Secure RDP connection with SSL. Connecting to the terminal server console via Remote Desktop (RDP) What can you use remote access via RDP for?

In server versions of Windows OS, there is a great opportunity to use the credentials entered by the user earlier when logging in to their computer for connections. Thus, they do not have to enter a login and password each time they launch a published application or just remote desktop. This thing is called Single Sign On using technology CredSSP(Credential Security Service Provider).

Description

For this to work, the following conditions must be met:

  • The terminal server and the client that connects to it must be in a domain.
  • The terminal server must be configured on the OS Windows Server 2008 , Windows Server 2008 R2 or older version .
  • The following OS must be installed on the client computer: Windows XP SP3, Windows Vista , Windows Server 2008, Windows 7, Windows 8 or Windows Server 2008 R2.

For Windows XP SP3, additional movements are required. It is necessary to install a fix that will allow you to configure settings through group policies and for Windows XP SP3.
This fix (MicrosoftFixit50588.msi) can be downloaded both from and from our website:

First, set the security level on the terminal server to "Negotiate" mode:

We set up 2 parameters in it: Allow passing default credentials and Allow delegation of default credentials with NTLM-only server authentication

Allow delegation of default credentials with NTLM-only server authentication - only need to be configured if authentication on the terminal server does not occur using Kerberos or an SSL certificate.

We enter the server (servers) on which we want to let users in without re-entering the login and password. You can enter by mask, or you can enter separately. The manual is detailed.

After that, we apply the policy on the required computer(s) and check that users are allowed to enter the terminal servers specified in the policies above without entering a login and password.

There are cases when, when using RDP (Remote Desktop Protocol), you cannot see programs that are installed in the system tray, or errors and notifications simply do not appear. To decide this problem, you can connect to the terminal server in console mode via the same RDP.

Remote Desktop Protocol or RDP is a technology for remotely connecting to a computer (server) for direct control over a local network or the Internet. I have already talked about this technology in the video tutorial "Connecting to a computer via remote desktop".

Using any remote administration programs to connect to the desktop directly is not always convenient, for example, when the connection is unstable or the session time is limited. So in this article we will tell you about a simple thing that some colleagues may not have known.

When you use the Windows Remote Desktop (RDP) client as a means of connecting to a Windows Server 2003/2008/2012 computer running the Terminal Server service, you have the ability to connect to the server's console. Using this option, you can log into the server as if you were sitting right in front of it, rather than creating new sessions over a network connection. The fact is that when installing some programs remotely, problems may arise that will not allow you to do this from a terminal session, so you will need to log into the server through the console.

Enable remote access on your computer.

In order to set up remote access on the target computer, the owner or administrator must follow these steps (My Computer \ Properties \ Remote Access Settings \ Remote Access \ Allow connections from computers running any version of Remote Desktop).

If you want to allow only certain users or groups of users on your network into your computer, then you need to check the box "Allow connections from computers running Remote Desktop with Network Level Authentication (recommended)".

How to connect to remote desktop?

This is of course standard means Windows ( Start\All Programs\Accessories\Remote Desktop Connection)

Or via command Run (Win+ R) and enter the command mstsc. This is a faster way and is mainly used by admins and software developers, because. often have to connect to remote desktop servers.

How to connect to the remote desktop console?

To do this, in the window that appears, drive in the command:

Windows Server 2003 and Windows XP: mstsc /console

Windows Server 2008/2012 and Windows 7/8/8.1: mstsc /admin

Enter the name of the terminal server or computer.

And enter the credentials of a user who has rights to connect remotely.

Since RDP creates a virtual console by default, the connection does not occur to the session itself, but directly to the console (the main console-mouse/keyboard).

What's the difference between a simple remote desktop connection and a console connection?

Connecting via the console is available only to administrators and is in fact equivalent to a regular login. Whereas a simple rdp connection is a terminal session, respectively, then software, which resists running under a terminal session, may work quite well under a console.

In the first case, a new session (mstsc) is created, parallel to the existing one. In the second case, the connection is made to your desktop (within the framework of licenses for the terminal).

Surely, many of you have already heard and seen this abbreviation - it literally translates as Remote Desktop Protocol (RemoteDesktopprotocol). If someone is interested in the technical subtleties of this application layer protocol, they can read the literature, starting from the same Wikipedia. We will consider purely practical aspects. Namely, the one that this protocol Allows you to connect remotely to computers Windows control different versions using the built-in Windows Remote Desktop Connection tool.

