
Best Practice

SABP-Z-086 20 April 2016

RDP Security Controls and Mitigations Guidelines


Document Responsibility: Plants Networks Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1 Introduction 2
2 Conflicts with Mandatory Standards 2
3 References 3
4 Definitions 3
5 Background 5
6 Risk Assessment 6
7 Different RDP/TSE authentication approaches 9
8 Remote Desktop Implementation 11

Previous Issue: New Next Planned Update: 3 May 2020


Page 1 of 20
Primary contact: Ouchn, Nabil J (ouchnnj) on +966-3-8801365

Copyright©Saudi Aramco 2016. All rights reserved.


Document Responsibility: Plants Networks Standards Committee SABP-Z-086
Issue Date: 20 April 2016 Security and Mitigations Directives
Next Planned Update: 3 May 2020 Guide – Remote Access Protocol

1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology to implement advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and / or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology to secure the RDP Remote Access
Protocol settings, which might require software / hardware to ensure “secure
configuration” as per SAEP-99 “Process Automation Networks and Systems
Security” procedure.
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
vendor and / or consulting agent for the implementation of security configurations
by the PAN administrator(s), and shall not be considered “exclusive” to provide
“comprehensive” compliance to SAEP-99 or any other Saudi Aramco
Engineering’s standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from their
responsibility or duties to confirm and verify the accuracy of any information
presented herein and the thorough coordination with respective control system
steering committee chairman and vendor.

2 Conflicts with Mandatory Standards

In the event of a conflict between this Best Practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.


3 References
Specific sections of the following documents are referenced within the body of the
document. Material or equipment supplied to this best practice, shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.

Saudi Aramco References

Saudi Aramco Engineering Procedures
SAEP-99 Process Automation Networks and Systems Security

Saudi Aramco Engineering Standards
SAES-Z-001 Process Control Systems
SAES-Z-010 Process Automation Networks

General Instruction
GI-0710.002 Classification of Sensitive Information

4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DHCP - Dynamic Host Configuration Protocol
HTTPS - HyperText Transfer Protocol Secure
IP - Internet Protocol
NTP - Network Time Protocol
PCS - Process Control Systems
PAN - Process Automation Network
PKI - Public Key Infrastructure
RDP/TSE - Remote Desktop Protocol / Terminal Services
SSH - Secure Shell
SNMP - Simple Network Management Protocol
TLS/SSL - Transport Layer Security / Secure Sockets Layer


4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. Wherever there are
assets worth protecting, some form of authentication exists. The initial step in
protecting systems and information is authentication, which identifies who is
requesting access.
Process Automation Systems (PAS): PAS include Networks and Systems
hardware and software such as Process Automation Network (PAN), Distributed
Control Systems (DCSs), Emergency Shutdown Systems (ESD), Programmable
Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA)
systems, Terminal Management Systems (TMS), networked electronic sensing
systems, and monitoring (such as VMS AND PMS), diagnostic, and related
industrial automation and control systems. PAS also include associated internal,
human, network, or machine interfaces used to provide control, safety,
maintenance, quality assurance, and other process operations functionalities to
continuous, batch, discrete, and combined processes.
Logs: Files or prints of information in chronological order.
PAN: Process Automation Network, sometimes referred to as Plant Information
Network (PIN), is a plant-wide network (switches, routers, firewalls, computers,
etc.) interconnecting the process control systems and providing an interface to the
corporate network.
PAN Administrator: The Process Automation Networks (PAN) Administrator
administers and performs system configuration and monitoring, coordinating with
the Process Control System Administrator, if different, as designated by the plant
management. The PAN Administrator assumes ownership of the IA&CS including
the PAN Firewall and has the function of granting, revoking, and tracking access
privileges and communications of users on the ICS including the Firewall.
Password: A form of secret authentication data that is used to control access to
a resource. Password authentication determines authenticity by testing a device or
a user that requests access to a system for a secret such as a personal identification
number (PIN) or password. The password authentication scheme is the simplest
and most common mechanism.
Server: A dedicated un-manned data provider.


5 Background
5.1 Purpose
The following document highlights the P&CSD position regarding how to secure
the Remote Desktop Protocol / Terminal Services (RDP/TSE) traffic
communication within the Saudi Aramco Plants. The authentication mechanisms
enumerated take into account the inherent risk and the complexity of achievement.

SAEP-99 has new requirements to comply with in order to enable the RDP/TSE
capability within the plants. The protocol should be exclusively used within the
Plants with no impact on the IT Firewall side.

The Plants users whose accounts have been approved by their supervisors can use
the RDP/TSE. The appropriate permissions shall be granted accordingly. The
Process Automation Network (PAN) Administrators set and manage the list of the
approved users.

This document is applicable for standalone computers and servers. It should be
updated to include environments with Active Directory or a Domain Controller.

5.2 Applicability
As mentioned in this document, enabling Remote Desktop with TLS/SSL
authentication may need a wide range of pre-requisites such as setting up the
PKI infrastructure and dealing with the key management process.

In order to circumvent this complexity and provide a quick but risk-acceptable
solution, P&CSD recommends using RDP/TSE with the built-in encryption
capability alongside the mitigation controls.

It is a quick win that compensates for the complexity, the maturity of the Plants'
systems and networks infrastructure, and the applicability of the additional controls.

The maturity level provides a simple metric for the level of control implementation.
It is composed of the following values:

- None: The mechanism is not integrated.
- Partial: The mechanism can be implemented with moderate effort
  (security controls, mitigations).
- Complete: Documentation, controls and security settings are set up and
  fit the whole context. The mechanism can be implemented with low effort.


Authentication mechanism          Plants Maturity Level
TLS/SSL Infrastructure            None
Built-in Microsoft encryption     Partial

6 Risk Assessment

6.1 Risk classification

The best practice may refer to the following Open Standards for risk classification
and categorization:

The security threats are reported using their CVEs [1]. Common Vulnerabilities and
Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for
publicly known information security vulnerabilities. CVE's common identifiers make
it easier to share data across separate network security databases and tools, and
provide a baseline for evaluating the coverage of an organization's security tools.

This advisory relies on the open framework CVSS [2] (Common Vulnerability Scoring
System) to provide a quantitative impact scoring for the reported vulnerabilities and
exposures. The CVSS consists of 3 groups: Base, Temporal and Environmental. Each
group produces a numeric score ranging from 0 to 10, and a Vector, a compressed
textual representation that reflects the values used to derive the score. The following
advisory uses the CVSS model to calculate the severity and to prioritize the
remediation activities.

CPE [3] is a structured naming scheme for information technology systems,
software, and packages. Based upon the generic syntax for Uniform Resource
Identifiers (URI), CPE includes a formal name format, a method for checking names
against a system, and a description format for binding text and tests to a name.

[1] http://cve.mitre.org
[2] https://www.first.org/cvss
[3] https://nvd.nist.gov/cpe.cfm

Classification icons (images not reproduced): Low, Moderate, High
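The CVSS passage above describes the Base group as a vector plus a 0 to 10 score but does not show how the score is derived from the vector. The following added example (not part of SABP-Z-086) computes a CVSS v2 base score from a base vector string using the metric weights and equations published in the CVSS v2 guide at https://www.first.org/cvss. The page does not state which CVSS version it uses, so v2 is an assumption here, as is the mapping of score bands to the page's Low / Moderate / High classification (the NVD v2 bands 0-3.9, 4.0-6.9 and 7.0-10.0 are used).

```powershell
# Added example, not from SABP-Z-086: CVSS v2 base score from a vector string.
function Get-CvssV2BaseScore {
    param([Parameter(Mandatory)][string]$Vector)   # e.g. 'AV:N/AC:L/Au:N/C:C/I:C/A:C'

    # Metric weights from the CVSS v2 guide (Access Vector, Access Complexity,
    # Authentication, and Confidentiality / Integrity / Availability impact)
    $w = @{
        AV = @{ L = 0.395; A = 0.646; N = 1.0   }
        AC = @{ H = 0.35;  M = 0.61;  L = 0.71  }
        Au = @{ M = 0.45;  S = 0.56;  N = 0.704 }
        C  = @{ N = 0.0;   P = 0.275; C = 0.660 }
        I  = @{ N = 0.0;   P = 0.275; C = 0.660 }
        A  = @{ N = 0.0;   P = 0.275; C = 0.660 }
    }

    # Parse "Metric:Value" pairs and reject anything outside the v2 base metrics
    $m = @{}
    foreach ($part in $Vector.Split('/')) {
        $k, $v = $part.Split(':')
        if (-not $w.ContainsKey($k) -or -not $w[$k].ContainsKey($v)) { throw "Unknown metric '$part'" }
        $m[$k] = $w[$k][$v]
    }
    foreach ($req in 'AV', 'AC', 'Au', 'C', 'I', 'A') {
        if (-not $m.ContainsKey($req)) { throw "Vector is missing metric $req" }
    }

    # CVSS v2 base equations
    $impact         = 10.41 * (1 - (1 - $m.C) * (1 - $m.I) * (1 - $m.A))
    $exploitability = 20 * $m.AV * $m.AC * $m.Au
    $fImpact        = if ($impact -eq 0) { 0 } else { 1.176 }
    $base           = ((0.6 * $impact) + (0.4 * $exploitability) - 1.5) * $fImpact
    $score          = [math]::Round($base, 1, [System.MidpointRounding]::AwayFromZero)

    [pscustomobject]@{
        Vector         = $Vector
        Impact         = [math]::Round($impact, 1, [System.MidpointRounding]::AwayFromZero)
        Exploitability = [math]::Round($exploitability, 1, [System.MidpointRounding]::AwayFromZero)
        BaseScore      = $score
        # Assumed mapping of NVD v2 bands onto the page's three classifications
        Classification = if ($score -ge 7.0) { 'High' } elseif ($score -ge 4.0) { 'Moderate' } else { 'Low' }
    }
}

# Worked case: a remotely exploitable flaw needing no authentication with complete
# impact on confidentiality, integrity and availability scores 10.0 (High).
Get-CvssV2BaseScore -Vector 'AV:N/AC:L/Au:N/C:C/I:C/A:C' | Format-List
```

For the vector in the worked case, Impact evaluates to 10.0, Exploitability to 10.0 and the base score to 10.0, which is the ceiling of the scale; a vector with only partial impacts and adjacent-network access, for example AV:A/AC:M/Au:S/C:P/I:P/A:N, lands in the Low band.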


6.2 The attack vectors and the mitigations

RDP/TSE is used to perform administration tasks and support operations on
remote computers and servers. A misunderstanding of the security rules can expose
the industrial infrastructure to different levels of risk. The following table
highlights a few attack vectors to be addressed in order to mitigate the associated
risks:

Attack Vector / Likelihood / Mitigation
(the Likelihood column was shown as a classification icon and is not reproduced)

Attack Vector: "Pass the Hash"
Mitigation: Mitigated by enabling a dedicated account to be used only for RDP
access. The generic account should comply with the whole set of directives
depicted in SAEP-99. This will prevent the reuse of a highly privileged
administrative account (usually the PAN admin password).

Attack Vector: The memory hash extraction
Mitigation: Mitigated by always prompting the client for the password upon
connection. This will prevent the user from saving the password (hash) on the
client computer and avoids its extraction and reuse to pivot to other computers
using RDP.

Attack Vector: Common attacks based on viruses or malware
Mitigation:
- Reduce the attack surface: Mitigated by allowing only the authorized IPs to
  access remote desktop, using firewalls or IP whitelisting. Automated attacks
  based on IPs will be mitigated since they are not generated from the authorized
  computer (usually the PAN Admin computer or a dedicated administration
  computer).
- Change the default TCP configuration: The terminal services use TCP port
  3389 by default. Modifying this value may fool automated exploits and attacks
  (brute force, protocol exploits ...). This technique may not be efficient against
  targeted attacks.

Attack Vector: Man in the Middle attacks
Mitigation: Enabling the encryption makes the protocol at least more secure than
using it with the defaults. However, due to the implementation of the protocol
itself in Windows XP, authentication using a certificate is not supported natively
(not a built-in feature). Therefore, RDP is prohibited from being used through the
Plant firewall, as stated in SAEP-99.

7 Different RDP/TSE authentication approaches

7.1 TLS/SSL authentication
TLS/SSL authentication is a slightly complex process since it requires many
pre-requisites to be aware of. From the server side perspective, the most
important requirements are the TLS/SSL certificate and the key management
workflow (the process to generate, manage, exchange and revoke the keys).
There are 3 ways to deal with the computer-based TLS/SSL certificate on the
Terminal Server [4]:

1. Generating a self-signed certificate, which does not require a PKI
infrastructure or CA (Certificate Authority). This can be achieved using a
Microsoft tool called SelfSSL.exe included within the IIS 6.0 Resource Kit. This
method is very easy but less secure since the certificate is self-signed and not
trusted by a CA. The tool can be obtained freely from the Microsoft website [5].
The installation, deployment and use of SelfSSL.exe are not part of this document.

2. Obtaining an SSL certificate from a trusted third party entity (commonly
called TTP) such as Verisign, Thawte, Comodo, DigiCert, GeoTrust etc. This
method has a cost but is efficient since the major TTPs have a good reputation
(not all [6]). However, the enrollment process could be tedious because the
Plants are not connected to the Internet, so the deployment and installation must
be manual, from key generation to importing and deployment.

[4] Running at least Windows Server 2003 SP1.
[5] http://support.microsoft.com/kb/840671

3. Using the Saudi Aramco CA (Certificate Authority) infrastructure built
around Microsoft Certificate Services, which is the best approach in terms of
cost and usability since the key management is enrolled internally. However,
the deployment may be hard to achieve through the Data Diode.

7.2 RDP built-in 128 bit encryption

RDP/TSE also comes with a native built-in feature to encrypt the traffic.
Nevertheless, the protocol gives no guarantee that the identity of the RD Session
Host server that initiates the communication can be verified.

That verification is the enhancement discussed previously with the TLS/SSL
transport, which allows the appropriate authentication. From a risk perspective,
the RDP 128-bit RC4 algorithm is less secure than SSL for the reasons already
mentioned:

- No guarantee to verify the session host server
- Possibility to perform attacks such as Man in the Middle
- The encryption algorithm is not efficient

Nevertheless, the solution should be considered and evaluated together with the
associated implementation conditions such as: complexity, compensatory controls
and the threats addressed within the Plants.

[6] The DigiNotar intrusion case and issuance of fake public keys.
http://www.esecurityplanet.com/browser-security/fraudulent-ssl-cert-for-google-revoked.html


8 Remote Desktop Implementation

Following are the steps to leverage the encryption and apply the mitigation controls to
reduce the risk mentioned previously.

8.1 Activation
Enable the RDP if disabled (Only Remote Desktop. Ignore Remote Assistance)


8.2 User accounts restriction

Create a new generic user with permissions only to perform remote desktop
connections, compliant with all SAEP-99 directives for passwords and user
accounts (lockout policy, logging ...) [7]. This will prevent remote use of the
PAN Admin privileged administrative credentials.

Limit the users who can connect remotely: click on Select Remote Users to
specify the users.

Re-check the following settings for RDP to ensure that other default users are not
allowed to connect. Go to Programs - Administrative Tools - Local Security
Policy. Under Local Policies - User Rights Assignment, look for "Allow logon
through Terminal Services".

[7] Please refer to the Hardening Best Practices associated with each Operating System


Remove all users and ensure only the approved logins you have created for this
purpose are reflected in "Allow logon through Terminal Services".


8.3 Setting the encryption

Enable the encrypted channel by starting "%SystemRoot%\system32\gpedit.msc /s"
to get the Group Policy Editor, then switch to Computer Configuration -
Administrative Templates - Windows Components - Terminal Services -
Encryption and Security.

Change the "Set client connection encryption level" from "Not Configured" to
"Enabled" and "High Level" to force the client to use 128-bit security. This
protects your passwords as well as anything transmitted during your terminal
services session.


8.4 Additional controls

8.4.1 Authorized RDP clients
RDP/TSE should be authorized only to approved users, in full compliance with
SAEP-99 requirements. PAN administrators' computers or servers must also be
hardened and secured.

8.4.2 Prompt for password
Always prompt for the password to prevent the remote user from saving the
credential on the client computer. This can be done by enabling "Always prompt
client for password upon connection".

8.4.3 Change default TCP port
It is possible to reduce the attack surface by modifying the default port from
3389 to another value (33389 for example). This can be done through the
Registry setting

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber


8.4.4 Local Windows Firewall and IP whitelisting

As mentioned in the attack vectors table, remote desktop should be authorized
only to legitimate computers such as the PAN Admin computer or the
administrative server. To enable the Windows firewall rules and whitelisting, see
the following instructions:


Click EDIT if you are still using the default TCP port 3389.

Once done, you need to provide the list of authorized IPs. This is done by
clicking on "Change Scope" and then typing the IPs in the Custom list.


8.4.5 Monitor the log files

Monitoring the logs is useful to check for failed logon attempts or lockouts.

Navigate to Local Computer Policy | Computer Configuration | Windows Settings |
Security Settings | Local Policies | Audit Policy | Audit logon events.

Following are the recommended audit settings. They should not conflict with the
Hardening documentation controls. If any conflict occurs, the most restrictive
setting shall be applied and P&CSD advised.


Events                            Recommended Settings
Audit Account Logon Events        Not Auditing Success and Failure
Audit Account Management          Audit Success and Failure
Audit Directory Services Access   No Auditing
Audit Logon Events                Audit Success and Failure
Audit Object Access               Audit Failure
Audit Policy Change               Audit Success and Failure
Audit Privilege Use               Audit Success and Failure
Audit Process Tracking            Audit Failure
Audit System Events               Audit Success and Failure
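Sections 8.1 through 8.4.5 describe the same settings as a sequence of GUI steps. The following added example (not part of SABP-Z-086 and not a Saudi Aramco tool) applies the equivalent settings from an elevated PowerShell prompt and then reports whether each one is in the expected state, which is the check a PAN administrator would want before signing off a host. It assumes Windows 10 / Server 2016 or later with PowerShell 5.1 (the LocalAccounts and NetSecurity modules and auditpol); the account name rdp-generic, the port 33389 and the client address 10.10.1.5 are placeholders, the registry value names (fDenyTSConnections, MinEncryptionLevel, fPromptForPassword, PortNumber) are the standard Terminal Server values, and the policy key under HKLM\SOFTWARE\Policies is where gpedit.msc writes the two settings of sections 8.3 and 8.4.2. The "Allow logon through Terminal Services" user right of section 8.2 is not touched here; it stays a Local Security Policy step.

```powershell
# Added example, not from SABP-Z-086: apply and verify the section 8 RDP settings.
$RdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$TcpKey    = "$RdpKey\WinStations\RDP-Tcp"
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RuleName  = 'RDP (restricted to authorized clients)'   # constructed rule name

function Invoke-RdpHardening {
    param(
        [int]$Port = 33389,                           # 8.4.3 non-default listener port (placeholder)
        [string[]]$AllowedClients = @('10.10.1.5'),   # 8.4.4 PAN Admin address (placeholder)
        [string]$RdpAccount = 'rdp-generic'           # 8.2 dedicated RDP-only account (placeholder)
    )
    # 8.1 enable Remote Desktop only; Remote Assistance is left as it is
    Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value 0 -Type DWord

    # 8.2 the generic account becomes the only member of Remote Desktop Users
    if (-not (Get-LocalUser -Name $RdpAccount -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for $RdpAccount (per SAEP-99 policy)"
        New-LocalUser -Name $RdpAccount -Password $pw -Description 'RDP access only' | Out-Null
    }
    Get-LocalGroupMember -Group 'Remote Desktop Users' |
        Where-Object { $_.Name.Split('\')[-1] -ne $RdpAccount } |
        ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name }
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpAccount -ErrorAction SilentlyContinue

    # 8.3 / 8.4.2 High encryption level and "always prompt for password", written to the
    # policy key so they override the listener defaults the same way gpedit.msc does
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name MinEncryptionLevel -Value 3 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name fPromptForPassword -Value 1 -Type DWord

    # 8.4.3 listener port; TermService must restart before it listens there
    Set-ItemProperty -Path $TcpKey -Name PortNumber -Value $Port -Type DWord

    # 8.4.4 a single inbound rule scoped to the authorized clients; the built-in
    # "Remote Desktop" rules (any source) are disabled so they cannot widen the scope
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $AllowedClients -Action Allow | Out-Null
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule

    # 8.4.5 audit categories following the recommended settings table (the table's
    # entry for Account Logon Events is left at the host's current value)
    $audit = @{
        'Logon/Logoff'       = '/success:enable /failure:enable'
        'Account Management' = '/success:enable /failure:enable'
        'Policy Change'      = '/success:enable /failure:enable'
        'Privilege Use'      = '/success:enable /failure:enable'
        'System'             = '/success:enable /failure:enable'
        'Object Access'      = '/success:disable /failure:enable'
        'Detailed Tracking'  = '/success:disable /failure:enable'
        'DS Access'          = '/success:disable /failure:disable'
    }
    foreach ($cat in $audit.Keys) { auditpol /set /category:"$cat" ($audit[$cat] -split ' ') | Out-Null }

    Restart-Service TermService -Force   # note: disconnects any active RDP session
}

function Get-RdpHardeningStatus {
    param([int]$ExpectedPort = 33389, [string]$RdpAccount = 'rdp-generic')
    $tcp = Get-ItemProperty -Path $TcpKey
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    # effective value: the policy key when it carries the value, otherwise the listener key
    $enc    = if ($pol -and $pol.PSObject.Properties['MinEncryptionLevel']) { $pol.MinEncryptionLevel } else { $tcp.MinEncryptionLevel }
    $prompt = if ($pol -and $pol.PSObject.Properties['fPromptForPassword']) { $pol.fPromptForPassword } else { $tcp.fPromptForPassword }
    $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object { $_.Name.Split('\')[-1] })
    $rule    = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $scope   = if ($rule) { @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) } else { @() }

    $rows = @(
        @{ Setting = 'fDenyTSConnections (0 = RDP on)'; Expected = 0;              Actual = (Get-ItemProperty -Path $RdpKey).fDenyTSConnections }
        @{ Setting = 'MinEncryptionLevel (3 = High)';   Expected = 3;              Actual = $enc }
        @{ Setting = 'fPromptForPassword';              Expected = 1;              Actual = $prompt }
        @{ Setting = 'PortNumber';                      Expected = $ExpectedPort;  Actual = $tcp.PortNumber }
        @{ Setting = 'Remote Desktop Users members';    Expected = $RdpAccount;    Actual = ($members -join ', ') }
        @{ Setting = 'Firewall remote scope';           Expected = 'explicit IPs'; Actual = ($scope -join ', ') }
    )
    foreach ($r in $rows) {
        $ok = switch ($r.Setting) {
            'Remote Desktop Users members' { $members.Count -eq 1 -and $members[0] -eq $RdpAccount }
            'Firewall remote scope'        { $scope.Count -gt 0 -and $scope -notcontains 'Any' }
            default                        { "$($r.Actual)" -eq "$($r.Expected)" }
        }
        [pscustomobject]@{ Setting = $r.Setting; Expected = $r.Expected; Actual = $r.Actual; Compliant = $ok }
    }
}

Get-RdpHardeningStatus | Format-Table -AutoSize
```

Run Invoke-RdpHardening first on a host where an interactive console is available, since restarting TermService drops the RDP session you would otherwise be working from; Get-RdpHardeningStatus is read-only and can be scheduled as a periodic compliance check. The status report deliberately reads the effective values (policy key first, listener key second) rather than trusting what was written, so drift introduced later through the GUI shows up as Compliant = False.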

Whenever an account connects to the computer using Remote Desktop, an event will be
created in the “Security Event Log” as Event 528 with Logon Type 10.


The following table depicts the possible logon types:

Type  Description
2     Interactive (logon at keyboard and screen of system)
3     Network (i.e. connection to a shared folder on this computer from elsewhere on the
      network, or IIS logon)
4     Batch (i.e. scheduled task)
5     Service (service startup)
7     Unlock (i.e. unattended workstation with password-protected screen saver)
8     NetworkCleartext (logon with credentials sent in clear text; most often indicates a
      logon to IIS with "basic authentication")
9     NewCredentials
10    RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11    CachedInteractive (logon with cached domain credentials, such as when logging on
      to a laptop when away from the network)
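The text above says what to look for (the Remote Desktop logon event with Logon Type 10) but not how to turn the log into a finding. The following added example (not part of SABP-Z-086) parses the Security log's logon events, keeps the Logon Type 10 entries, and raises two findings that follow directly from section 8.4.4 and 8.4.5: sessions from addresses outside the authorized list, and repeated failures against one account from one source. It assumes Windows Vista / Server 2008 or later, where the legacy event 528 named on the page is recorded as 4624 (success) and failed logons as 4625, with the Logon Type values unchanged. The sample events at the end are constructed for the example, not captured from a plant host, so the parser and the rules can be exercised offline; the live path is Get-RdpLogonSummary.

```powershell
# Added example, not from SABP-Z-086: RDP logon review from the Security log.

# Turn one Security event (as XML) into a flat record. Field names are the
# standard EventData names of events 4624 / 4625.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $x = [xml]$Xml
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $id = [int]$x.SelectSingleNode("//*[local-name()='EventID']").InnerText
    [pscustomobject]@{
        Time      = [datetime]$x.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')
        EventId   = $id
        LogonType = [int]$d['LogonType']
        Outcome   = if ($id -eq 4624) { 'Success' } else { 'Failure' }
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        SourceIp  = $d['IpAddress']
        Status    = $d['Status']          # present on 4625 only (NTSTATUS of the failure)
    }
}

# Live query: Remote Desktop logons (Logon Type 10) over the last N hours.
# Caveat: with Network Level Authentication enabled, failed attempts can be logged
# as type 3 before a type 10 session exists; widen the filter if NLA is in use.
function Get-RdpLogonSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = @(4624, 4625); StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LogonEventXml -Xml $_.ToXml() } |
        Where-Object { $_.LogonType -eq 10 }
}

# Findings: any RDP activity from a non-authorized source (section 8.4.4), and
# repeated failures per account and source (lockout / guessing indicator, 8.4.5).
function Find-RdpAnomalies {
    param([pscustomobject[]]$Logons, [string[]]$AllowedClients, [int]$FailureThreshold = 5)
    $unknown = @($Logons | Where-Object { $AllowedClients -notcontains $_.SourceIp })
    $bursts  = @($Logons | Where-Object { $_.Outcome -eq 'Failure' } |
                Group-Object Account, SourceIp | Where-Object { $_.Count -ge $FailureThreshold })
    [pscustomobject]@{ UnauthorizedSources = $unknown; RepeatedFailures = $bursts }
}

# Constructed sample events for an offline run (hostname, addresses and times invented)
function New-SampleLogonXml([int]$Id, [string]$User, [string]$Ip, [string]$Time, [string]$Status = '') {
    $st = if ($Status) { "<Data Name=""Status"">$Status</Data>" } else { '' }
    "<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event""><System><EventID>$Id</EventID>" +
    "<TimeCreated SystemTime=""$Time""/></System><EventData><Data Name=""TargetUserName"">$User</Data>" +
    "<Data Name=""TargetDomainName"">PANHOST01</Data><Data Name=""LogonType"">10</Data>" +
    "<Data Name=""IpAddress"">$Ip</Data>$st</EventData></Event>"
}
$sample = @(
    New-SampleLogonXml 4624 'rdp-generic'   '10.10.1.5'  '2016-04-20T06:02:11Z'
    New-SampleLogonXml 4625 'rdp-generic'   '10.10.9.77' '2016-04-20T08:15:30Z' '0xc000006d'
    New-SampleLogonXml 4625 'rdp-generic'   '10.10.9.77' '2016-04-20T08:15:41Z' '0xc000006d'
    New-SampleLogonXml 4624 'administrator' '10.10.9.77' '2016-04-20T08:16:05Z'
)
$logons = $sample | ForEach-Object { ConvertFrom-LogonEventXml -Xml $_ }
Find-RdpAnomalies -Logons $logons -AllowedClients '10.10.1.5' -FailureThreshold 2 | Format-List
```

On the constructed sample the report lists three events from 10.10.9.77 as UnauthorizedSources (two failures and one successful logon as administrator, the latter being exactly the privileged-credential reuse section 8.2 aims to prevent) and one RepeatedFailures group for rdp-generic from that address. Against a live host, replace the sample with `$logons = @(Get-RdpLogonSummary -Hours 24)` and pass the plant's real authorized client list.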
