Sunday, September 4, 2016

Group policy changes to enable ping response and remote desktop (and remote desktop firewall exception)

I recommend these changes on Windows domains to enable ping/ICMP responses from domain connected computers and remote desktop enabling (with network level authentication) and a remote desktop exception on the firewall.  Not all of these items are default on Windows 10 and/or Group Policy.  I think these are best practices so here is how you can add them to Group Policy.

Open Group Policy Management on a domain controller.  Right click on default domain policy and choose edit.

Enable ping responses via Computer Configuration -> Policies -> Administrative Templates Policy -> Network -> Network Connections -> Windows Firewall -> Domain Profile and enable Windows Firewall: Allow ICMP exceptions

Choose the option for "allow inbound echo request."

To enable a remote desktop firewall exception, in the same location, change "Windows Firewall: Allow inbound Remote Desktop exceptions"

To enable network level authentication, go to:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections

Enable "Allow users to connect remotely by using Remote Desktop Services"

To make all remote desktop connections use network level authentication, go to:
Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security

Enable "Require user authentication for remote connections by using network level authentication"

No comments: