> For the complete documentation index, see [llms.txt](https://docs.devolutions.net/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.devolutions.net/rdm/knowledge-base/knowledge-base-articles/remote-desktop-manager-security-dashboard.md).

# Remote Desktop Manager security dashboard

The Security dashboard offers guidance on improving the security of the Remote Desktop Manager platform, along with tips for reducing the workload of administrators. Some tips are common information security best practices; others reflect a consensus among our own teams.

The scores are admittedly open to question, and we do not pretend that each topic has the same relative value for every member of our community. Achieving 100% is not an end goal in itself; we simply aim to raise awareness and provide ideas for your own security hardening.

### Improvement action items

#### A default password policy should be configured

Password policies set requirements for passwords generated with the password generators.

**Mitigation**

In ***Administration*** – ***Password policies***, select ***Add*** to create a password policy. Then, the default password policy can be selected in ***Administration*** – ***System settings*** – ***Password policy***.

***

#### A security provider should be used

By default, passwords are not protected at rest. Once a security provider is configured, the sensitive data contained in a workspace is encrypted.

**Mitigation**

Security providers are configured in ***Administration*** – ***Security Providers***.

***

#### A master key should be used with the workspace

Using a master key encrypts sensitive content of XML-based workspace files.

**Mitigation**

The master key can be set under ***File*** – ***Change master key***.

***

#### A minimal client version should be configured

Setting a minimal Remote Desktop Manager version is recommended to ensure clients are up to date and have the latest security features.

***

#### Configuration files should be encrypted using an application password

The application password should be used to encrypt sensitive information in Remote Desktop Manager configuration files.

**Mitigation**

In ***File*** – ***Settings*** – ***Security*** – ***Application Security (local)***, choose ***Use application password*** and check ***Encrypt local files using the application password***.

***

#### HTTPS should be used to connect to the workspace

HTTPS protects the communication between the client and the server hosting the workspace. Traffic over HTTP is unencrypted and can be intercepted and tampered with by a malicious third party.

**Mitigation**

Configure a TLS certificate on the server and set the workspace URL to start with **https://**. See [Configure SSL](https://docs.devolutions.net/server/kb/how-to-articles/configure-ssl/).

***

#### Legacy security should be disabled

Legacy security has been deprecated and will be completely removed starting with version 2023.3 of Remote Desktop Manager.

**Mitigation**

In ***Administration*** – ***System Settings – Vault Management – Security Settings – Security***, disable ***Use legacy security***. See [Disable legacy security in Remote Desktop Manager](https://docs.devolutions.net/rdm/kb/how-to-articles/migrate-legacy-security-permissions/).

***

#### Multifactor authentication (MFA) should be enforced

Multifactor authentication (MFA) requires an additional means of authentication when connecting to a workspace. This control limits the damage that compromised, leaked, or weak passwords can cause, since a password alone no longer grants access. The software can be configured to enforce the MFA requirement for all users.

**Mitigation**

In ***Administration*** – ***System Settings*** – ***Security Settings***, enable ***Force workspace 2-factor configuration***.

***

#### Offline mode should be disabled

By default, offline mode is enabled, which lets Remote Desktop Manager automatically cache the credentials stored in entries on the client system. Turn this feature off in high security environments to avoid unnecessary exposure of sensitive data on endpoints.

***

#### Password expiration should be enabled for custom users

Some security standards require passwords to be changed at regular intervals. PCI DSS 4.0 requires passwords to be changed at least every 90 days when the password is the only authentication factor.

**Mitigation**

Password expiration can be configured in ***Administration*** – ***System Settings*** – ***Security Settings*** – ***Custom user password expiration (days)***.

***

#### Risky events should be disabled or generate a warning

Entry events can perform powerful actions, such as running an external program or script when an entry is opened. Anyone who can modify an entry can therefore use its events to execute commands on the client that opens it, so these events should be disabled if they are not needed. Alternatively, Remote Desktop Manager can be configured to show a warning when such an event is about to be executed.

**Mitigation**

In ***Administration*** – ***System Settings*** – ***Security***, set ***Session events*** to ***Warn on risky events***, ***Disable risky events*** or ***Disable all events***.

***

#### SMS should not be used for multifactor authentication

SMS is not recommended as a second factor: one-time codes sent by SMS can be intercepted or redirected, for example through SIM swapping. A stronger mechanism based on an authenticator application or a physical security key should be used instead.

***

#### SQL connections should use TLS

TLS protects the communication between Remote Desktop Manager and the SQL Server instance. Without it, the queries and the data they return travel over the network in clear text.

**Mitigation**

Configure SQL Server to support TLS connections (install a server certificate that the clients trust) and add **encrypt=true** to the SQL Server connection string. Do not silence certificate errors with `TrustServerCertificate=true`: that setting disables validation of the server certificate, so the client can no longer tell the real server from an impostor.
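To confirm that the setting is actually in effect, the following T-SQL is an added example (it is not part of the original page) that audits the SQL Server instance hosting the workspace: the first query checks the session it is run from, the second lists every user session that is still unencrypted, with the client host and program name so that workstations whose data source still lacks `encrypt=true` can be found. It uses only the standard dynamic management views and assumes the `VIEW SERVER STATE` permission.

```sql
-- Added example (not from the page): audit TLS use on the SQL Server instance
-- that hosts the Remote Desktop Manager workspace.
-- Requires the VIEW SERVER STATE permission; run it from SSMS or sqlcmd.

-- 1. Check the session you are running this from. After adding encrypt=true to
--    the connection string, encrypt_option must read 'TRUE' here.
SELECT session_id,
       net_transport,
       protocol_type,
       encrypt_option,
       auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 2. List every user session that is still unencrypted. host_name and
--    program_name are whatever the client advertised, which is enough to find
--    the workstations whose Remote Desktop Manager data source still lacks
--    encrypt=true.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       s.login_time,
       c.client_net_address,
       c.encrypt_option
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
  ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND c.encrypt_option = 'FALSE'
ORDER BY s.host_name, s.login_name;
```

Run the second query before enabling the server-side **Force Encryption** flag (SQL Server Configuration Manager, under the protocols of the instance): with that flag set, the server refuses sessions that do not negotiate TLS, so a client that omits `encrypt=true` can no longer fall back to clear text silently, and the query tells you in advance which clients would break.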

***

#### The workspace password variable should be disabled

When this option is enabled, the variable `DATA_SOURCE_PASSWORD` resolves to the workspace password wherever variables are expanded, which exposes that password to entries, scripts, and events that reference it. Disable this option unless it is needed.

**Mitigation**

In ***Administration – System Settings – Password Policy***, uncheck ***Allow workspace password variable***.

***

#### The password strength analyzer should use zxcvbn

zxcvbn is recommended over the legacy password strength analyzer because it is more reliable: it estimates how hard a password is to guess against dictionaries, keyboard patterns, and common substitutions, rather than merely counting length and character classes.

**Mitigation**

In ***Administration – System Settings – Password Policy***, set ***Password strength calculator*** to ***Zxcvbn***.

***

#### TLS certificate validation should be enabled

Validating certificates guarantees that the connection is established with the intended party and protects against interception (man-in-the-middle) attacks. Ignoring certificate errors turns every TLS connection the application makes into one that an attacker on the network path can terminate with a certificate of their own.

**Mitigation**

In ***File – Settings – Security – Certificate security***, uncheck ***Ignore application certificate errors***.

***

#### Transparent data encryption (TDE) should be used with SQL Server

Transparent data encryption encrypts the database files and their backups at rest, which mitigates the risk should physical drives or backup tapes be stolen. It does not protect data in memory or in transit, and it does not prevent a user who can query the database from reading it, so it complements a security provider rather than replacing it.
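The page gives no mitigation for this item. The following T-SQL is an added example of the standard TDE enablement sequence for SQL Server, not code from the page or from Devolutions; it assumes the workspace database is named `RDM` (an assumption; substitute your actual database name), that the instance's edition supports TDE, and that the placeholder passwords and file paths are replaced with real values before running it.

```sql
-- Added example (not from the page): enable TDE on the Remote Desktop Manager database.
-- Assumptions: the database is named RDM; the SQL Server edition supports TDE;
-- the placeholder passwords and paths below are replaced with real values.

USE master;
GO
-- 1. Database master key in master, protected by a password (and, automatically,
--    by the service master key of this instance).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password>';
GO
-- 2. Server certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE RdmTdeCert WITH SUBJECT = 'Remote Desktop Manager TDE certificate';
GO
-- 3. Back up the certificate and its private key BEFORE enabling encryption and
--    store the files off the server. Without this backup, the database and every
--    backup taken from now on cannot be restored on another instance.
BACKUP CERTIFICATE RdmTdeCert
    TO FILE = 'D:\secure\RdmTdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\secure\RdmTdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-private-key-password>');
GO
-- 4. Create the DEK inside the RDM database and switch encryption on.
--    Encryption runs as a background scan; the database stays online.
USE RDM;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE RdmTdeCert;
GO
ALTER DATABASE RDM SET ENCRYPTION ON;
GO
-- 5. Verify. encryption_state 3 = encrypted, 2 = encryption in progress
--    (watch percent_complete). tempdb appears here as well: it is encrypted
--    automatically as soon as any user database on the instance is.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       percent_complete
FROM sys.dm_database_encryption_keys;
GO
```

`GO` is the batch separator understood by SSMS and sqlcmd, not a T-SQL statement; drop it if you submit the script through a driver that sends one batch at a time. Treat the exported `.cer` and `.pvk` files and their password as key material: anyone holding them can decrypt the database files and backups, which is exactly what TDE is meant to prevent.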

***

#### User vault activity should be logged

Activity logs on the user vault can provide additional information during incident response.

**Mitigation**

In ***Administration – System Settings – User vault***, check ***Log user vault activities***.

***

#### Vaults should be created with restricted permissions by default

It is preferable to grant rights to users only as they are needed (least privilege). When this option is enabled, new vaults are created with a more limited set of permissions, and access is then widened deliberately instead of trimmed after the fact.

**Mitigation**

In ***Administration*** – ***System Settings*** – ***Security***, check ***Create vaults with restricted access by default***.

***

#### Warnings for untrusted RDP connections should be enabled

When the remote host presents a certificate that cannot be validated, the RDP client should either present a warning (***Warn me***) or refuse the connection (***Do not connect***) rather than connecting silently, since a silent connection would also accept a certificate planted by an attacker on the network path.

**Mitigation**

In ***File*** – ***Settings*** – ***Types*** – ***Remote Desktop***, set ***Authentication level*** to ***Warn me*** or ***Do not connect***.

***

#### Zip encryption should use the AES mode

The ZipCrypto algorithm is considered insecure; AES should be used instead. ZipCrypto is vulnerable to a known-plaintext attack that can recover the content of an archive without knowing the password (see [Why You Should Never Use the NativeZip Crypto in Windows](https://blog.devolutions.net/2020/08/why-you-should-never-use-zipcrypto/) for details on this attack).

**Mitigation**

In ***File – Settings – Advanced***, uncheck ***Use ZipCrypto compression (not recommended)***.

***

#### See also

* [Devolutions Blog - Spotlight on: Remote Desktop Manager security dashboard](https://blog.devolutions.net/2024/11/spotlight-on-remote-desktop-manager-security-dashboard/)

