
RDP Three letter game

As you know, the Remote Desktop Protocol (RDP) allows you to connect remotely to computers running Windows and is available to any Windows user, unless they have the Home edition, which includes only an RDP client and not a host. It is a convenient, effective and practical means of remote access for administration or daily work. Recently, it has attracted miners who use RDP for remote access to their farms. RDP support has been included in Windows since NT 4.0 and XP, but not everyone knows how to use it. Meanwhile, you can open a Microsoft remote desktop from computers running Windows or Mac OS X, as well as from mobile devices running Android or from an iPhone or iPad.




If you properly understand the settings, then RDP will be a good means of remote access. It makes it possible not only to see the remote desktop, but also to use the resources of the remote computer, to connect local disks or peripheral devices to it. At the same time, the computer must have an external IP (static or dynamic), or it must be possible to “forward” the port from the router with an external IP address.
RDP servers are often used for shared work in the 1C system, or to host users' workplaces so that they can connect to them remotely. The RDP client allows you to work with text and graphical applications and to retrieve any data remotely from your home PC. To do this, port 3389 must be forwarded on the router in order to reach the home network through NAT. The same applies to setting up an RDP server in an organization.

RDP is considered by many to be an insecure method of remote access compared to special programs such as RAdmin, TeamViewer, VNC, etc. Another prejudice is that RDP generates a lot of traffic. However, today RDP is no less secure than any other remote access solution (we will return to the issue of security), and with the right settings you can achieve a high response speed and a small bandwidth requirement.

How to protect RDP and adjust its performance

Encryption and security. You need to open gpedit.msc and, in "Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Security", set the "Require the use of a special security level for remote connections using the RDP method" option and select "SSL TLS" in "Security Level". In "Set Encryption Level for Client Connections", select "High". To enable the use of FIPS 140-1, go to "Computer Configuration - Windows Configuration - Security Settings - Local Policies - Security Settings" and select "System cryptography: use FIPS-compatible algorithms for encryption, hashing and signing". In "Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Settings", the parameter "Accounts: Allow the use of blank passwords only at console input" should be enabled. Check the list of users who can connect via RDP.

Optimization. Open "Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Session Environment". In "Fastest Color Depth", select 16 bits, that's enough. Deselect the option to force the removal of the remote desktop background image. In "Setting the RDP Compression Algorithm", set "Optimize bandwidth usage". In "Optimize Visual Effects for Remote Desktop Services Sessions", set the "Text" value. Disable font smoothing.
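As an added example (not part of the original article), the script below audits the encryption and security settings listed above from a registry export. It assumes the export has already been decoded to text (reg export writes UTF-16) and that the policies are stored under their usual registry value names: SecurityLayer, MinEncryptionLevel, FipsAlgorithmPolicy\Enabled and LimitBlankPasswordUse. The sample export is constructed.

```python
import re

TS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# (registry key, value name, acceptance test, setting named in the article)
CHECKS = [
    (TS, "SecurityLayer", lambda v: v == 2, "Security Level = SSL (TLS)"),
    (TS, "MinEncryptionLevel", lambda v: v >= 3, "Encryption level = High"),
    (LSA + r"\FipsAlgorithmPolicy", "Enabled", lambda v: v == 1, "FIPS-compatible algorithms"),
    (LSA, "LimitBlankPasswordUse", lambda v: v == 1, "Blank passwords at console only"),
]
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Return {(key, name): int} for every DWORD value in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := DWORD.match(line)):
            values[(key.lower(), m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return [(setting, status)], status being 'ok', 'weak' or 'not set'."""
    values = parse_reg(text)
    report = []
    for key, name, ok, label in CHECKS:
        v = values.get((key.lower(), name.lower()))
        status = "not set" if v is None else ("ok" if ok(v) else "weak")
        report.append((label, status))
    return report

# Constructed sample export: SecurityLayer is 1 (Negotiate), FIPS policy absent.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"SecurityLayer"=dword:00000001
"MinEncryptionLevel"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000001
'''

if __name__ == "__main__":
    for label, status in audit(SAMPLE):
        print(f"{status:8} {label}")
```

A "not set" result means the policy was never configured, so the host falls back to its default rather than the value the article recommends.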

Basic setup done. How to connect to a remote desktop?

Remote Desktop Connection


To connect via RDP, you need an account with a password on the remote computer, and remote connections must be allowed in the system. So that you do not have to change the connection details every time a dynamic IP address changes, you can assign a static IP address in the network settings. Remote access is possible only on computers with Windows Pro, Enterprise or Ultimate.

To connect to a computer remotely, you need to enable the connection in "System Properties" and set a password for the current user, or create a new user for RDP. Users with regular accounts do not have the right to make a computer available for remote control on their own. An administrator can grant them this right. Another obstacle to using RDP may be an antivirus blocking it. In this case, RDP must be allowed in the settings of the anti-virus program.

It is worth noting a feature of some server operating systems: if the same user tries to log in to the server locally and remotely, the local session will close and the remote will open at the same place. Conversely, if you log in locally, the remote session will close. If you log in locally under one user, and remotely under another, the system will terminate the local session.

An RDP connection is made between computers on the same local network or over the Internet, but the latter requires additional steps: forwarding port 3389 on the router, or connecting to the remote computer via VPN.

To connect to a remote desktop in Windows 10, you can allow remote connections in "Settings - System - Remote Desktop" and specify the users who should be given access, or create a separate user for connecting. By default, the current user and the administrator have access. On the remote system, run the utility to connect.

Press Win + R, type MSTSC and hit Enter. In the window, enter the IP address or computer name, select "Connect", enter the username and password. The remote computer screen appears.


When connecting to a remote desktop via the command line (MSTSC), you can set additional RDP parameters:

Parameter - Value
/v:<server[:port]> - Remote computer to connect to.
/admin - Connect to the session for server administration.
/edit - Edit an RDP file.
/f - Launch the remote desktop in full screen.
/w:<width> - The width of the remote desktop window.
/h:<height> - The height of the remote desktop window.
/public - Run the remote desktop in public mode.
/span - Matches the width and height of the remote desktop to the local virtual desktop, spanning multiple monitors.
/multimon - Configures the placement of the RDP session monitors according to the current configuration on the client side.
/migrate - Migrate legacy connection files to new RDP files.


For Mac OS, Microsoft released the official RDP client, which works stably when connected to any version of Windows. In Mac OS X, to connect to a Windows computer, you need to download the Microsoft Remote Desktop application from the App Store. In it, using the Plus button, you can add a remote computer: enter its IP address, username, and password. Double clicking on the name of the remote desktop in the list to connect will open the Windows desktop.

On smartphones and tablets running Android and iOS, you need to install the Microsoft Remote Desktop application and run it. Select "Add" and enter the connection settings: the IP address of the computer and the login and password for logging into Windows. Another way is to forward port 3389 on the router to the computer's IP address and connect to the router's public address, specifying this port. This is done using the Port Forwarding option of the router. Select Add and enter:

Name: RDP
Type: TCP & UDP
Start port: 3389
End port: 3389
Server IP: the IP address of the computer to connect to.

What about Linux? RDP is a closed Microsoft protocol, and Microsoft does not release RDP clients for Linux, but you can use Remmina. For Ubuntu users, there are special repositories with Remmina and RDP.

RDP is also used to connect to Hyper-V virtual machines. Unlike the hypervisor connection window, when connected via RDP, the virtual machine sees various devices connected to the physical computer, supports sound processing, gives a better image of the desktop of the guest OS, etc.

With virtual hosting providers, Windows VPS servers are usually also available by default for connection over standard RDP. When connecting to the server from a standard Windows operating system, simply select "Start - Programs - Standard - Remote Desktop Connection", or press Win + R and type MSTSC in the window that opens. The window displays the IP address of the VPS server.

By clicking the "Connect" button, you will see a window with authorization fields.

To ensure that the USB devices and network printers connected to your PC are available to the server, when you connect to the server for the first time, select "Show settings" in the lower left corner. In the window, open the Local Resources tab and select the required options.

Using the option of storing authorization data on a remote computer, the connection parameters (IP address, username and password) can be saved in a separate RDP file and used on another computer.

RDP can also be used to connect to Azure virtual machines.

Configure other remote access functionality


The remote desktop connection window has tabs with customizable parameters.

Tab - Purpose
"Screen" - Sets the screen resolution of the remote computer, that is, of the utility window after connection. You can set a low resolution and sacrifice color depth.
"Local Resources" - To conserve system resources, you can turn off audio playback on the remote computer. In the local devices section, you can select a printer and other devices of the host computer that will be accessible on the remote PC, for example, USB devices, memory cards and external drives.

Details of remote desktop settings in Windows 10 are in this video. Now back to RDP security.

How to "hijack" an RDP session?


Can I intercept RDS sessions? And how to protect against this? The possibility of hijacking an RDP session in Microsoft Windows has been known since 2011, and a year ago researcher Alexander Korznikov described detailed hijacking methods in his blog. It turns out that it is possible to connect to any running session on Windows (with any rights) while logged in under any other account.

Some techniques allow you to intercept a session without a login password. All you need is access to a command line running as NT AUTHORITY\SYSTEM. If you run tscon.exe as the SYSTEM user, you can connect to any session without a password: RDP does not ask for a password, it simply connects you to the user's desktop. You can, for example, dump server memory and get user passwords. By simply launching tscon.exe with a session number, you can get the desktop of the specified user without external tools. Thus, with the help of one command, we have a hacked RDP session. You can also use the psexec.exe utility if it was previously installed:

 psexec -s \\localhost cmd 

Or you can create a service that connects the attacked account and start it, after which your session will be replaced by the target one. Here are some notes on how far this can go:


Many server operating systems are subject to this threat, and the number of servers using RDP is constantly increasing. Windows 2012 R2, Windows 2008, Windows 10 and Windows 7 were vulnerable. To prevent theft of RDP sessions, it is recommended to use two-factor authentication. The updated Sysmon Framework for ArcSight and Sysmon Integration Framework for Splunk warn the administrator about running malicious commands in order to hijack an RDP session. You can also use the Windows Security Monitor utility to monitor security events.
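The monitoring described above can be sketched as follows. This is an added example, not code from the article or from the Sysmon frameworks it mentions: it reads rendered Sysmon process-creation (Event ID 1) messages and flags tscon.exe started under the SYSTEM account. The sample events are constructed, and the SYSTEM account is matched by its English name or by logon ID 0x3E7.

```python
import ntpath

SYSTEM_LOGON_ID = "0x3e7"              # well-known logon session of LocalSystem
SYSTEM_USER = "nt authority\\system"   # English name; localized systems differ

def parse_event(message):
    """Parse the 'Field: value' lines of a rendered Sysmon Event ID 1 message."""
    fields = {}
    for line in message.strip().splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def classify(fields):
    """Return 'alert', 'review' or None for one process-creation event."""
    if ntpath.basename(fields.get("Image", "")).lower() != "tscon.exe":
        return None
    as_system = (fields.get("LogonId", "").lower() == SYSTEM_LOGON_ID
                 or fields.get("User", "").lower() == SYSTEM_USER)
    # Under SYSTEM, tscon attaches to another session without its password.
    return "alert" if as_system else "review"

def detect(messages):
    """Return (verdict, user, command line) for each tscon.exe start."""
    events = [parse_event(m) for m in messages]
    return [(classify(f), f.get("User"), f.get("CommandLine"))
            for f in events if classify(f)]

# Constructed sample events (not taken from a real host).
SAMPLE_EVENTS = [
    r"""Image: C:\Windows\System32\tscon.exe
CommandLine: tscon.exe 2
User: NT AUTHORITY\SYSTEM
LogonId: 0x3E7""",
    r"""Image: C:\Windows\System32\tscon.exe
CommandLine: tscon.exe 3
User: CORP\alice
LogonId: 0x5A1F3""",
    r"""Image: C:\Windows\System32\mstsc.exe
CommandLine: mstsc.exe /v:srv01
User: CORP\alice
LogonId: 0x5A1F3""",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Starts of tscon.exe by an ordinary user are returned as "review" rather than dropped, since reconnecting to one's own session is legitimate but still worth correlating with who owns the target session.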

Finally, consider how to remove a remote desktop connection. This measure is useful if the need for remote access is gone, or if you want to prevent outsiders from connecting to the remote desktop. Open "Control Panel - System and Security - System". In the left column, click "Configure Remote Access". In the "Remote Desktop" section, select "Do not allow connections to this computer". Now no one can connect to you via remote desktop.

In the end, a few more life hacks that can be useful when working with a Windows 10 remote desktop, and simply with remote access.

  1. To access files on a remote computer, you can use OneDrive:


  2. How to restart a remote PC in Win10? Press Alt + F4. A window will open:



    An alternative option is the command line and the shutdown command.


    If you specify the /i parameter in the shutdown command, a window will appear:



  3. In Windows 10 Creators Update, the System section has become richer by one more subsection, where the ability to activate remote access to a computer from other operating systems, in particular, from mobiles via the Microsoft Remote Desktop application, is implemented:

  4. For various reasons, the RDP connection to a Windows Azure virtual machine may not work. The problem may be with the remote desktop service on the virtual machine, the network connection, or the remote desktop client on your computer. Some of the most common methods for solving RDP connection problems are here.
  5. It is quite possible to make a terminal server out of the normal version of Windows 10, so that several users can connect to a regular computer via RDP and work with it simultaneously. As noted above, having several users work with a 1C file base is now popular. A tool that has proven itself on Windows 7, RDP Wrapper Library by Stas'M, will help turn Windows 10 into a terminal server.
  6. You can use Parallels Remote Application Server (RAS) as a “RDP with a human face”, but some of its features need to be configured on the Windows Server side (or in the virtual machines you use).

As you can see, remote access to a computer offers many solutions and opportunities. It is no coincidence that most enterprises, organizations, institutions and offices use it. This tool is useful not only to system administrators but also to heads of organizations, and remote access is very useful for ordinary users as well. You can help someone who does not understand computers to repair or optimize their system without getting up from your chair, transfer data or access the files you need while on a business trip or vacation anywhere in the world, work on an office computer from home, manage your virtual server, etc.

Good luck!




Source: https://habr.com/ru/post/358630/

