[continued] Security baseline with Hyper-V enhanced session


Continued from this discussion on the old TechNet blog.

 

Thanks @Aaron Margosis. I've figured out what is preventing clipboard file copying. It is the GPO setting "Do not allow drive redirection" (Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection).

 

The description mentions that it disables Clipboard file copy redirection for Windows 8 and earlier, but I have tested and it also disables file copy on Windows 10 guests. (Enabling on the guest disables copying files both into and out of the VM (note: restart required to take effect), but enabling on the host is ok.) Doesn't prevent copying out clipboard text though (I misspoke, sorry).

 

Are there any non-obvious security implications if I leave out this setting (assuming of course I only try to copy out trusted files)? The alternative is to attach a VHDX to the VM, copy the file into the virtual drive, then detach and mount on the host as Admin - but it's a lot easier to just copy and paste.

 

Regarding internet connectivity - haven't figured out why applying the security baseline on the host messes with guest VM connectivity through the NAT based "Default Switch" (automatically created, Client Hyper-V only), but my solution has been to connect guest VMs directly to the external network adapter using the "External Switch". This approach also has the added benefit of allowing internet on guest VMs while blocking all network connectivity on the host.

 

On a related note, I was hoping to get your thoughts on the new GPO setting in Windows 10 version 1903 called "Use WDDM graphics display driver for Remote Desktop Connections" (Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment). If RemoteFX is enabled on a 1903 VM, I can't connect to it using Enhanced Session mode or RDP unless I disable this new setting. No issues connecting with an 1809 VM (which doesn't have this setting), so I'm guessing disabling this setting just reverts to the default behaviour in 1809.

 

Still, any material security risks if I disable this new setting? (EDIT: I'm guessing it is because WDDM runs in user-mode and doesn't have permission to connect via RDP. I've tried adding Users and even Everyone to "Allow log on through Remote Desktop Services" security policy, but that didn't work - in fact, doing that still doesn't let standard users log on through Enhanced Session mode, I still have to add the user to the Remote Desktop Users group.)

 

Best regards

David

5 Replies

@DavidYangAU did you ever figure out what in the Security Baseline was blocking the "Default Switch" in Windows 10 Hyper-V to allow the virtual machines to have internet access? I am really wanting to have an environment where the Security Baseline is applied, but need the same capability you have mentioned. I don't want to do the workaround of creating another external Virtual Switch, as I've actually found that has impacted internet connectivity bandwidth on the host device.

@mattgailer I believe it was an inbound firewall issue.

 

The Security Baseline disables local firewall rules for Public networks, so the auto-generated Hyper-V Container Networking allow rules (inbound) aren't applied - you'll have to manually allow UDP inbound on local ports 53, 67, 68 via GPO or allow local firewall rules.

 

From memory that was the only issue, and things like "Prohibit use of Internet Connection Sharing on your DNS domain network" are fine to leave as Enabled.

 

(BTW, if you have time, I'd recommend taking a look at the relevant CIS Benchmark: https://downloads.cisecurity.org/ - there is about 90% overlap with the Microsoft Security Baseline, but the rationale/side-effects of various settings are better documented in CIS. For example, with the ICS policy setting above, the CIS document explains that it no longer affects the ICS service, and only affects Mobile Hotspot feature, so it's safe to disable.) 

 

Hope that helps!

 

I think I'm facing similar issues here; Intune enrolled PC with Security Baseline applied, Default Switch won't work. VM does not seem to get an IP address.

 

Can anyone be more specific on the firewall rule that has to be made?

 

I ended up changing the following two settings that helped me to work (helped by David's replies)

1. "Connection security rules from group policy not merged" - NOT CONFIGURED
2. "Policy rules from group policy not merged" - NOT CONFIGURED

David mentioned creation of rules to open ports in the firewall, but when I looked locally there was already a rule existing (no doubt created when I enabled the Hyper-V role), so I didn't punch any additional holes through the firewall. I think the wording of these policies is probably poor, as I believe the intention is to say "don't acknowledge rules created in any other way - just do what Intune tells you". Could be wrong in my summary, but I'm certainly working happily now on the Default Switch with that change.
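The two fixes discussed above (David's "allow UDP 53/67/68 inbound" and mattgailer's "stop the baseline from discarding locally created rules") are two views of the same mechanism: the Hyper-V role creates its Default Switch DNS/DHCP rules as local firewall rules, and a profile with AllowLocalFirewallRules set to False ignores them. The following PowerShell is an added example for checking that on a host, not code from the thread or from Microsoft. The interface alias "vEthernet (Default Switch)" and the display-name pattern "*Container Networking*" are assumptions about what the host shows; confirm them with Get-NetAdapter and Get-NetFirewallRule first.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): diagnose why the Hyper-V Default Switch
# loses DNS/DHCP on a baseline-hardened host, then add a narrowly scoped rule.
# Assumptions (adjust for your host): the host vNIC alias and the rule-name pattern.
$alias       = 'vEthernet (Default Switch)'   # assumption: check Get-NetAdapter
$autoPattern = '*Container Networking*'       # assumption: check Get-NetFirewallRule

# 1. Which profiles honour locally created rules? The baseline sets
#    AllowLocalFirewallRules to False, which is what makes the auto-generated
#    Hyper-V rules silently stop applying.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, AllowLocalFirewallRules, AllowLocalIPsecRules |
    Format-Table -AutoSize

# 2. Which profile is the Default Switch vNIC actually on right now?
Get-NetConnectionProfile -InterfaceAlias $alias -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, NetworkCategory

# 3. List the auto-generated inbound rules (if the name pattern matches on this host).
Get-NetFirewallRule -DisplayName $autoPattern -ErrorAction SilentlyContinue |
    Where-Object Direction -eq 'Inbound' |
    Select-Object DisplayName, Enabled, Profile, Action |
    Format-Table -AutoSize

# 4. Explicit rule scoped to exactly what the Default Switch needs: UDP 53/67/68
#    inbound, bound to the host vNIC only, so the physical NIC is not opened.
$ruleName = 'Hyper-V Default Switch DNS/DHCP (UDP-In) - manual'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol UDP -LocalPort 53,67,68 `
        -InterfaceAlias $alias -Profile Any -Action Allow | Out-Null
}

# 5. Verify the rule exists, is enabled, and is bound to the expected interface.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Select-Object DisplayName, Enabled, Profile, Direction, Action
$rule | Get-NetFirewallInterfaceFilter | Select-Object InterfaceAlias
```

Note that step 4 creates a local rule, so it only takes effect on profiles whose AllowLocalFirewallRules is True (the change mattgailer made). On a host where the baseline keeps local rules unmerged, the same rule has to be delivered by GPO or Intune instead; either way, the interface-scoped form is preferable to a blanket allow of UDP 53/67/68, because it keeps those ports closed on the external adapter.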

@mattgailer 

Thank you sir. Will test this and come back with results. :)

 

Edit: It worked right away! Had a VM open, unassigned me from Security Baseline, synced with Company Portal, and suddenly the VM got an IP and all is good.
