Remote Desktop, VDI & Kiosk Security #26

Open
vishantgawali1811 wants to merge 7 commits into OWASP:main from vishantgawali1811:main

Conversation

@vishantgawali1811


• 10.1 Remote Desktop (RDP) Security
• 10.2 Virtual Desktop Infrastructure (VDI) Security
• 10.3 Kiosk Mode Security

Added comprehensive documentation on Remote Desktop Protocol (RDP), Virtual Desktop Infrastructure (VDI), and Kiosk Mode, including security risks and controls.
Added new sections for Remote Desktop, VDI, and Kiosk Security.
@JeffreyShran

Collaborator

thanks @vishantgawali1811, I appreciate the submission, I can't help but notice that the tone and style of your submission is very different from the rest of the document. It would help the overall flow if you could revise it to better match the original style please.

I can't accept unusual characters like ↓ and emojis as they risk breaking the PDF document creation automation and if anyone is ingesting the document it might impact them too. I will take an action to create more detailed contributing instructions so that others know in the future.

Finally, each testing item should be written so that it is actionable by the reader, our audience is usually a tester of some sort. For example in the original document a controls description might read like: Verify that tokens and keys are not sent in plain text or otherwise easily decodable/decryptable by MITM attack, which is something a tester can actually test for, but yours say things like "Do not expose RDP to the Internet. Use VPN or jump server.".. a better way would be to say something like "Ensure that RDP is not exposed to the internet" and then in the text area underneath the control you would elaborate. The difference is subtle, I grant you, but by framing them in this way it makes the standard more usable in practical situations.

@JeffreyShran JeffreyShran self-requested a review November 10, 2025 11:42
@vishantgawali1811

Author

Thank you for the feedback! I completely understand your points regarding tone, formatting, and phrasing. I’ll revise my submission to match the original style and make the controls more actionable as per your examples. I’ll also remove any unusual characters to ensure smooth PDF generation. Appreciate your detailed guidance — I’ll make the necessary changes shortly.

…aracters, emojis, and ASCII art - Convert controls to actionable 'Verify that...' format - Add proper Testing Checklist table with L1/L2/L3 levels - Add comprehensive Control Group Definitions - Align formatting with other TASVS documents (04-09)
… - Add detailed RDP/VDI/Kiosk explanations and workflows - Include comprehensive risk and control tables - Remove special characters while keeping all original information - Maintain TASVS professional format matching other documents
@vishantgawali1811

Author

Hello! @JeffreyShran
I’ve updated all the details exactly as requested.
Kindly review the changes and let me know if everything looks correct or if anything needs to be adjusted.

Thank you!

@JeffreyShran

Collaborator

Thanks. Looks good on first glance. I will need some time to review properly, but wanted to ping you just to say I saw it and thanks! :)

@JeffreyShran

Collaborator

@vishantgawali1811 this is just a quick message to say I haven't forgotten you. But my review will have to happen next year now. I'm tied up with end of year stuff in my day to day. I apologise about the delay.

@vishantgawali1811

Author

Thanks for the update. I understand and appreciate you letting me know. Looking forward to it.

@matreurai

Collaborator

Hi guys,

Thanks for contributing to the project @vishantgawali1811 — there’s a lot of solid security guidance here.

That said, I don’t think this fits TASVS very well. TASVS is focused on testable security requirements of the thick client application itself, and most of the items in this PR (RDP/VDI hardening, firewall rules, MFA on remote access, hypervisors, physical kiosk controls, etc.) are environment or infrastructure concerns, not things the application can enforce or be tested against.

A simple way to look at it is: can this be validated by testing or reviewing the thick client? For most of these items, it depends entirely on how the app is deployed, not on the app itself.

These are good practices, but they’d fit better in a separate deployment or environment security guide rather than in TASVS. Happy to discuss splitting this out or reworking a small subset into application-level requirements if that helps.

Would you agree @JeffreyShran ?

Cheers,