What are the pros and cons of using the RDP protocol?

Let's start with the pleasant - with the pros. The advantage is that this tool, which is more correctly called ClientRDP, available to anyone Windows user both on the computer from which the remote control is to be controlled, and on those who want to open remote access to their computer.

Through a remote desktop connection, it is possible not only to see the remote desktop and use the resources of a remote computer, but also to connect local drives, printers, smart cards, etc. to it. Of course, if you want to watch a video or listen to music via RDP, this process is unlikely to give you pleasure, because. in most cases you will see a slideshow and the sound will most likely be interrupted. But, the RDP service was not developed for these tasks.

Another undoubted advantage is that the connection to the computer is carried out without any additional programs, which are mostly paid, although they have their advantages. Access time to the RDP server (which is your remote computer) is limited only by your desire.

There are only two minuses. One significant, the other not so much. The first and essential one is that in order to work with RDP, the computer to which the connection is made must have a white (external) IP, or it must be possible to “forward” the port from the router to this computer, which again must have an external IP. It will be static or dynamic - it does not matter, but it should be.

The second minus - not so significant - latest versions client stopped supporting 16-color color scheme. The minimum is 15bit. This greatly slows down the work on RDP when you connect over the stunted-dead Internet at a speed not exceeding 64 kilobits per second.

What can you use remote access via RDP for?

Organizations, as a rule, use RDP servers for collaboration in the 1C program. And some even deploy user jobs on them. Thus, the user, especially if he has traveling work, can, in the presence of 3G Internet or hotel / cafe Wi-Fi, connect to his workplace remotely and resolve all issues.

In some cases, home users may use remote access to their home computer to get some data from home resources. In principle, the remote desktop service allows you to fully work with text, engineering and graphic applications. With the processing of video and sound for the above reasons - it will not work, but still - this is a very significant plus. And you can also view resources closed by company policy at work by connecting to your home computer without any anonymizers, vpn and other evil spirits.

We prepare the Internet

In the previous section, we talked about the fact that in order to provide remote access via the RDP protocol, we need an external IP address. This service can be provided by the provider, so we call or write, or go to Personal Area and organize the provision of this address. Ideally, it should be static, but in principle, you can live with a dynamic one.

If someone does not understand the terminology, then the static address is permanent, and the dynamic one changes from time to time. In order to fully work with dynamic IP addresses, various services have been invented that provide dynamic domain binding. What and how, soon there will be an article on this topic.

We prepare the router

If your computer is not connected directly to the provider's wire to the Internet, but through a router, we will also have to perform some manipulations with this device. Namely - forward service port - 3389. Otherwise, your router's NAT will simply not let you in. home network. The same applies to setting up an RDP server in an organization. If you don't know how to forward a port, read the article on How to forward ports on a router (opens in a new tab), then come back here.

We prepare the computer

In order to create the ability to remotely connect to a computer, you need to do exactly two things:

Allow connection in System Properties;
- set a password for the current user (if he does not have a password), or create a new user with a password specifically for connecting via RDP.

How to deal with the user - decide for yourself. However, keep in mind that regular non-server Operating Systems do not support multiple input. Those. if you are logged in locally (console), and then log in under the same user remotely, the local screen will be locked and the session at the same place will open in the Remote Desktop Connection window. Enter the password locally without exiting RDP - you will be kicked out of remote access, and you will see the current screen on your local monitor. The same thing awaits you if you log in as one user on the console, and remotely try to log in under another. In this case, the system will prompt you to end the local user session, which may not always be convenient.

So let's go to Start, right click on the menu A computer and press Properties.

In properties Systems choose Extra options systems

In the window that opens, go to the tab Remote access

... press Additionally

And put the only checkbox on this page.

This is a "home" version of Windows 7 - those who have Pro and above will have more checkboxes and it is possible to make access control.

Click OK everywhere.

Now, you can go to Remote Desktop Connection (Start>All Programs>Accessories), enter the IP address of the computer there, or the name if you want to connect to it from your home network and use all the resources.

Like this. In principle, everything is simple. If suddenly there are any questions or something remains unclear - welcome to the comments.

There is an opinion that the Windows Remote Desktop Connection (RDP) is very insecure compared to its counterparts (VNC, TeamViewer, etc.). As a result, open access from outside to any computer or server local network very reckless decision - they will definitely hack. The second argument against RDP usually sounds like this - "it eats traffic, it's not an option for a slow Internet." Most of the time, these arguments are unsubstantiated.

