This article begins a series of articles devoted to the design and security of the RDP protocol. The first article in this series analyzes the design, use and main technologies embedded in this protocol.

The following articles will discuss the following issues in detail:

  • Operation of the Remote Desktop security subsystem
  • The format in which service information is exchanged in RDP
  • Vulnerabilities in terminal servers and ways to fix them
  • Guessing of user accounts over the RDP protocol (the work done by Positive Technologies in this area)

The history of RDP

The Remote Desktop protocol was created by Microsoft to provide remote access to Windows servers and workstations. It is designed to share the resources of a high-performance terminal server among many less powerful workstations. The first terminal server (version 4.0) appeared in 1998 as part of Windows NT 4.0 Terminal Server; at the time of writing (January 2009), the latest version of the terminal server is version 6.1, included in Windows 2008 Server and Windows Vista SP1. Currently, RDP is the main remote access protocol for the Windows family, and client applications exist both for Microsoft operating systems and for Linux, FreeBSD, Mac OS X, etc.

When talking about the history of RDP, one cannot fail to mention Citrix. Citrix Systems specialized in multi-user systems and remote access technologies in the 1990s. After licensing the Windows NT 3.51 source code in 1995, the company released a multi-user version of Windows NT known as WinFrame. In 1997, Citrix Systems and Microsoft entered into an agreement under which the multi-user environment of Windows NT 4.0 was based on Citrix technology. In turn, Citrix Systems gave up distributing a full operating system of its own and received the right to develop and sell extensions for Microsoft products. These extensions were originally called MetaFrame. The rights to ICA (Independent Computing Architecture), the application protocol for interaction between thin clients and the Citrix application server, remained with Citrix Systems, while the Microsoft RDP protocol was based on ITU T.120.

Currently, the main competition between Citrix and Microsoft is in the field of application servers for small and medium businesses. Traditionally, solutions based on Terminal Services win in systems with a moderate number of servers of the same type and similar configuration, while Citrix Systems has firmly established itself in the market for complex and high-performance systems. The competition is fueled by Citrix releasing lightweight solutions for small systems and by Microsoft constantly expanding the functionality of Terminal Services.

Let's look at the benefits of these solutions.

Strengths of Terminal Services:

  • Easy installation of applications for the client side of the application server
  • Centralized maintenance of user sessions
  • Requires a license for Terminal Services only

Strengths of Citrix solutions:

  • Easy to scale
  • Ease of administration and monitoring
  • Access control policy
  • Support for third-party enterprise products (IBM WebSphere, BEA WebLogic)

Network design using Terminal Services

Microsoft suggests two modes of using the RDP protocol:

  • for administration (Remote administration mode)
  • to access the application server (Terminal Server mode)

RDP in administration mode

This type of connection is supported by all modern Microsoft operating systems. Server versions of Windows allow two simultaneous remote connections plus one local login, while client versions allow only one login (local or remote). To allow remote connections, remote desktop access must be enabled in the computer's system properties.

RDP in terminal server access mode

This mode is available only in server versions of Windows. The number of remote connections in this case is not limited, but it requires setting up a license server and then activating it. The license server can be installed either on a terminal server or on a separate network node. Remote access to the terminal server becomes available only after the appropriate licenses have been installed on the license server.

When using a cluster of terminal servers and load balancing, the installation of a specialized connection server (Session Directory Service) is required. This server indexes user sessions, which allows you to log in, as well as re-login to terminal servers operating in a distributed environment.

How RDP works

Remote Desktop is an application protocol based on TCP. After the transport-level connection is established, an RDP session is initialized, within which various data transfer parameters are negotiated. After the initialization phase has completed successfully, the terminal server begins sending graphical output to the client and waits for keyboard and mouse input. The graphical output can be either an exact copy of the screen image or a stream of commands for drawing graphic primitives (rectangle, line, ellipse, text, etc.). Transmitting output as primitives is the preferred mode for the RDP protocol, since it saves traffic significantly; a raw image is transmitted only when that is impossible for some reason (for example, the parameters for transmitting primitives could not be agreed on during RDP session setup). The RDP client processes the received commands and renders the image using its own graphics subsystem. By default, user input is transmitted as keyboard scan codes. Key press and key release events are transmitted separately, distinguished by a special flag.

RDP supports multiple virtual channels within a single connection, which can be used to provide additional functionality:

  • using a printer or serial port
  • file system redirection
  • clipboard support
  • using the audio subsystem

The characteristics of the virtual channels are negotiated during the connection setup phase.

Ensuring security when using RDP

The RDP protocol specification calls for one of two security approaches:

  • Standard RDP Security (built-in security subsystem)
  • Enhanced RDP Security (external security subsystem)

Standard RDP Security

With this approach, authentication, encryption and integrity assurance are implemented using the means built into the RDP protocol.

Authentication

Server authentication is performed as follows:

  1. When the system starts, a pair of RSA keys is generated
  2. A Proprietary Certificate is created for the public key
  3. The certificate is signed with an RSA key hardcoded into the operating system (any RDP client contains the public key of this built-in RSA key).
  4. The client connects to the terminal server and receives a Proprietary Certificate
  5. The client verifies the certificate and receives the server's public key (this key is used later to negotiate encryption parameters)

Client authentication is performed by entering a username and password.

Encryption

The RC4 stream cipher was chosen as the encryption algorithm. Depending on the operating system version, different key lengths are available from 40 to 168 bits.

Maximum key length for Windows operating systems:

  • Windows 2000 Server – 56 bit
  • Windows XP, Windows 2003 Server – 128 bit
  • Windows Vista, Windows 2008 Server – 168 bit

When a connection is established, after agreeing on the length, two different keys are generated: to encrypt data from the client and from the server.

Integrity

Message integrity is achieved by using a MAC (Message Authentication Code) generation algorithm based on the MD5 and SHA1 algorithms.

Beginning with Windows 2003 Server, FIPS (Federal Information Processing Standard) 140-1 compliance can be achieved by using 3DES for message encryption and a SHA1-only MAC generation algorithm to ensure integrity.

Enhanced RDP Security

This approach uses external security modules:

  • TLS 1.0
  • CredSSP

TLS can be used starting with Windows 2003 Server, but only if the RDP client supports it. TLS support has been added since RDP client version 6.0.

When using TLS, the server certificate can be generated by Terminal Services, or you can select an existing certificate from the Windows certificate store.

The CredSSP protocol is a combination of the functionality of TLS, Kerberos and NTLM.

Let's look at the main advantages of the CredSSP protocol:

  • Checking whether the user is permitted to log on to the remote system before a full RDP connection is established, which saves terminal server resources when there are many connections
  • Strong authentication and encryption via the TLS protocol
  • Single Sign-On using Kerberos or NTLM

CredSSP capabilities can only be used in Windows Vista and Windows 2008 Server. The protocol is enabled by the Use Network Level Authentication flag in the terminal server settings (Windows 2008 Server) or in the remote access settings (Windows Vista).

Terminal Services licensing scheme

When using RDP, accessing applications in thin client mode requires setting up a specialized license server.

Permanent client licenses can be installed on the server only after completing the activation procedure; before this procedure, temporary licenses limited in validity period can be issued. After activation, the license server is provided with a digital certificate confirming its ownership and authenticity. Using this certificate, the license server can perform subsequent transactions with the Microsoft Clearinghouse database and accept permanent CALs for the terminal server.

Types of client licenses:

  • temporary license (Temporary Terminal Server CAL)
  • device license (Device Terminal Server CAL)
  • user license (User Terminal Server CAL)
  • license for external users (External Terminal Server Connector)

Temporary license

This type of license is issued to the client upon first connection to the terminal server; the license is valid for 90 days. Upon successful login, the client continues to work with the temporary license, and the next time it connects to the terminal server, the server tries to replace the temporary license with a permanent one, if one is available in the license store.

Device license

This license is issued for each physical device that connects to the application server. The license validity period is set randomly between 52 and 89 days. 7 days before the expiration date, the terminal server attempts to renew the license from the license server each time a client connects again.

User license

Per-user licensing provides additional flexibility by allowing users to connect from various devices. The current implementation of Terminal Services does not enforce the use of user licenses, i.e. the number of available licenses on the license server does not decrease when new users connect. Using fewer licenses than there are client connections violates the Microsoft license agreement. To use both device and user CALs on the same terminal server, the server must be configured to operate in per-user licensing mode.

License for external users

This is a special type of license designed to connect external users to a corporate terminal server. This license does not restrict the number of connections; however, according to the user agreement (EULA), a terminal server for external connections must be dedicated, which does not allow it to serve sessions from corporate users. Due to the high price, this type of license is not widely used.

The license server can have one of two roles:

  • License server for a domain or workgroup (Domain or Workgroup License Server)
  • Enterprise License Server

The roles differ in how the license server is discovered: when using the Enterprise role, the terminal server searches Active Directory for the license server; otherwise the search is performed using a NetBIOS broadcast request. Each server found is checked for correctness using an RPC request.

Promising Terminal Services technologies

Solutions for application servers are actively promoted by Microsoft, functionality is being expanded, and additional modules are being introduced. The greatest development has been achieved by technologies that simplify the installation of applications and components responsible for the operation of the terminal server in global networks.

The following features have been introduced in Terminal Services for Windows 2008 Server.

desktopwidth:i
The desktop width selected on the Display tab of the Remote Desktop Connection Options window.

desktopheight:i
The desktop height selected on the Display tab of the Remote Desktop Connection Options window.

session bpp:i
The color depth selected in the Color Palette group on the Display tab of the Remote Desktop Connection Options window.

winposstr:s
The window position selected on the Display tab of the Remote Desktop Connection Options window.

full address:s
The computer you want to connect to. The value for this setting corresponds to the entry in the Computer field on the General tab of the Remote Desktop Connection Options window.

compression:i
Determines whether data compression is used when transferred to the client computer.
0 Use data compression.
1 Do not use data compression.

keyboardhook:i
Defines where Windows key combinations are applied. The value for this setting corresponds to the entry in the Keyboard field on the Local Resources tab of the Remote Desktop Connection Options window.
0 On the local computer.
1 On a remote computer.
2 Only in full screen mode.

audiomode:i
Determines where the sound is played. The value of this setting corresponds to the entry in the Sound on the remote computer field on the Local Resources tab of the Remote Desktop Connection Options window.
0 On the client computer.
1 On the host computer.
2 Mute.

redirectdrives:i
Automatically connect drives when logging into the remote computer. The value of this setting corresponds to the state of the Disk drives check box on the Local Resources tab of the Remote Desktop Connection Options window.
0 Do not use automatic disk mounting.
1 Use automatic disk mounting.

redirectprinters:i
Automatically connect printers when you log in to a remote computer. The value of this setting corresponds to the state of the Printers check box on the Local Resources tab of the Remote Desktop Connection Options window.
0 Do not use automatic printer connection.
1 Use automatic printer connection.

redirectcomports:i
Automatic connection of COM ports when logging into a remote computer. The value of this setting corresponds to the Serial Ports check box on the Local Resources tab of the Remote Desktop Connection Options window.
0 Do not use automatic connection of COM ports.
1 Use automatic connection of COM ports.

displayconnectionbar:i
Display the connection panel when logging into a remote computer in full screen mode. This setting corresponds to the state of the Show connections panel when running in full screen check box on the Display tab of the Remote Desktop Connection Options window.
0 Do not display the connection panel.
1 Display the connection panel.

username:s
Username displayed in RDP. The value of this setting corresponds to the entry in the Username field on the General tab of the Remote Desktop Connection Options window.

domain:s
The username that appears in the Remote Desktop Connection dialog box. The value for this setting corresponds to the entry in the Domain field on the General tab of the Remote Desktop Connection Options window.

alternate shell:s
Automatic launch of the program when connecting via RDP. The value of this setting corresponds to the entry in the Program Path and File Name field on the Programs tab of the Remote Desktop Connection Options window.

shell working directory:s
The folder location of the application that automatically starts when connecting via RDP. The value of this setting corresponds to the entry in the Program Path and File Name field on the Programs tab of the Remote Desktop Connection Options window.

disable wallpaper:i
Display the wallpaper when you log on to a remote computer. The value of this setting corresponds to the state of the Desktop Wallpaper check box on the Advanced tab of the Remote Desktop Connection Options window.
0 Display background image.
1 Do not display wallpaper.

disable full window drag:i
Displays the contents of a folder when you drag a folder to a new location. The value of this setting corresponds to the state of the Show window contents when dragging check box on the Advanced tab of the Remote Desktop Connection Options window.
0 Show folder contents when dragging.
1 Do not display folder contents when dragging.

disable menu animations:i
Animation of menus and windows when logging into a remote computer. The value of this setting corresponds to the state of the Visual effects when displaying menus and windows check box on the Advanced tab of the Remote Desktop Connection Options window.
0 Use animation when displaying menus and windows.
1 Do not use animation when displaying menus and windows.

disable themes:i
Use themes when logging into a remote computer. The value of this setting corresponds to the Themes check box on the Advanced tab of the Remote Desktop Connection Options window.
0 Use themes.
1 Don't use themes.

bitmapcachepersistenable:i
Caching graphics on the local computer. This setting corresponds to the setting of the Graphics Caching check box on the Advanced tab of the Remote Desktop Connection Options window.
0 Do not use caching.
1 Use caching.

autoreconnection enabled:i
Determines whether the client computer should automatically try to re-establish a connection after the connection has been interrupted.
0 The client computer does not attempt to reestablish the connection.
1 The client computer is trying to reestablish the connection.

connect to console:i:1
Adding this line will result in a connection to the remote computer's console.
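The settings listed above are stored in an .rdp file as plain text, one "name:type:value" entry per line. As an added example (not code from the original article), the following Python parser reads such a file using the type suffixes described above and flags the redirection settings that expose the client's local resources to the remote host. The audit rules, the type table and the sample profile are my own construction; the address reuses the 192.168.1.88 example from this page.

```python
"""Parse and audit a Remote Desktop Connection (.rdp) file.

Each line is "name:type:value"; the suffix i means integer, s string and
b a binary blob in hex.  The audit rules below are this example's own.
"""
from __future__ import annotations

import re

# Value type each setting discussed on this page is expected to carry.
EXPECTED_TYPES: dict[str, str] = {
    "desktopwidth": "i", "desktopheight": "i", "session bpp": "i",
    "winposstr": "s", "full address": "s", "compression": "i",
    "keyboardhook": "i", "audiomode": "i", "redirectdrives": "i",
    "redirectprinters": "i", "redirectcomports": "i",
    "displayconnectionbar": "i", "username": "s", "domain": "s",
    "alternate shell": "s", "shell working directory": "s",
    "disable wallpaper": "i", "disable full window drag": "i",
    "disable menu animations": "i", "disable themes": "i",
    "bitmapcachepersistenable": "i", "autoreconnection enabled": "i",
    "connect to console": "i",
}

# The value part may itself contain colons (e.g. "full address:s:host:3389").
LINE_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[isb]):(?P<value>.*)$")


def parse_rdp(text: str) -> dict[str, int | str | bytes]:
    """Return {setting name: typed value}.

    Raises ValueError for a line that does not follow name:type:value or
    whose type suffix contradicts EXPECTED_TYPES (a sign the file was
    hand-edited or tampered with).
    """
    settings: dict[str, int | str | bytes] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"malformed .rdp line: {line!r}")
        name, typ, value = m["name"].strip().lower(), m["type"], m["value"]
        expected = EXPECTED_TYPES.get(name)
        if expected is not None and expected != typ:
            raise ValueError(f"{name}: expected type '{expected}', got '{typ}'")
        if typ == "i":
            settings[name] = int(value)
        elif typ == "b":
            settings[name] = bytes.fromhex(value)  # opaque blob, e.g. a saved password
        else:
            settings[name] = value
    return settings


def audit_rdp(settings: dict[str, int | str | bytes]) -> list[str]:
    """List settings that hand local resources to the remote computer.

    A compromised terminal server can read every redirected drive, talk to
    redirected COM ports and print to redirected printers, so a hardened
    client profile leaves these at 0 unless the session really needs them.
    """
    findings: list[str] = []
    if settings.get("redirectdrives") == 1:
        findings.append("redirectdrives: local disks are shared with the remote computer")
    if settings.get("redirectcomports") == 1:
        findings.append("redirectcomports: local COM ports are shared with the remote computer")
    if settings.get("redirectprinters") == 1:
        findings.append("redirectprinters: local printers are shared with the remote computer")
    if settings.get("alternate shell"):
        findings.append(f"alternate shell: {settings['alternate shell']!r} starts automatically on connect")
    return findings


# Constructed sample profile: drive redirection on, printers and COM ports off.
SAMPLE_RDP = """\
full address:s:192.168.1.88
username:s:alice
domain:s:CORP
desktopwidth:i:1280
desktopheight:i:1024
session bpp:i:16
winposstr:s:0,1,0,0,1280,1024
compression:i:1
keyboardhook:i:2
audiomode:i:2
redirectdrives:i:1
redirectprinters:i:0
redirectcomports:i:0
displayconnectionbar:i:1
alternate shell:s:
bitmapcachepersistenable:i:1
autoreconnection enabled:i:1
connect to console:i:1
"""

if __name__ == "__main__":
    profile = parse_rdp(SAMPLE_RDP)
    for finding in audit_rdp(profile):
        print("WARNING:", finding)
```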

Many users very often come across the concept of an RDP client, although sometimes they do not fully understand what these programs are and what they are needed for. Let's look at what an RDP client is (let's take Windows XP and 7 as the operating system environment). Finally, a list of alternative applications will be presented.

RDP clients: what are they and why are they needed?

To understand the essence of such programs, you just need to decipher the abbreviation RDP. Essentially, this is a special protocol that allows you to connect to a remote “Desktop” from any other terminal or mobile device.

However, talking only about access to the “Desktop” is somewhat inaccurate. Almost any program of this type, be it an RDP client for Windows XP, 7 or higher, gives access to all functions and settings of the system, as well as to the information stored on the computer. And absolutely all available parameters can be managed from a remote terminal, smartphone or tablet. As for the settings, they are very similar whether you use, for example, the “native” RDP client for Windows 7 or a third-party software product.

Preview update for Windows XP

There are usually no problems with setting up applications of this type, since all processes are as automated as possible. However, you still need to pay attention to some nuances.

In Windows XP, even with the SP3 update installed, client version 6.1 is provided. You can install the RDP 7.0 client only manually. Unfortunately, problems often arise when downloading an update from the official Microsoft website, so you can download the update from another source. In this case, we mean the KB969084 (85) update package, taking into account

After downloading the file, which comes as an executable (EXE), simply run it and wait for the update process to complete. Once installation has finished, the computer or laptop must be rebooted. Version 7.0 on Windows XP will allow you to gain remote access even to machines running the tenth version of the system.

Built-in RDP client for Windows 7: initial system setup

“Seven” also has its own remote access program. However, while in XP the RDP client can be updated to version 7.0, here the 7.1 modification is used by default, in the form of the MsTsc.exe utility.

But before you start setting up, you should go to the “Control Panel” and select the “System” section. Access can also be achieved through the computer properties menu by clicking on the icon located on the “Desktop”.

On the left side there is a remote access settings section, in which, on the corresponding tab, you need to check the boxes next to the permission lines for this operation and connection. Additionally, you can select the users to whom these rules will apply.

General setup rules

Any RDP client for Windows can be launched with the standard mstsc command, entered in the Run dialog (Win + R).

In the connection window, you need to enter the desired IP address of the server or terminal with which the communication session will be carried out. After this, the system will prompt you to enter your credentials, and then you will be redirected to the remote “Desktop”.

To change settings, expand the display of all parameters using the corresponding button. On the General tab you can enter the computer name and set the permission to save the current settings. It is just as easy to adjust the screen brightness and other related characteristics on the corresponding tab. The Local Resources tab adjusts the sound quality, allows the use of keyboard shortcuts, and selects the devices you would like to use when connecting (printers, faxes, etc.). On the Programs tab, you can select a specific application that will launch automatically when the remote connection is established. In the Experience section, you can set your own connection speed parameters. Finally, in the advanced settings you can set server authentication options.

Changing connection speed limit settings

But that's not all. The fact is that built-in RDP clients can significantly limit the speed of access to remote terminals (an update speed limit is set).

You can change these settings in the system registry editor, which is opened with the regedit command in the Run dialog. Here you need to select the HKCU branch and, in the SOFTWARE section, find the MinSendInterval parameter. Its default value is 120 ms, but it is better to change it to 5-10 ms.

Along the way, you can change the value of the cache size and the parameters of the “pin connector”, but it is better not to touch them. But for the OrderDrawThreshold key it is better to set the value at 1 ms.

Do I need to change the port?

Almost all known RDP clients use port 3389. If for some reason the connection does not work, first change the firewall settings: create a new rule for the port and enter the port value for the TCP protocol.

In some cases, the same may need to be done on a router, where, similar to the firewall, a new rule is created specifying 3389 as the forwarded port. For correct configuration, it is advisable to read the router's documentation.

Alternative programs

Not all users agree that native RDP clients for Windows are the optimal solution for remote access. Today there are a lot of such programs being produced. For example, the client from Google Corporation is considered very convenient.

The only catch is that for it to work correctly you need the latest version of the Google Chrome browser installed on your system. But the settings are much simpler, and the ease of use seems better than that of the standard Windows utilities.

There are minimal settings here, but the main condition for granting access is to use your own Google services account. For owners of mobile devices with Android OS on board, this is not a problem at all. But in the end, you can control your computer or laptop even from the simplest smartphone.

Among other utilities, it is worth noting the following:

  • FreeRDP.
  • Remmina.
  • Rdesktop, etc.

Conclusion

It’s difficult to advise what exactly to use, because each program has its own pros and cons. However, if we make some comparison, we can conclude that there is nothing easier than working with Windows’ own tools or installing Chrome Remote Desktop from Google. But in any case, preliminary configuration of access permissions will have to be performed at the first stage.

Among users, quite a lot of people have heard that there is a certain RDP client.

But few people know what it is, why it is needed and how to work with it.

But in fact, this is simply an irreplaceable thing for those who need to work in several places, but there is no way to carry a laptop with them.

Why do you need RDP?

Imagine that you are working in an office. Your responsibilities include scheduling, paperwork, and more. You perform all these tasks on your computer in the office. But the working day ends, the guard says that he will close the room and you cannot stay in it, and you still need to complete a few important tasks. Moreover, it will not be possible to postpone them until tomorrow.

And at this moment this same RDP comes to the rescue. Imagine being able to come home, turn on your home computer, and continue to work on the same desktop and with the same data as on the computer at work. That is, while at home, you will, in fact, work on your work computer.

Fig. 1. RDP allows you to work from one computer on another

Interesting?

Then let's continue!

Decrypting RDP

RDP is the Remote Desktop Protocol. This is exactly the definition given in official sources: the abbreviation stands for “Remote Desktop Protocol”, which translates as the protocol for a remote desktop.

There is no complicated science here. This protocol is really designed to allow you to work with your desktop remotely. This means that you are at a certain distance from where the desktop is actually located, and still have the opportunity to work with it.

Actually, an RDP client is a program that allows you to implement the functions of this very protocol. In other words, it is a program that allows the user to work with the computer remotely. You can easily organize access to your computer, then connect to it from another device and continue working. In fact, there is nothing complicated about it.

Fig. 2. Remote access to a computer from a tablet

Today RDP clients exist on a wide variety of operating systems, including:

  • Windows;
  • Mac OS;
  • Android.

Users of all these platforms have the opportunity to easily organize remote access to their devices. Moreover, from a device on one OS you can do the same for a device on another. For example, you can connect to a Windows computer from an Android tablet.

In general, a very useful and interesting feature. Now we will look at how to work with this protocol and programs for working with it.

RDP client on Windows

The earliest and most common example of a program for working with the remote access protocol is the Remote Desktop Connection tool on Windows. Actually, the RDP protocol was developed for this operating system. And only then they began to use it in other operating systems.

Today, any version of Windows has a built-in tool called “Remote Desktop Connection”. It can be found in the Start menu or using search. It's called the same everywhere.

To use it, you must first configure the computer to which you will connect, that is, the computer whose desktop you are going to work with. To do this, do the following:

  1. First you need to find out the IP address of the computer, so that you can then enter it on the other device, from which the first one will be controlled. To do this, follow these steps:
  • launch the program execution window by simultaneously pressing the Win and R buttons on the keyboard;
  • in the window that opens, in the only input field, enter “cmd” and press Enter on the keyboard - this will launch the command line;

Fig. 3. Command to launch the command line from the Run window

  • in the command line, enter the command “ipconfig” and press Enter again;
  • All available network information will open, find the line “IPv4 address” there - opposite it will be the IP address, remember it (!).

Fig. 4. Network information on the command line

As you can see, in our example the IP address is 192.168.1.88.

  2. You should now enable the ability to access your computer using the remote management tool. To do this, do the following:
    • in the Start menu, open Control Panel;
    • click on the “System and Security” section;

Fig. 5. “System and Security” section in the Control Panel

  • in the next window, click on the “System” subsection;

Fig. 6. Subsection “System”

  • In the menu on the left, select “Advanced system settings”;
  • in the window that opens, go to the “Remote access” tab;
  • Place marks opposite the items highlighted in Figure 7 with numbers 1 and 2;
  • close all windows, and before that click “Apply”.

Fig. 7. Allow remote control in the “System” section

Now you can easily connect to this computer. This operation is also quite simple. It is performed in the following sequence:

  1. Go to the “Start” menu, select the list of all programs there, then the “Accessories” section, and click on the tool called “Remote Desktop Connection”. It will not be difficult to find.

Fig. 8. Remote Desktop Connection tool in the Start menu

  2. Then, in the next window, you need to enter the IP address that we determined in one of the previous steps. Recall that in our example it is 192.168.1.88. This address must be entered into this very window. When this is done, proceed to the next step, but do not click the “Connect” button yet. Instead, click on the “Options” link, which is located slightly below and to the left of the address input field.

Fig. 9. Window of the tool for connecting to a remote desktop

  3. It is important that you have the opportunity to work not only with folders and files, but also with devices connected to the computer that will be controlled. Therefore, in the window that appears, go to the “Local Resources” tab and check the boxes next to the “Printers” and “Clipboard” items. Now you can click the “Connect” button and thus move on to the next step.

Fig. 10. Parameters for connecting to a remote computer

After this, a connection will be made to the specified computer at its address. Some people install an account system on their devices. In this case, you will have to enter your username and password to connect. But if at the first stage of the setup described above you did not do anything to install such a system, you do not need to enter anything.

It's simple! Isn't it true?

Now you know how to use the simplest version of RDP and can easily establish a remote connection. If you have any questions or difficulties, write about it in the comments below. We will definitely answer.

There is an opinion that connecting via Windows Remote Desktop (RDP) is very unsafe compared with its analogues (VNC, TeamViewer, etc.). As a result, opening access from outside to any computer or server on the local network is considered a very reckless decision: it will definitely be hacked. The second argument against RDP usually sounds like this: “it eats up traffic, it’s not an option for a slow Internet connection.” Most often, these arguments are not substantiated.

The RDP protocol has been around for a long time; its debut took place on Windows NT 4.0 more than 20 years ago, and a lot of water has passed under the bridge since then. Currently, RDP is no less secure than any other remote access solution. As for the required bandwidth, there are a bunch of settings in this regard that can be used to achieve excellent responsiveness and bandwidth savings.

In short, if you know what, how and where to configure, then RDP will be very good remedy remote access. The question is, how many admins have tried to delve into the settings that are hidden a little deeper than on the surface?

Now I’ll tell you how to protect RDP and configure it for optimal performance.

Firstly, there are many versions of the RDP protocol. Everything that follows applies to RDP 7.0 and higher, which means you have at least Windows Vista SP1. For retro lovers there is a special update for Windows XP SP3, KB 969084, which adds RDP 7.0 to that operating system.

Setting No. 1 - encryption

On the computer you are going to connect to, open gpedit.msc and go to Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Security.

Set the parameter “Require use of specific security layer for remote (RDP) connections” to “Enabled” and the security layer to “SSL (TLS 1.0)”.

With this setting we have enabled encryption as such. Now we need to make sure that only strong algorithms are used, not something like 56-bit DES or RC2.

Therefore, in the same branch, open the option “Set client connection encryption level”, enable it and select the “High Level” setting. This gives us 128-bit encryption.

But this is not the limit. The highest level of encryption is provided by the FIPS 140-1 standard; with it, RC2/RC4 are automatically out of the picture.

To enable FIPS 140-1, go to Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options in the same snap-in.

Find the option “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” and enable it.

Finally, be sure to enable the “Require secure RPC communication” option under Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Security.

This setting makes connecting clients use encryption in accordance with the settings configured above.

With encryption now in order, we can move on.

Setting No. 2 - changing the port

By default, RDP listens on TCP port 3389. For variety, it can be changed; to do this, edit the PortNumber value in the registry at

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
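The port change carried out from PowerShell, as an added example that is not part of the original article. It assumes an elevated session on the machine being configured; the new port number is a placeholder. The firewall rule is created before the registry value is switched so that an administrator working on a remote machine is not locked out, and the listener is verified after the service restart. Keep in mind that moving the port only cuts down on opportunistic scanner noise in the logs; it is not a substitute for the encryption and NLA settings described on this page.

```powershell
# Added example, not the article's own code. Run as Administrator on the RDP host.
$NewPort = 33890   # placeholder; pick an unused port

$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$oldPort = (Get-ItemProperty -Path $listenerKey -Name PortNumber).PortNumber
Write-Host "Current RDP listener port: $oldPort"

# 1. Allow the new port through the host firewall first, so the change cannot lock you out.
New-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow `
    -Profile Domain,Private | Out-Null

# 2. Point the RDP-Tcp listener at the new port.
Set-ItemProperty -Path $listenerKey -Name PortNumber -Value $NewPort -Type DWord

# 3. The listener re-reads PortNumber only on service start. Note: this drops active sessions.
Restart-Service -Name TermService -Force

# 4. Verify the listener is actually bound to the new port.
$bound = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($bound) {
    $bound | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
    Write-Host "Clients now connect with: mstsc /v:<hostname>:$NewPort"
} else {
    Write-Warning "Nothing is listening on TCP $NewPort; check the TermService state."
}
```

The built-in “Remote Desktop” firewall rules still reference port 3389, so either disable them or leave them for a rollback window; the custom rule above is what admits traffic on the new port.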

Setting No. 3 - Network Level Authentication (NLA)

By default, you can connect via RDP without entering a username and password and see the remote desktop's Welcome screen, where you are asked to log in. This is not at all safe, in the sense that such a remote computer can easily be DDoSed.

Therefore, in the same branch, enable the option “Require user authentication for remote connections by using Network Level Authentication”.

Setting No. 4 - what else to check

First, check that the parameter “Accounts: Limit local account use of blank passwords to console logon only” is enabled. The setting can be found in Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Security.

Secondly, do not forget to check the list of users who are allowed to connect via RDP.
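A read-only audit covering settings No. 1, No. 3 and No. 4 together, as an added example that is not from the original article. It reads the effective values of the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class (which reflects what the listener actually enforces, whatever the Group Policy path used to set it), then the policy-backed registry values for secure RPC, FIPS and blank-password use, and finally lists who is in the local “Remote Desktop Users” group. It assumes an elevated session and Windows PowerShell 5.1 or later for Get-LocalGroupMember.

```powershell
# Added example, not the article's own code. Read-only; run as Administrator on the RDP host.

# Effective listener settings: what RDP-Tcp enforces right now.
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

$checks = @(
    [pscustomobject]@{ Setting = 'SecurityLayer (2 = SSL/TLS)'
                       Value   = $ts.SecurityLayer
                       Ok      = ($ts.SecurityLayer -eq 2) }
    [pscustomobject]@{ Setting = 'MinEncryptionLevel (3 = High, 4 = FIPS)'
                       Value   = $ts.MinEncryptionLevel
                       Ok      = ($ts.MinEncryptionLevel -ge 3) }
    [pscustomobject]@{ Setting = 'UserAuthenticationRequired (1 = NLA on)'
                       Value   = $ts.UserAuthenticationRequired
                       Ok      = ($ts.UserAuthenticationRequired -eq 1) }
)

# Policy-backed values written by the gpedit settings described in the text.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rpc = (Get-ItemProperty -Path $tsPolicy -Name fEncryptRPCTraffic -ErrorAction SilentlyContinue).fEncryptRPCTraffic
$checks += [pscustomobject]@{ Setting = 'Require secure RPC communication (1 = on)'
                              Value   = $rpc; Ok = ($rpc -eq 1) }

$fips = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
            -Name Enabled -ErrorAction SilentlyContinue).Enabled
$checks += [pscustomobject]@{ Setting = 'FIPS compliant algorithms (1 = on)'
                              Value   = $fips; Ok = ($fips -eq 1) }

$blank = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name LimitBlankPasswordUse).LimitBlankPasswordUse
$checks += [pscustomobject]@{ Setting = 'Blank passwords limited to console logon (1 = on)'
                              Value   = $blank; Ok = ($blank -eq 1) }

$checks | Format-Table -AutoSize

# Setting No. 4, second point: who may connect. Local Administrators are always allowed as well.
Write-Host "`nMembers of 'Remote Desktop Users':"
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

if ($checks | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more RDP hardening checks failed; see the Ok column above.'
}
```

A missing policy value shows as an empty Value with Ok = False, which is the correct result: “not configured” means the default is in force, not that the setting is enabled.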

Setting No. 5 - speed optimization

Go to the section Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Session Environment.

Here you can and should adjust several parameters:

  • Limit maximum color depth - 16 bits is enough. This saves more than twice the traffic compared with 32-bit depth.
  • Enforce removal of Remote Desktop wallpaper - it is not needed for work.
  • Set compression algorithm for RDP data - it is better to choose “Optimized to use less network bandwidth”. RDP will then consume a little more memory, but it will compress more efficiently.
  • Optimize visual experience for Remote Desktop Services sessions - set the value to “Text”. That is all you need for work.

In addition, when connecting to a remote computer, you can disable the following on the client side:

  • Font smoothing. This greatly reduces response time. (If you have a full-fledged terminal server, this parameter can also be set on the server side.)
  • Desktop composition - responsible for Aero and the like.
  • Show window contents while dragging
  • Visual effects
  • Visual styles - if you want hardcore

The remaining parameters, such as desktop background and color depth, we have already fixed on the server side.

Additionally, on the client side you can increase the size of the image cache; this is done in the registry. Under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\ create two DWORD (32-bit) values, BitmapPersistCacheSize and BitmapCacheSize:

  • BitmapPersistCacheSize can be set to 10000 (10 MB). By default this parameter is 10, which corresponds to 10 KB.
  • BitmapCacheSize can also be set to 10000 (10 MB). You will hardly notice if the RDP connection takes an extra 10 MB of your RAM.
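The client-side part of setting No. 5 in one script, as an added example that is not from the original article: it writes an .rdp connection file whose properties correspond to the checkboxes listed above (font smoothing, desktop composition, window dragging, menu animations, visual styles, 16-bit color, no wallpaper), keeps the persistent bitmap cache enabled so the two registry values matter, and then creates those two DWORD values with the sizes given in the text. Hostname, port and output path are placeholders; the script is meant to run as the user who will launch mstsc.

```powershell
# Added example, not the article's own code. Run as the user who will start the RDP client.
$TargetHost = 'rdp-host.example.internal'   # placeholder
$TargetPort = 3389                          # placeholder; use the custom port if you changed it
$RdpFile    = Join-Path $env:USERPROFILE 'Desktop\lean-connection.rdp'

# .rdp file properties; the comments map each line to the client-side option in the text.
$rdpSettings = @(
    "full address:s:${TargetHost}:${TargetPort}"
    'session bpp:i:16'                  # color depth 16-bit
    'disable wallpaper:i:1'             # no remote wallpaper
    'allow font smoothing:i:0'          # font smoothing off
    'allow desktop composition:i:0'     # desktop composition (Aero) off
    'disable full window drag:i:1'      # do not show window contents while dragging
    'disable menu anims:i:1'            # visual effects (menu/window animation) off
    'disable themes:i:1'                # visual styles off, the hardcore option
    'bitmapcachepersistenable:i:1'      # keep the on-disk bitmap cache, sized by the registry below
    'compression:i:1'                   # ask the server for RDP compression
    'enablecredsspsupport:i:1'          # use NLA (CredSSP), matching setting No. 3 on the server
    'authentication level:i:2'          # 2 = do not connect if the server cannot be authenticated
)

# mstsc writes .rdp files as UTF-16LE, so use the same encoding.
Set-Content -Path $RdpFile -Value $rdpSettings -Encoding Unicode

# Client-side bitmap cache sizes, as recommended in the text.
$clientKey = 'HKCU:\SOFTWARE\Microsoft\Terminal Server Client'
if (-not (Test-Path $clientKey)) { New-Item -Path $clientKey -Force | Out-Null }
Set-ItemProperty -Path $clientKey -Name BitmapPersistCacheSize -Value 10000 -Type DWord
Set-ItemProperty -Path $clientKey -Name BitmapCacheSize        -Value 10000 -Type DWord

Get-ItemProperty -Path $clientKey -Name BitmapPersistCacheSize, BitmapCacheSize |
    Select-Object BitmapPersistCacheSize, BitmapCacheSize | Format-Table -AutoSize

Write-Host "Wrote $RdpFile. Start the connection with: mstsc `"$RdpFile`""
```

Opening the file in mstsc and pressing “Show Options” confirms the corresponding checkboxes on the “Experience” and “Advanced” tabs, which is a quick way to verify the property names took effect.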

I won't say anything about forwarding printers and the like; everyone forwards whatever they need.

This concludes the main part of the setup. In the following reviews I will tell you how to further improve and secure RDP. Use RDP correctly, and a stable connection to everyone! See also how to make an RDP terminal server on any version of Windows.