search

dev-sec / ansible-windows-hardening

This Ansible role provides windows hardening configurations for the DevSec Windows baseline profile.
http://dev-sec.io/
147 stars 58 forks source link

Interactive logon question #8

Open chr00ted opened 4 years ago

chr00ted commented 4 years ago

This isnt so much a "bug", I have a 2016 RDP host that will be used as a terminal server, but rather than logon with username password, users will be using their respective smart card. This works as expected prior to hardening, after hardening I get a prompt: the system administrator has restricted the types of logon (network or interactive) that you may use. I revert back to the snapshot taken prior to hardening and all is well. I see you have have variables such as win_security_SeRemoteInteractiveLogonRight. I am listed in the local admins group prior to the change. Not sure after. I tried with: --extra-vars "win_security_SeNetworkLogonRight=S-1-1-0" and still had issues

chr00ted commented 4 years ago

My question is how do I go about allowing RDP sessions again?

rndmh3ro commented 4 years ago

Good question @chr00ted, I'll have to check, it's been some time since I last used Windows.

crsuarez commented 4 years ago

from your fork try removing this:

---
- name: Windows Remote Desktop Configured to Always Prompt for Password | windows-rdp-100
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    name: "fPromptForPassword"
    state: absent