Allow Remote Shell Access

  • Question

  • We are having a hard time understanding the "Allow Remote Shell Access" Windows 7 SP1 policy that SCM sets in its template.

    Can someone help us understand why the GPO is set to "Enabled" when the SCM countermeasure recommendation is to set it to Disabled?

    Is there any real reason to enable this on a Windows 7 machine?  Seems more like a server setting than a desktop/laptop configuration.

    Below is the data from the Windows 7 SP1 SCM template.  As you can see, MS and Customized values are set to Enabled, but it doesn't match the Countermeasure recommendation.  Way confusing.

    Default = Not Configured
    Microsoft = Enabled
    Customized = Enabled
    Severity = Critical

    This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands.

    Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec.

    Potential Impact:
    If you enable this policy setting, remote access is allowed to all supported shells to execute scripts and commands. If you disable or do not configure this policy setting, remote access is not allowed to all supported shells to execute scripts and commands.

    Configure Allow Remote Shell Access to Disabled.

    Friday, May 11, 2012 3:26 AM

All replies

  • Tech Fiend;

    I think you misunderstand the goals of our baselines; they are not intended to impose the most restrictive configuration possible. They suggest a combination of setting values that provide a high level of security while still taking into consideration manageability and usability. The countermeasure statements do not share that goal; they state the way to configure each setting in a restrictive manner. So there are many settings where the countermeasure statement contradicts what's in the baseline.

    It's enabled in our baseline because our baselines target enterprise environments where remote management of systems is a common requirement. We try to make it clear in the prose guides attached to the baselines in SCM that organizations should review the settings, as you are obviously doing, and adjust the settings to match their own requirements. So if your organization does not need the remote shell on client computers, then disable it :)


    Kurt Dillard

    Friday, May 11, 2012 4:46 PM