Remote Desktop on Windows via a router: connecting to a remote desktop with the built-in Windows RDP client

RDP stands for Remote Desktop Protocol. It is used to connect one computer to another over a network or the Internet. For example, if a user is at home and urgently needs to fill out documents on the office computer, this protocol lets them do it.

How RDP works

By default the connection goes to TCP port 3389 on the remote computer. The client (mstsc.exe) is preinstalled on every Windows machine; the host side is present only in Pro, Enterprise and Server editions. There are two kinds of connection:

  • for administration;
  • for working with programs on the server.

Windows Server supports two simultaneous administrative RDP connections out of the box (that is, when the Remote Desktop Session Host role is not installed). Client editions of Windows allow only one interactive session.

A connection is established in several stages:

  • the client opens a TCP connection to the server (port 3389 by default) and requests access;
  • an RDP session is negotiated: the two sides agree on the security method, encryption parameters and session settings;
  • once negotiation is complete, the server sends graphical output to the client and receives keyboard and mouse input from it. The graphical output is either an exact copy of the screen (bitmaps) or drawing orders (lines, rectangles, glyphs and so on). These drawing orders are the core of the protocol and save a great deal of bandwidth;
  • the client turns the orders into graphics and displays them on its screen.

The protocol also has virtual channels that let you redirect a printer, use the clipboard, carry audio, and so on.

Connection security

There are two security mechanisms for an RDP connection:

  • built-in (Standard RDP Security);
  • external (Enhanced RDP Security).

The difference is that the first uses encryption and integrity protection implemented by the protocol itself, while the second delegates the secure channel to TLS (and, with Network Level Authentication, CredSSP). Let's take a closer look at how each works.


Built-in protection (Standard RDP Security) works as follows. Before any user authentication:

  • when the system starts, the server generates an RSA key pair;
  • a proprietary certificate containing the public key is produced;
  • that certificate is signed with a Microsoft RSA key that is built into every RDP implementation, so any client can check the signature;
  • the client receives the certificate when it connects;
  • the client verifies the signature and extracts the server's public key, which is then used to exchange the session keys.

The caveat a practitioner should notice: because the signing key is the same everywhere and is public, the certificate proves nothing about which server you are talking to. Standard RDP Security therefore gives no protection against a man-in-the-middle, which is why Enhanced RDP Security (TLS) exists.

Encryption then begins:

  • the RC4 stream cipher is used;
  • key lengths of 40, 56 and 128 bits are negotiated depending on the edition; Windows Server 2003 uses 128-bit keys;
  • Windows Server 2008 additionally offers FIPS mode, in which 3DES with a 168-bit key replaces RC4.

Integrity is protected by a MAC computed from MD5 and SHA-1.

The external system (Enhanced RDP Security) relies on TLS (TLS 1.0 in the original specification; current Windows versions negotiate TLS 1.2) and on CredSSP. CredSSP combines TLS with Kerberos or NTLM so that the user's credentials are checked before a session is created (Network Level Authentication).

Connection sequence with Enhanced security:

  • the server proves its identity with its TLS certificate, so the client can detect an impostor;
  • the user's credentials are verified by CredSSP before the desktop session is started, which is the best protection the protocol offers;
  • the user authenticates once, and each session is encrypted with its own freshly negotiated keys.

Replacing the old port value with a new one

To set a different port (the procedure is the same on all Windows versions, including Windows Server 2008):

  • open the registry editor (regedit);
  • go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp;
  • open the PortNumber value, switch the base to Decimal and enter the new port;
  • restart the Remote Desktop Services service (or the computer) and allow the new port through the firewall.

From now on, when connecting to the remote desktop, the new port is appended to the address after a colon, for example 192.161.11.2:3381 .

Replacement using PowerShell utility

The same change can also be made from the command line:

  • a reboot afterwards is recommended;
  • open regedit, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, click the RDP-Tcp key and set the new value in PortNumber;
  • then open the new port in the firewall. From an elevated PowerShell or command prompt run: netsh advfirewall firewall add rule name="NewRDP" dir=in action=allow protocol=TCP localport=49089 , where 49089 is the port you switched to.

Failed to open connection file default.rdp

Most often this error occurs when there is a DNS problem: the client cannot resolve the name of the specified server.

First check that the host address was typed correctly.

If the error persists, do the following:

  • go to "My Documents" (Documents);
  • find the file default.rdp. If it is not visible, enable "Show hidden files and folders" in Folder Options;
  • delete the file and try to connect again.

As you know, the Remote Desktop Protocol (RDP) lets you connect remotely to computers running Windows and is available to any Windows user, except on Home editions, which include only the RDP client and not the host. It is a convenient, effective and practical remote-access tool for administration or daily work. Recently it has also attracted the attention of miners, who use RDP to reach their farms. RDP support has been built into Windows since NT 4.0 Terminal Server Edition and XP, but not everyone knows how to use it. Meanwhile, Microsoft Remote Desktop clients exist for Windows, Mac OS X, Android, iPhone and iPad.

If the settings are understood properly, RDP is a good means of remote access. It lets you not only see the remote desktop but also use the remote computer's resources and connect your local disks or peripherals to it. For this the computer must have an external IP address (static or dynamic), or it must be possible to "forward" the port from a router that has an external address.

RDP servers are often used for collaborative work in 1C, or user workplaces are deployed on them so that people can connect to their workplace remotely. The RDP client lets you work with text and graphics applications and fetch data from a home PC. To do that, port 3389 has to be forwarded on the router so that the home network is reachable through NAT. The same applies to an RDP server in an organization.

Many consider RDP an unsafe method of remote access compared with dedicated programs such as RAdmin, TeamViewer or VNC. Another prejudice is RDP's high traffic. In fact, RDP configured with TLS and Network Level Authentication is no less secure than other remote-access solutions (we return to security below), and with the right settings you can get fast response and low bandwidth use. What is genuinely risky, whatever the tool, is exposing the service directly to the Internet: a forwarded port 3389 is found by scanners quickly and subjected to password guessing, so prefer a VPN, and if you must forward, require NLA, use strong passwords with account lockout, and restrict source addresses where the router allows it.

How to protect RDP and tune its performance

Encryption and security. Open gpedit.msc and go to "Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Security". Enable "Require use of specific security layer for remote (RDP) connections" and choose "SSL" (TLS) as the security layer. In "Set client connection encryption level" choose "High Level". Enable "Require user authentication for remote connections by using Network Level Authentication". To enforce FIPS 140 algorithms, go to "Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options" and enable "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". In the same place, keep "Accounts: Limit local account use of blank passwords to console logon only" enabled (it is on by default) so that accounts without a password cannot be used over the network. Finally, check the list of users allowed to connect via RDP (the Remote Desktop Users group and the "Allow log on through Remote Desktop Services" user right).
Optimization. Open "Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Remote Session Environment". In "Limit maximum color depth" choose 16 bits, which is enough. Enable "Enforce removal of Remote Desktop wallpaper". In "Set compression algorithm for RDP data" choose "Optimized to use less network bandwidth". Set "Optimize visual experience for Remote Desktop Service sessions" to "Text". Turn off font smoothing.
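The same security settings can be applied and verified without the Group Policy editor. The script below is an added example and is not part of the original article; it writes the policy registry values that the Group Policy entries above map to, then reads back the effective state. It assumes an elevated PowerShell on a standalone or locally managed host (if the machine is domain-joined, domain policy will overwrite these keys at the next refresh).

```powershell
# Added example (not from the original article): apply and verify the RDP hardening
# settings described above via the registry keys behind the Group Policy entries.
# Assumption: run in an elevated PowerShell on a locally managed host.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $policy -Force | Out-Null

# "Require use of specific security layer for remote (RDP) connections" = SSL (TLS)
#   0 = RDP Security Layer (Standard RDP Security), 1 = Negotiate, 2 = SSL/TLS
Set-ItemProperty -Path $policy -Name SecurityLayer -Value 2 -Type DWord

# "Require user authentication for remote connections by using Network Level Authentication"
Set-ItemProperty -Path $policy -Name UserAuthentication -Value 1 -Type DWord

# "Set client connection encryption level": 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
Set-ItemProperty -Path $policy -Name MinEncryptionLevel -Value 3 -Type DWord

# Read back the effective state. The policy keys take precedence over the listener's own
# values under Terminal Server\WinStations\RDP-Tcp, which is why both are shown.
$live = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$eff  = Get-ItemProperty $policy
[pscustomobject]@{
    SecurityLayer      = $eff.SecurityLayer        # expect 2
    NLARequired        = $eff.UserAuthentication   # expect 1
    MinEncryptionLevel = $eff.MinEncryptionLevel   # expect 3
    ListenerPort       = $live.PortNumber          # 3389 unless changed
    FipsMode           = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy').Enabled
} | Format-List

# Which certificate the TLS listener presents. By default it is self-signed and lives in
# the machine "Remote Desktop" store; replacing it with a CA-issued one lets clients verify
# the host instead of clicking through the warning.
$hash = (Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' |
    Where-Object Thumbprint -eq $hash |
    Select-Object Subject, Issuer, NotAfter, Thumbprint

# Who may connect: Administrators always can; everyone else must be in this group (or hold
# the "Allow log on through Remote Desktop Services" right). Review it.
Get-LocalGroupMember -Group 'Remote Desktop Users'
```

Run it once after changing the policy and once more after a reboot: if domain policy or a management agent is fighting you, the second read will show the values reverted.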

The basic setup is complete. How to connect to remote desktop?

Remote Desktop Connection

To connect via RDP you need an account with a password on the remote computer, remote connections must be enabled in the system, and, so that you do not have to change the connection details every time a dynamic IP address changes, you can assign the computer a static IP address in the network settings. Remote access (as a host) is available only on Windows Pro, Enterprise and Ultimate.

To connect to a computer remotely, allow the connection in "System Properties" and set a password for the current user, or create a separate user for RDP. Users with regular accounts cannot make their computer available for remote control on their own; an administrator can grant them that right. Antivirus products can also block RDP; in that case allow RDP in the antivirus settings.

One feature of some server operating systems is worth noting: if the same user logs in locally and remotely, the local session is closed and the remote one takes over where it left off. Conversely, logging in locally closes the remote session. If one user is logged in locally and another connects remotely, the system ends the local session.

An RDP connection works between computers on the same local network or over the Internet, but the latter requires extra steps: forwarding port 3389 on the router, or connecting to the remote computer through a VPN.

To connect to a remote desktop in Windows 10, enable remote connections in "Settings - System - Remote Desktop" and specify the users to grant access to, or create a separate user for the connection. By default the current user and administrators have access. Then, on the computer you are connecting from, run the connection utility.

Press Win+R, type MSTSC and press Enter. In the window enter the IP address or computer name, click "Connect", and enter the user name and password. The remote computer's screen appears.


When connecting from the command line (mstsc.exe), additional parameters can be given:

  /v:<server[:port]>   the remote computer to connect to, optionally with a port
  /admin               connect to the session for administering the server
  /edit <file.rdp>     open an RDP connection file for editing
  /f                   start the remote desktop in full-screen mode
  /w:<width>           width of the remote desktop window
  /h:<height>          height of the remote desktop window
  /public              run in public mode (credentials and bitmaps are not cached on this computer)
  /span                match the remote desktop size to the local virtual desktop, spanning several monitors if needed
  /multimon            lay out the session's monitors to match the current client-side configuration
  /migrate             migrate legacy connection files to the new RDP file format


For Mac OS, Microsoft has released an official RDP client that works reliably against any version of Windows. In Mac OS X, download Microsoft Remote Desktop from the App Store; press the "plus" button to add a remote computer and enter its IP address, user name and password. Double-clicking the entry in the list opens the Windows desktop.

On Android and iOS phones and tablets, install Microsoft Remote Desktop, choose "Add" and enter the connection parameters: the computer's IP address, login and Windows password. To reach a computer from outside the home network, forward port 3389 on the router to the computer's internal IP address and connect to the router's public address with that port. This is done in the router's Port Forwarding section: choose Add and enter:

  Name: RDP
  Type: TCP & UDP
  Start port: 3389
  End port: 3389
  Server IP: the internal IP address of the computer to connect to

Remember that a forwarded 3389 is reachable by everyone on the Internet, not just you; a VPN into the home network is the safer route, and if you do forward, make NLA mandatory and use a non-trivial password.

What about Linux? Microsoft does not ship an RDP client for Linux, but the protocol is publicly documented and open-source clients exist: Remmina (which uses the FreeRDP library) is the usual choice, and Ubuntu has packages and repositories for Remmina with its RDP plug-in.

RDP is also used to connect to Hyper-V virtual machines. Unlike the hypervisor's own connection window, an RDP connection lets the virtual machine see devices attached to the physical computer, supports audio, gives a better picture of the guest desktop, and so on.

Configuring other remote access functionality

The remote computer connection window has tabs with customizable parameters.

Details of setting up the remote desktop in Windows 10 are shown in the accompanying video. Now let's get back to RDP security.

How to hijack an RDP session?

Is it possible to hijack RDS sessions, and how do you protect yourself? The possibility of hijacking an RDP session in Microsoft Windows has been known since 2011, and a year ago the researcher Alexander Korznikov described the techniques in detail in his blog. It turns out that from a SYSTEM context you can attach to any running session on the machine, whatever account owns it, while being logged in as a completely different user.

Some of the techniques need no password for the target session at all. All you need is a command line running as NT AUTHORITY\SYSTEM. If you run tscon.exe as SYSTEM, you can attach to any session without a password: RDP does not prompt, it simply switches you to that user's desktop. (You could also dump the server's memory and recover user passwords, but tscon makes that unnecessary.) Simply running tscon.exe with the session ID gives you the specified user's desktop, with no external tools. So a single command yields a hijacked RDP session. If psexec.exe has been installed beforehand, the SYSTEM shell is one command away:

Psexec -s \\localhost cmd
Alternatively, create a service whose command line runs tscon against the target session and start it; the service runs as SYSTEM, and your session is replaced by the target's. Some notes on how far this goes:

  • You can attach to disconnected sessions. If someone logged off the console a couple of days ago but their session is still disconnected rather than logged out, you can attach to it and start using it.
  • You can take over locked sessions. While the user is away from their desk you attach to their session and it is unlocked without any credentials. For example, an employee logs in, then locks the screen (without logging out); the session stays active and all applications stay in the same state. If a system administrator logs into his own account on the same computer, he can reach the employee's session and therefore all of its running applications.
  • With local administrator rights you can attack a session belonging to a domain administrator, that is, rights higher than the attacker's own.
  • You can attach to any session. If it belongs to the help desk, you get it without authentication; if it belongs to a domain administrator, you become a domain administrator. Combined with attaching to disconnected sessions, this is an easy way to move around the network, so attackers can use it both for initial access and for lateral movement.
  • win32k exploits can be used to obtain SYSTEM first and then use this feature. If patches are not applied properly, an ordinary user can end up here.
  • If you do not know what to monitor, you will not know it happened at all.
  • The method works remotely: you can attach to sessions on remote computers even without being logged in to the server interactively.
Many server operating systems are exposed to this, and the number of servers running RDP keeps growing. Windows Server 2012 R2, Windows Server 2008, Windows 10 and Windows 7 were all affected. Note what the attacker must already hold: local administrator or SYSTEM on the host. This is therefore a post-exploitation and lateral-movement technique rather than a way in, and Microsoft did not treat it as a vulnerability, so it is not fixed by an update. Two-factor authentication is recommended because it makes the first foothold harder, but it does not stop tscon once an attacker is SYSTEM; the practical defences are to end disconnected sessions after a short time limit (so there is nothing to reconnect to), to avoid leaving privileged sessions disconnected, and to watch for tscon.exe executions and session reconnects (Security event 4778). The updated Sysmon Framework for ArcSight and the Sysmon Integration Framework for Splunk alert administrators to the commands used to hijack an RDP session, and the Windows Security Monitor utility can be used to watch security events too.
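What the defender's side of the technique above looks like in practice, as an added example that is not from the original article: list the sessions a SYSTEM shell could attach to, pull the two event sources that record a hijack, and set the policy that removes the target. It assumes Sysmon is installed with process-creation logging (Event ID 1) and that "Audit Other Logon/Logoff Events" is enabled so the Security log carries 4778/4779; run it in an elevated PowerShell on the host you are checking.

```powershell
# Added example (not from the original article): hunting for the tscon session hijack
# described above, plus the one setting that removes its target. Run elevated.
# Assumptions: Sysmon process-creation logging (ID 1) and Security auditing of
# "Other Logon/Logoff Events" (IDs 4778/4779) are enabled on this host.

# 1. What an attacker with a SYSTEM shell sees. Disconnected ("Disc") sessions of other
#    users are the usual target: tscon only needs the numeric ID from this listing.
query session

# Helper: flatten a Windows event's EventData into a hashtable keyed by field name
function Get-EventData([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event) {
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 2. Security 4778 = "A session was reconnected to a Window Station". A tscon hijack run
#    from a local SYSTEM shell typically appears as a reconnect whose client is the host
#    itself (ClientAddress 'LOCAL'), not an RDP client arriving from the network.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4778 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Account    = "$($d.AccountDomain)\$($d.AccountName)"
            Session    = $d.SessionName
            ClientName = $d.ClientName
            ClientAddr = $d.ClientAddress
        }
    } |
    Where-Object { $_.ClientAddr -eq 'LOCAL' -or $_.ClientName -eq $env:COMPUTERNAME } |
    Format-Table -AutoSize

# 3. Sysmon 1: every tscon.exe launch with its parent. The patterns from the text are a
#    parent cmd.exe running as SYSTEM (psexec -s) or services.exe (the service variant).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.Image -like '*\tscon.exe' } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.UtcTime
            User        = $_.User
            CommandLine = $_.CommandLine
            Parent      = $_.ParentImage
        }
    } | Format-Table -AutoSize

# 4. Mitigation: end disconnected sessions so there is nothing to reconnect to. This is
#    the "Set time limit for disconnected sessions" policy; the value is milliseconds
#    (15 minutes here). Disconnected privileged sessions are the real prize.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name MaxDisconnectionTime -Value 900000 -Type DWord
```

Step 3 is the higher-signal one: tscon.exe has almost no legitimate use on a server, so a single execution is worth an alert, whereas 4778 reconnects also fire for ordinary console unlocks and have to be correlated with who created the session.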

Finally, let's look at how to disable remote desktop connections. This is a useful measure if remote access is no longer needed, or to stop strangers from connecting to the desktop. Open "Control Panel - System and Security - System". In the left column click "Remote settings". Under Remote Desktop select "Don't allow connections to this computer". Now no one will be able to connect to you via Remote Desktop.

In conclusion, here are a few more life hacks that may be useful when working with the Windows 10 remote desktop, or with remote access in general.


As you can see, remote access to a computer opens up many solutions and opportunities. It is no coincidence that most enterprises, organizations, institutions and offices use it. The tool is useful not only for system administrators but also for heads of organizations, and remote access is very handy for ordinary users too. You can fix or tune a system for someone who does not understand it without leaving your chair, transfer data or reach the files you need while on a business trip or vacation anywhere in the world, work on the office computer from home, manage your virtual server, and so on.


Good afternoon, dear readers and guests of the blog. Today's task: change the incoming port of the RDP service (terminal server) from the standard 3389 to something else. Let me remind you that the RDP service is a feature of Windows thanks to which you can open a session over the network to the computer or server you need, using the RDP protocol, and work on it as if you were sitting at it locally.

What is RDP protocol

Before changing anything it is good to understand what it is and how it works, as I keep telling you. RDP, Remote Desktop Protocol, is the remote desktop protocol for Microsoft Windows, although its origins lie with PictureTel (Polycom); Microsoft bought it. It is used for remote work by an employee or user on a remote server. Most often such servers act as terminal servers, for which special licenses (CALs) are allocated, either per user or per device. The idea is this: there is a very powerful server, so why not share its resources, for example for a 1C application? This becomes especially relevant with the advent of thin clients.

The terminal server itself first appeared in 1998 in Windows NT 4.0 Terminal Server Edition; to be honest, I did not even know such a thing existed, and in Russia at that time we were all playing Dendy or Sega. RDP clients are now available for all versions of Windows, Linux, MacOS and Android. At the time of writing, the newest version of the RDP protocol is 8.1.

Default rdp port

Let me say straight away: the default RDP port is 3389; I think every system administrator knows it.

How the rdp protocol works

Now that we understand why the Remote Desktop Protocol was invented, it is logical to look at how it works. Microsoft distinguishes two modes:

  • Remote administration mode: for administration; you log on to the remote server and configure and administer it
  • Terminal Server mode: for access to an application server, RemoteApp, or for sharing the server for work

In general, if you install Windows Server 2008 R2 - 2016 without the terminal server role, it comes with two administrative connections by default, so two users can connect at once and a third has to kick someone out. Client versions of Windows have only one, though that too can be worked around, as I described in the article Terminal Server on Windows 7. Remote administration mode can also be clustered and load-balanced with NLB and the Session Directory (Connection Broker) service, which keeps track of user sessions so that a user reaches the right terminal server's desktop in a distributed farm. A licensing server is another required component.

RDP is an application-level protocol that runs over a TCP connection. When a client connects to the server, an RDP session is created at the transport level, in which encryption and data-transfer methods are negotiated. Once negotiation and initialization are complete, the terminal server sends graphical output to the client and waits for keyboard and mouse input.

Remote Desktop Protocol supports multiple virtual channels within a single connection, allowing you to use additional functionality

  • Transfer your printer or COM port to the server
  • Redirect your local drives to the server
  • Clipboard
  • Audio and video

RDP connection stages

  • Establishing a connection
  • Negotiating encryption parameters
  • Server Authentication
  • Negotiating RDP session parameters
  • Client Authentication
  • RDP session data
  • Terminating RDP session

Security in the RDP protocol

Remote Desktop Protocol has two security methods, Standard RDP Security and Enhanced RDP Security; both are covered below.

Standard RDP Security

With this method the connection is protected by mechanisms built into the RDP protocol itself:

  • when the operating system starts, an RSA key pair is generated
  • a Proprietary Certificate is created
  • the Proprietary Certificate is signed with a well-known RSA key that every RDP implementation contains
  • an RDP client connecting to the terminal server receives the Proprietary Certificate
  • the client checks the signature and extracts the server's public key, which is used in the encryption-parameter negotiation

The encryption algorithm is the RC4 stream cipher, with keys of 40 to 128 bits depending on the Windows edition; Windows Server 2008 additionally offers FIPS mode with 3DES (168-bit key). Once server and client have agreed on the key length, two new separate keys are generated for encrypting the data in each direction.

Data integrity is provided by a MAC (Message Authentication Code) based on SHA-1 and MD5.

Because the signing key is public, the certificate does not authenticate the server, so this mode cannot detect a man-in-the-middle; that is the reason Enhanced RDP Security exists.

Enhanced RDP Security

With this method RDP uses two external security protocols:

  • CredSSP
  • TLS (1.0 in the original specification; current Windows versions negotiate TLS 1.2)

TLS has been available since RDP 5.2 (Windows Server 2003 SP1). With TLS the server certificate can be the self-signed one the terminal server creates, or one selected from the certificate store (for example issued by an internal CA, which lets clients verify it instead of clicking through a warning).

CredSSP is a combination of Kerberos, NTLM and TLS. With it the check of whether the user may log on to the terminal server happens before the full RDP connection and session are created, which saves resources on the server, gives stronger encryption, and enables single sign-on thanks to NTLM and Kerberos. CredSSP requires Windows Vista / Windows Server 2008 or later (RDP 6.0). This is the checkbox in the system properties:

Allow connections only from computers running Remote Desktop with network level authentication.

Change rdp port

To change the RDP port:

  1. Open the registry editor (Start -> Run -> regedit.exe)
  2. Go to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Find the PortNumber value and change it to the port number you need.

Be sure to select Decimal as the base; for example, I'll use port 12345.

Once you have done this, restart the Remote Desktop Services service (TermService) from the command line.

Then create a new inbound firewall rule for the new RDP port. Let me remind you that the default RDP port is 3389. In the New Inbound Rule wizard:

  • choose a rule for a Port;
  • leave the protocol as TCP and specify the new RDP port number;
  • choose Allow the connection;
  • select the network profiles you need (Domain and Private; leave Public unchecked unless the host must be reachable from untrusted networks);
  • give the rule a name you will recognise later.

Keep in mind that changing the port only hides RDP from casual scans; a port scan still finds it, so this is not a substitute for NLA, strong passwords or a VPN.

To connect from Windows client computers, write the address with the port. For example, if you changed the port to 12345 and the server (or simply the computer you connect to) is called myserver, the MSTSC connection looks like this:
mstsc /v:myserver:12345
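The port change from this section and from the earlier "Replacing the old port value with a new one" section, done end to end in PowerShell, as an added example that is not from either original article. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (for the NetTCPConnection and NetFirewallRule cmdlets) and uses the article's example port 12345.

```powershell
# Added example (not from the original articles): move the RDP listener to a new port,
# open the firewall, restart the service and verify. Run elevated.
# Assumptions: Windows 8 / Server 2012 or newer; 12345 is the article's example port.
$NewPort  = 12345
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse a port something else already listens on, otherwise the RDP listener
# silently fails to bind and you lock yourself out of the machine.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP port $NewPort is already in use on this host"
}

$OldPort = (Get-ItemProperty -Path $listener -Name PortNumber).PortNumber

# 1. The value read by the RDP listener (REG_DWORD; the articles stress entering it in decimal)
Set-ItemProperty -Path $listener -Name PortNumber -Value $NewPort -Type DWord

# 2. Firewall. RDP 8 and later also use UDP on the same port for the transport extension,
#    so open both; keep the rules off the Public profile unless you mean it.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP on $NewPort ($proto)" -Direction Inbound -Action Allow `
        -Protocol $proto -LocalPort $NewPort -Profile Domain, Private | Out-Null
}

# 3. Restart the service. This drops current sessions, so do it from the console or
#    accept that your own RDP session will be cut and reconnect on the new port.
Restart-Service -Name TermService -Force

# 4. Verify the listener actually moved before closing your current session
Start-Sleep -Seconds 3
$bound = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
if (-not $bound) { throw "RDP is not listening on $NewPort; roll back PortNumber to $OldPort" }
$bound | Select-Object LocalAddress, LocalPort, OwningProcess

# Optionally stop honouring the old port once the new one is confirmed
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

Write-Host "Connect with: mstsc /v:$env:COMPUTERNAME`:$NewPort"
```

The two throws are the part worth keeping: on a remote server the only thing standing between a typo and a trip to the console is checking the port is free before the change and checking the listener is bound after it.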

Windows has long provided remote access via the RDP protocol. This standard tool appeared in Windows NT 4.0, released in 1996, was revised in Windows XP and reached maturity in Windows 7. Windows 8/8.1 and 10 inherited RDP remote access from Windows 7 without functional changes.

Below we take a closer look at how remote access via RDP works in Windows 7, 8.1 and 10.

1. Remote access via RDP protocol

An RDP connection is made between computers on the same local network. This type of connection is intended primarily for IT specialists who service the computers of a company integrated into one production network. Without leaving their desk, system specialists can connect to employees' computers, solve problems that do not require touching the hardware, and carry out preventive maintenance.

Connecting via RDP is also possible outside the local network, over the Internet, but this requires extra steps: either forwarding port 3389 on the router, or joining the remote computer into a single VPN network. For that reason connecting to a remote computer over the Internet is often easier with other tools that need no such preparation, for example the standard Windows "Remote Assistance" utility, which works by sending an invitation file to the person who will provide help. More capable equivalents on the Windows software market are programs like .

RDP is also used to connect to virtual machines. An RDP connection offers more than the standard connection window of a hypervisor: the Hyper-V connection window does not play sound from the guest OS, does not see connected USB storage, and cannot share more with the physical computer than pasted text. An RDP connection gives the virtual machine visibility of devices attached to the physical computer, a better picture of the guest desktop, sound, and so on.

To connect via RDP, the remote computer must meet the following requirements:

  • It must have a password-protected account;
  • The system must allow remote connections;
  • If you do not want to change your access data every time you connect with a constantly changing dynamic IP address, you must assign a static IP address in the network settings.

Remote access is only possible on computers with Windows Pro, Enterprise or Ultimate editions installed. Home versions of Windows (Home) do not provide remote access via RDP.

2. Password on the remote computer

If you use a Microsoft account on the remote computer and sign in with a short PIN instead of the long password, then when connecting via RDP you must enter the long password, not the four-digit PIN.

If a local account without a password is used on the remote computer and there is no particular need for one, as when connecting to Hyper-V virtual machines on an isolated host, at least a simple password such as "777" or "qwerty" has to be created, because Windows refuses network logon to accounts with a blank password. Treat that as the floor for an isolated lab only: any host reachable from a network other than your own needs a real password, since RDP is a favourite target for password guessing.

3. IP address of the remote computer

When connecting via RDP you need the IP address of the remote computer. The internal IP address is visible in the system's network settings, but in Windows 7, 8.1 and 10 these are three different paths: in Windows 7 it is a Control Panel section, in Windows 8.1 and 10 the Settings app, each organised differently. So we will find the internal IP address in a way that works on all of them: from the command line. The Command Prompt shortcut in Windows 7 is in the Start menu; in Windows 8.1 and 10 it is launched from the context menu of the Start button.

In the command prompt window enter:

ipconfig

After pressing Enter you get a summary in which the internal IP address (IPv4 Address) is shown.

4. Allowing remote connections

Permission for remote connections to a Windows system is usually off by default; this is certainly so for licensed builds. RDP is enabled on the remote computer in the system settings: we need the "System" section. In Windows 7 it can be found by searching the Start menu; in Windows 8.1 and 10, from the context menu of the "Start" button.

Click "Remote settings".

In the System Properties window, select the option allowing remote connections. Leave the Network Level Authentication option enabled; it makes the client authenticate before a desktop session is created. Click "Apply" below.

These settings open the way for remote connection, but only for administrator accounts. Users with regular accounts cannot make their own computer available for remote control; an administrator can grant them the right.

Below the option allowing remote connections there is a "Select Users" button. Click it.

In the field enter the name of the user allowed to connect via RDP. For local accounts this is the user name; for Microsoft accounts, the e-mail address used to sign in. Click "OK".

That's it: this user's account is now reachable from any computer on the local network.
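The same preparation of the remote computer (allow connections, keep NLA, open the firewall, add a non-administrator to the allowed users), done from an elevated PowerShell, as an added example that is not from the original article. The user name vasya is an assumption taken from the article's later example; Windows 8 / Server 2012 or later is assumed for the NetFirewallRule cmdlets and Windows 10 / Server 2016 for the LocalAccounts cmdlets.

```powershell
# Added example (not from the original article): enable Remote Desktop on the remote
# computer and grant one regular user access, keeping NLA on. Run elevated.
# Assumptions: Windows 10 / Server 2016 or newer; 'vasya' is a placeholder local user.
$User = 'vasya'

# Equivalent of the "Allow remote connections to this computer" option
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 0 -Type DWord

# Keep "Allow connections only from computers running Remote Desktop with Network Level
# Authentication" checked, as the text advises (1 = NLA required)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1 -Type DWord

# Open the built-in rule group, but only on the profiles that need it. Leaving Public off
# means a laptop carried to a cafe does not start advertising port 3389.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Set-NetFirewallRule    -DisplayGroup 'Remote Desktop' -Profile Domain, Private

# "Select Users": membership in Remote Desktop Users grants the "Allow log on through
# Remote Desktop Services" right without making the account an administrator.
$already = Get-LocalGroupMember -Group 'Remote Desktop Users' -Member $User -ErrorAction SilentlyContinue
if (-not $already) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $User
}

# A blank password blocks network logon (the "limit local account use of blank passwords
# to console logon only" policy is on by default), so confirm the account is usable.
$acct = Get-LocalUser -Name $User
if (-not $acct.Enabled)          { Write-Warning "$User is disabled; RDP logon will fail" }
if (-not $acct.PasswordRequired) { Write-Warning "$User has no password; network logon is refused" }

# Show the resulting state
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, PrincipalSource
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled, Profile
```

The group membership is the security-relevant line: granting RDP through Remote Desktop Users rather than by adding the person to Administrators is what keeps a stolen "vasya" password from becoming local admin on the box.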

5. Connect to a remote computer

All necessary actions on the remote computer have been completed, let’s move on to the main computer from which connection and control will be carried out. You can launch the standard RDP connection utility by finding its shortcut using a search within the system. In Windows 7, this is a search in the Start menu.

In versions of Windows 8.1 and 10, press the Win+Q keys.

A small connection window will appear. In the future, it will be possible to connect to remote computers using exactly this abbreviated form. But for now, click “Show options”.

In the “Computer” field, enter the IP address of the remote computer. In the field below - “User” - accordingly, enter the user name. If a Microsoft account is connected to the remote computer, enter the email address.

If you work on your computer using a regular local account, the username must be entered in the format:

Computer\User

For example, DESKTOP-R71R8AM\Vasya, Where DESKTOP-R71R8AM is the name of the computer, and Vasya– username of the local account.

Below the username there is an option to save authorization data on a remote computer. Connection parameters - IP address, username and password - can be saved as a separate RDP file and used to open it on another computer. Click “Connect”, and then “Connect” again in a new window.

Enter the password for the remote computer account.

Click “Yes” in the certificate error window.

We will get more settings for connecting via the RDP protocol in the utility window initially, before establishing the connection.

6. Connect to another account on a remote computer

Below the field for the remote computer's user name, if the “Always request credentials” checkbox is not checked, options for deleting and changing the saved credentials are displayed. Clicking “Change” shows, in addition to the sign-in form for the existing account on the remote computer, the option to connect to another account that exists on the same computer.

After entering a new username and password, the authorization data for a specific IP address will be overwritten.

7. Connection settings

In the opened window for connecting to a remote computer, we will find tabs with customizable parameters. The first two concern the convenience and functionality of remote access.

“Screen” – in this tab you can set the screen resolution of the remote computer; after connection, the utility window will open at this resolution. If access is made from a low-powered computer, you can set a low resolution and sacrifice color depth.

“Local resources” – here, to save system resources, you can disable audio playback from the remote computer; conversely, you can also enable audio recording from the remote computer. In the “Local devices and resources” section, after clicking the “Details” button, we can, in addition to the active printer, select devices of the main computer that will be available on the remote computer: smart cards, individual hard drive partitions, flash drives, memory cards and external hard drives.

An obstacle to using the RDP protocol may be its blocking by antivirus software. In this case, the RDP protocol must be allowed in the settings of the antivirus program.

Have a great day!

Imagine a situation where you are on a business trip or on vacation and at just that moment you need to look at or do something on your home computer. For ordinary users such a need arises infrequently, which cannot be said of IT workers, businessmen and managers. When creating Windows, Microsoft's developers foresaw this, so they built into the system the ability to control a desktop remotely.

Windows 7/10 Remote Desktop, or RDP, is a feature that allows you to control one computer from another via a local or global network. To be honest, its implementation in Windows is somewhat lame, so special programs like TeamViewer, AeroAdmin or Ammyy Admin are more often used for remote access.

The disadvantage of third-party tools is the requirement to confirm access on the side of the remote host; however, TeamViewer also has the ability to connect without confirmation. Other disadvantages of such software include slower operation than the standard RDP functions and limits on simultaneous access to a remote computer. Third-party programs can be very convenient when it comes to remote maintenance and support, while remote access to the Windows 7/10 desktop organized with built-in tools is more suitable for everyday work.

Setting up a remote desktop using Windows

For computers to communicate, they must be configured correctly. Technically, the task does not seem too difficult, although there are some nuances here, especially in the case of control via the Internet. So, let's see how to set up a remote desktop using system tools. Firstly, the PC that will be accessed must have Windows version no lower than Pro, but you can also control it from the home version. The second and very important condition is the need to have a static IP address on the remote PC.

Of course, you can try to configure it manually, but there is a problem. The internal IP is given to the PC by the router's DHCP server for a certain period, after which the computer must request a new IP. It may be the same, but it may also change, and then you will not be able to use the RDP protocol. This happens with gray, dynamic addresses, and, I must say, these are the addresses that most providers allocate to their clients. Therefore, the most correct thing would be to contact your provider’s support service with a request to allocate a static address to your computer.

If we don’t want to pay for a white (public) IP (the service is provided for an additional fee), we try to configure the connection manually. Run the command control /name Microsoft.NetworkAndSharingCenter to open the Network and Sharing Center, click on your connection and click the "Details" button in the window that opens.

Make a note of the IPv4, subnet mask, default gateway, and DNS server information.

You can get the same data by running the ipconfig /all command in CMD or PowerShell. Close the details window and open the properties from the status window.

Select IPv4 from the list, go to its properties and enter the received data in the appropriate fields. Save your settings.

You now have a static address; next, you need to enable permission for remote connections. Run the command systempropertiesremote to open the "Remote Access" tab in the system properties and turn on the "Allow remote connections to this computer" radio button.

If necessary, add users to whom we want to provide the ability to connect remotely.

In Windows 10 1709, you can access all of these settings from the Remote Desktop subsection of the Settings app.

If you are using a third-party firewall, open TCP port 3389 in it. At this point, the general setup of Remote Desktop is complete.

If the connection is made on a local network, you can start working immediately. Run the built-in RDP client with the mstsc command, enter the IP address or host name of the remote computer in the window that opens, select a user and click “Connect”.

We ignore the warning, uncheck the box so that it is not asked again for this computer, and click “Yes”. If the connection is successful, you will see the desktop of the remote host.
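The local-network setup above, done from an elevated PowerShell on the computer that will be controlled. This is an added example, not the article's own commands; the interface alias, the addresses, the account name and the English firewall group name are assumptions, so substitute the values from your own "Details" window.

```powershell
# Added example (not from the article): the setup steps above from an elevated PowerShell
# on the computer that will be controlled. Interface alias, addresses and user name are
# placeholders; take the real values from the "Details" window as described above.

$iface = 'Ethernet'   # placeholder: Get-NetAdapter shows the real alias

# 1. Static address instead of the DHCP lease (placeholder addresses)
Set-NetIPInterface -InterfaceAlias $iface -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $iface -IPAddress 192.168.1.50 -PrefixLength 24 -DefaultGateway 192.168.1.1
Set-DnsClientServerAddress -InterfaceAlias $iface -ServerAddresses 192.168.1.1

# 2. Allow remote connections (same as the "Allow remote connections to this computer" button)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 0 -Type DWord

# 3. Let a non-administrator local account connect ("Vasya" is a placeholder)
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'Vasya'

# 4. Open TCP 3389 in Windows Defender Firewall using the built-in rule group
#    (group name assumed for an English Windows; it is localized on other languages)
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 5. Check that the service is running and listening on 3389 before trying to connect
Get-Service TermService | Select-Object Name, Status
Get-NetTCPConnection -LocalPort 3389 -State Listen | Select-Object LocalAddress, LocalPort

# From the controlling computer this is the same as typing the address into mstsc:
# mstsc /v:192.168.1.50
```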

Setting up a remote desktop over the Internet is more difficult, since here you will have to forward port 3389 to the IP address of your PC and then connect to the external IP of the router, which can become a real headache for the user, since you will have to delve into the router's settings. Finding out your public IP is not difficult: just go to the website 2ip.ua/ru or a similar resource.

For the router in this example, you need to go to the Forwarding – Virtual servers section, click “Add” and enter 3389 in the “Server Port” and “Internal Port” fields; in the “IP Address” field, indicate the IP used by the computer, and set the “Protocol” and “Status” fields to “All” and “Enabled” respectively. Save your settings.

Now you can try to connect to the remote desktop from the main PC. Run the RDP program with the mstsc command and enter the previously obtained external IP address with the port number separated by a colon in the “Computer” field, for example, 141.105.70.253:3389. Further, everything is exactly the same as in the example with a local network connection.

Ensuring connection security and setting up user access

RDP has reasonably good protection; however, it wouldn't hurt to check and enable additional options. First, make sure encryption is enabled on the remote host. In the Local Group Policy Editor, go to the section Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Security. On the right is the setting “Require the use of a special security level for remote connections using the RDP method.” Enable this policy and set the security level to Negotiate or High.

In the same section, enable the policies “Require a secure RPC connection” and “Require user authentication for remote connections using network level authentication.”

The more paranoid can turn on the maximum encryption level by going to the section Windows Configuration - Security Settings - Local Policies - Security Settings, finding the “System cryptography: Use FIPS-compliant algorithms...” setting on the right and enabling it.

As an additional measure, you can change the default port 3389. To do this, expand the registry branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, find the PortNumber parameter on the right and change its value to the port number you want, not forgetting to then open that port in the firewall.

When granting remote access, check the list of users who can connect via RDP. By default, all users in the Administrators group can connect to a remote desktop in Windows 7/10. You can change this. Use the command secpol.msc to open the local security policies, then go to the section Local Policies - Assigning User Rights. On the right, find the “Allow logon through Remote Desktop Service” policy, open it and delete the “Administrators” entry.

Here you can allow access to a specific admin. There are other ways to ensure RDP security, such as restricting access by IP address.
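A way to verify the hardening settings from this section without clicking through the policy editor. This is an added audit script, not from the article; it reads the listener's effective registry values (security layer, NLA, encryption level, secure RPC, FIPS, port) and the Remote Desktop Users membership, and the registry paths and value names are those used by the RDP-Tcp listener and the Terminal Services policy key.

```powershell
# Added audit script (not from the article): reads the RDP hardening settings described
# above from the registry and flags anything weaker than the recommended value.
# Run in an elevated PowerShell on the computer that accepts RDP connections.

$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$fips     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, instead of a terminating error
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-RdpHardening {
    $checks = @(
        # SecurityLayer: 0 = legacy RDP security, 1 = Negotiate, 2 = TLS
        @{ Name='SecurityLayer';      Path=$listener; Want={ param($v) $v -ge 1 }; Note='Negotiate (1) or TLS (2)' }
        # UserAuthentication: 1 = Network Level Authentication required before a session exists
        @{ Name='UserAuthentication'; Path=$listener; Want={ param($v) $v -eq 1 }; Note='require NLA (1)' }
        # MinEncryptionLevel: 1 Low, 2 Client Compatible, 3 High, 4 FIPS
        @{ Name='MinEncryptionLevel'; Path=$listener; Want={ param($v) $v -ge 3 }; Note='High (3) or FIPS (4)' }
        # fEncryptRPCTraffic: the "Require secure RPC communication" policy
        @{ Name='fEncryptRPCTraffic'; Path=$policy;   Want={ param($v) $v -eq 1 }; Note='enable secure RPC (1)' }
        # FipsAlgorithmPolicy\Enabled: the optional FIPS-compliant algorithms policy
        @{ Name='Enabled';            Path=$fips;     Want={ param($v) $true };    Note='optional, informational' }
    )
    foreach ($c in $checks) {
        $v = Get-RegValue $c.Path $c.Name
        $shown = if ($null -eq $v) { '<not set>' } else { $v }
        [pscustomobject]@{
            Setting     = $c.Name
            Value       = $shown
            Ok          = ($null -ne $v) -and (& $c.Want $v)
            Recommended = $c.Note
        }
    }
}

Test-RdpHardening | Format-Table -AutoSize

# Listener port (3389 unless changed as described above) and the firewall rules that open it
$port = Get-RegValue $listener 'PortNumber'
"RDP listener port: $port"
Get-NetFirewallPortFilter | Where-Object LocalPort -eq $port |
    Get-NetFirewallRule | Select-Object DisplayName, Enabled, Direction, Action

# Accounts that may log on through Remote Desktop (Administrators are allowed by default)
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, ObjectClass
```

A row with Ok = False, or a firewall rule listing for a port other than the one you configured, is the mismatch to investigate before exposing the host to the Internet.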

Common errors when connecting to a remote desktop

Above, we outlined how to connect to a remote desktop in Windows 7/10 via the Internet and the local network. Unfortunately, errors are not uncommon here. For example, at the moment of connection the system refuses and asks you to try again. The reasons may vary. If everything was configured correctly, the problem may be the use of a VPN or too strict security requirements (see encryption above).

On Windows 8.1 and 10 PCs, you may encounter a session disconnected error in which the user receives a message that the Remote Desktop CAL has been changed or is missing. In this case, it is recommended to delete the contents of the MSLicensing subkey in the registry branch HKEY_LOCAL_MACHINE\Software\Microsoft, and then run the RDP program with administrator rights.

You can try to deal with other licensing errors in a similar way.

Errors with various codes often appear after installing cumulative updates. The problem is resolved by removing the updates, but in general you need to look at the error code and its description. For example, error 720 is accompanied by a notification about the possible need to change network settings. There are many problems with RDP, and each one must be solved individually.