Connecting via RDP. We connect from various systems via RDP to a computer running Windows XP. Description of the RDP protocol

As you know, the Remote Desktop Protocol (RDP) allows you to connect remotely to computers running Windows and is available to any Windows user, unless they have the Home edition, which includes only an RDP client and not a host. It is a convenient, effective and practical tool for remote access for administration or daily work. Lately it has attracted miners, who use RDP to access their farms remotely. RDP support has been included in Windows operating systems since NT 4.0 and XP, but not everyone knows how to use it. Meanwhile, you can open Microsoft Remote Desktop from computers running Windows or Mac OS X, as well as from mobile devices running Android and from the iPhone and iPad.


If you understand the settings properly, RDP will be a good means of remote access. It makes it possible not only to see the remote desktop, but also to use the resources of the remote computer and to connect local drives or peripherals to it. In this case, the computer must have an external IP (static or dynamic), or it must be possible to “forward” the port from a router with an external IP address.

RDP servers are often used for collaboration in the 1C system, or user workplaces are deployed on them, allowing users to connect to their workplace remotely. The RDP client allows you to work with text and graphic applications and to receive data remotely from your home PC. To do this, you need to forward port 3389 on the router in order to gain access to the home network. The same applies to setting up an RDP server in an organization.

RDP is considered by many to be an unsafe method of remote access compared to special programs such as RAdmin, TeamViewer, VNC, etc. Another prejudice is that RDP generates a lot of traffic. However, today RDP is no less secure than any other remote access solution (we will return to the issue of security later), and with the right settings you can achieve a fast response and a low bandwidth requirement.

How to protect RDP and tune its performance

Encryption and security

Open gpedit.msc and, under “Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Security”, set the parameter “Require the use of a special security level for remote connections using the RDP method” and select “SSL TLS” in “Security Level”. In “Set encryption level for client connections”, select “High”. To enable the use of FIPS 140-1, go to “Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options” and select “System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing”. The option “Accounts: Allow empty passwords only during console logon”, under “Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options”, must be enabled. Check the list of users who can connect via RDP.

Optimization

Open “Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Session Environment”. In “Highest color depth”, select 16 bits; this is enough. Uncheck the “Force the remote desktop wallpaper” option. In “Set RDP compression algorithm”, set “Optimize bandwidth usage”. Set “Optimize visuals for Remote Desktop Services sessions” to “Text”. Turn off Font Smoothing.

The basic setup is complete. How to connect to remote desktop?

Remote Desktop Connection

To connect via RDP, the remote computer must have an account with a password and remote connections must be allowed in the system; so that you do not have to change the access data whenever a dynamic IP address changes, you can assign a static IP address in the network settings. Remote access is only possible on computers with Windows Pro, Enterprise or Ultimate.

To connect to a computer remotely, you need to allow the connection in “System Properties” and set a password for the current user, or create a new user for RDP. Users of regular accounts do not have the right to independently provide a computer for remote control. The administrator can give them this right. An obstacle to using the RDP protocol may be its blocking by antiviruses. In this case, RDP must be enabled in the settings of antivirus programs.

It is worth noting a feature of some server operating systems: if the same user tries to log into the server locally and remotely, the local session will close and the remote one will open in the same place. Conversely, logging in locally will close the remote session. If you log in locally as one user, and remotely as another, the system will end the local session.

Connection via RDP protocol is carried out between computers located in the same local network, or over the Internet, but this will require additional steps - forwarding port 3389 on the router, or connecting to a remote computer via VPN.

To connect to a remote desktop in Windows 10, you can enable remote connection in “Settings - System - Remote Desktop” and specify the users to whom you want to grant access, or create a separate user for the connection. By default, the current user and the administrator have access. On the remote system, run the connection utility.

Press Win+R, type MSTSC and press Enter. In the window, enter the IP address or computer name, select “Connect”, enter the username and password. The remote computer screen appears.


When connecting to a remote desktop via the command line (MSTSC), you can set additional RDP parameters:

Parameter             Meaning
/v:<server[:port]>    The remote computer to which you are connecting.
/admin                Connect to a session for server administration.
/edit                 Edit an RDP file.
/f                    Launch the remote desktop in full screen.
/w:<width>            Width of the remote desktop window.
/h:<height>           Height of the remote desktop window.
/public               Launch the remote desktop in public mode.
/span                 Match the width and height of the remote desktop to the local virtual desktop, spanning multiple monitors.
/multimon             Configure the placement of RDP session monitors according to the current client-side configuration.
/migrate              Migrate connection files created by previous versions to new RDP files.


For Mac OS, Microsoft has released an official RDP client that works stably when connected to any version of Windows OS. On Mac OS X, to connect to a Windows computer you need to download the Microsoft Remote Desktop app from the App Store. In it, you can use the “Plus” button to add a remote computer: enter its IP address, username and password. Double-clicking the name of the remote desktop in the connection list will open the Windows desktop.

On smartphones and tablets running Android and iOS, you need to install the Microsoft Remote Desktop application and launch it. Select “Add” and enter the connection parameters: the computer's IP address and the login and password for logging into Windows. Another method is to forward port 3389 on the router to the computer's IP address and connect to the public address of the router, specifying this port. This is done using the router's Port Forwarding option. Select Add and enter:

  • Name: RDP
  • Type: TCP & UDP
  • Start port: 3389
  • End port: 3389
  • Server IP: the IP address of the computer to connect to.

What about Linux? RDP is a closed Microsoft protocol, and Microsoft does not release RDP clients for Linux, but you can use the Remmina client. For Ubuntu users there are special repositories with Remmina and RDP.

The RDP protocol is also used to connect to Hyper-V virtual machines. Unlike the hypervisor connection window, when connecting via RDP the virtual machine sees various devices connected to the physical computer, supports sound, gives a higher-quality image of the guest OS desktop, etc.

Configuring other remote access functionality

The window for connecting to a remote computer has tabs with customizable parameters.

Details of setting up a remote desktop in Windows 10 are in this video. Now let's get back to RDP security.

How to hijack an RDP session?

Is it possible to intercept RDS sessions? And how do you protect yourself from this? The possibility of hijacking an RDP session in Microsoft Windows has been known since 2011, and a year ago researcher Alexander Korznikov described the hijacking techniques in detail in his blog. It turns out that it is possible to connect to any running session in Windows (with any rights) while logged in under any other.

Some techniques allow you to intercept a session without a login password. All you need is access to a command line running as NT AUTHORITY\SYSTEM. If you run tscon.exe as the SYSTEM user, you can connect to any session without a password. RDP doesn't ask for a password, it just connects you to the user's desktop. You can, for example, dump the server's memory and obtain user passwords. By simply running tscon.exe with a session number, you can get the specified user's desktop - without external tools. Thus, with a single command we have a hacked RDP session. You can also use the psexec.exe utility if it was previously installed:

Psexec -s \\localhost cmd
Or you can create a service that will connect the attacked account and launch it, after which your session will be replaced by the target one. Here are some notes on how far this goes:

  • You can connect to disconnected sessions. So if someone logged out a couple of days ago, you can simply connect directly to their session and start using it.
  • You can unlock locked sessions. So while the user is away from their desk, you log into their session and it is unlocked without any credentials. For example, an employee logs into their account and then steps away, locking the account (but not logging out). The session is active and all applications will remain in the same state. If the system administrator logs into his account on the same computer, he gains access to the employee's account, and therefore to all running applications.
  • Having local administrator rights, you can attack an account with domain administrator rights, i.e. higher than the rights of the attacker.
  • You can connect to any session. If, for example, it is Helpdesk, you can connect to it without any authentication. If it is a domain administrator, you will become an administrator. With the ability to connect to disconnected sessions, you have an easy way to navigate the network. Thus, attackers can use these methods to both penetrate and further advance within a company’s network.
  • You can use win32k exploits to gain SYSTEM permissions and then enable this feature. If patches are not applied properly, even an ordinary user can do this.
  • If you don't know what to monitor, you won't know what's going on at all.
  • The method works remotely. You can run sessions on remote computers even if you are not logged into the server.
Many server operating systems are susceptible to this threat, and the number of servers using RDP is constantly increasing. Windows 2012 R2, Windows 2008, Windows 10 and Windows 7 were vulnerable. To prevent RDP sessions from being hijacked, it is recommended to use two-factor authentication. The updated Sysmon Framework for ArcSight and Sysmon Integration Framework for Splunk warn administrators when malicious commands are run to hijack an RDP session. You can also use the Windows utility Security Monitor to monitor security events.
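
Detection logic for the tscon.exe abuse described above, as an added example that is not from the original article. It assumes Sysmon process-creation events (Event ID 1) are being collected; the function names and the sample records are constructed for illustration.

```powershell
# Added example: triage Sysmon process-creation records (Event ID 1) for the
# session-hijack pattern described above. Not code from the original article.

function Get-SysmonProcessCreate {
    # Reads live events and flattens each event's EventData into one object.
    param([int] $MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents | ForEach-Object {
        $record = [ordered]@{ Computer = $_.MachineName }
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $record[$d.Name] = $d.'#text'
        }
        [pscustomobject]$record
    }
}

function Get-RdpHijackFinding {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Record)
    process {
        $image  = [string]$Record.Image
        $parent = [string]$Record.ParentImage
        # 0x3e7 is the fixed logon ID of the SYSTEM logon session. Unlike the
        # account name, it is the same on localized Windows installations.
        $isSystem = ($Record.LogonId -eq '0x3e7') -or
                    ($Record.User -eq 'NT AUTHORITY\SYSTEM')

        $reason = $null
        if ($image -like '*\tscon.exe' -and $isSystem) {
            # A user switching to another session normally runs tscon in
            # their own security context, not as SYSTEM.
            $reason = 'tscon.exe executed as SYSTEM'
        } elseif ($parent -like '*\PSEXESVC.exe' -and $isSystem) {
            $reason = 'SYSTEM process started through the PsExec service'
        }

        if ($reason) {
            [pscustomobject]@{
                UtcTime     = $Record.UtcTime
                Computer    = $Record.Computer
                Reason      = $reason
                Image       = $image
                CommandLine = $Record.CommandLine
            }
        }
    }
}

# Constructed sample records (host, users and times are made up).
$sample = @(
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:00.000'; Computer = 'SRV01'
        Image = 'C:\Windows\System32\tscon.exe'; CommandLine = 'tscon.exe 2'
        User = 'NT AUTHORITY\SYSTEM'; LogonId = '0x3E7'
        ParentImage = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ UtcTime = '2024-01-01 09:59:30.000'; Computer = 'SRV01'
        Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd'
        User = 'NT AUTHORITY\SYSTEM'; LogonId = '0x3E7'
        ParentImage = 'C:\Windows\PSEXESVC.exe' }
    [pscustomobject]@{ UtcTime = '2024-01-01 08:15:00.000'; Computer = 'SRV01'
        Image = 'C:\Windows\System32\tscon.exe'; CommandLine = 'tscon.exe 3'
        User = 'CORP\alice'; LogonId = '0x5A1B2'
        ParentImage = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ UtcTime = '2024-01-01 08:20:00.000'; Computer = 'SRV01'
        Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe'
        User = 'CORP\alice'; LogonId = '0x5A1B2'
        ParentImage = 'C:\Windows\explorer.exe' }
)

# The first two sample records produce findings; the last two do not.
$sample | Get-RdpHijackFinding | Format-Table -AutoSize

# Against the live log on a host with Sysmon installed:
#   Get-SysmonProcessCreate | Get-RdpHijackFinding | Format-Table -AutoSize
```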

Finally, let's look at how to delete a remote desktop connection. This is a useful measure if the need for remote access has disappeared, or if you want to prevent strangers from connecting to the remote desktop. Open “Control Panel – System and Security – System”. In the left column, click “Remote Access Settings”. Under Remote Desktop, select Don't allow connections to this computer. Now no one will be able to connect to you via remote desktop.

In conclusion, here are a few more life hacks that may be useful when working with the Windows 10 remote desktop, or simply when accessing remotely.


As you can see, there are many solutions and opportunities that remote access to a computer opens up. It is no coincidence that most enterprises, organizations, institutions and offices use it. This tool is useful not only to system administrators, but also to the heads of organizations, and ordinary users find remote access very useful too. You can help fix or optimize a system for a person who doesn’t understand it without getting up from your chair, transfer data or gain access to the necessary files while on a business trip or vacation anywhere in the world, work on the office computer from home, manage your virtual server, etc.


There is an opinion that connecting via Windows Remote Desktop (RDP) is very unsafe in comparison with analogues (VNC, TeamViewer, etc.). As a result, opening access from outside to any computer or local network server is a very reckless decision - it will definitely be hacked. The second argument against RDP usually sounds like this: “it eats up traffic, not an option for a slow Internet.” Most often, these arguments are not substantiated.

The RDP protocol has been around for a long time; its debut took place on Windows NT 4.0 more than 20 years ago, and a lot of water has passed under the bridge since then. At this point RDP is as secure as any other remote access solution. As for the required bandwidth, there are a bunch of settings in this regard that can be used to achieve excellent responsiveness and bandwidth savings.

In short, if you know what, how and where to configure, then RDP will be a very good remote access tool. The question is, how many admins have tried to delve into the settings that are hidden a little deeper than on the surface?

Now I’ll tell you how to protect RDP and configure it for optimal performance.

Firstly, there are many versions of the RDP protocol. All further descriptions will apply to RDP 7.0 and higher. This means that you have at least Windows Vista SP1. For retro lovers there is a special update for Windows XP SP3, KB 969084, which adds RDP 7.0 to this operating system.

Setting No. 1 - encryption

On the computer to which you are going to connect, open gpedit.msc. Go to Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Security.

Set the parameter “Require the use of a special security level for remote connections using the RDP method” to “Enabled” and the Security level to “SSL (TLS 1.0)”.

With this setting we enabled encryption as such. Now we need to make sure that only strong encryption algorithms are used, and not some DES 56-bit or RC2.

Therefore, in the same branch, open the option “Set encryption level for client connections.” Turn it on and select the “High” level. This will give us 128-bit encryption.

But this is not the limit. The highest level of encryption is provided by the FIPS 140-1 standard. In this case, RC2/RC4 are automatically ruled out.

To enable the use of FIPS 140-1, you need to go to Computer Configuration - Windows Configuration - Security Settings - Local Policies - Security Settings in the same snap-in.

We look for the option “System cryptography: use FIPS-compliant algorithms for encryption, hashing and signing” and enable it.

And finally, be sure to enable the “Require a secure RPC connection” option along the path Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Security.

This setting forces connecting clients to use encryption according to the settings we configured above.

Now the encryption is in complete order, you can move on.

Setting No. 2 - change the port

By default, the RDP protocol listens on TCP port 3389. For variety, it can be changed; to do this, you need to change the PortNumber value in the registry under the key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Setting #3 - Network Authentication (NLA)

By default, you can connect via RDP without entering your username and password and see the Welcome screen of the remote desktop, where you will be asked to log in. This is not safe at all, in the sense that such a remote computer can easily be DDoSed.

Therefore, in the same branch we enable the option “Require user authentication for remote connections using network-level authentication”.

Setting No. 4 - what else to check

First, make sure that the "Accounts: Allow blank passwords only during console logon" setting is enabled. The setting can be found in Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Security.

Secondly, do not forget to check the list of users who can connect via RDP.
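
A read-only check of the settings from Setting No. 1 to Setting No. 4, as an added example that is not part of the original article. It assumes the standard registry locations that back these policies; the function names and the sample values are constructed for illustration.

```powershell
# Added example: audit the RDP settings described in Settings No. 1-4.
# Nothing is changed on the host; values are only read and graded.
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue {
    param([string] $Path, [string] $Name)
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RdpSetting {
    # Reads the live registry. A value written by Group Policy takes
    # precedence over the local one stored under WinStations\RDP-Tcp.
    $s = @{}
    foreach ($name in 'SecurityLayer', 'MinEncryptionLevel', 'UserAuthentication') {
        $value = Get-RegValue $Policy $name
        if ($null -eq $value) { $value = Get-RegValue $RdpTcp $name }
        $s[$name] = $value
    }
    $s['fEncryptRPCTraffic']    = Get-RegValue $Policy 'fEncryptRPCTraffic'
    $s['FipsEnabled']           = Get-RegValue "$Lsa\FipsAlgorithmPolicy" 'Enabled'
    $s['LimitBlankPasswordUse'] = Get-RegValue $Lsa 'LimitBlankPasswordUse'
    $s['PortNumber']            = Get-RegValue $RdpTcp 'PortNumber'
    $s
}

function Test-RdpHardening {
    param([Parameter(Mandatory)] [hashtable] $Setting)
    $checks = @(
        @{ Name = 'SecurityLayer';         Want = 2; Text = 'Security layer: SSL (TLS)' }
        @{ Name = 'MinEncryptionLevel';    Want = 3; AtLeast = $true
           Text = 'Encryption level: High (3) or FIPS (4)' }
        @{ Name = 'FipsEnabled';           Want = 1; Text = 'FIPS-compliant algorithms enforced' }
        @{ Name = 'fEncryptRPCTraffic';    Want = 1; Text = 'Secure RPC connection required' }
        @{ Name = 'UserAuthentication';    Want = 1; Text = 'Network Level Authentication required' }
        @{ Name = 'LimitBlankPasswordUse'; Want = 1; Text = 'Blank passwords limited to console logon' }
    )
    foreach ($c in $checks) {
        $actual = $Setting[$c.Name]
        # A missing value means "not configured" and is graded as a failure.
        $pass = if ($null -eq $actual) {
            $false
        } elseif ($c.AtLeast) {
            $actual -ge $c.Want
        } else {
            $actual -eq $c.Want
        }
        [pscustomobject]@{ Check = $c.Text; Value = $actual; Pass = $pass }
    }
    # The port is reported, not graded: moving RDP off 3389 only reduces scan
    # noise and does not replace the controls above.
    [pscustomobject]@{
        Check = 'Listening port (informational)'
        Value = $Setting['PortNumber']
        Pass  = $null
    }
}

# Constructed sample of a weakly configured host.
$sample = @{
    SecurityLayer         = 1      # Negotiate instead of SSL (TLS)
    MinEncryptionLevel    = 2      # Client Compatible
    UserAuthentication    = 0      # NLA not required
    fEncryptRPCTraffic    = $null  # policy not configured
    FipsEnabled           = 0
    LimitBlankPasswordUse = 1
    PortNumber            = 3389
}
# Only the blank-password check passes for this sample.
Test-RdpHardening -Setting $sample | Format-Table -AutoSize

# On a live host:
#   Test-RdpHardening -Setting (Get-RdpSetting) | Format-Table -AutoSize
# Accounts allowed to log on over RDP (Remote Desktop Users, SID S-1-5-32-555):
#   Get-LocalGroupMember -SID 'S-1-5-32-555'
```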

Setting No. 5 - speed optimization

Go to the section Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Session Environment.

Here you can and should adjust several parameters:

  • The highest color depth - you can limit yourself to 16 bits. This will save traffic by more than 2 times compared to 32-bit depth.
  • Force removal of the remote desktop wallpaper - it is not needed for work.
  • Setting the RDP compression algorithm - it is better to set the value to Optimize bandwidth usage. In this case, RDP will consume a little more memory, but will compress more efficiently.
  • Optimize visual effects for Remote Desktop Services sessions - set the value to “Text”. What you need for the job.

Otherwise, when connecting to a remote computer from the client side, you can additionally disable:

  • Font smoothing. This will greatly reduce response time. (If you have a full-fledged terminal server, then this parameter can also be set on the server side)
  • Desktop composition - responsible for Aero, etc.
  • Show window when dragging
  • Visual effects
  • Design styles - if you want hardcore

We have already predefined the remaining parameters such as desktop background and color depth on the server side.

Additionally, on the client side, you can increase the size of the image cache; this is done in the registry. Under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\ you need to create two DWORD (32-bit) values, BitmapPersistCacheSize and BitmapCacheSize:

  • BitmapPersistCacheSize can be set to 10000 (10 MB). By default, this parameter is set to 10, which corresponds to 10 KB.
  • BitmapCacheSize can also be set to 10000 (10 MB). You will hardly notice if the RDP connection eats up an extra 10 MB of your RAM

I won’t say anything about forwarding printers, etc. Everyone forwards whatever they need.

This concludes the main part of the setup. In the following reviews I will tell you how you can further improve and secure RDP. Use RDP correctly, have a stable connection everyone! See how to make an RDP terminal server on any version of Windows.

Remote desktop in the Windows family of operating systems is a very powerful tool for remote computer control. Remote Desktop, or RDP, has been part of the Microsoft family of operating systems since Windows NT 4.0. At the moment, the latest version of RDP built into Windows has serial number 10, just like the new operating system itself. In this material we will take a detailed look at connecting to a remote machine via the RDP protocol from various operating systems. Our readers will also learn how to connect to a remote desktop over the Internet.

We connect from various systems via RDP to a computer running Windows XP

For our example, we took a computer running the Windows XP operating system. We will connect to it via RDP from computers running Windows 7, 10 and Ubuntu. In these examples all RDP connections will be local, that is, inside the local network. First we will look at an example of connecting from Windows 10. To do this, open the “Remote Desktop Connection” application in Windows 10.

On the “General” tab, to access the XP computer, you must enter the address of the remote PC in the “Computer” field. In our case, the address is “192.168.0.183”. Next, enter the username “User” and the user password. The address of the remote computer running XP can be found in its network connection settings.

It is also worth adding that before connecting to a remote PC, you need to turn on the checkbox in the “Remote Desktop” section of the computer properties in Windows XP, as shown below. This is necessary in order to allow connection to it.

The data we enter in the RDP client in Windows 10 will look like this:

If all data is entered correctly, you can connect using the Connect button. By clicking this button, the RDP client will take us to the password entry window for further access in Windows XP.

After the password is entered successfully, Windows XP will allow us to log in.

Once again, let's return to the RDP client in Windows 10. On the first tab, as we found out, the data for the remote machine is entered. On the second tab, “Display”, we can edit the screen resolution values on the remote machine.

The next tab, “Local Resources”, allows you to connect resources that belong to your PC (the one from which the connection is made). For example, you can connect a local disk, DVD-ROM, printer and other devices.

The “Experience” tab provides access to settings for the quality of graphics displayed in the RDP client window.

On the “Advanced” tab, the user can enable and configure RDP remote connection security.

If you compare clients on Windows 10 and 7, you will hardly find any difference, since they have the same settings. The only minor difference is the slightly improved design in Windows 10. Below is the remote desktop Windows 7.

Therefore, if you use RDP on a Windows 10 or 7 PC, you will hardly notice the difference.

Now let's move on to using remote desktop on a computer running Ubuntu. For this example we will use the latest version of Ubuntu, number 16.04. In the Ubuntu 16.04 operating system the RDP client is called Remmina. Below is a window with the program open. To access a remote PC from Ubuntu, click the Create button in the top panel of Remmina.

After this action, a window will appear in which you need to enter the settings of the remote machine running XP.

The image above shows how the settings are entered, similar to RDP from Microsoft. After entering these settings, we can immediately access Windows XP by clicking the Connect button, which is what we will do.

The image above shows the Desktop of the connected machine. If we exit this session, then in the Remmina window we will see that the access settings for our PC have been saved in the program.

From the example discussed, you can see how easy it is to access a remote PC running Windows XP on a PC running Ubuntu. Please note that when comparing the standard client from Microsoft and Remmina in Ubuntu, you will notice that the latter has much more settings and capabilities.

Thanks to these features of Remmina, the Ubuntu operating system has gained great popularity among terminal server users. For example, many organizations use computers with Ubuntu OS as terminal server clients. This is not surprising, because Ubuntu is a free operating system. Ubuntu clients are especially popular when working with server solutions where 1C software products are installed. Using this scheme, many companies save tens of thousands of dollars.

Direct access via RDP over the Internet

In the previous examples, we looked at options for connecting to a remote machine via a local network. Now we will consider connecting over the Internet. In order to connect via the protocol in question, you need a white IP.

Conclusion

In this article we looked at RDP clients from both Microsoft and Ubuntu. In this article, we tried to convey to our readers as simply as possible: how to establish a connection to a remote desktop. We also discussed in the article what gray and white IP are. Another point that I would like to talk about is the new application Microsoft Remote Desktop for Android. Thanks to this application, any user using a smartphone or tablet will be able to connect to a remote PC. Below is the window of this application.

And we, in turn, hope that our article will be useful to our readers, and thanks to its content you will be able to connect to a remote desktop without any problems.

Surely many people have encountered a situation where they need to fix their parents’ computer. And the reasons for repairs can be very funny, for example, the computer is full of programs in startup. And it’s very inconvenient to run to your grandmother every day for such trifles in order to fix the little things on her computer. It’s good if your loved ones and acquaintances are nearby, but what if you are asked by a person who is out of reach? Here we will look at how to connect to a remote desktop in Windows 10 and Windows 7 via the Internet, using built-in tools and using the TeamViewer program, so that there is less useless running around.

Windows 10 Remote Desktop Connection

With the release of the Anniversary Update, Microsoft added a native feature to Windows 10 for connecting to the desktop of another, remote computer. You can connect to another computer via the Internet without third-party programs. You can open it by searching for “Quick Assist” in the Start menu.

If you want to help another person via a remote connection, you need to click Help and pass the resulting code to someone else. The other person must press Get help and enter the code received from the first person.

How to connect to another computer via local network

In the Microsoft operating system itself, there is a function called Remote Desktop Protocol (RDP) or Remote Desktop, which was designed precisely to offer users the ability to connect to another computer from their computer, and have access to programs and functions of the system. Here we will connect and configure this function.

Note: I want to clarify that the standard way of accessing the desktop remotely in Windows works only if the computers are on the same local network.

To be more precise, there is a way to connect RDP via the Internet. To do this, you need to forward the router port to the IP address of your computer, but this dance with a tambourine is useless. It turns out that the settings will be reset all the time depending on the static or dynamic IP address, and it will be very expensive to reconfigure each time. Maybe in Windows 10 someday they will add a normal remote desktop function, but for now we have what we have.

Method 1.

  • Click Search next to the start menu, or in other versions windows start and search.
  • 1. Write Control Panel.
  • 2. Select from the suggested Control Panel.
  • 3. System and security.
  • 4. In the System window that opens.
  • 5. In the next window, click Remote access settings.


Method 2.

  • 1. Click Start and right-click the This PC icon, or right-click an empty area in Explorer and choose Properties.
  • 2. Select More and, in the pop-up menu, Properties.
  • 3. In the window that opens, click Remote access settings.


Go to the Remote access tab, tick “Allow Remote Assistance connections to this computer”, then below select “Allow remote connections to this computer” and tick “Allow connections only from computers running Remote Desktop with Network Level Authentication”. For additional security, you can also use “Select Users” to choose which users are allowed to access the computer remotely; only they will be able to do so.

Let's launch the utility itself. Click Search, and write connection...

Now you need to know the IP address, computer name and password of the computer you want to connect to. I would like to note that if it does not connect, then you need to create a password on the remote computer. IP addresses, computer names and a lot of other local information can be scanned with the program Advanced IP Scanner.

Connecting to another computer via the Internet (TeamViewer)

Let's look at how to set up and connect to the remote Windows desktop of another computer using the popular program TeamViewer. Go to the website to download the program itself. Install TeamViewer on your computer and on the remote one. Select settings for how you want to use the program.


  • 1. This is your ID and password. You may need it if you need to access your desktop from another computer.
  • 2. Partner ID. Enter the details of the other (remote) computer here. The data of the remote (second) computer is shown on that computer in the same place as yours in point 1.

Click the Connect to a partner button, after which the following window will appear, where you will have to enter the password of the remote partner.


I greet you. Alexander Glebov is in touch with you. This time I will tell you and show you how to enable remote desktop, that is, rdp, remotely. If interested, read on.

Introduction

You may ask: “Why do we even need to enable remote desktop remotely? In a domain, this can generally be done with policies, etc.” I'll tell you where I needed to enable remote desktop. At one time I worked at the company ZAO NG Energo, and there was such a case there. In one office they installed a new computer with Windows 7 installed, but it was not in a domain, and in Windows RDP is disabled by default. So I had to think about how to enable RDP remotely, so that I could then connect and join the computer to the domain. Let's get to the point...

Procedure - enable remote desktop (rdp) remotely

There are several requirements without which you cannot enable rdp remotely, namely:

  • You must have administrator credentials on the remote workstation;
  • there must be physical access over the network.

So let's get started. Click Start, click Run, type regedit and press Enter. As a result, the Registry Editor will open. If there is no Run button, press “Windows + R” and the same Run dialog will open. It looks like this:

In the Registry Editor that opens, you need to connect the remote registry. This is done like this: click in the upper left corner, “file”, then “connect network registry”. In the window that opens, enter the name or IP of the remote computer and click OK.

As a result, if your computer is in a domain and you have sufficient rights, that is, your account is in the local administrators group, a new registry branch will appear in the editor (example below). If, as in my example, the computer is in a workgroup, then a request will pop up to enter credentials that have the appropriate rights:

Enter the login (User) in the format: remote computer name\remote user name, then enter the password and click OK. If the data is entered correctly, we get the following picture:

Next we go along the following path: “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server”, and on the right we see a set of keys, we are interested in the key fDenyTSConnections. It must be assigned the value 0.

After this, we ask someone to restart the computer and try to connect via RDP. However, it may happen that you will not be able to connect; this means that the firewall is most likely enabled on the remote computer, and you need to add a rule that allows you to connect via the standard port 3389. If for some reason you were unable to add the key through the registry editor, then read below. There I provide the command to enable RDP via PsTools and the command line.

How to add a rule to the firewall on a remote computer?

The requirements are still the same, there must be physical access over the network, and you must have administrator credentials on the remote computer. Let's perform the following steps: