The system must be configured to prevent unsolicited remote assistance offers.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
WN08-CC-000058	WN08-CC-000058	WN08-CC-000058_rule		Medium

Description
Remote assistance allows another user to view or take control of the local session of a user. Unsolicited remote assistance is help that is offered by the remote user. This may allow unauthorized parties access to the resources on the computer.

STIG	Date
Windows 8 Security Technical Implementation Guide	2012-11-21

Details

Check Text ( C-WN08-CC-000058_chk )
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fAllowUnsolicited Type: REG_DWORD Value: 0 Offer remote assistance may be enabled on workstations if mitigations are in place. This must be documented with the IAO. Mitigations: -Users must be trained to include the following: -Users must know who they can accept an assistance offer from. The offer must be in response to a help desk request or confirmed with the help desk if an unsolicited offer comes through. -Users must know how to accept a request, allow view or control, and disconnect a remote assistance session. -Users must monitor the assistance activity at the workstation while it is occurring. -The support personnel allowed to offer assistance (helpers) must be limited and documented. -Port 3389 must be blocked at the perimeter to prevent other access. Accounts and groups authorized to offer remote assistance (helpers) are identified in the following registry key: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\ Each Account or group will be listed under a separate value name, with the value equaling the value name as in the following examples: Value Name: Administrators Type: REG_SZ Value: Administrators Value Name: TestUser Type: REG_SZ Value: TestUser

Check Text ( C-WN08-CC-000058_chk )

If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Subkey: \Software\Policies\Microsoft\Windows NT\Terminal Services\

Value Name: fAllowUnsolicited

Type: REG_DWORD
Value: 0

Offer remote assistance may be enabled on workstations if mitigations are in place. This must be documented with the IAO.

Mitigations:
-Users must be trained to include the following:
-Users must know who they can accept an assistance offer from. The offer must be in response to a help desk request or confirmed with the help desk if an unsolicited offer comes through.
-Users must know how to accept a request, allow view or control, and disconnect a remote assistance session.
-Users must monitor the assistance activity at the workstation while it is occurring.

-The support personnel allowed to offer assistance (helpers) must be limited and documented.

-Port 3389 must be blocked at the perimeter to prevent other access.

Accounts and groups authorized to offer remote assistance (helpers) are identified in the following registry key:

Registry Hive: HKEY_LOCAL_MACHINE
Subkey: \Software\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\

Each Account or group will be listed under a separate value name, with the value equaling the value name as in the following examples:

Value Name: Administrators
Type: REG_SZ
Value: Administrators

Value Name: TestUser
Type: REG_SZ
Value: TestUser

Fix Text (F-WN08-CC-000058_fix)
Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Remote Assistance -> "Configure Offer Remote Assistance" to "Disabled".