Lead Image © asphoto777, 123RF.com

Setting up secure RDP connections

Window to the Server

Article from ADMIN 82/2024
Know when to make RDP available on the Internet for remote access to Windows Server and how to configure connections securely when you do.

The Remote Desktop Protocol (RDP) is still one of the most important methods for remote access. In this article, I show you how to enable RDP and use it in an effective and secure way. As an admin, this means you can manage your Windows servers with confidence and without having to compromise security. In combination with the Windows Admin Center, interesting options open up for managing Windows servers directly from the desktop.

Most of the settings described in this article also work on Windows Server 2016 and 2019, and on Windows 10 and 11, but I focus on Windows Server 2022 for the configuration. As things stand at present, the approach also works on Windows Server vNext/2025. RDP connections are primarily of interest for the graphical user interface (GUI) but can also be established to Server Core servers. In this case, you need to run sconfig.exe on the Server Core server to get started. In the Remote desktop menu item you can then enable or disable RDP; once enabled, you connect to the server directly with the RDP client.

This approach works with the Windows Admin Center (WAC) just as it does on servers with a GUI. In this case, you can access the command prompt and PowerShell over the RDP connection, along with the same tools that you use on the Server Core console. The use of RDP in Windows Admin Center is interesting in that it lets you access your servers over HTTPS in the web browser. If you have connected your servers to Azure free of charge with Azure Arc, you can secure RDP access to your servers over the Internet with Windows Admin Center in Azure without requiring a virtual private network (VPN).

RDP files can be digitally signed and protected with certificates, which enhances security while avoiding error messages popping up because of incorrect signing. All these options suggest that Microsoft will continue to rely on RDP in the future and even expand its support.

Enabling Remote Desktop

Without installing Remote Desktop Services, you can use two active RDP sessions for server management of Windows servers. On Windows 10/11 Pro/Enterprise, only one user can connect over RDP. During the remote session in Windows 11, the operating system locks the user's session on the desktop. This is not the case on servers, unless you use the same username for the RDP connection as for the console session. RDP client access licenses (CALs) are not required for managing the server over RDP, provided the RDP connections are restricted to managing the server.

RDP access is disabled by default. You can enable the Allow remote connections to this computer option in the GUI by running sysdm.cpl and selecting the Remote tab. After confirming, you can connect to the computer over RDP as an admin user, for example, with the local RDP client, which you can launch by typing mstsc.exe. Other tools used for this purpose are Royal TS [1] or the Microsoft Remote Desktop Connection Manager [2].

Enabling the Allow connections only from computers running Remote Desktop with Network Level Authentication option ensures that the connecting client has to authenticate before a session is even created on the server, instead of at the Windows logon screen. The Network Level Authentication (NLA) used here is not a problem in Active Directory (AD) environments. However, if you are accessing a server from a PC outside the domain – from your home office or with an RDP app on a smartphone or tablet, for example – the server refuses the connection. Generally speaking, this option is useful and should be deployed wherever possible to make attacks on the RDP listener harder.

For access over RDP, the user must be a member of the server's local Administrators or Remote Desktop Users group. You can set this up in sysdm.cpl on the Remote tab with the Select Users button. The options are also available under System\Remote Desktop in the Windows Server 2022 Settings app.
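The two settings just discussed, NLA and membership of the Remote Desktop Users group, can be audited across several servers with PowerShell. The following function is an added example and not part of the article; it uses the same root\cimv2\TerminalServices namespace as the article, the function name and the server names are my own, and the -EnforceNla switch only changes the setting when you ask it to.

```powershell
# Added example: audit (and optionally enforce) the RDP listener security of one or
# more servers. Function name, parameter names and server names are assumptions.
function Get-RdpSecurityState {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [switch]$EnforceNla          # set UserAuthenticationRequired=1 where it is 0
    )
    foreach ($c in $ComputerName) {
        $ns = 'root\cimv2\TerminalServices'
        # Listener-level settings (NLA, security layer, encryption) live in
        # Win32_TSGeneralSetting; the RDP on/off switch lives in Win32_TerminalServiceSetting.
        $tsg = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting `
                 -Filter "TerminalName='RDP-Tcp'" -ComputerName $c
        $tss = Get-CimInstance -Namespace $ns -ClassName Win32_TerminalServiceSetting `
                 -ComputerName $c

        if ($EnforceNla -and $tsg.UserAuthenticationRequired -ne 1) {
            $tsg | Invoke-CimMethod -MethodName SetUserAuthenticationRequired `
                     -Arguments @{UserAuthenticationRequired = 1} | Out-Null
            $tsg = Get-CimInstance -InputObject $tsg     # re-read after the change
        }

        # Members of the local Remote Desktop Users group, resolved through the
        # Win32_GroupUser association (works remotely, no WinRM needed)
        $members = Get-CimInstance -ClassName Win32_Group -ComputerName $c `
                     -Filter "Name='Remote Desktop Users' AND LocalAccount=TRUE" |
                   Get-CimAssociatedInstance -Association Win32_GroupUser |
                   ForEach-Object { "$($_.Domain)\$($_.Name)" }

        [pscustomobject]@{
            ComputerName       = $c
            RdpEnabled         = ($tss.AllowTSConnections -eq 1)
            NlaRequired        = ($tsg.UserAuthenticationRequired -eq 1)
            SecurityLayer      = @('RDP', 'Negotiate', 'TLS')[$tsg.SecurityLayer]
            MinEncryptionLevel = @('', 'Low', 'ClientCompatible', 'High', 'FIPS')[$tsg.MinEncryptionLevel]
            RemoteDesktopUsers = ($members -join '; ')
        }
    }
}

# Usage: report first, then enforce NLA on servers that still allow pre-session logon
Get-RdpSecurityState -ComputerName 'SRV01', 'SRV02' | Format-Table -AutoSize
Get-RdpSecurityState -ComputerName 'SRV01', 'SRV02' -EnforceNla | Format-Table -AutoSize
```

A server that reports NlaRequired=False, SecurityLayer=RDP or an unexpectedly long RemoteDesktopUsers list is the one to look at first.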

Windows Admin Center and PowerShell

If the Windows Admin Center is already in use on the network and the computer in question is connected, you can enable RDP over the network from Settings\Remote Desktop (Figure 1). You can also connect from WAC itself in the Remote Desktop section. In this case, the connection is opened by the internal WAC gateway, not by the RDP client. The client uses HTTPS to connect to the Admin Center, and the RDP connection to the server is opened from there. Fewer settings can be configured this way, but no connection needs to be set up on the client.

Figure 1: In Windows Admin Center, you can enable the remote desktop and connect to a server in your web browser over RDP.

If you want to control access from the local Remote Desktop Users group in the Windows Admin Center, go to the Local users & groups sidebar item, where you can maintain local user accounts and their groups, and add user accounts to the group in your web browser. You do not need to do this step for admins.

With PowerShell you can query whether or not RDP is enabled on a server; thanks to the -ComputerName parameter, the query also works over the network:

Get-CimInstance -Namespace "root\cimv2\TerminalServices" -ClassName Win32_TerminalServiceSetting -ComputerName <Servername> | Select-Object ServerName, AllowTSConnections

A value of 1 for AllowTSConnections shows that RDP is active on the server. If you see a value of 0, you can enable RDP over the network or locally with PowerShell:

$rdp = Get-CimInstance -Namespace "root/cimv2/TerminalServices" -ClassName "Win32_TerminalServiceSetting" -ComputerName <Servername>
$rdp | Invoke-CimMethod -MethodName "SetAllowTSConnections" -Arguments @{AllowTSConnections=1;ModifyFirewallException=1}

Because ModifyFirewallException is set to 1, the method call also creates the required firewall exception, so that Windows Firewall does not block access.

Group Policies and Firewall Settings

Generally speaking, you can use group policies to control the remote desktop for managing a server. The setting is found in Group Policy Management in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections and is named Allow users to connect remotely by using Remote Desktop Services. If you enable the setting, Windows enables RDP and greys out the corresponding options in the GUI; they can then no longer be changed in the user interface.

If you want to control the remote desktop with group policies, you also need to make sure the firewall rules are defined either manually or by a group policy. The corresponding setting is Windows Firewall: Allow inbound Remote Desktop exceptions, which resides in the path Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile.
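To verify on a server whether RDP is governed by the policy or by the local setting, and to tighten the firewall exception the article mentions to a management subnet, you can use the following added example (not from the article). The management subnet is a placeholder; the registry paths are the ones the policy and the local setting write to, and the "Remote Desktop" display group is the built-in group of the inbound RDP rules.

```powershell
# Added example: policy vs. local RDP setting, plus scoping of the firewall exception.
$MgmtSubnet = '10.10.0.0/24'   # placeholder: admin network that may reach TCP 3389

# The GPO "Allow users to connect remotely by using Remote Desktop Services" writes
# fDenyTSConnections to the Policies hive; the GUI setting lives under Terminal Server.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
            -Name fDenyTSConnections -ErrorAction SilentlyContinue
$local  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
            -Name fDenyTSConnections

if ($null -ne $policy) {
    'RDP controlled by group policy: ' + $(if ($policy.fDenyTSConnections -eq 0) { 'enabled' } else { 'disabled' })
} else {
    'No policy value set; local setting: ' + $(if ($local.fDenyTSConnections -eq 0) { 'enabled' } else { 'disabled' })
}

# The built-in inbound RDP rules share the display group "Remote Desktop"
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
$rules | Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize

# Limit the enabled rules to the management subnet: even with RDP switched on,
# hosts outside that range can no longer reach the listener.
$rules | Where-Object { $_.Enabled -eq 'True' } |
    Set-NetFirewallRule -RemoteAddress $MgmtSubnet

# Verify the effective remote-address scope of every rule in the group
foreach ($r in $rules) {
    $filter = $r | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $r.DisplayName
        Enabled       = $r.Enabled
        RemoteAddress = ($filter.RemoteAddress -join ', ')
    }
}
```

If the rules are delivered by the Domain Profile policy described above, the scope set with Set-NetFirewallRule is overridden at the next policy refresh, so put the subnet restriction into the GPO rule instead.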