The RDP protocol has existed for more than a day, its debut took place on Windows NT 4.0 more than 20 years ago, and since then a lot of water has flowed under the bridge. On the this moment RDP is no less secure than any other remote access solution. As for the required bandwidth, there are a lot of settings in this regard, with which you can achieve excellent responsiveness and save bandwidth.

In short, if you know what, how and where to configure, then RDP will be a very good remote access tool. The question is, how many admins tried to delve into the settings that are hidden a little deeper than on the surface?

Now I will tell you how to protect RDP and configure it for optimal performance.

First, there are many versions of the RDP protocol. All further description will be applicable to RDP 7.0 and higher. This means that you have at least Windows Vista SP1. For fans of retro there is a special update for Windows XP SP3 KB 969084 which adds RDP 7.0 to this operating system.

Setting #1 - Encryption

On the computer to which you are going to connect, open gpedit.msc Go to Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Security

Set the option "Require the use of a special security level for remote connections via RDP Method" to "Enabled" and Security Level to "SSL TLS 1.0"

With this setting, we have enabled encryption as such. Now we need to make sure that only strong encryption algorithms are used, and not some DES 56-bit or RC2.

Therefore, in the same branch, open the "Set encryption level for client connections" option. Turn on and select "High" level. This will give us 128-bit encryption.

But this is not the limit. The highest level of encryption is provided by the FIPS 140-1 standard. In this case, all RC2 / RC4 automatically go to the forest.

To enable the use of FIPS 140-1, you need to go to Computer Configuration - Windows Configuration - Security Settings - Local Policies - Security Options in the same snap-in.

We are looking for the option "System cryptography: Use FIPS-compliant algorithms for encryption, hashing and signing" and enable it.

And finally, without fail, enable the "Require a secure RPC connection" option along the path Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Security.

This setting requires connecting clients to require encryption according to the settings we configured above.

Now with encryption full order, you can move on.

Setting #2 - port change

By default, the RDP protocol hangs on TCP port 3389. For a change, you can change it, for this you need to change the PortNumber key in the registry at

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Setting #3 - Network Authentication (NLA)

By default, you can connect via RDP without entering a login and password and see the Welcome screen of the remote desktop, where you will be asked to log in. This is just not safe at all in the sense that such a remote computer can be easily DDoSed.

Therefore, all in the same branch, enable the option "Require user authentication for remote connections through network level authentication"

Setting #4 - what else to check

First, check that the " Accounts: Only allow blank passwords for console login" is enabled. The setting can be found in Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Security.

Second, don't forget to check the list of users who can connect via RDP

Setting #5 - speed optimization

Go to Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Session Environment.

Here you can and should adjust several parameters:

  • The greatest color depth - you can limit yourself to 16 bits. This will save more than 2 times the traffic compared to 32-bit depth.
  • Forced cancellation of the background picture of the remote desktop - it is not needed for work.
  • Setting the RDP compression algorithm - better set to Optimize bandwidth usage. In this case, RDP will eat a little more memory, but it will be more efficient to compress.
  • Optimize visual effects for Remote Desktop Services sessions - set to "Text". What you need to work.

Otherwise, when connecting to a remote computer from the client side, you can additionally disable:

  • Font smoothing. This will greatly reduce the response time. (If you have a full-fledged terminal server, then this parameter can also be set on the server side)
  • Desktop composition - responsible for Aero, etc.
  • Show window while dragging
  • Visual effects
  • Design styles - if you want hardcore

The remaining parameters such as the desktop background, color depth, we have already predefined on the server side.

Additionally, on the client side, you can increase the size of the image cache, this is done in the registry. At HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\ you need to create two DWORD 32 keys BitmapPersistCacheSize and BitmapCacheSize

  • BitmapPersistCacheSize can be set to 10000 (10 MB). By default, this parameter is set to 10, which corresponds to 10 KB.
  • BitmapCacheSize can also be set to 10000 (10 MB). You will hardly notice if the RDP connection eats an extra 10 MB of your RAM

I won’t say anything about forwarding any printers, etc. Whoever needs what, then he forwards it.

This concludes the main part of the setup. In the following reviews, I will tell you how you can further improve and secure RDP. Use RDP correctly, all stable connection! How to make an RDP terminal server on any Windows versions see .

Similar posts