Disabling indirect file transfer through remote desktop
Certain security zones may require that file transfer is prohibited in or out of the network. This is frequently addressed by blocking file transfer permissions at a firewall. There are a number of ways to do this; off the top of my head, I can think of the following file transfer mechanisms:
- ports 80 and 443 for web-based file transfer sites
- port 21 for FTP
- port 445 for server message block (Windows file transfer)
- port 135 for remote procedure call
- The list can go on and on…
Like any firewall administrator worth his weight in Ethernet cable will tell you, don’t list the ports individually; instead, block everything and allow explicitly what is required. Fair enough, but if Windows Servers are involved, chances are the administration mechanism will be Remote Desktop over TCP 3389. Remote Desktop is the best administration tool for Windows Systems, but there is a caveat related to what all it will send over the wire if you are concerned about file transfer.
Remote Desktop has a broad category of device redirection. This is straightforward for sound and print functions, but also includes drive redirection. With Windows XP and Windows Server 2003 and higher systems, remote desktop connections can be made that redirect drive letters which will permit file transfer through port 3389. Should this be a problem, Windows has the solution with a group policy object (GPO) that can prohibit drive redirection within Remote Desktop. Within Group Policy, the Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Device and Resource Redirection section has configuration options for device redirection. Figure A below shows drive redirection prohibited in a GPO:
Figure A
A GPO like this can be applied to a user, group, specific organizational unit, or many other customized criteria within Active Directory.
While there is no single configuration that will meet every requirement, this matched with firewall rules preventing file transfer will reduce the likelihood of casual back-door file transfers.