1. Introduction
Microsoft Remote Desktop Web Access Detection indicates the presence of a web interface used for deploying operating systems and accessing RemoteApp and Desktop Connection through a browser. This application, if exposed to the internet, can be targeted by attackers attempting unauthorised access to internal resources. Affected systems are typically Windows servers running the Remote Desktop Services role. A successful attack could compromise confidentiality, integrity, and availability of connected systems.
2. Technical Explanation
Remote Desktop Web Access allows users to connect to remote desktops and applications via a web browser without needing a dedicated Remote Desktop client. The application is often left exposed due to misconfiguration or oversight during server deployment. An attacker could exploit this exposure to gain access to the underlying system, potentially leading to further compromise of the network.
- Root cause: The web interface for RDWA is accessible over a public network without sufficient security measures.
- Exploit mechanism: An attacker can attempt brute-force attacks or exploit known vulnerabilities in the RDWA service to gain access to the server and connected resources. For example, an attacker could use default credentials if they haven’t been changed.
- Scope: Windows Server 2008 R2 and 2008 are primarily affected.
3. Detection and Assessment
To confirm whether a system is vulnerable, first check for the presence of the RDWA service. Then perform a more thorough scan to identify any open ports or vulnerabilities associated with it.
- Quick checks: Use PowerShell to list installed roles and features. Look for “Remote Desktop Services” and specifically “Remote Desktop Web Access”.
- Scanning: Nessus plugin ID 139827 can detect exposed RDWA instances. This is an example only; other scanners may provide similar coverage.
- Logs and evidence: Check the IIS logs (typically located in %SystemDrive%\inetpub\logs\LogFiles) for requests to the RDWA virtual directory. Look for unusual activity or access attempts.
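The quick check and the IIS log review above, combined into one script as an added example (not from the original advisory). It assumes the default role layout, feature name RDS-Web-Access and IIS application path /RDWeb, and the log lines it parses are constructed sample data; point it at your own W3C logs in production.

```powershell
# Added example, not from the original advisory: check for the RD Web Access role
# service and IIS application, then parse IIS W3C log lines for requests to the
# RDWeb path and flag client IPs with repeated 401/403 responses.
# Assumes the default role layout (feature RDS-Web-Access, IIS path /RDWeb).
Import-Module ServerManager -ErrorAction SilentlyContinue
Import-Module WebAdministration -ErrorAction SilentlyContinue

# 1. Is the RD Web Access role service installed?
$feature = Get-WindowsFeature -Name RDS-Web-Access -ErrorAction SilentlyContinue
Write-Output ("RDS-Web-Access installed: {0}" -f [bool]$feature.Installed)

# 2. Is an RDWeb application published in IIS?
Get-WebApplication -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -like '/RDWeb*' } |
    ForEach-Object { Write-Output ("IIS application {0} -> {1}" -f $_.Path, $_.PhysicalPath) }

# 3. Parse W3C log lines; the column order comes from the #Fields: directive.
function Get-RdWebAuthFailures {
    param([string[]]$Lines, [int]$Threshold = 5)
    $fields = @()
    $failures = @{}
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line.StartsWith('#') -or $fields.Count -eq 0) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -notlike '/RDWeb*') { continue }          # only the RDWA virtual directory
        if (@('401', '403') -contains $row['sc-status']) {                 # failed/denied requests per client
            $failures[$row['c-ip']] = [int]$failures[$row['c-ip']] + 1
        }
    }
    $failures.GetEnumerator() |
        Where-Object { $_.Value -ge $Threshold } |
        ForEach-Object { New-Object PSObject -Property @{ ClientIP = $_.Key; Failures = $_.Value } }
}

# Constructed sample lines; in production use Get-Content "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1\*.log"
$sample = @(
    '#Software: Microsoft Internet Information Services 7.5',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status',
    '2024-01-10 08:00:01 10.0.0.5 GET /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 200',
    '2024-01-10 08:00:02 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 401',
    '2024-01-10 08:00:03 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 401',
    '2024-01-10 08:00:04 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 403',
    '2024-01-10 08:00:05 10.0.0.5 GET /RDWeb/Pages/en-US/Default.aspx - 443 CORP\alice 198.51.100.4 200',
    '2024-01-10 08:00:06 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 401'
)
Get-RdWebAuthFailures -Lines $sample -Threshold 3
```

Lower the threshold or widen the status list to suit your baseline; requests outside /RDWeb (the /owa/ line in the sample) are deliberately ignored.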
# List Remote Desktop Services role services and whether each is installed (requires the ServerManager module)
Get-WindowsFeature | Where-Object { $_.DisplayName -like "*Remote Desktop*" } | Select-Object Name, DisplayName, Installed
4. Solution / Remediation Steps
The following steps provide a precise method to disable or secure the RDWA service, mitigating the risk of unauthorised access.
4.1 Preparation
- Ensure you have administrator privileges and a rollback plan to re-enable RDWA if needed.
- A change window may be required depending on your environment and impact assessment. Approval from relevant stakeholders is recommended.
4.2 Implementation
- Step 1: Open IIS Manager.
- Step 2: Expand the server node in the Connections pane.
- Step 3: Right-click on “Sites” and select “Add Website”.
- Step 4: Remove the RDWA website if it exists.
- Step 5: If RDWA is a virtual directory, right-click on the parent website and select “Manage Website” > “Advanced Settings”.
- Step 6: Remove the RDWA virtual directory from the Applications list.
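Steps 1 to 6 scripted with a rollback point, as an added example that is not part of the original advisory. It assumes the default RD Web Access layout (application RDWeb under Default Web Site); pass -Site and -AppName if your deployment uses different names, and run with -WhatIf first.

```powershell
# Added example (not the advisory's own command): back up the IIS configuration,
# remove the RD Web Access application, optionally uninstall the role service,
# then verify. Assumes the default layout: application "RDWeb" under "Default Web Site".
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Site = 'Default Web Site',
    [string]$AppName = 'RDWeb',
    [switch]$RemoveRoleService   # also uninstall RDS-Web-Access; plan the restart separately
)
Import-Module WebAdministration
Import-Module ServerManager -ErrorAction SilentlyContinue

$app = Get-WebApplication -Site $Site -Name $AppName -ErrorAction SilentlyContinue
if (-not $app) {
    Write-Output "No application '$AppName' under '$Site'; nothing to remove."
    return
}

# Rollback point: IIS stores named backups under %SystemRoot%\System32\inetsrv\backup
$backup = "pre-rdweb-removal-$(Get-Date -Format yyyyMMdd-HHmmss)"
Backup-WebConfiguration -Name $backup | Out-Null
Write-Output "IIS configuration backed up as '$backup'; roll back with: Restore-WebConfiguration -Name $backup"

if ($PSCmdlet.ShouldProcess("$Site/$AppName", 'Remove IIS application')) {
    Remove-WebApplication -Site $Site -Name $AppName
    Write-Output "Removed application $Site/$AppName"
}

if ($RemoveRoleService -and $PSCmdlet.ShouldProcess('RDS-Web-Access', 'Uninstall role service')) {
    Uninstall-WindowsFeature -Name RDS-Web-Access -Restart:$false
}

# Post-fix check: the application path should no longer resolve
$left = Get-WebApplication -Site $Site -Name $AppName -ErrorAction SilentlyContinue
Write-Output ("Verification: application {0}/{1} still present = {2}" -f $Site, $AppName, [bool]$left)
```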
4.3 Config or Code Example
Before
After
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue and reduce the overall attack surface.
- Practice 1: Least privilege – limit access to sensitive services like RDWA to only authorised users.
4.5 Automation (Optional)
# PowerShell example to remove the RDWA website (use with caution)
# Import-Module WebAdministration   # provides Get-Website / Remove-Website
# Get-Website -Name "RDWA" | Remove-Website
# This command will delete the RDWA website; test thoroughly before use in production.
5. Verification / Validation
Confirm the fix by verifying that the RDWA service is no longer accessible from external networks and that related ports are closed.
- Post-fix check: Use PowerShell to list websites; confirm RDWA is not present.
- Re-test: Scan the system again using Nessus plugin ID 139827; it should no longer report a vulnerability.
- Smoke test: Verify that other Remote Desktop Services functionality (e.g., RDP client connections) remains operational.
Get-Website -Name "RDWA" # Should return no results
6. Preventive Measures and Monitoring
Implement preventive measures such as regular security baselines and automated checks in your CI/CD pipelines to avoid similar issues in the future.
- Baselines: Update a Windows Server security baseline or Group Policy Object (GPO) to disable RDWA by default.
- Asset and patch process: Review server configurations regularly as part of a vulnerability management program.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Users may be unable to connect remotely via the web interface if RDWA is removed without providing an alternative solution.
- Risk or side effect 2: Removing a website in IIS can cause service disruption if not done carefully.
- Roll back:
- Step 1: Open IIS Manager.
- Step 3: Start the “Remote Desktop Services” service if it was stopped.
8. References and Resources
- Vendor advisory or bulletin: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731923(v=ws.11)
- NVD or CVE entry: Not applicable; this is an informational detection finding rather than a CVE-tracked vulnerability.
- Product or platform documentation relevant to the fix: https://docs.microsoft.com/en-us/windows-server/remote-desktop-services/deploy-rdwa