Created on 09-03-2019 06:35 AM Edited on 05-24-2024 08:59 AM By akanibek
Description
This article describes how to ignore logons created by RDP sessions.
This is a useful feature for cases where Active Directory Administrators (or other users) require access to various computers across the network with their accounts.
Without an RDP override, the act of connecting to the remote desktop would overwrite the original user logon, removing that logon from the FSSO list.
That would result in blocked internet access due to a lack of policy match.
Scope
Windows Server 2022 Standard, Windows Server 2022 Datacenter, Windows Server 2019 Standard, Windows Server 2019 Datacenter, Windows Server 2019 Core, Windows Server 2016 Datacenter, Windows Server 2016 Standard, Windows Server 2016 Core, Windows Server 2012 Standard, Windows Server 2012 R2 Standard, Windows Server 2012 Core. (Technically this feature also worked on Windows Server 2008 and 2003, but those are no longer officially supported by Microsoft.)
FSSO standalone Collector Agent (DC Agent [optional]) since build 5.0.0253.
All currently supported Windows Servers are listed in FortiOS Release Notes -> Product Integration and support -> Fortinet Single Sign-On (FSSO).
Solution
There are two supported methods to solve this issue: an RDP override can be done by the Collector Agent if WinSec polling or WinSec with WMI polling is used, or by the DC Agent (this needs extra setup, described below).
Note:
While it is possible to use DC Agent mode, note that users will be limited to connecting via RDP by IP address.
The reason is that when a user connects via RDP by FQDN, the 'Disable RDP Override' option will not work as expected: the DC Agent is triggered with a logon event that indicates Kerberos authentication.
In that case the DC Agent cannot tell whether it is a normal user logon or an RDP logon, so the event cannot be dropped.
This would overwrite the original user logon.
When the user connects via RDP by IP address, the DC Agent is instead triggered with a logon event that indicates NTLM authentication, and if 'Disable RDP Override' is checked, the DC Agent will discard this event.
Important:
In an Active Directory environment where NTLM is completely disabled, 'Disable RDP Override' will not work under any circumstances.
DCAgent RDP override configuration:
Note that this is a Windows registry setting only; the option is not available in the DC Agent Configuration Utility (as of version 5.0.312, February 2024).
Under HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent, create a registry value called disable_rdp_override and set its value to 1.
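The registry step above as a script, added here as an example and not taken from the article or from Fortinet; it also checks the NTLM precondition stated under 'Important'. The key path and value name come from the article; the REG_DWORD type and the 'Network security: Restrict NTLM' policy value names (RestrictNTLMInDomain, RestrictReceivingNTLMTraffic) are assumptions.

```powershell
# Added example (not from the Fortinet article): set the DC Agent RDP override
# and check that NTLM is not fully denied on this domain controller.
$ErrorActionPreference = 'Stop'

$dcAgentKey = 'HKLM:\SOFTWARE\Fortinet\FSAE\DCAgent'   # path from the article
$valueName  = 'disable_rdp_override'                   # value name from the article

# 1. The key exists only where the DC Agent is installed; do not create it elsewhere.
if (-not (Test-Path $dcAgentKey)) {
    throw "Key $dcAgentKey not found - is the FSSO DC Agent installed on this DC?"
}

# 2. Create or update the value (idempotent), then read it back to confirm.
#    REG_DWORD is an assumption; the article only says "set its value to 1".
$existing = Get-ItemProperty -Path $dcAgentKey -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-ItemProperty -Path $dcAgentKey -Name $valueName -Value 1 -PropertyType DWord | Out-Null
} elseif ($existing.$valueName -ne 1) {
    Set-ItemProperty -Path $dcAgentKey -Name $valueName -Value 1
}
$current = (Get-ItemProperty -Path $dcAgentKey -Name $valueName).$valueName
Write-Host "$dcAgentKey\$valueName = $current (expected: 1)"

# 3. The override only triggers on an NTLM logon (RDP by IP address). If NTLM is
#    denied domain-wide, the override can never fire. The policy value names below
#    are assumptions based on the standard 'Restrict NTLM' security options.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$inDomain = (Get-ItemProperty -Path $lsaKey -Name 'RestrictNTLMInDomain' `
             -ErrorAction SilentlyContinue).RestrictNTLMInDomain          # 7 = Deny all
$incoming = (Get-ItemProperty -Path $lsaKey -Name 'RestrictReceivingNTLMTraffic' `
             -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic  # 2 = Deny all accounts
if ($inDomain -eq 7 -or $incoming -eq 2) {
    Write-Warning 'NTLM is denied on this domain controller; disable_rdp_override will have no effect.'
} else {
    Write-Host 'NTLM is not fully denied; RDP by IP address should produce the NTLM logon the override needs.'
}
```

Run it elevated on each domain controller that has the DC Agent installed, and remind users that the override only applies when they connect by IP address, as the article notes.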
Copyright 2024 Fortinet, Inc. All Rights Reserved.