in Administration - System Settings - Security Settings - Custom user password expiration (days)

Risky events should be disabled or generate a warning

Description Some entry events can perform powerful actions such as running an external program or script. These events represent a risk if they are modified by a malicious actor. These event types can be disabled if they are not needed, or Remote Desktop Manager can be configured to show a warning when such an event is about to be executed.
Mitigation In Administration - System Settings - Security Settings , set Risky events to Disabled or Enabled with warnings

SMS should not be used for multi-factor authentication

Description SMS is not recommended for 2FA. A stronger mechanism based on an authenticator application or a physical security key should be used instead.

SQL connections should use tls

Description TLS protects communications between Remote Desktop Manager and the SQL Server instance.
Mitigation Configure SQL Server to support TLS connections and add encrypt=true to the SQL Server connection string.

The data source password variable should be disabled

Description When this option is enabled, the variable DATA_SOURCE_PASSWORD will resolve to the data source password. This option should be disabled if it is not needed.
Mitigation In Administration - System Settings - Password Policy , uncheck Allow data source password variable

The password strength analyzer should use zxcvbn

Description Zxcvbn is recommended over the legacy password strength analyzer as it is more reliable.
Mitigation In Administration - System Settings - Password Policy , set Password strength calculator to Zxcvbn

Tls certificate validation should be enabled

Description Validating certificates guarantees that the connection is established with the intended party and protects against data interception attacks.
Mitigation In File - Options - Security - Certificate security , uncheck Ignore application certificate errors

Transparent data encryption (tde) should be used with sql server

Description Transparent Data Encryption encrypts the database data at-rest, which mitigates risks should physical drives or backup tapes be stolen.

User vault activity should be logged

Description Activity logs on user vaults can provide additional information during incident response.
Mitigation In Administration - System Settings - User Vault , check Log user vault activities

Vaults should be created with restricted permissions by default

Description It is preferable to provide rights to users as needed. When enabling this option, vaults will be created with a more limited set of permissions.
Mitigation In Administration - System Settings - Security , check Create vaults with restricted access by default

Warnings for untrusted rdp connections should be enabled

Description When presented with an unknown certificate, the RDP client should be configured to either present a warning ( Warn me ) or abort the connection ( Do not connect ).
Mitigation In File - Options - Types - Remote Desktop , set Authentication level to Warn me or Do not connect

Zip encryption should use the aes mode

Description The ZipCrypto algorithm is considered insecure and AES should be used instead. It is susceptible to known-plaintext attacks which can allow recovering the content of the archive without knowing the password (see Why You Should Never Use the NativeZip Crypto in Windows for details on this attack).
Mitigation In File - Options - Advanced , uncheck Use ZipCrypto compression (not recommended)