RDP. The three letter game.
As you know, the Remote Desktop Protocol (RDP) allows you to connect remotely to computers running Windows and is available to any Windows user, as long as they do not have the Home version, where there is only an RDP client, but not a host. It is a convenient, efficient and practical tool for remote access for administration purposes or everyday work. Recently, it has caught the eye of miners who use RDP for remote access to their farms. RDP support has been included in Windows since NT 4.0 and XP, but not everyone knows how to use it. Meanwhile, you can open the Microsoft Remote Desktop from Windows or Mac OS X computers, as well as from Android mobile devices or from iPhone and iPad.
If you properly understand the settings, then RDP will be a good means of remote access. It allows you not only to see the remote desktop, but also to use the resources of the remote computer, connect local disks or peripherals to it. In this case, the computer must have an external IP (static or dynamic), or it must be possible to "forward" the port from the router with an external IP address.
RDP servers are often used for collaboration in the 1C system, or users' workplaces are deployed on them, allowing them to connect to their workplace remotely. The RDP client allows you to work with text and image applications, and remotely receive some data from your home PC. To do this, you need to forward port 3389 on the router in order to access the home network via NAT. This also applies to setting up an RDP server in your organization.
RDP is considered by many to be an insecure method of remote access compared to using special programs such as RAdmin, TeamViewer, VNC, etc. Another prejudice is high RDP traffic. However, today RDP is no less secure than any other remote access solution (we will return to the security issue later), and with the help of settings, you can achieve high response speed and low bandwidth requirements.
How to protect RDP and configure its performance
Encryption and Security | Open gpedit.msc. In "Computer Configuration-Administrative Templates-Windows Components-Remote Desktop Services-Security", set the parameter "Require using a special security level for remote connections using the RDP method" and in "Security level" select "SSL TLS". In "Set encryption level for client connections", select "High". To enable the use of FIPS 140-1, go to "Computer Configuration-Windows Settings-Security Settings-Local Policies-Security Settings" and select "System Cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing". In the same "Computer Configuration-Windows Settings-Security Settings-Local Policies-Security Settings" section, the "Accounts: Allow empty passwords only for console login" option must be enabled. Check the list of users who can connect via RDP. |
Optimization | Open "Computer Configuration-Administrative Templates-Windows Components-Remote Desktop Services-Remote Session Environment". In "Maximum color depth", select 16 bits; this is enough. Uncheck "Force cancellation of remote desktop background". In "Setting an RDP compression algorithm", select "Optimize bandwidth usage". In "Optimize Visual Effects for Remote Desktop Services Sessions", set the value to "Text". Disable "Font Smoothing". |
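To check that the four security settings from the table actually took effect on a host, the following added example (not part of the original article) audits the text output of `reg query`. The registry keys and value names it checks (`SecurityLayer`, `MinEncryptionLevel`, `FipsAlgorithmPolicy\Enabled`, `LimitBlankPasswordUse`) are an assumption about where Windows stores these policies; the article names only the Group Policy entries.

```python
import re

TS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
# (key, value name) -> (minimum DWORD, setting from the table). Assumed mapping.
EXPECTED = {
    (TS, "SecurityLayer"): (2, "security level SSL TLS"),
    (TS, "MinEncryptionLevel"): (3, "client encryption level High"),
    (LSA + r"\FipsAlgorithmPolicy", "Enabled"): (1, "FIPS-compliant algorithms"),
    (LSA, "LimitBlankPasswordUse"): (1, "empty passwords only at console"),
}
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Parse `reg query` output into {(key, value_name): int}."""
    found, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()          # a key header starts a new section
        else:
            m = VALUE_RE.match(line)
            if m and key:
                found[(key, m.group(1))] = int(m.group(2), 16)
    return found

def audit(text):
    """Return a list of findings; an empty list means all four settings hold."""
    found = parse_reg_query(text)
    findings = []
    for (key, name), (minimum, label) in EXPECTED.items():
        actual = found.get((key, name))
        if actual is None:
            # An unconfigured policy leaves the value absent: report it.
            findings.append(f"{label}: {name} not set (policy not configured)")
        elif actual < minimum:
            findings.append(f"{label}: {name}={actual}, expected >= {minimum}")
    return findings

# Constructed sample: `reg query` output for the keys above, concatenated.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    SecurityLayer    REG_DWORD    0x1
    MinEncryptionLevel    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LimitBlankPasswordUse    REG_DWORD    0x1
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

In the sample the security layer is still negotiable (1) and the FIPS policy was never configured, so both are reported.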
Basic configuration is completed. How do I connect to a remote desktop?
Connecting to a remote desktop
To connect via RDP, you must have an account with a password on the remote computer, remote connections must be allowed in the system, and in order not to change access data with a constantly changing dynamic IP address, you can assign a static IP address in the network settings. Remote access is only possible on Windows Pro, Enterprise, or Ultimate computers.
To connect remotely to a computer, you need to allow the connection in "System Properties" and set a password for the current user, or create a new user for RDP. Users of regular accounts do not have the right to provide their own computer for remote management. The administrator can grant them this right. An obstacle to using the RDP protocol may be its blocking by antivirus programs. In this case, RDP should be allowed in the settings of antivirus programs.
It is worth noting the peculiarity of some server operating systems: if the same user tries to log in to the server locally and remotely, the local session is closed and the remote one opens in the same place. Conversely, logging in locally will close the remote session. If you log in locally under one user and remotely under another, the system will terminate the local session.
An RDP connection is made between computers located on the same local network or over the Internet, but this requires additional actions – forwarding port 3389 on the router, or connecting to a remote computer via VPN.
To connect to a remote desktop in Windows 10, you can allow remote connection in Settings-System-Remote Desktop and specify the users to grant access to, or create a separate user to connect to. By default, the current user and administrator have access. On the remote system, run the connection utility.
Press Win+R, type MSTSC, and press Enter. In the window, enter the IP address or computer name, select "Connect", enter the user name and password. The remote computer screen appears.
When connecting to a remote desktop via the Command line (MSTSC), you can set additional RDP parameters:
Parameter | Meaning |
/v:<server[:port]> | The remote computer that you are connecting to. |
/admin | Connecting to a session for server administration. |
/edit | Editing the RDP file. |
/f | Launch Remote Desktop in full screen mode. |
/w:<width> | Width of the remote desktop window. |
/h:<height> | Height of the remote desktop window. |
/public | Start the remote desktop in general mode. |
/span | Map the width and height of the remote desktop to the local virtual desktop and deploy to multiple monitors. |
/multimon | Configures the placement of RDP session monitors according to the current client-side configuration. |
/migrate | Migrating connection files from previous versions to new RDP files. |
For Mac OS, Microsoft has released an official RDP client that works stably when connected to any version of Windows. On Mac OS X, to connect to a Windows computer, you need to download the Microsoft Remote Desktop app from the App Store. You can use the "Plus" button to add a remote computer: enter its IP address, user name, and password. Double-clicking the remote desktop name in the list opens the Windows desktop.
On smartphones and tablets running Android and iOS, you need to install the Microsoft Remote Desktop application ("Microsoft Remote Desktop") and run it. Select "Add" and enter the connection parameters: the computer's IP address, login and password to log in to Windows. Another way is to forward port 3389 on the router to the computer's IP address and connect to the router's public address with this port specified. This is done using the Port Forwarding option of the router. Select Add and enter:
Code:
Name: RDP
Type: TCP & UDP
Start port: 3389
End port: 3389
Server IP: The IP address of the computer to connect to.
What about Linux? RDP is a closed Microsoft protocol, and Microsoft does not release RDP clients for Linux, but you can use the Remmina client. For Ubuntu users, there are special repositories with Remmina and RDP.
The RDP protocol is also used for connecting to Hyper-V VMs. Unlike the hypervisor connection window, when connecting via RDP, the VM sees various devices connected to the physical computer, supports working with sound, gives a better image of the guest OS desktop, and so on.
With virtual hosting providers, Windows VPS servers are usually also available for connecting via the standard RDP protocol by default. When using the standard Windows operating system to connect to the server, just select "Start-Programs-Accessories-Remote Desktop connection" or press Win+R and type MSTSC in the window that opens. Enter the IP address of the VPS server in the window.
By clicking the "Connect" button, you will see a window with authorization fields.
To make sure that the server has access to USB devices and network printers connected to your PC, select "Show Settings" in the lower-left corner when connecting to the server for the first time. In the window, open the "Local Resources" tab and select the required parameters.
Using the option to save authorization data on a remote computer, you can save the connection parameters (IP address, username, and password) in a separate RDP file and use it on another computer.
You can also use RDP to connect to Azure VMs.
Configuring other remote access functionality
In the Remote computer connection window, there are tabs with configurable parameters.
Tab | Purpose |
"Screen" | Sets the screen resolution of the remote computer, i.e. the utility window after connection. You can set a low resolution and sacrifice color depth. |
"Local resources" | To save system resources, you can disable audio playback on the remote computer. In the Local devices and section, you can select the printer and other devices of the main computer that will be available on the remote PC, such as USB devices, memory cards, and external disks. |
Now back to RDP security.
How to hijack an RDP session?
Can I intercept RDS sessions? And how to protect yourself from this? The possibility of hijacking an RDP session in Microsoft Windows has been known since 2011, and a year ago the researcher Alexander Korznikov in his blog described in detail the methods of theft. It turns out that it is possible to connect to any running session in Windows (with any rights), being logged in under some other one.
Some techniques allow you to intercept a session without a username and password. You only need access to the NT AUTHORITY\SYSTEM command line. If you run tscon.exe as the SYSTEM user, you can connect to any session without a password. RDP doesn't ask for a password, it just connects you to the user's desktop. You can, for example, dump the server's memory and get user passwords. By simply launching tscon.exe with the session number, you can get the desktop of the specified user, without external tools. Thus, with a single command, we have a hacked RDP session. You can also use the utility psexec.exe, if it was pre-installed:
Code:
psexec -s \\localhost cmd
Alternatively, you can create a service that will connect the attacked account and launch it, after which your session will be replaced by the target one. Here are some notes on how far this allows you to go:
- You can connect to disconnected sessions. So if someone logged out a couple of days ago, you can just connect directly to their session and start using it.
- You can unlock locked sessions. So while the user is away from their workplace, you log in to their session and it is unlocked without any credentials. For example, an employee logs in to their account, then leaves after locking the account (but not logging out). The session is active and all applications will remain in the same state. If the system administrator logs in to his own account on the same computer, he gets access to the employee's account, and therefore to all running applications.
- If you have local administrator rights, you can attack an account with domain administrator rights, i.e. higher than the attacker's rights.
- You can connect to any session. If, for example, this is Helpdesk, you can connect to it without any authentication. If this is a domain administrator, you will become an administrator. With the ability to connect to disconnected sessions, you get an easy way to move around the network. Thus, attackers can use these methods both for penetration and for further movement within the company's network.
- You can use win32k exploits to get SYSTEM permissions, and then use this feature. If patches are not applied properly, this is available even to the average user.
- If you don't know what to track, you won't know what's going on at all.
- This method works remotely. You can run sessions on remote computers even if you are not logged in to the server.
Many server operating systems are affected by this threat, and the number of servers using RDP is constantly increasing. Windows 2012 R2, Windows 2008, Windows 10, and Windows 7 were found to be vulnerable. To prevent RDP sessions from being hijacked, we recommend using two-factor authentication. The updated Sysmon Framework for ArcSight and Sysmon Integration Framework for Splunk warn the administrator about running malicious commands to hijack the RDP session. You can also use the Windows Security Monitor utility to monitor security events.
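The kind of check such monitoring performs can be sketched over Sysmon process-creation records (Event ID 1). This is an added example, not part of the original article and not the rules shipped with the ArcSight or Splunk frameworks; it assumes the events were exported as one JSON object per line with Sysmon's field names, and the sample records are constructed.

```python
import json

SYSTEM = "NT AUTHORITY\\SYSTEM"

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Reason string if a Sysmon Event ID 1 record matches the text, else None."""
    if event.get("EventID") != 1:
        return None
    image = basename(event.get("Image", ""))
    args = event.get("CommandLine", "").lower().split()
    # tscon.exe run by an ordinary user prompts for a password; as SYSTEM it does not.
    if image == "tscon.exe" and event.get("User", "").upper() == SYSTEM:
        parent = basename(event.get("ParentImage", ""))
        how = "from a service" if parent == "services.exe" else f"from {parent}"
        return f"tscon.exe run as SYSTEM {how}"
    if image.startswith("psexec") and "-s" in args:
        return "psexec -s used to get a SYSTEM shell"
    return None

def detect(json_lines):
    """Return (time, host, reason) for each matching record; skip unparsable lines."""
    hits = []
    for line in json_lines.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue
        reason = classify(event)
        if reason:
            hits.append((event.get("UtcTime"), event.get("Computer"), reason))
    return hits

# Constructed sample records; field names follow Sysmon's process-creation event.
SAMPLE = r'''
{"EventID":1,"UtcTime":"2024-01-10 09:00:01","Computer":"TS01","User":"CORP\\alice","Image":"C:\\Windows\\System32\\tscon.exe","CommandLine":"tscon 1","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"UtcTime":"2024-01-10 09:05:12","Computer":"TS01","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\System32\\tscon.exe","CommandLine":"tscon 2","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"UtcTime":"2024-01-10 09:07:40","Computer":"TS02","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\System32\\tscon.exe","CommandLine":"tscon 3","ParentImage":"C:\\Windows\\System32\\services.exe"}
{"EventID":1,"UtcTime":"2024-01-10 09:09:03","Computer":"TS01","User":"CORP\\bob","Image":"C:\\Tools\\PsExec.exe","CommandLine":"psexec -s \\\\localhost cmd","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":3,"UtcTime":"2024-01-10 09:10:00","Computer":"TS01","User":"CORP\\bob","Image":"C:\\Windows\\System32\\mstsc.exe"}
'''

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(*hit, sep=" | ")
```

The first record, tscon.exe run by an ordinary user, is deliberately not reported: only the SYSTEM context gives the password-free connection described above.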
Finally, let's look at how to delete a remote desktop connection. This is a useful measure if you no longer need remote access, or if you want to prevent unauthorized users from connecting to the remote desktop. Open "Control Panel-System and Security-System". In the left column, click "Configure Remote access". In the "Remote Desktop" section, select "Do not allow connections to this computer". Now no one will be able to connect to you via remote desktop.
In conclusion, here are some more life hacks that can be useful when working with the remote desktop of Windows 10, and just for remote access.
- You can use OneDrive to access files on a remote computer.
- How to restart a remote PC in Win10? Press Alt+F4. A window opens.
An alternative option is the command line and the shutdown command.
If you specify the /i parameter in the shutdown command, a window will appear.
- In Windows 10 Creators Update, the "System" section has gained another subsection, where you can activate remote access to your computer from other operating systems, in particular, from mobile devices using the Microsoft Remote Desktop application.
- For various reasons, the RDP connection to the Windows Azure VM may not work. The problem may be with the remote desktop service on the VM, the network connection, or the remote desktop client on your computer. Some of the most common methods for solving the RDP connection problem are listed here.
- From the regular version of Windows 10, it is quite possible to make a terminal server, and then several users can connect to a regular computer via RDP and simultaneously work with it. As noted above, it is now popular for multiple users to work with the 1C file database. A tool that has proven itself well in Windows 7, RDP Wrapper Library by Stas', will help turn Windows 10 into a terminal server.
- You can use Parallels Remote Application Server (RAS) as a "human-facing RDP", but some of its features must be configured on the Windows Server side (or in the virtual machines that you use).
As you can see, there are many solutions and opportunities that open up remote access to a computer. It is no coincidence that most businesses, organizations, institutions, and offices use it. This tool is useful not only for system administrators, but also for managers of organizations, and remote access is also very useful for ordinary users. You can help a person who doesn't know how to fix or optimize the system without getting up from his chair, transfer data or get access to the necessary files while on a business trip or vacation anywhere in the world, work at an office computer from home, manage your virtual server, etc.
Good luck!