Remote access to a computer via RDP. The RDP protocol

Good afternoon, dear readers and guests of the blog, today we have the following task: change the incoming port of the RDP service (terminal server) from the standard 3389 to some other one. Let me remind you that the RDP service is a feature of Windows operating systems that lets you open a session over the network to the computer or server you need, using the RDP protocol, and work on it as if you were sitting at it locally.

What is RDP protocol

Before changing anything, it is worth understanding what it is and how it works; I keep telling you this. RDP, or Remote Desktop Protocol, is the remote desktop protocol for Microsoft Windows operating systems, although it originated at PictureTel (Polycom); Microsoft simply bought it. It is used for remote work by an employee or user on a remote server. Most often such servers play the role of a terminal server, for which special licenses (CALs) are allocated, either per user or per device. The idea was this: if there is a very powerful server, why not share its resources, for example for a 1C application. This became especially relevant with the advent of thin clients.

The terminal server itself first appeared in 1998 in the Windows NT 4.0 Terminal Server operating system; to be honest, I didn’t even know that such a thing existed, and in Russia at that time we were all playing Dendy or Sega. RDP clients are currently available for all versions of Windows, Linux, macOS and Android. The most modern version of the RDP protocol at the moment is 8.1.

Default rdp port

I’ll say straight away that the default RDP port is 3389; I think all system administrators know it.

How the rdp protocol works

So now we understand why the Remote Desktop Protocol was created; the next logical step is to understand how it works. Microsoft distinguishes two modes of the RDP protocol:

  • Remote administration mode > for administration: you connect to the remote server and configure and administer it
  • Terminal Server mode > for access to an application server, RemoteApp, or sharing it for work.

In general, if you install Windows Server 2008 R2 - 2016 without a terminal server, then by default it will have two licenses, and two users will be able to connect to it at the same time; the third will have to kick someone out in order to work. In client versions of Windows there is only one license, but this can also be circumvented; I talked about this in the article Terminal Server on Windows 7. Remote administration mode can also be clustered and load balanced thanks to NLB technology and the Session Directory Service connection server, which is used to index user sessions; thanks to this server the user can log into the remote desktop of terminal servers in a distributed environment. A licensing server is also a required component.

The RDP protocol operates over a TCP connection and is an application-layer protocol. When a client establishes a connection with the server, an RDP session is created at the transport level, where the encryption and data transmission methods are negotiated. When all negotiation and initialization is complete, the terminal server sends graphical output to the client and waits for keyboard and mouse input.

Remote Desktop Protocol supports multiple virtual channels within a single connection, allowing you to use additional functionality:

  • Transfer your printer or COM port to the server
  • Redirect your local drives to the server
  • Clipboard
  • Audio and video

RDP connection stages

  • Establishing a connection
  • Negotiating encryption parameters
  • Server Authentication
  • Negotiating RDP session parameters
  • Client Authentication
  • RDP session data
  • Terminating RDP session

Security in the RDP protocol

Remote Desktop Protocol has two security methods: Standard RDP Security and Enhanced RDP Security. We will look at both in more detail below.

Standard RDP Security

With this method, the RDP protocol encrypts the connection using mechanisms built into the RDP protocol itself, as follows:

  • When the operating system starts, an RSA key pair is generated
  • A Proprietary Certificate is created
  • The Proprietary Certificate is then signed with the RSA key created earlier
  • An RDP client connecting to the terminal server receives the Proprietary Certificate
  • The client inspects and verifies it, then extracts the server’s public key, which is used at the stage of negotiating the encryption parameters.

As for the algorithm with which everything is encrypted, it is the RC4 stream cipher. Keys of different lengths are used, from 40 to 168 bits; it all depends on the edition of the Windows operating system, for example in Windows 2008 Server it is 168 bits. Once the server and client have agreed on the key length, two new, different keys are generated to encrypt the data.

As for data integrity, it is achieved through a MAC (Message Authentication Code) algorithm based on SHA1 and MD5.

Enhanced RDP Security

With this method, the RDP protocol uses two external security modules:

  • CredSSP
  • TLS 1.0

TLS is supported from version 6 of RDP. When you use TLS, the encryption certificate can be one generated by the terminal server itself (a self-signed certificate) or one selected from the certificate store.

The CredSSP protocol is a combination of the Kerberos, NTLM and TLS technologies. With this protocol, the check of whether the user is permitted to log on to the terminal server is carried out in advance, before a full RDP session is established, which saves resources on the terminal server; in addition, the encryption is stronger and you can log in once (Single Sign-On) thanks to NTLM and Kerberos. CredSSP only works on Vista and Windows Server 2008 or later. The corresponding checkbox is in the system properties:

Allow connections only from computers running Remote Desktop with network level authentication.

Change rdp port

To change the RDP port you will need to:

  1. Open the registry editor (Start -> Run -> regedit.exe)
  2. Go to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Find the PortNumber value and change it to the port number you need.

Be sure to select Decimal as the base; for example, I’ll use port 12345.

Once you have done this, restart the Remote Desktop Service from the command line using the following commands:

Then create a new inbound firewall rule for the new RDP port. Let me remind you that the default RDP port is 3389.

Choose a rule of the Port type.

Leave the protocol as TCP and specify the new RDP port number.

The rule will allow the RDP connection on the non-standard port.

If necessary, select the required network profiles.

Finally, give the rule a name that we understand.

To connect from Windows client computers, write the address together with the port. For example, if you changed the port to 12345 and the address of the server (or simply the computer you are connecting to) is myserver, then the MSTSC connection will look like this:
mstsc -v:myserver:12345
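The same port change done from an elevated PowerShell session, as an added example that is not part of the original article. It writes PortNumber under the RDP-Tcp key shown above, adds the inbound firewall rule, restarts the service and then checks that the listener actually moved; port 12345 is the article's example value, while the rule name, the LocalSubnet restriction and the use of the NetSecurity/NetTCPIP cmdlets (Windows 8/Server 2012 or later) are my assumptions.

```powershell
# Added example (not from the article): change the RDP listener port, open a
# matching firewall rule, restart the service and verify the new listener.
# Assumes an elevated PowerShell session on Windows 8/Server 2012 or later
# (the NetSecurity and NetTCPIP modules are not available on Windows 7).
#Requires -RunAsAdministrator
param(
    [ValidateRange(1024, 65535)]
    [int]$NewPort = 12345,                      # the article's example port
    [string]$RuleName = "RDP on port $NewPort"  # name shown in the firewall console
)

$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$oldPort = (Get-ItemProperty -Path $ListenerKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $oldPort"
if ($oldPort -eq $NewPort) {
    Write-Host "RDP already listens on $NewPort, nothing to do."
    return
}

# 1. PortNumber is a REG_DWORD; PowerShell writes the integer directly, so the
#    'Decimal' radio button the article mentions only matters inside regedit.
Set-ItemProperty -Path $ListenerKey -Name PortNumber -Value $NewPort -Type DWord

# 2. Inbound rule for the new port. Restricting -RemoteAddress to the local
#    subnet is an addition: the wizard rule in the article allows any source.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -Action Allow -Profile Domain, Private `
        -RemoteAddress LocalSubnet | Out-Null
}

# 3. Restart Remote Desktop Services. -Force also restarts dependent services
#    (UmRdpService). Every active RDP session is dropped at this point.
Restart-Service -Name TermService -Force

# 4. Verify: the listener must now be on the new port and gone from the old one.
Start-Sleep -Seconds 3
$newListener = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
$oldListener = Get-NetTCPConnection -State Listen -LocalPort $oldPort -ErrorAction SilentlyContinue
if ($newListener -and -not $oldListener) {
    Write-Host "RDP is now listening on TCP $NewPort. Connect with: mstsc /v:${env:COMPUTERNAME}:$NewPort"
} else {
    Write-Warning "Listener check failed: new=$([bool]$newListener) old=$([bool]$oldListener)"
}
```

Run it from a console or an out-of-band session rather than over RDP, because restarting TermService disconnects every active RDP session, and remember that a non-default port only hides the service from casual scans; the firewall scope and NLA are what actually limit who can reach it.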

Setting up RDP (remote desktop protocol) - remote desktop

If you have the Professional or Ultimate edition, you can configure logging in to your PC via remote desktop. To do this you need to do several things:

— allow login via remote desktop (this menu is not available in the lower editions)

— add the users who have the right to work via remote desktop (usually Windows adds the current user automatically)

How to launch Remote Desktop in Windows 7?

Everything is done through the “Start” button:

Type “Remote Desktop Connection” in the search bar (funny, that is exactly what Microsoft recommends via the “Search” line; opens in a new tab) or “mstsc.exe”, which is actually the name of the program itself.

Or through the “Accessories” folder in Programs. Not all versions of Windows have it; for example, Windows 7 Starter (yes, the one with the software RAM limit of 2 GB) does not have such a folder.

After launching, we get the remote desktop settings form; we need the expanded version (with options).

On the general tab we configure:

Computer: either the IP address or the computer name

User: the user under which we will log in to the remote PC

On the “Local Resources” tab, we select whether the main computer’s printers and clipboard will be available to us.

If all your PCs are on the local network (i.e. network speed is not critical), you can enable the desktop background image of the remote PC on the “Advanced” tab.

Well, everything seems to be set up: go back to the first tab, save it as a shortcut, and try to connect.

Result :(

The main reasons for this situation:

  • the remote PC has an IP address assigned by the router via DHCP, and it changes periodically. You need to set a fixed IP address in the adapter properties
  • you forgot to allow remote access through the computer’s “Properties”
  • remote access was allowed, but you forgot to specify the user who may log in
  • it is blocked by the Windows firewall; you need to add “Remote Desktop” to the exceptions
  • you rebooted the PC remotely, and until a local user logs in, remote desktop will not work

In most cases, Windows 7 should do all this itself (add the current user, allow it in the firewall, etc.), but this does not always work. For example, “Remote Desktop” has been added to the list of programs in the firewall, but the checkbox is not checked :( You need to check everything yourself.

Additional remote desktop settings.

1. There is a need to restart the PC via remote desktop. The reboot itself is not a problem: either through the task manager or through Alt+F4 (this option will not be available in the Start menu). But until a local user logs in, the remote desktop will not connect. And what if the PC is in a dark room where there are no local users?

Here’s a surprise: you need to create a shortcut for the remote desktop from the command line with the /admin parameter

Like this: mstsc.exe /admin

Visually the shortcut setup will be the same, but the system will allow the remote desktop session to start after the remote PC is rebooted.

Here is the full list of remote desktop launch options from the command line

2. If necessary, allow login without a password (highly not recommended for the corporate segment)

“Start” menu - Run - gpedit.msc (policy editor) - “Computer Configuration” - “Windows Settings” - “Local Policies” - “Security Options” - “Limit the use of blank passwords…” - “Disabled”

Yes, on the lower editions of Windows, of course, gpedit.msc does not start (this setting does not exist there)

— All consumer versions of Windows allow only one user to work on a PC at a time (when a new user logs in, the current user’s session is forcibly closed), unlike server versions. This is a licensing restriction, but there is a way out. A little shamanism and everything works; watch (opens in a new window)

3. Automatic login with saved login and password

There is a magic checkbox “Allow me to save credentials.” If you open the settings again, the checkbox changes to “Always prompt for credentials”.

We get a prompt to enter the credentials, they are saved, and from then on logging into the remote machine works simply by clicking the shortcut.

What if the credentials are not saved (in Windows 7 and later)?

Or we receive the warning “The system administrator has prohibited the use of saved credentials to log on to the remote computer, because its identity has not been fully verified. Enter new credentials.”

What to do?

The point is that in the latest versions of Windows the password is not stored in the rdp file but in a separate store (Credential Manager). At a minimum, the following options should be disabled in group policy:

  • User Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Connection Client - Prohibit saving passwords;
  • Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Connection Client - Prohibit saving passwords.

Here you can (opens in a new window)

4. Sometimes when connecting you see the following message: “the authenticity of the remote computer cannot be verified”

Authentication was added starting with Windows XP SP3, but it is disabled there by default (on Windows Vista it is already enabled).

How to enable remote computer authentication on Windows XP SP3?

Open the registry editor, regedit.exe (Run)

Branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Open the Security Packages value and look for the word tspkg. If it is not there, add it to the existing entries.

Branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

Open the SecurityProviders value and add credssp.dll to the existing providers if it is not there.

Close the registry editor and reboot.

If this is not done, then when we try to connect, the computer will ask us for a username and password, but instead of the remote desktop it will respond with the following:

Remote Desktop Connection
Authentication error (code 0x507)
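The same registry check done from PowerShell, as an added example that is not from the article: it reads both values, appends tspkg and credssp.dll only when they are missing, and supports -WhatIf so the change can be previewed first. It assumes an elevated session; on XP SP3 that means PowerShell 2.0.

```powershell
# Added example (not from the article): make sure the CredSSP security package
# is registered so the client can verify the remote computer (the XP SP3
# registry edit described above). Assumes an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ProvidersKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

# 'Security Packages' is a REG_MULTI_SZ: one package name per entry.
$packages = @((Get-ItemProperty -Path $LsaKey -Name 'Security Packages').'Security Packages')
if ($packages -contains 'tspkg') {
    Write-Host 'tspkg is already listed in Security Packages'
} elseif ($PSCmdlet.ShouldProcess($LsaKey, "append 'tspkg' to Security Packages")) {
    Set-ItemProperty -Path $LsaKey -Name 'Security Packages' -Type MultiString `
        -Value ($packages + 'tspkg')
    Write-Host 'tspkg added to Security Packages'
}

# 'SecurityProviders' is a REG_SZ holding a comma-separated list of DLLs.
$providers = (Get-ItemProperty -Path $ProvidersKey -Name SecurityProviders).SecurityProviders
$list = @($providers -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($list -contains 'credssp.dll') {
    Write-Host 'credssp.dll is already listed in SecurityProviders'
} elseif ($PSCmdlet.ShouldProcess($ProvidersKey, "append 'credssp.dll' to SecurityProviders")) {
    Set-ItemProperty -Path $ProvidersKey -Name SecurityProviders -Type String `
        -Value (($list + 'credssp.dll') -join ', ')
    Write-Host 'credssp.dll added to SecurityProviders'
}

# The LSA loads its packages at start-up, so both changes need a reboot to take effect.
```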

5. A Windows security warning appears when connecting

"The publisher of this remote connection cannot be determined"

This means that the rdp file is not signed with a certificate. For a local network there is nothing wrong with this; you can check the box “Do not display the request again...”

The security mechanism itself works as follows. This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (RDP) files and RDP files received from unknown publishers.

If this policy setting is enabled or not configured, users can run unsigned RDP files and RDP files from unknown publishers on the client computer. Before starting an RDP session, the user will receive a warning and a request to confirm the connection.

If this policy setting is disabled, users cannot run unsigned RDP files or RDP files from unknown publishers on the client computer. If a user tries to start an RDP session, they will receive a publisher blocked message.

Supported on: at least Windows Vista with Service Pack 1 (SP1)

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Value Name: AllowUnsignedFiles
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0

The Default.rdp file

Actually, this is a file, not a remote desktop shortcut. This configured file can be sent to another user; he saves it, and everything works.

Moreover, it is a plain text file that stores all the settings of the remote connection, and it can be opened with Notepad. By the way, some parameters cannot be edited via the standard settings dialog; they can be entered by hand.

screen mode id:i: - 1 - the remote session runs in windowed mode, 2 - in full screen. Edited on the “Display” tab of the “Options” window of the “Remote Desktop Connection” tool.

use multimon:i: - 0 - disables support for multiple monitors, 1 - enables support for multiple monitors. Can be used on Windows 7/Windows Server 2008 and later.

desktopwidth:i: - desktop width. Selected on the “Display” tab of the “Options” window of the “Remote Desktop Connection” tool.

desktopheight:i: - desktop height. Selected on the “Display” tab of the “Options” window of the “Remote Desktop Connection” tool.

session bpp:i: - color depth. Selected in the “Colors” group on the “Display” tab of the “Options” window of the “Remote Desktop Connection” tool.

winposstr:s: - window position and size in WINDOWPOS format

compression:i: - 0 - do not use data compression, 1 - use it.

keyboardhook:i: - determines how Windows key combinations are interpreted. The value corresponds to the “Keyboard” setting on the “Local Resources” tab of the “Options” window of the “Remote Desktop Connection” tool. 0 - on the local computer, 1 - on the remote computer, 2 - only in full-screen mode.

audiocapturemode:i: - determines where the sound is played. The value corresponds to the “Remote Audio” settings on the “Local Resources” tab of the “Options” window of the “Remote Desktop Connection” tool. 0 - on the client computer, 1 - on the remote computer, 2 - no sound is played.

videoplaybackmode:i: - 0 - do not use RDP efficient multimedia streaming when playing video, 1 - use it.

connection type:i:2 - connection type for achieving maximum performance. Corresponds to the “Performance” settings on the “Advanced” tab of the “Options” window of the “Remote Desktop Connection” tool. Determined by the connection speed type selected.

displayconnectionbar:i: - display the connection bar when logged in to a remote computer in full-screen mode. The value corresponds to the state of the “Display the connection bar when in full screen” checkbox on the “Display” tab of the “Options” window of the “Remote Desktop Connection” tool. 0 - do not display the connection bar, 1 - display it.

disable wallpaper:i: - disables display of the remote desktop background image. Corresponds to the “Desktop background” checkbox in the “Performance” group on the “Advanced” tab of the “Options” window of the “Remote Desktop Connection” tool. 0 - display the background image, 1 - do not display it.

allow font smoothing:i: - allows font smoothing. Corresponds to the “Font smoothing” checkbox in the “Performance” group on the “Advanced” tab of the “Options” window of the “Remote Desktop Connection” tool. 0 - do not use font smoothing, 1 - use it.

allow desktop composition:i:0 - corresponds to the settings in the “Performance” group on the “Advanced” tab of the “Options” window of the “Remote Desktop Connection” tool. 0 - do not use, 1 - use.

disable full window drag:i: - show window contents while dragging. The value corresponds to the state of the “Show contents of window while dragging” checkbox on the “Advanced” tab of the “Options” window of the “Remote Desktop Connection” tool. 0 - show contents while dragging, 1 - do not show.

disable menu animations:i: - disables visual effects. The value corresponds to the state of the “Menu and window animation” checkbox on the “Advanced” tab of the “Options” window. 0 - use visual effects, 1 - do not use.

disable themes:i: - disables the use of themes. 0 - use themes, 1 - do not use themes.

disable cursor setting:i:0 - disables cursor settings. 0 - cursor customization is allowed, 1 - prohibited.

bitmapcachepersistenable:i:1 - caching of bitmaps on the local computer. The value corresponds to the state of the “Persistent bitmap caching” checkbox on the “Advanced” tab of the “Options” window. 0 - do not use caching, 1 - use caching.

full address:s: - name or IP address of the remote computer to which you connect via RDP. If necessary, you can also specify the TCP port to use.

audiomode:i: - determines where the sound is played. The value corresponds to the entry in the “Remote Audio” field on the “Local Resources” tab of the “Options” window. 0 - on the client computer, 1 - on the remote computer, 2 - sound is muted.

redirectprinters:i: - use of printers during a remote session. The value corresponds to the state of the “Printers” checkbox on the “Local Resources” tab of the “Options” window. 0 - do not use local printers during the remote session, 1 - automatically connect the local printers.

redirectcomports:i: - use of the local computer’s serial ports when connecting to the remote desktop. 0 - do not use, 1 - use.

redirectsmartcards:i: - use of the local computer’s smart cards when connecting to the remote desktop. 0 - do not use, 1 - use.

redirectclipboard:i: - shared clipboard between the local and remote computer. The value corresponds to the state of the “Clipboard” checkbox on the “Local Resources” tab of the “Options” window. 0 - do not use a shared clipboard, 1 - use it.

redirectposdevices:i: - redirection of devices that use Microsoft Point of Service (POS). 0 - do not redirect, 1 - redirect.

redirectdirectx:i: - DirectX redirection. 0 - do not use DirectX redirection, 1 - use it.

autoreconnection enabled:i:1 - automatic reconnection when the connection to the remote computer is lost. The value corresponds to the state of the “Reconnect if the connection is dropped” checkbox on the “Advanced” tab of the “Options” window. 0 - do not reconnect automatically, 1 - reconnect.

authentication level:i: - authentication level of the remote connection. Defines what to do if the identity of the remote computer cannot be verified. Determined by the “Server authentication” group on the “Connection” tab (in Windows 10 the “Connection” tab corresponds to the “Experience” tab). 0 - if the authenticity of the terminal server could not be confirmed, connect without a warning, 1 - do not connect, 2 - connect with a warning.

prompt for credentials:i: - prompt the user to confirm credentials if they were previously saved. 0 - do not prompt for credentials if they have been saved, 1 - always prompt for credentials.

negotiate security layer:i: - RDP session encryption level. 0 - a session with TLS 1.0 (SSL) encryption will be used if the client supports it; if not, the standard built-in RDP encryption will be used. 1 - the remote session will use x.224 encryption.

remoteapplicationmode:i: - mode of working with a remote application. 0 - remote desktop mode, 1 - remote application mode.

alternate shell:s: - name of the user’s alternate shell.

shell working directory:s: - working directory of the user’s shell.

gatewayhostname:s: - name of the Remote Desktop Gateway server. The gateway server parameter values are set in the “Connect from anywhere” group on the “Connection” tab (in Windows 10, on the “Advanced” tab).

gatewayusagemethod:i:4 - how the Remote Desktop Gateway server is used. 0 - never use the Remote Desktop Gateway server, 1 - always use it, 2 - do not use it for local clients, 3 - use the default Remote Desktop Gateway server settings, 4 - do not use the Remote Desktop Gateway server, but the “Bypass Remote Desktop Gateway server for local addresses” checkbox in “Connect from anywhere” - “Settings” is enabled.
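A PowerShell script, added here as an example and not part of the article, that parses an .rdp file in the name:type:value format described above and flags the settings that matter most when a file is passed around: server verification (authentication level), reuse of saved credentials, device redirection, and a non-default port in full address. The sample file content is constructed for the demo; the parameter names are the ones listed above.

```powershell
# Added example (not from the article): parse an .rdp file and flag settings
# that weaken server verification or expose local resources to the remote host.

function ConvertFrom-RdpFile {
    param([string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        # The value may itself contain colons (full address:s:host:port), so
        # split into at most three parts. Type 'i' is integer, 's' string, 'b' binary.
        $parts = $line -split ':', 3
        if ($parts.Count -ne 3) { continue }   # blank lines or malformed entries
        $name, $type, $value = $parts
        if ($type -eq 'i' -and $value -match '^-?\d+$') { $value = [int]$value }
        $settings[$name.Trim()] = $value
    }
    return $settings
}

function Test-RdpFileSecurity {
    param([hashtable]$Settings)
    $findings = @()

    # Server identity: only 1 refuses to connect when the certificate cannot be verified.
    $level = $Settings['authentication level']
    if ($null -eq $level) {
        $findings += 'authentication level not set - the client default applies'
    } elseif ($level -eq 0) {
        $findings += 'authentication level:i:0 - connects silently to a server whose identity cannot be verified'
    } elseif ($level -eq 2) {
        $findings += 'authentication level:i:2 - warns but still lets the user connect to an unverified server'
    }

    # Saved credentials: 0 reuses stored credentials without asking.
    if ($Settings['prompt for credentials'] -eq 0) {
        $findings += 'prompt for credentials:i:0 - stored credentials are reused without prompting'
    }

    # Device redirection: every 1 here makes a local resource reachable from the remote host.
    foreach ($key in 'redirectclipboard', 'redirectprinters', 'redirectcomports',
                     'redirectsmartcards', 'redirectposdevices', 'redirectdirectx') {
        if ($Settings[$key] -eq 1) {
            $findings += "${key}:i:1 - local resource is shared with the remote computer"
        }
    }

    # Non-default port in full address (host:port), as in the port-change section.
    $address = [string]$Settings['full address']
    if ($address -match ':(\d+)$' -and [int]$Matches[1] -ne 3389) {
        $findings += "full address:s:$address - connects to non-default TCP port $($Matches[1])"
    }
    return $findings
}

# Constructed sample: the kind of file someone might hand out with "just double-click it".
$sampleRdp = @(
    'full address:s:myserver:12345'
    'authentication level:i:0'
    'prompt for credentials:i:0'
    'redirectclipboard:i:1'
    'redirectsmartcards:i:1'
    'redirectprinters:i:0'
    'negotiate security layer:i:0'
    'gatewayusagemethod:i:4'
)

$settings = ConvertFrom-RdpFile -Lines $sampleRdp
$findings = @(Test-RdpFileSecurity -Settings $settings)
if ($findings.Count -eq 0) {
    Write-Host 'No weak settings found'
} else {
    $findings | ForEach-Object { Write-Host "WARN: $_" }
}
# To audit your own file (Default.rdp is hidden in the Documents folder):
#   Test-RdpFileSecurity -Settings (ConvertFrom-RdpFile -Lines (Get-Content "$env:USERPROFILE\Documents\Default.rdp"))
```

For the constructed sample the script reports five findings: the silent authentication level, the saved-credential reuse, the clipboard and smart card redirection, and the non-default port 12345.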

Via the Internet without using special utilities. The Windows operating system started supporting this system component in the XP version. Now every user of more modern versions, including Windows 7, 8 and 10, can take advantage of this functionality. This function is known to a wide audience of users, but few of them know how to set up remote access.
Microsoft Remote Desktop provides remote access to desktops

This instruction will tell you how to properly organize Remote Desktop work, both on laptops and PCs with various operating systems, including Windows and Mac OS X, and on Android smartphones and iPhone.

It is worth noting that by carefully following the clear recommendations, each user will be able to set up a remote desktop in a short period of time.

How to use Microsoft Remote Desktop

Microsoft has developed an option that allows you to take advantage of the remote desktop capabilities. The RDP protocol provides for connecting one device to another. In this case, both computers must be connected to the same local network. It is important to note that there is a way in which the protocol is used when connecting via the Internet. It is also mentioned in this article.

To properly configure remote access, you will need to know the IP address of the device. Given that this address changes constantly in home computer configurations, the user will have to assign a static address that applies only to the local network. A static IP address is in no way associated with the Internet provider. This is an essential preparatory step that cannot be skipped before setting up the protocol.

The user is required to complete the following steps:

Checking IP and DNS

After obtaining this information, close the window. Then in the connection status window, click “Properties”. The screen displays a list of items that the connection uses. In this list, find Internet Protocol Version 4. After selecting the component, click “Properties”. In the new window you will have to enter the data that you previously obtained from the network connection details window.

Correcting Internet protocol data

Having entered the parameters, click “OK”. When a confirmation request appears, click “OK” again. Now a static IP address is set on the computer. Without it, further configuration will be impossible; pay attention to this if you want to set up the protocol server.

The next step in the preparatory stage is to enable RDP connections in Windows on the device to which you plan to connect. To do this, open the Control Panel and click “System”. In the new window, click the tab responsible for the Windows remote access settings.

Allowing remote access

Select the following parameters:

  • Allow Remote Assistance connections to this PC.
  • Allow remote connections to this PC.

If necessary, you can designate the users to whom you grant access. If you wish, you can easily create a separate account dedicated to remote desktop connections. Note that by default remote access is granted to the user under whose name you are logged in. Now you can begin the main part of the connection.
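An added PowerShell equivalent (not from the article) of the dialog settings above: it enables remote connections, requires Network Level Authentication as described in the security section of this page, enables the built-in firewall rule group and adds a dedicated account to the Remote Desktop Users group. Assumes an elevated PowerShell 5.1 session on Windows 8/Server 2012 or later; the account name rdp-operator is a placeholder.

```powershell
# Added example (not from the article): enable Remote Desktop on the target PC
# from PowerShell instead of the System properties dialog. Assumes an elevated
# PowerShell 5.1 session; the account name below is a placeholder.
#Requires -RunAsAdministrator

$RdpUser     = 'rdp-operator'   # placeholder: the dedicated account that may connect
$TsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ListenerKey = "$TsKey\WinStations\RDP-Tcp"

# 1. "Allow remote connections to this PC" is fDenyTSConnections = 0.
Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0 -Type DWord

# 2. Require Network Level Authentication (the "Allow connections only from
#    computers running Remote Desktop with network level authentication" checkbox):
#    the client proves its credentials via CredSSP before a full session is created.
Set-ItemProperty -Path $ListenerKey -Name UserAuthentication -Value 1 -Type DWord

# 3. Enable the built-in "Remote Desktop" firewall rule group and limit it to the
#    Domain and Private profiles so the port is not exposed on public networks.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -Profile Domain, Private

# 4. Grant access to the dedicated account. Administrators are allowed implicitly;
#    everyone else must be a member of Remote Desktop Users.
if (-not (Get-LocalUser -Name $RdpUser -ErrorAction SilentlyContinue)) {
    throw "Account '$RdpUser' does not exist; create it first with New-LocalUser."
}
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
if ($members.Name -notcontains "$env:COMPUTERNAME\$RdpUser") {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpUser
}

# 5. Report the resulting state for a quick check.
[pscustomobject]@{
    RemoteConnectionsEnabled = (Get-ItemProperty $TsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    NlaRequired              = (Get-ItemProperty $ListenerKey -Name UserAuthentication).UserAuthentication -eq 1
    FirewallRulesEnabled     = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object { $_.Enabled -eq 'True' }).Count
    ListeningPort            = (Get-ItemProperty $ListenerKey -Name PortNumber).PortNumber
}
```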

How to Set Up Microsoft Remote Desktop on Windows

Microsoft Remote Desktop is a program that provides extensive remote control capabilities, and there is no need to install additional applications. To use it in Windows, open the utility designed for the connection. To do this, in Windows 7 type “remote desktop” in the search field. In Windows 10, type it in the taskbar search. In Windows 8, type it on the Start screen. After entering the command, a window will appear on the screen. In the appropriate field, enter the IP address of the device to which we will connect.

Connecting to a remote desktop

You will then see a prompt for credentials. Enter them correctly and you will receive remote access to the computer running Windows 7 or another OS version.

Remote control via Microsoft Remote Desktop for Mac OS X

RDP is a protocol that allows you to connect a Mac device to a Windows desktop. To set up remote access to your computer, you will need to download a special utility, available in the App Store under the name Microsoft Remote Desktop. When the download is complete, open the program and do the following:

  • Click on the option shown as a plus sign.
  • In the new window, fill in the required fields. To add a remote device, enter a name and specify its IP address. Enter the access credentials, namely the user name and password. If necessary, select the optimal screen settings.
Connecting remotely
  • Close the window.
  • In the connection list, find the name of the added remote desktop and double-click on it. If you follow the recommendations correctly, the Windows remote desktop will appear on the screen of your Mac device.

Microsoft Remote Desktop for Android and iOS

To connect to a remote desktop from a mobile phone, you will need to download the application; it is required. The connection procedure for both platforms is identical. Once you have finished downloading Remote Desktop for Android or iOS, launch the program. Then do the following:

  • Select the “Add” item, which is located on the main screen. If you are using an iPhone or iPad, additionally click on the option called “Add a server or PC.”
  • Enter the required parameters, including name, password, username and IP address.
Executing the procedure on Android
  • After entering the data, enable remote access.

Internet connection

There is another way to quickly set up Microsoft Remote Desktop. The company’s official Internet portal contains a manual in English that shows how to connect to a remote desktop over the Internet. The user needs to forward port 3389 on the router to the device’s IP address, and then connect to the router’s public address, specifying the above port.


However, there is another scheme that is safer and simpler. For this, we create a VPN connection through which we connect to the PC. The user can then use remote access just as if the devices were located on the same local network.

Now you know how to set up Microsoft Remote Desktop.

Good afternoon, dear readers and guests of the blog, today we have the following task: change the incoming port of the RDP service (terminal server) from the standard 3389 to some other one. Let me remind you that the RDP service is a functionality of Windows operating systems, thanks to which you can open a session over the network to the computer or server you need using the RDP protocol, and be able to work on it, as if you were sitting on it locally.

What is RDP protocol

Before changing something, it would be good to understand what it is and how it works, I keep telling you about this. RDP or Remote Desktop Protocol is a remote desktop protocol for Microsoft Windows operating systems, although its origins come from PictureTel (Polycom). Microsoft just bought it. Used for remote work of an employee or user with a remote server. Most often, such servers play the role of a terminal server, on which special licenses are allocated, either per user or per device, CAL. The idea here was this: there is a very powerful server, then why not use its resources together, for example, for a 1C application. This becomes especially relevant with the advent of thin clients.

The world saw the terminal server itself, already in 1998 in the Windows NT 4.0 Terminal Server operating system, to be honest, I didn’t even know that such a thing existed, and in Russia at that time we all played dandy or sega. RDP connection clients are currently available in all versions of Windows, Linux, MacOS, Android. The most modern version of the RDP protocol at the moment is 8.1.

Default rdp port

I’ll immediately write the default rdp port 3389, I think all system administrators know it.

How the rdp protocol works

And so you and I understand why we came up with the Remote Desktop Protocol, now it’s logical that you need to understand the principles of its operation. Microsoft distinguishes two modes of the RDP protocol:

  • Remote administration mode > for administration, you go to the remote server and configure and administer it
  • Terminal Server mode > to access the application server, Remote App or share it for work.

In general, if you install Windows Server 2008 R2 - 2016 without a terminal server, then by default it will have two licenses, and two users will be able to connect to it at the same time, the third will have to kick someone out to work. In client versions of Windows, there is only one license, but this can also be circumvented; I talked about this in the article Terminal Server on Windows 7. Also Remote administration mode, you can cluster and load balance, thanks to NLB technology and the Session Directory Service connection server. It is used to index user sessions, thanks to this server the user can log into the remote desktop of terminal servers in a distributed environment. Also required components are a licensing server.

The RDP protocol operates over a TCP connection and is an application-layer protocol. When a client establishes a connection with the server, an RDP session is created at the transport level, where encryption and data transmission methods are negotiated. Once all negotiations are complete and initialization has finished, the terminal server sends graphical output to the client and waits for keyboard and mouse input.

Remote Desktop Protocol supports multiple virtual channels within a single connection, which allows additional functionality to be used:

  • Transfer your printer or COM port to the server
  • Redirect your local drives to the server
  • Clipboard
  • Audio and video

RDP connection stages

  • Establishing a connection
  • Negotiating encryption parameters
  • Server Authentication
  • Negotiating RDP session parameters
  • Client Authentication
  • RDP session data
  • Terminating RDP session

Security in the RDP protocol

Remote Desktop Protocol has two authentication methods, Standard RDP Security and Enhanced RDP Security; we will look at both in more detail below.

Standard RDP Security

With this authentication method, the connection is encrypted by mechanisms built into the RDP protocol itself. It works like this:

  • When your operating system starts, a pair of RSA keys is generated
  • Proprietary Certificate is being created
  • After which the Proprietary Certificate is signed with the RSA key created earlier
  • Now an RDP client connecting to the terminal server receives the Proprietary Certificate
  • The client examines and verifies it, then extracts the server’s public key, which is used at the stage of negotiating encryption parameters.

As for the algorithm with which everything is encrypted, it is the RC4 stream cipher. Keys of different lengths from 40 to 168 bits are used; it all depends on the edition of the Windows operating system, for example in Windows Server 2008 it is 168 bits. Once the server and client have agreed on the key length, two new, different keys are generated to encrypt the data.

As for data integrity, it is achieved through a MAC (Message Authentication Code) based on SHA-1 and MD5.

Enhanced RDP Security

The RDP protocol with this authentication method uses two external security modules:

  • CredSSP
  • TLS 1.0

TLS is supported from version 6 of RDP. When you use TLS, the certificate can be created by the terminal server itself (a self-signed certificate) or selected from the certificate store.

The CredSSP protocol is a symbiosis of Kerberos, NTLM and TLS technologies. With this protocol, the check of whether the user is permitted to log into the terminal server is carried out in advance, before a full RDP connection is established, which saves resources on the terminal server; in addition, encryption is more reliable, and you can log in once (Single Sign-On) thanks to NTLM and Kerberos. CredSSP only works on operating systems no older than Vista and Windows Server 2008. Here is the corresponding checkbox in the system properties:

Allow connections only from computers running Remote Desktop with network level authentication.
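To see which of the two security modes a server's RDP-Tcp listener is actually using, and to switch it to Enhanced RDP Security, here is an added PowerShell example (not from the article). The registry path and value names are the documented RDP-Tcp ones; the lookup tables and the choice of "TLS required, 128-bit minimum, NLA on" as the target state are mine. Run it as administrator on the terminal server.

```powershell
# Added example, not from the article: inspect the RDP-Tcp listener's security settings,
# then enforce Enhanced RDP Security (TLS + CredSSP/NLA). Run as administrator.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$p = Get-ItemProperty -Path $rdpKey

# SecurityLayer 0 = RDP Security Layer (Standard RDP Security: RC4 + proprietary certificate),
#               1 = Negotiate (TLS when the client supports it), 2 = TLS required
$layers = @{ 0 = 'Standard RDP Security (RC4)'; 1 = 'Negotiate'; 2 = 'TLS required' }
# MinEncryptionLevel 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS
$levels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High (128-bit)'; 4 = 'FIPS' }

[pscustomobject]@{
    SecurityLayer      = $layers[[int]$p.SecurityLayer]
    MinEncryptionLevel = $levels[[int]$p.MinEncryptionLevel]
    # UserAuthentication = 1 is the "Network Level Authentication" checkbox: CredSSP
    # authenticates the user before a full RDP session is built
    NLARequired        = ([int]$p.UserAuthentication -eq 1)
}

# The same settings through WMI, plus the thumbprint of the certificate the TLS listener
# presents (self-signed by default, or one selected from the computer certificate store)
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
      -Filter "TerminalName='RDP-Tcp'"
"Listener certificate: $($ts.SSLCertificateSHA1Hash)  NLA required: $($ts.UserAuthenticationRequired)"

# Enforce Enhanced RDP Security: TLS only, 128-bit minimum, NLA on. Standard RDP Security
# (RC4) is then no longer negotiated with clients. The service restart drops active sessions.
Set-ItemProperty -Path $rdpKey -Name SecurityLayer      -Value 2 -Type DWord
Set-ItemProperty -Path $rdpKey -Name MinEncryptionLevel -Value 3 -Type DWord
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
Restart-Service -Name TermService -Force
```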

Change rdp port

In order to change the rdp port, you will need to:

  1. Open the registry editor (Start -> Run -> regedit.exe)
  2. Go to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Find the PortNumber value and change it to the port number you need.

Be sure to select Decimal when entering the value; for example, I’ll set port 12345.

Once you have done this, restart the Remote Desktop Service via the command line using the following commands:

Then we create a new inbound firewall rule for the new rdp port. Let me remind you that the default rdp port is 3389.

We choose that the rule will be for a port.

We leave the protocol as TCP and specify a new RDP port number.

The rule will allow RDP connections on the non-standard port.

If necessary, select the required network profiles.

Finally, give the rule a name that we will understand later.

To connect from Windows client computers, write the address together with the port. For example, if you changed the port to 12345 and the address of the server (or simply the computer you are connecting to) is myserver, then the MSTSC connection will look like this:
mstsc -v:myserver:12345
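The same port change, carried out from an elevated PowerShell instead of regedit and the firewall wizard, as an added example that is not part of the original article. $NewPort = 12345 matches the article's example; the firewall rule name and the host name myserver are placeholders of mine.

```powershell
# Added example, not from the article: change the RDP listener port, open it in the
# firewall, restart the service and verify. Run as administrator on the server.
$NewPort = 12345
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$old = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
"RDP listener currently on TCP $old"

# 1) PortNumber is a REG_DWORD; writing it as DWord is the "Decimal" choice from regedit
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# 2) Open the new port in Windows Firewall BEFORE restarting the service. The built-in
#    "Remote Desktop" rules only cover 3389, so without this rule nobody gets in afterwards.
$ruleName = "Remote Desktop (TCP $NewPort)"   # placeholder name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -Action Allow -Profile Domain,Private | Out-Null
}

# 3) Restart Remote Desktop Services so the listener rebinds. This drops active RDP
#    sessions, so do it from a console session or be ready to reconnect on the new port.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3

# 4) Verify on the server: the new port must be listening and the old one must be closed
$new  = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
$gone = ($old -eq $NewPort) -or
        -not (Get-NetTCPConnection -LocalPort $old -State Listen -ErrorAction SilentlyContinue)
"Listening on ${NewPort}: $([bool]$new)   old port ${old} closed: $gone"

# 5) From a client: check reachability, then connect with the port appended to the address
#    (this is the same connection the article's mstsc command makes)
#    Test-NetConnection -ComputerName myserver -Port $NewPort
#    mstsc.exe /v:myserver:$NewPort
```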

Windows has provided the ability to implement remote access via the RDP protocol for a long time. This standard tool appeared in Windows NT 4.0, released in 1996. It was more or less functionally modified in Windows XP, and reached its completeness in Windows 7. Windows 8/8.1 and 10 inherited remote access via the RDP protocol from Windows 7 without functional changes.

Below we will take a closer look at how remote access works via the RDP protocol in versions of Windows 7, 8.1 and 10.

1. Remote access via RDP protocol

An RDP connection is made between computers located on the same local network. This type of connection is intended primarily for IT specialists who service the computers of companies integrated into their own production network. Without leaving their workplace, by connecting remotely to the computers of enterprise employees, system specialists can solve problems that do not require intervention in the hardware of the machines and carry out preventive measures.

Connecting to a remote computer using the RDP protocol is also possible outside the local network, over the Internet. But this requires additional steps - either forwarding port 3389 on the router, or joining the remote computer into a single VPN network. In view of this, connecting to a remote computer over the Internet is much easier using other software tools that do not require extra actions. This is, for example, the standard Windows utility “Remote Assistance” for providing computer help over the Internet. It works by sending an invitation file to the user who will provide the help. Its more functional analogues on the Windows software market are programs like .

The RDP protocol is also used to connect to virtual machines. A remote connection via RDP can offer more than the standard connection window of a hypervisor. The Hyper-V connection window does not provide sound playback in the guest OS, does not see connected USB storage media, and cannot offer more interaction with the physical computer than pasting text copied into it. An RDP connection, on the other hand, can make various devices connected to the physical computer visible to the virtual machine, give a better image of the guest OS desktop, work with sound, and so on.

To connect via RDP, the remote computer must meet the following requirements:

  • It must have a password-protected account;
  • The system must allow remote connections;
  • If you do not want to change your access data every time you connect because of a constantly changing dynamic IP address, you must assign a static IP address in the network settings.

Remote access is only possible on computers with Windows Pro, Enterprise or Ultimate editions installed. Home versions of Windows (Home) do not provide remote access via RDP.

2. Password on the remote computer

If you are working on the remote computer with a Microsoft account, where a short PIN code is used instead of a long password, then when connecting via the RDP protocol you must enter that same long password, and not the four-digit PIN code.

If a local account without a password is used on the remote computer, and there is no special need for a password, for example when connecting to Hyper-V virtual machines, at least a simplest password like “777” or “qwerty” will have to be created.

3. IP address of the remote computer

When connecting via RDP, you will need to enter the IP address of the remote computer. The internal IP address is visible in the system network settings, but in Windows 7, 8.1 and 10 these are three different paths: in Windows 7 it is a section of the Control Panel, and in Windows 8.1 and 10 it is the Settings application, organized differently in each version. Therefore we will find out the internal IP address in a universal way suitable for each of these systems - via the command line. The shortcut to launch Command Prompt in Windows 7 is in the Start menu. In Windows 8.1 and 10, the command line is launched from the context menu of the Start button.

In the command line window, enter:

After pressing Enter, we will get a summary of the data, where the internal IP address will be visible.

4. Allowing remote connections

Permission for remote connections to Windows systems is, as a rule, initially disabled. In any case, this definitely applies to licensed builds. The ability to connect via RDP to the remote computer is enabled in the system settings. We need the “System” section. In Windows 7, it can be reached by searching the Start menu. In Windows 8.1 and 10, you can get to the “System” section from the context menu of the “Start” button.

Click “Remote Access Settings”.

In the system properties window, set the option that allows remote connections. There is no need to remove the authentication option. To apply the changes, click “Apply” below.

These settings open the way to a remote connection, but only for the administrator account. Regular account users are not allowed to make their own computer available for remote control; the administrator can give them this right.

Below the option to allow remote connections there is a “Select users” button. Let's press it.

In the field below, enter the name of the user who is allowed to connect via the RDP protocol. For local accounts this is the account name, and for Microsoft accounts it is the email address used for authorization. Click “OK”.

That’s it – now this user’s account will be accessible from any computer within the local network.
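What the “Allow remote connections” option and the “Select users” button do, reproduced from an elevated PowerShell on the remote computer, as an added example that is not part of the original article. The account name Vasya is the one the article uses later; the rest are standard Windows values. It assumes an English-language Windows 10 / Server 2016 or newer, where the local account cmdlets and the “Remote Desktop” firewall group exist under these names.

```powershell
# Added example, not from the article: enable remote connections and allow a regular
# local account to connect. Run as administrator on the remote computer.
$User  = 'Vasya'
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# fDenyTSConnections = 1 is the default "disabled" state; 0 allows remote connections
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord

# Enabling the option in the GUI also turns on the built-in firewall rule group for 3389
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Administrators can connect already; a regular account has to be in "Remote Desktop Users",
# which is exactly what the "Select users" dialog does
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
if (-not ($members | Where-Object { $_.Name -like "*\$User" })) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $User
}

# Checks: is the door open, who is allowed in, and which address the client should enter
"Remote connections allowed: $((Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0)"
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, PrincipalSource
Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
    Select-Object InterfaceAlias, IPAddress
```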

5. Connect to a remote computer

All necessary actions on the remote computer have been completed, let’s move on to the main computer from which connection and control will be carried out. You can launch the standard RDP connection utility by finding its shortcut using a search within the system. In Windows 7, this is a search in the Start menu.

In versions of Windows 8.1 and 10, press the Win+Q keys.

A small connection window will appear. In the future, it will be possible to connect to remote computers using exactly this abbreviated form. But for now, click “Show options”.

In the “Computer” field, enter the IP address of the remote computer. In the field below, “User”, enter the user name accordingly. If a Microsoft account is used on the remote computer, enter its email address.

If you work on your computer using a regular local account, the username must be entered in the format:

Computer\User

For example, DESKTOP-R71R8AM\Vasya, where DESKTOP-R71R8AM is the name of the computer and Vasya is the username of the local account.

Below the username there is an option to save the authorization data for the remote computer. The connection parameters - IP address, username and password - can be saved as a separate RDP file and opened on another computer. Click “Connect”, and then “Connect” again in the new window.

Enter the password for the remote computer account.

Click “Yes” in the certificate error window.

Even more settings for connecting via the RDP protocol are available in the utility window initially, before the connection is established.

6. Connect to another account on a remote computer

Below the field for the user name of the remote computer, if the “Always request credentials” checkbox is not checked, options for deleting and changing the access data are displayed. By clicking “Change”, in addition to the authorization form for the existing account on the remote computer, we will see the ability to connect to another account present on the same computer.

After entering a new username and password, the authorization data for a specific IP address will be overwritten.

7. Connection settings

In the opened window for connecting to a remote computer, we will find tabs with customizable parameters. The first two concern the convenience and functionality of remote access.

“Screen” – in this tab you can set the screen resolution of the remote computer; the utility window will open with this resolution after connection. If access is made from a weak computer, you can set a low resolution and sacrifice color depth.

“Local resources” – here, in order to save system resources, you can disable sound playback from the remote computer. Or, on the contrary, you can also enable audio recording from the remote computer. In the local devices and resources section, after clicking the “Details” button, we can, in addition to the active printer, select devices of the main computer that will be available on the remote computer: smart cards, individual hard drive partitions, flash drives, memory cards, external hard drives.

An obstacle to using the RDP protocol may be its blocking by antivirus software. In this case, RDP must be allowed in the settings of the antivirus program.

Have a great day!
