Windows

Disabling indirect file transfer through remote desktop

Preventing file transfer isn't limited to the firewall. IT pro Rick Vanover showcases an additional setting that may be needed to prevent file transfers through certain networks.

Certain security zones may require that file transfer is prohibited in or out of the network. This is frequently addressed by blocking file transfer permissions at a firewall. There are a number of ways to do this; off the top of my head, I can think of the following file transfer mechanisms:

  • ports 80 and 443 for web-based file transfer sites
  • port 21 for FTP
  • port 445 for server message block (Windows file transfer)
  • port 135 for remote procedure call
  • The list can go on and on…

Like any firewall administrator worth his weight in Ethernet cable will tell you, don’t list the ports individually; instead, block everything and allow explicitly what is required. Fair enough, but if Windows Servers are involved, chances are the administration mechanism will be Remote Desktop over TCP 3389. Remote Desktop is the best administration tool for Windows Systems, but there is a caveat related to what all it will send over the wire if you are concerned about file transfer.

Remote Desktop has a broad category of device redirection. This is straightforward for sound and print functions, but also includes drive redirection. With Windows XP and Windows Server 2003 and higher systems, remote desktop connections can be made that redirect drive letters which will permit file transfer through port 3389. Should this be a problem, Windows has the solution with a group policy object (GPO) that can prohibit drive redirection within Remote Desktop. Within Group Policy, the Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Device and Resource Redirection section has configuration options for device redirection. Figure A below shows drive redirection prohibited in a GPO: Figure A

Figure A

Click image to enlarge.

A GPO like this can be applied to a user, group, specific organizational unit, or many other customized criteria within Active Directory.

While there is no single configuration that will meet every requirement, this matched with firewall rules preventing file transfer will reduce the likelihood of casual back-door file transfers.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

3 comments
ivoyhip
ivoyhip

In Windows 2003 server, it is the Computer Configuration | Policies | Administrative Templates | Windows Components | Terminal Services | Client / Server data redirection section

oldbaritone
oldbaritone

Great article and useful information. Unfortunately, there's no perfect way to block files from crossing the RDP divide. Truly creative users will figure out ways around any defense. Harsh reality. But thanks for a VERY useful tip. Thumbs up!