Windows Remote Desktop

Overview

Gaining remote access to your computers at home can save lots of time because you can maintain all of them from one place. Some options to do this are:

  • Get an account at logmein.com: This free service installs a program on each computer that you want to access remotely. Once each remote system is set up you can access all of them from the website.
  • Install the TightVNC server and client: This is a free utility that provides a server process you can install on each computer that you want to access remotely. Once set up you can log in to each system using the VNC client utility.

The problem with these approaches is that their performance is poor relative to the Microsoft Remote Desktop utility. An examination of the Windows version comparison chart shows that unless you have the Professional or Ultimate edition this feature is disabled.

What is RDP?

The Remote Desktop Protocol (RDP) is a protocol introduced by Microsoft that brings the desktop of a remote system to you from anywhere. You can usually find the RDP client in the Start menu under Accessories. When you launch it you are presented with the following dialog. Before this works on your home systems some additional configuration may be required.

A user named untermensch has provided a solution in a post on experts.windows.com. He presents a program called Concurrent RDP Patcher that will modify a few files and settings in your system and get you up and running with RDP in a few minutes.

Get the binaries here.

Get the source code here.

An examination of the Visual Basic source code shows how it works. In summary it performs the following steps when you patch:

  1. Retrieve the OS version and determine if this Windows version is supported.
  2. Stop the Terminal Service.
  3. Take ownership of C:\Windows\system32\termsrv.dll (or the 64-bit equivalent).
  4. Apply 3 binary updates to termsrv.dll (separate updates for 32-bit and 64-bit).
  5. Uncompress an internal copy of rdpclip.exe to C:\Windows\system32.
  6. Modify registry values in \HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
    1. LimitBlankPasswordUse
  7. Modify registry values in \HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server:
    1. fSingleSessionPerUser
    2. fDenyTSConnections
  8. Create the Remote Desktop firewall rule.
  9. Start the Terminal Service.
  10. Grant ownership of termsrv.dll back to the TrustedInstaller group.
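Because the patcher rewrites termsrv.dll in place, the file no longer carries a valid Microsoft Authenticode signature afterwards. The following script, added here as an example and not part of the original post or of Concurrent RDP Patcher, checks that signature and file owner and lists the registry values touched in steps 6 and 7 so you can tell whether a system has been patched; the "stock default" values it compares against are assumed to be those of an unmodified install.

```powershell
# Added example (not from the original post or Concurrent RDP Patcher):
# report the traces the patcher leaves on a system. Run from an elevated
# PowerShell prompt on the machine being checked.
$termsrv = Join-Path $env:SystemRoot 'System32\termsrv.dll'

# Any byte-level change to the DLL invalidates its Authenticode signature,
# so a Status other than 'Valid' (typically 'HashMismatch') is the clearest
# indication that termsrv.dll has been modified.
$sig = Get-AuthenticodeSignature -FilePath $termsrv
Write-Host ("termsrv.dll signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)

# Ownership is also changed during patching; on an unmodified system it
# should be the TrustedInstaller service account.
$owner = (Get-Acl -Path $termsrv).Owner
Write-Host "termsrv.dll owner: $owner"

# Registry values the patcher modifies, with the assumed stock defaults
# (1 for each of them: blank-password logons limited, one session per user,
# and inbound RDP connections denied).
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';             Name = 'LimitBlankPasswordUse'; Default = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name = 'fSingleSessionPerUser'; Default = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name = 'fDenyTSConnections';    Default = 1 }
)
foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { '<missing>' }
    $flag  = if ($value -ne $c.Default) { '  <-- differs from the stock default' } else { '' }
    Write-Host ("{0}\{1} = {2}{3}" -f $c.Path, $c.Name, $value, $flag)
}
```

Note that fDenyTSConnections is also changed by simply enabling Remote Desktop through System Properties, so only the signature status is a definite sign of the binary patch.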

Troubleshooting

In the process of testing this program I noticed that when I removed and re-applied the patch I was unable to connect. This was happening because the Remote Desktop firewall rule was deleted but the re-add never happened. If this happens you can manually add it with these commands.

 # File: termsrv_firewall_fix.ps1
 # Note: this is a PowerShell script; run it from an elevated prompt.
 # Description: This script re-creates the firewall rule that can be missing
 # after the "Concurrent RDP Patcher" program unpatches itself.
 # First remove any existing rule with the same name so the add does not
 # create a duplicate (netsh reports an error if no such rule exists; that is harmless).
 netsh advfirewall firewall delete rule `
 name="Remote Desktop"
 # Re-create the inbound rule for TCP 3389 on all three profiles.
 netsh advfirewall firewall add rule `
 name="Remote Desktop" `
 dir=in `
 action=allow `
 protocol=tcp `
 localport=3389 `
 program=System `
 description="Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389]" `
 "profile=public,private,domain"

Securing Access

The first step to securing access to your system is to make sure you have an updated version of the RDP client. If you are using XP you may need to refer to the following section titled “Windows XP Issues”. You can check your RDP client version in the About box. Verify that the client supports at least protocol 7.0 as in the screenshot below.

You should set up Network Level Authentication, also known as NLA. Among the many other improvements in RDP 6.1, NLA authenticates the user before a session with the remote desktop is opened. This improves security because your login information is supplied and verified before the session begins.

You can check if it is active by looking at the “About Remote Desktop Connection” dialog. Check for a message that reads “Network Level Authentication supported” (as in the above screenshot). One important parameter to change is the SecurityLayer registry key.

\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer

Some possible values are given in the table below.

Security Level | SecurityLayer | Description
Low            | 0             | RDP is used by the server and the client for authentication prior to a remote desktop connection being established. Use this setting if you are working in a heterogeneous environment.
Medium         | 1             | The server and client negotiate the method for authentication prior to a Remote Desktop connection being established (this is the default value). Use this setting if all of your computers are running Windows.
High           | 2             | Transport Layer Security (TLS) is used by the server and client for authentication prior to a remote desktop connection being established. Use this setting for maximum security.

It is recommended that you use the value “2” if you intend to leave the connection open to the Internet. This setting forces TLS authentication to be used and prevents anonymous people from opening RDP connections.

Another useful feature is the MinEncryptionLevel setting.

\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel

Level of Encryption | MinEncryptionLevel | Description
Low                 | 1                  | Data sent from the client to the server is encrypted using 56-bit encryption. Data sent from the server to the client is not encrypted.
Client Compatible   | 2                  | Encrypts client / server communication at the maximum key strength supported by the client. Use this level when the Terminal Server is running in an environment containing mixed or legacy clients. This is the default setting.
High                | 3                  | Encrypts client / server communication using 128-bit encryption. Use this level when the clients that access the Terminal Server also support 128-bit encryption. If this option is set, clients that do not support 128-bit encryption will not be able to connect.
FIPS-Compliant      | 4                  | All client / server communication is encrypted and decrypted with the Federal Information Processing Standard (FIPS) encryption algorithms. FIPS 140-1 (1994) and its successor, FIPS 140-2 (2001), describe these requirements.

I recommend setting this to “3” so it will force all connections to use 128-bit encryption. You will need to restart your system for the changes to be effective.
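The script below, added here as an example rather than taken from the original post, reads the two RDP-Tcp values described above, labels them using the tables, and applies the recommended SecurityLayer=2 and MinEncryptionLevel=3. It also checks the UserAuthentication value under the same key (not named in the text; 1 means the listener requires NLA), and uses -WhatIf so nothing is written until you remove that switch.

```powershell
# Added example (not from the original post): audit the RDP-Tcp listener
# settings discussed above and apply the recommended values. Run from an
# elevated PowerShell prompt; restart afterwards for the changes to apply.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Meaning of each value, taken from the two tables in the text.
$securityLayerNames = @{ 0 = 'Low (RDP security)'; 1 = 'Medium (negotiate)'; 2 = 'High (TLS)' }
$encryptionNames    = @{ 1 = 'Low (56-bit)'; 2 = 'Client Compatible'; 3 = 'High (128-bit)'; 4 = 'FIPS-Compliant' }
# UserAuthentication is not in the text; 1 = NLA required before a session is created.
$nlaNames           = @{ 0 = 'NLA not required'; 1 = 'NLA required' }

function Get-RdpValue([string]$Name) {
    $item = Get-ItemProperty -Path $rdpTcp -Name $Name -ErrorAction SilentlyContinue
    if ($item) { [int]$item.$Name } else { $null }
}

# Prints the current value with its label and whether it meets the recommendation.
function Describe([string]$Name, [hashtable]$Names, [int]$Recommended) {
    $current = Get-RdpValue $Name
    if ($null -eq $current) {
        Write-Host "$Name is not set (Windows uses its built-in default)"
    } else {
        $label   = if ($Names.ContainsKey($current)) { $Names[$current] } else { 'unknown value' }
        $verdict = if ($current -ge $Recommended) { 'OK' } else { "weaker than recommended ($Recommended)" }
        Write-Host "$Name = $current ($label) -> $verdict"
    }
    return $current
}

$sl = Describe 'SecurityLayer'      $securityLayerNames 2
$me = Describe 'MinEncryptionLevel' $encryptionNames    3
$ua = Describe 'UserAuthentication' $nlaNames           1

# Apply the recommended values. -WhatIf only reports what would change;
# remove it once you are happy with the output above.
if ($sl -ne 2) { Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Value 2 -Type DWord -WhatIf }
if ($me -ne 3) { Set-ItemProperty -Path $rdpTcp -Name 'MinEncryptionLevel' -Value 3 -Type DWord -WhatIf }
if ($ua -ne 1) { Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord -WhatIf }
```

Requiring NLA on the listener means clients that cannot do CredSSP (such as XP without the fix in the next section) will be refused, so check your oldest client first.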

Windows XP Issues

If you are still using this decade-old operating system (like me) then this section is useful; if not, you can skip it. If you have XP there are a number of security updates you can install manually that are not offered through the standard Windows Update service.

The latest version available for XP provides support for RDP protocol 7.0. It is not pushed through the Windows Update service, so you will need to manually download and install Microsoft update KB969084.

To get NLA you need to set up the Credential Security Support Provider (CredSSP) that was provided in Windows XP Service Pack 3. Follow these steps to add support for CredSSP (source: http://support.microsoft.com/kb/951608):

  1. Open RegEdit or PowerShell.
  2. Optionally backup your registry.
  3. Navigate to \HKLM\SYSTEM\CurrentControlSet\Control\LSA
  4. Examine the Security Packages entry. It should be a list like “kerberos msv1_0 schannel wdigest”.
  5. Add tspkg to the end of the Security Packages list.
  6. Navigate to \HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders.
  7. Examine the SecurityProviders entry. It should look something like “msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll”.
  8. Add credssp.dll to the end of this list.
  9. Restart your system.

After the reboot verify if it is active by checking the About dialog in the RDP client.

Accessing your Home from the Internet

One of the best things about setting up remote access is being able to access your home systems when you are at work or on the road. Most consumer Internet providers offer a dynamic IP that makes it difficult to host servers because the IP is frequently changing. Fortunately there are services that can help you get around this problem.

DynDNS offers a free service that provides you with an Internet hostname that is updated whenever your ISP assigns you a new IP. First you need to sign up for their free service. Next you need to download an update client and install it on a system that is constantly online. The program will monitor your Internet IP address for changes and notify DynDNS of them.

Also, you will need to configure your firewall to route the remote RDP traffic to the system you want to access. For an AT&T U-verse service I had to add a user-defined application to the firewall to allow incoming TCP connections for port 3389 and route it to the system I intended to connect to. This process will vary depending on how your router is configured.

Note: It is possible to set up RDP on other ports but that is beyond the scope of this document. After configuring my firewall, it shows TCP over my public IP being mapped to the system on my home network.

After you do this you can specify the DynDNS name in your RDP client and access your system from anywhere.