Setting up secure RDP connections
Window to the Server
RDP Files for Quick Access
In addition to the various other tools for establishing RDP connections, the local RDP client in Windows is often launched by typing mstsc.exe. You can configure various settings in the client, such as the desired resolution; pass-through of local resources such as the clipboard, drives, or printers; and the connection quality. All of these settings can be saved in an RDP file by pressing Save as. If you double-click on this file, Windows automatically opens the Remote Desktop Client and connects your user account after authentication. You can also save the login data. You will not find this feature in the Remote Desktop Client, but in Credential Manager in the Control Panel (Figure 2). Login credentials can also be changed, deleted, or added here.
If you connect to a server by double-clicking on an RDP file, a security warning flashes up in most cases because of an unknown certificate. This warning can be avoided by signing the RDP file. You do not need a complete certificate configuration, but you can self-sign RDP files created with built-in Windows tools. The use of these files does entail some security risks. For example, an RDP file that you publish on the network can be used to lure other administrators to malware-infected servers and is a known attack vector. Therefore, it generally makes sense to sign frequently used RDP files – especially if you want other admins to use them, too.
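Because an RDP file both names the target server and decides which local resources are handed over to it, it is worth inspecting one before trusting it. The following PowerShell script is an added example, not code from the article or from Microsoft; it parses the "name:type:value" lines that mstsc.exe writes, reports the target, and flags settings that widen exposure (drive, clipboard, and printer redirection, an authentication level that skips server certificate checks, and a missing signature). The sample file contents and the hostname in them are constructed for the demonstration.

```powershell
# Added example (not from the article): inspect an .rdp file before opening it.
# The keys checked are standard RDP-file settings; the sample below is constructed.

function Get-RdpFileSettings {
    param([Parameter(Mandatory)][string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        # Each setting is "name:type:value" (type i, s, or b); the value may itself contain colons.
        if ($line -match '^(?<name>[^:]+):(?<type>[isb]):(?<value>.*)$') {
            $settings[$Matches.name.Trim()] = $Matches.value
        }
    }
    return $settings
}

function Test-RdpFileRisk {
    param([Parameter(Mandatory)][hashtable]$Settings)
    $findings = @()
    $target = $Settings['full address']
    if (-not $target) { $findings += 'No target host (full address) set' }
    # authentication level 0 connects even when the server certificate fails validation.
    if ($Settings['authentication level'] -eq '0') {
        $findings += 'authentication level 0: server identity is not verified'
    }
    if ($Settings['drivestoredirect']) {
        $findings += "Local drives shared with the server: $($Settings['drivestoredirect'])"
    }
    if ($Settings['redirectclipboard'] -eq '1') { $findings += 'Clipboard shared with the server' }
    if ($Settings['redirectprinters'] -eq '1')  { $findings += 'Printers shared with the server' }
    # rdpsign.exe appends a signature line; without it the publisher cannot be verified.
    if (-not $Settings['signature']) { $findings += 'File is not signed; publisher cannot be verified' }
    [pscustomobject]@{ Target = $target; Findings = $findings }
}

# Constructed sample file contents, in the form Save as in mstsc.exe writes them (hostname is made up).
$sample = @'
full address:s:dl20.example.internal
username:s:admin
authentication level:i:0
redirectclipboard:i:1
drivestoredirect:s:*
redirectprinters:i:0
'@ -split "`r?`n"

$report = Test-RdpFileRisk -Settings (Get-RdpFileSettings -Lines $sample)
"Target: $($report.Target)"
$report.Findings | ForEach-Object { " - $_" }

# For a real file, replace the sample with its contents:
# Test-RdpFileRisk -Settings (Get-RdpFileSettings -Lines (Get-Content C:\temp\dl20.rdp))
```

Run against the constructed sample, the script reports the unverified server identity, the clipboard and full drive redirection, and the missing signature; a file that an administrator did not create and that shows these findings is exactly the kind of lure the paragraph above warns about.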
Signing RDP Files
Windows comes with the rdpsign.exe command-line tool for signing RDP files. It is very easy to use and only has a few options. If a certificate authority (CA) is already in use on the network (e.g., from the AD certificate services), it makes perfect sense to use certificates from this CA to sign your RDP files.
The certificate of the root CA must be installed on all computers that want to connect to the signed RDP file. If the computers are all members of the AD, group policies automatically distribute the root CA's certificates on the network. You need to verify this in advance; the RDP client will not otherwise open the connection because it fails to recognize the certificate.
Signing with a certificate is a simple matter. Use the /sha256 parameter to pass the fingerprint of the certificate with which you want to sign the file. The issuing CA must be trusted by all computers that use this file, and the certificate must support AES 256-bit and be installed on the computer on which you are signing. You can find the thumbprint on the certificate's Details tab in either certmgr.msc for user certificates or certlm.msc for computer certificates.
When you pass the thumbprint in to rdpsign.exe, make sure you type it without spaces, except at the beginning and end of the character string:
rdpsign.exe /sha256 df3e3a36e67a45e8e4cd96a26241ad871679ce1c c:\temp\dl20.rdp
The command then reports the successful signing. If you want to distribute several RDP files, you can sign all of the files at once with a single certificate. To do this, simply create a comma-separated list. You will also notice the effect of signing when you use the file. Instead of an error message, you will see a message stating that the RDP file is signed and that you can view the publisher at this point. If this is not desired, you can use group policy to control the behavior.
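The signing steps above (locate the certificate, copy its thumbprint without spaces, run rdpsign.exe) can be scripted so that a batch of RDP files is signed the same way every time and each result is checked. The script below is an added example, not code from the article or from Microsoft. It assumes the signing certificate is installed in the current user's personal store (what certmgr.msc shows) under a subject name you supply, that the clients trust the issuing CA as described above, and that the file paths given are the files to sign; the subject name and second file name are placeholders.

```powershell
# Added example (not from the article): sign several RDP files with one certificate
# from Cert:\CurrentUser\My using rdpsign.exe, then confirm each file carries a signature.

param(
    [string]$SubjectName = 'CN=RDP Publisher',                          # assumption: your signing cert's subject
    [string[]]$RdpFiles  = @('C:\temp\dl20.rdp', 'C:\temp\dl21.rdp')    # assumption: files to sign
)

# Pick a certificate that matches the subject, has a private key, and has not expired.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No usable signing certificate with subject '$SubjectName' in Cert:\CurrentUser\My"
}

# The Thumbprint property is the value shown on the certificate's Details tab.
# Strip any whitespace a copy-and-paste could have introduced; rdpsign.exe expects none.
$thumbprint = $cert.Thumbprint -replace '\s', ''

foreach ($file in $RdpFiles) {
    if (-not (Test-Path $file)) { Write-Warning "Missing: $file"; continue }

    & rdpsign.exe /sha256 $thumbprint $file
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "rdpsign.exe failed for $file (exit code $LASTEXITCODE)"
        continue
    }

    # rdpsign.exe appends a signature line to the file; its absence means signing did not take.
    $signed = Select-String -Path $file -Pattern '^signature:s:' -Quiet
    [pscustomobject]@{ File = $file; Thumbprint = $thumbprint; Signed = [bool]$signed }
}
```

The script calls rdpsign.exe once per file rather than building a single argument list, so a failure on one file is reported on its own line and does not hide the outcome for the others; the final object per file is what you would keep in a change record, because the thumbprint is also the value the group policy for trusted publishers expects.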
Look for the Specify SHA1 thumbprints of certificates representing trusted .rdp publishers setting in Computer Configuration or User Configuration under Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client. This is also where you enter the certificate's SHA-1 value.
Monitoring RDP Sessions on the Server
As soon as RDP is enabled on a server, up to two admins with different usernames can use the RDP client to connect to that server. A user can also be logged on at the console with a separate user account. You can run the query session command to discover whether any users are currently connected over RDP. After entering the command, you can see any existing RDP sessions or users logged in at the console, as well as the account names with which the users are connected. The query user command shows the connected users and when they logged in by RDP.
At this point, you can reset a session and disconnect it from the server if you have any connection problems (e.g., an account is disconnected or a second admin cannot log in). Disconnecting can also be useful if you suspect that the second connection is an unwanted session. The reset session <ID> command is used for this purpose. Again, the query user command displays the ID. To view the processes launched in RDP sessions on the server, type query process.
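Checking query user by hand works for one server, but the same check is more useful when the output is turned into objects that can be compared against the accounts that are supposed to be there. The PowerShell below is an added example, not code from the article or from Microsoft: it parses query user's table (including disconnected sessions, whose SESSIONNAME column is blank), flags every non-console session that does not belong to an approved admin account, and prints the reset session command for each so the decision to cut a session stays with the operator. The sample output and account names are constructed, not captured from a real server.

```powershell
# Added example (not from the article): turn "query user" output into objects and
# flag sessions that do not belong to approved admin accounts. Sample data is constructed.

function ConvertFrom-QueryUser {
    param([Parameter(Mandatory)][string[]]$Lines)
    # One regex per row; SESSIONNAME is blank for disconnected sessions, so it is optional.
    $rowPattern = '^(?<cur>[> ])(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match '^\s*USERNAME\s+SESSIONNAME') { continue }   # skip the header row
        if ($line -match $rowPattern) {
            [pscustomobject]@{
                User      = $Matches.user
                Session   = $Matches.session            # $null when the session is disconnected
                Id        = [int]$Matches.id
                State     = $Matches.state
                IdleTime  = $Matches.idle
                LogonTime = $Matches.logon
                IsRdp     = [bool]($Matches.session -like 'rdp-tcp*')
                IsCurrent = ($Matches.cur -eq '>')      # ">" marks the session the command ran in
            }
        }
    }
}

function Find-UnexpectedSession {
    param(
        [Parameter(Mandatory)][object[]]$Sessions,
        [Parameter(Mandatory)][string[]]$ApprovedAdmins
    )
    # Anything that is not the console and not an approved account deserves a look;
    # disconnected sessions count too, because their processes keep running.
    $Sessions | Where-Object { $_.Session -ne 'console' -and $ApprovedAdmins -notcontains $_.User }
}

# Constructed sample of "query user" output (account names and times are made up).
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>administrator         console             1  Active      none   3/4/2024 8:02 AM',
    ' jdoe                  rdp-tcp#0           2  Active         .   3/4/2024 9:15 AM',
    ' svc-backup                                3  Disc        2:41   3/3/2024 11:58 PM'
)

$sessions = ConvertFrom-QueryUser -Lines $sample
$suspect  = Find-UnexpectedSession -Sessions $sessions -ApprovedAdmins @('administrator', 'jdoe')
$suspect | ForEach-Object {
    "Unexpected session: $($_.User) (ID $($_.Id), $($_.State), logged on $($_.LogonTime)); " +
    "review it with 'query process' and, if it should not be there, run: reset session $($_.Id)"
}

# On a real server, replace the sample with the live output:
# $sessions = ConvertFrom-QueryUser -Lines (query user)
```

With the constructed sample, only the disconnected svc-backup session is reported, since the console logon and the approved RDP user are expected; the script deliberately prints the reset session command instead of running it, so that query process can be used to look at what the session is doing before it is cut.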