id: rdp-drive-redirection-allowed

info:
  name: Remote Desktop Users Can Redirect Drives
  author: princechaddha
  severity: medium
  description: Checks if Remote Desktop users are allowed to redirect local drives, which can pose a security risk.
  impact: |
    Allowing drive redirection during remote desktop sessions can expose sensitive files and data to remote users.
  remediation: |
    Disable drive redirection in Remote Desktop settings.
  tags: rdp,drive-redirection,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      New-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services' -Name 'fDisableCdm' -Value 1 -PropertyType 'DWord'

    matchers:
      - type: word
        words:
          - "fDisableCdm  : 0"
# digest: 4a0a0047304502205b6c0e50927bee80df46e24439e164d908b8dccb47d000e75850f79a2d3c7ccb022100ed235a919429c305313255215299c1c252a259c3ace09468f2d871313e5397ff:922c64590222798bb761d5b6d8e72950