The Security dashboard is a tool to offer guidance on how to improve the security of the Remote Desktop Manager platform and also tips on reducing the workload for administrators. Some tips are common infosec best practices, others are a consensus between our owns teams.
The scores are admittedly open to question and we do not pretend each topic has the same relative value for all of our community members. Achieving 100% is surely not an end goal in itself, we simply aim to raise awareness and provide ideas for your own security hardening.
Improvement Actions Items
A default password template should be configured
Description
Password templates set requirements for passwords generated with the password generators.
Mitigation
In File - Templates , select Password Templates to create a template. Then, the default template can be selected in Administration - System Settings - Password Templates
A security provider should be used
Description
By default, passwords are not protected at rest. When a security provider is configured, sensitive data contained in a data source is encrypted.
Mitigation
Security providers are configured in Administration - Security Providers
A master key should be used with the data source
Description
Using a master key encrypts sensitive content of XML-based data source files.
Mitigation
The master key can be set under File - Change Master Key
A minimal client version should be configured
Description
Setting a minimal Remote Desktop Manager version is recommended to ensure clients are up to date and have the latest security features.
Configuration files should be encrypted using an application password
Description
The application password should be used to encrypt sensitive information in Remote Desktop Manager configuration files.
Mitigation
In File - Options - Security - Application Security (local) , choose Use application password and check Encrypt local files using the application password
HTTPS should be used to connect to the data source
Description
HTTPS is used to protect the communication between the client and the server hosting the data source. Traffic over HTTP is unencrypted and is susceptible to be intercepted and tampered by a malicious third-party.
Mitigation
Configure a TLS certificate on the server and set the data source URL to start with https://
See Configure SSL
Legacy security should be disabled
Description
Security groups have been replaced by the permissions system. Legacy security is deprecated and will be removed in a future version.
Mitigation
In Administration - System Settings - Security Settings , uncheck Use legacy security
Multi-factor authentication (mfa) should be enforced
Description
Multi-factor authentication (MFA) requires an additional mean of authentication when connecting to a data source. This control prevents abuse of compromised, leaked or weak passwords. The software can be configured to enforce MFA requirement to all users.
Mitigation
In Administration - System Settings - Security Settings , enable Force data source 2-factor configuration
Offline mode should be disabled
Description
By default, offline mode is enabled and allows Remote Desktop Manager to automatically cache credentials stored in entries on the client system. This feature should be turned off in high security environments to avoid unnecessary sensitive data exposure.
Password expiration should be enabled for custom users
Description
Some security standards require passwords to be changed at regular intervals. PCI DSS 4.0 requires passwords to be changed every 90 days when the password is the only authentication factor.
Mitigation
Password expiration can be configured in Administration - System Settings - Security Settings - Custom user password expiration (days)
Risky events should be disabled or generate a warning
Description
Some entry events can perform powerful actions such as running an external program or script. These events represent a risk if they are modified by a malicious actor. These event types can be disabled if they are not needed, or Remote Desktop Manager can be configured to show a warning when such an event is about to be executed.
Mitigation
In Administration - System Settings - Security Settings , set Risky events to Disabled or Enabled with warnings
SMS should not be used for multi-factor authentication
Description
SMS is not recommended for 2FA. A stronger mechanism based on an authenticator application or a physical security key should be used instead.
SQL connections should use tls
Description
TLS protects communications between Remote Desktop Manager and the SQL Server instance.
Mitigation
Configure SQL Server to support TLS connections and add encrypt=true to the SQL Server connection string.
The data source password variable should be disabled
Description
When this option is enabled, the variable DATA_SOURCE_PASSWORD will resolve to the data source password. This option should be disabled if it is not needed.
Mitigation
In Administration - System Settings - Password Policy , uncheck Allow data source password variable
The password strength analyzer should use zxcvbn
Description
Zxcvbn is recommended over the legacy password strength analyzer as it is more reliable.
Mitigation
In Administration - System Settings - Password Policy , set Password strength calculator to Zxcvbn
Tls certificate validation should be enabled
Description
Validating certificates guarantees that the connection is established with the intended party and protects against data interception attacks.
Transparent data encryption (tde) should be used with sql server
Description
Transparent Data Encryption encrypts the database data at-rest, which mitigates risks should physical drives or backup tapes be stolen.
User vault activity should be logged
Description
Activity logs on user vaults can provide additional information during incident response.
Mitigation
In Administration - System Settings - User Vault , check Log user vault activities
Vaults should be created with restricted permissions by default
Description
It is preferable to provide rights to users as needed. When enabling this option, vaults will be created with a more limited set of permissions.
Mitigation
In Administration - System Settings - Security , check Create vaults with restricted access by default
Warnings for untrusted rdp connections should be enabled
Description
When presented with an unknown certificate, the RDP client should be configured to either present a warning ( Warn me ) or abort the connection ( Do not connect ).
Mitigation
In File - Options - Types - Remote Desktop , set Authentication level to Warn me or Do not connect
Zip encryption should use the aes mode
Description
The ZipCrypto algorithm is considered insecure and AES should be used instead. It is susceptible to known-plaintext attacks which can allow recovering the content of the archive without knowing the password (see Why You Should Never Use the NativeZip Crypto in Windows for details on this attack).
Mitigation
In File - Options - Advanced , uncheck Use ZipCrypto compression (not recommended)