Configuring remote access to a computer via RDP. Protecting and optimizing RDP

Every system administrator knows this protocol, which is widely used in modern computer networks. With it you can connect to a remote machine running one of Microsoft's operating systems and get access to its desktop, file system and so on. This makes it possible to carry out the bulk of configuration and maintenance work without being physically present at the remote PC.

That is why RDP is one of the main tools in the arsenal of technical specialists: without leaving your workplace, you can manage every reachable computer on the network and troubleshoot problems.

History of appearance

The Remote Desktop Protocol, which is what the abbreviation RDP stands for, appeared back in 1998. At that time this proprietary application-level protocol was part of the Windows NT 4.0 Terminal Server operating system and made it possible to implement the idea of remote operation of client-server applications. As you understand, it is not always possible to give every workplace a powerful computer, and in those distant years performance left much to be desired.

The solution was the following construction: a powerful server (or a cluster of servers) performs the bulk of the computing, and low-powered client computers or applications connect to it over RDP and carry out their tasks there. This made it possible to work with complex applications on end-user nodes even with limited resources: the main load fell on the server, and the client PC received only the result of the operation on its monitor.

RDP protocol description

  • By default, TCP port 3389 is used for the connection.
  • As mentioned above, when connected you can work with files on the remote machine.
  • For security, encryption is implemented with 56- and 128-bit keys.
  • Also for security, the capabilities of the TLS protocols are used.
  • Shared clipboard: you can copy data from the remote machine and paste it on your local PC.
  • Local resources can be connected to the remote PC.
  • RDP provides access to the local computer's ports (serial and parallel).

Principle of operation

RDP is built on top of the TCP protocol stack. First, a connection is established between the client and the server at the transport level. Then the RDP session is initiated; at this stage the main parameters are negotiated: encryption, connected devices, graphics settings and so on.

Once everything is configured, the RDP session is ready to work. The client PC receives from the server the graphical image that results from the commands it sends from its keyboard or mouse.

Authentication

If RDP security is configured, authentication occurs as follows:

  1. When the connection is initialized, a pair of RSA keys is generated.
  2. Next, a special public key certificate is created.
  3. The operating system signs this certificate with the RSA key.
  4. Next, the client connects to the server, receives the certificate from it, and if the certificate passes the check, a remote control session is initialized.

How to start

In operating systems such as Windows XP, Vista and 7, the Remote Desktop Connection client is enabled by default. To launch it, press the keyboard shortcut Win + R, type mstsc and press Enter.

RDP is a convenient, efficient and practical tool for remote access, both for administration and for everyday work.

Given that its implementations are almost everywhere (various platforms and OSes) and there are many of them, you need to be well aware of its capabilities.

At the very least this is necessary for a number of reasons:

  • Often another solution (VNC, Citrix ICA) is used instead of RDP for a simple reason: it is assumed that “the built-in RDP is minimal and can do nothing”.
  • In many solutions around the now-fashionable cloud technologies (moving offices to “thin clients”, or simply setting up terminal servers), there is an opinion that “RDP is bad because it is built-in”.
  • There is the standard myth that “RDP cannot be exposed to the outside without a VPN, it will be broken into” (the myth has a justification, but it has long been out of date).
  • And since we are on the subject of myths, there is an opinion that “after switching from RDP to Citrix, the traffic drops several times over”. After all, Citrix is expensive, therefore at least 157% cooler.

All these myths are nonsense: a mixture of outdated “good advice” that was relevant in the days of NT 4.0 and outright fiction with no basis. Since IT is an exact science, it needs to be sorted out. A well-tuned RDP of the newer versions, with all the new functionality taken into account, is a fairly good and reliable tool for organizing remote access.

Therefore, we will deal with:

  • A brief mention of RDP versions
  • Configuring the protection mode of the RDP session
  • Configuring encryption for RDP
  • Binding to a specific adapter and port
    • Changing the standard port to the desired one
    • Making separate RDP settings for multiple network adapters
  • Enabling NLA
    • NLA and Windows XP
    • How to enable CredSSP in XP
  • Choosing the right certificate for RDP
  • Blocking RDP connections for accounts with an empty password
  • RDP speed optimization
  • RDP compression optimization
  • Optimizing the ratio of RDP data streams
  • Enabling Require secure RPC communication for RDP

Let's get started.

RDP protocol versions

The protocol has a fairly long history, starting with NT 4.0. We will leave the historical details aside for a simple reason: at the moment it only makes sense to talk about RDP 7.0, which ships in Windows Vista SP1 / Windows Server 2008 and can be added to Windows XP for free by installing SP3 and an updated RDP client (see KB 969084). I assume that you have at least Windows XP, that you have or can install the latest Service Pack, and that you do not want to waste your time discussing the advantages of RDP in Windows 2000 SP2 over NT 4.0 SP5.

Configuring RDP Session Protection Mode

Basically, this is the easiest part of the task. The gist is as follows. Different versions of RDP use two main mechanisms for securing the session: the built-in RDP security layer and “wrapping” the session in TLS. The built-in one is not secure enough, and the recommendation “RDP only over a VPN from the outside” is about it. Therefore, always enable TLS support; this is the minimum you should start with. The only limitations are that the server must be at least Windows Server 2003 SP1 and the RDP client at least version 5.2, but I think that at the end of 2011 this can be solved.

How to enable RDP over TLS

As always, there are several options. The first is enabling it via Group Policy. To do this, go to the target Group Policy object (or run gpedit.msc locally on your workstation), select “Computer Configuration” -> “Administrative Templates” -> “Windows Components” -> “Remote Desktop Session Host” -> “Security” and enable the Require use of specific security layer for remote connections parameter there, selecting SSL (TLS 1.0) only. You can also choose the softer Negotiate, but I would not recommend it, because at the moment it is frankly below the acceptable level of security. As someone who has built private clouds with a fairly high level of security, I can say that taking especially valuable data to a data center near London and then going there with default RDP makes no sense and is asking for trouble.

Even simpler: open the Remote Desktop Session Host Configuration snap-in (found in mmc, or ready-made in the Administrative Tools -> Remote Desktop Connections menu), select the desired connection from the Connections list (usually there is one, called RDP-Tcp), open Properties, then the General tab, and select the desired Security Layer there.

For TLS to work, a digital certificate is required (at least on the server side). Usually one is already there (generated automatically); make sure it exists, and we'll talk later about how to make it a good one. For now you just need to have it, otherwise you won't be able to connect.

Configuring encryption for RDP

Four encryption options are available for configuration. Let's consider each of them.

RDP Low Encryption Mode

The first “no” mode, a legacy of the terrible times of RDP 5.x. It can negotiate 56-bit DES or 40-bit RC2 encryption, which is not serious at the moment. Not needed and dangerous. For example, if you enable it, TLS will not be enabled, because TLS will refuse to negotiate the weak ciphers this option offers.

RDP Client Compatible Encryption Mode

The second “no” mode, another legacy of the terrible times of RDP 5.x. It will try up to 128-bit RC4, but will agree to DES / RC2 right away. Not needed and dangerous. Also not TLS compatible.

RDP High Encryption Mode

The minimum allowed mode. Requires at least 128-bit RC4. Works with all servers starting from Windows 2000 Server with the High Encryption Pack (HEP).

RDP FIPS140-1 Encryption Mode

Exactly what is needed. It supports modern symmetric algorithms, explicitly refuses RC2, RC4 and single DES, and also forces the use of SHA-1 rather than MD5 for Message Authentication Code (MAC) integrity computation. Always enable this option; finding a server that cannot do 3DES, AES or SHA-1 is almost impossible.

Where is this setting made? Open the Remote Desktop Session Host Configuration snap-in (found in mmc, or ready-made in the Administrative Tools -> Remote Desktop Connections menu), select the desired connection from the Connections list (usually there is one, called RDP-Tcp), open Properties, then the General tab, and select the required Encryption Level there.

Bind RDP to a specific adapter and port

For the server to work safely and predictably (for example, so that it does not start accepting connections on a freshly added network adapter), you need to state explicitly on which interfaces the RDP server service should accept connections. Plus, it is often useful to change the port the server listens on. Of course, you can do this by publishing the RDP server through some gateway, but you can also do it without one. These seemingly basic actions significantly reduce the share of foolish script kiddies who check well-known ports with yet another “powerful tool”.

How to bind the RDP service to a specific network adapter, or run multiple RDP listeners with different settings on different adapters

Open the Remote Desktop Session Host Configuration snap-in (found in mmc, or ready-made in the Administrative Tools -> Remote Desktop Connections menu), select the desired connection from the Connections list (usually there is one, called RDP-Tcp), open Properties, then the Network Interfaces tab. There you can select one specific interface on which to wait for connections, and also limit the number of parallel sessions.

If you have many interfaces and need, say, to accept connections on 2 of the 5 available, bind the default RDP-Tcp to one adapter, then go to the Action menu and select Create New Connection. A connection can listen either on all interfaces or on one, so when it needs to listen on N interfaces you will have to create N connections.

Accordingly, the task “RDP should listen on one interface on one port, and on another interface on another port” is solved the same way: detach the default RDP-Tcp from all adapters and bind it to a specific one, then create a new RDP connection and bind it to the other network interface.

How to bind the RDP service to a non-default port

The default port is 3389 TCP. By the way, don't forget to allow it in your packet filter. If you want something else, go to the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

and correct the PortNumber value in it. Keep in mind that tracking port conflicts is on your conscience: if the service discovers that the port you designated is busy, it will not be able to “jump” anywhere by itself.
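The port change above, scripted with the conflict check the article leaves to you, as an added example that is not part of the original article. It assumes an elevated PowerShell on Windows Server 2008 R2 / Windows 7 or later; the port 33890 and the firewall rule name are constructed values.

```powershell
# Added example, not from the original article: move the RDP listener to a
# non-default port, refusing if something already listens there, and open the
# matching inbound firewall rule. Assumes an elevated PowerShell on Windows
# Server 2008 R2 / Windows 7 or later. 33890 is a made-up port; pick your own.
param([int]$NewPort = 33890)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-TcpListener([int]$Port) {
    # The service will not "jump" to another port if this one is busy, so the
    # conflict check is on us: look for an existing LISTENING socket on the port.
    netstat -ano -p tcp | Where-Object { $_ -match ":$Port\s+\S+\s+LISTENING\s+\d+$" }
}

if ($NewPort -lt 1 -or $NewPort -gt 65535) { throw "Port $NewPort is out of range" }

$busy = Get-TcpListener -Port $NewPort
if ($busy) { throw "TCP port $NewPort is already in use:`n$($busy -join "`n")" }

$oldPort = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Write-Host "Current RDP port: $oldPort, switching to $NewPort"

# 1. Change the listener port (the REG_DWORD PortNumber value the article describes).
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# 2. The built-in "Remote Desktop" firewall rule is tied to 3389; add a rule for
#    the new port so the change does not lock you out. Rule name is constructed.
& netsh advfirewall firewall add rule "name=Remote Desktop (TCP $NewPort)" `
    dir=in action=allow protocol=TCP localport=$NewPort | Out-Null

# 3. The new port takes effect only after the service restarts. If you are doing
#    this over RDP, your own session drops here; reconnect as host:$NewPort.
Restart-Service -Name TermService -Force

Start-Sleep -Seconds 5
if (Get-TcpListener -Port $NewPort) {
    Write-Host "RDP now listening on TCP $NewPort"
} else {
    Write-Warning "No listener on TCP $NewPort yet; check the TermService event log"
}
```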

Turn on NLA - Network Level Authentication

The NLA function appeared in NT 6.0, and later the ability to partially use it was added to the previous OS version by installing SP3 for XP.
The essence of the function is quite simple. In RDP versions before 6.0, a connecting client has to be shown the logon window before authentication, i.e. first a session is shown, and only then does the user try to log in. This creates a simple vulnerability: the server can be overloaded with a heap of “let me try to start a new session” requests, and it is forced to answer every one of them by creating a session and waiting for the user to log on. In effect, this is a DoS opportunity. How do you deal with it? Logically, you need a scheme whose purpose is to request credentials from the client as early as possible, ideally something like Kerberos in a domain. That is what was done. NLA has two objectives:

  • The client is authenticated before the terminal session is started.
  • It becomes possible to pass the data of the client's local SSP to the server, i.e. Single Sign-On starts working.

This is implemented through a new security provider, CredSSP. You can read its technical specification; to put it simply, you should always enable this function, given, of course, that for it to work:

  • the client OS (the one you connect from) must be Windows XP SP3 or higher;
  • the server OS (the one you connect to) must be Windows Server 2008 or higher.

Note: although the Windows Server 2003 kernel is newer than XP's (5.2 vs. 5.1), there is an update that adds NLA support for Windows XP but not for Windows Server 2003. That is, even from the latest available version, Windows Server 2003 R2 SP2 with all patches, you will be able neither to connect to a server that requires NLA nor to act as a server that supports NLA. Alas.

How NLA is enabled from the RDP server side

It is best to enable NLA on all servers through Group Policy. To do this, go to the target Group Policy object, select “Computer Configuration” -> “Administrative Templates” -> “Windows Components” -> “Remote Desktop Session Host” -> “Security” there, and enable the Require user authentication for remote connections by using Network Level Authentication parameter.

You can also enable it locally. Open the Properties of Computer (the standard context menu item) and select the Remote tab, where there is a choice of three options: deny RDP connections to this host, allow connections from any RDP client, or allow only connections with NLA. Always enable the NLA option; it primarily protects the server.

NLA and Windows XP

If you have Windows XP, you can also use this function. The common statement “NLA needs at least Vista, Microsoft did it to force upgrades” is false. Service Pack 3 adds an implementation of CredSSP to delegate the client credentials held by the local SSP to the server. To put it simply, it was made specifically so that from Windows XP it is possible to connect to systems with NT 6.0+. You cannot connect to Windows XP SP3 itself with this function; its NLA support is partial (therefore an RDP server that accepts NLA clients cannot be made out of Windows XP by standard methods; Windows XP will only be an NLA-capable client).

Note: NLA has existed since NT 6.0 and is part of the stack of technologies called RDP 6.0. The third service pack for XP brings not just RDP 6.0 but the ability to install RDP 7.0, which is quite positive (for example, RDP 7.0, unlike 6.0, has EasyPrint, bidirectional audio and a few other things that turn an RDP client on Windows XP, with all the trimmings, into a fairly practical system). So much for bad Microsoft, which supposedly forced everyone so terribly to upgrade from Windows XP to bad, bad Vista, yet built into the free service pack for a 2001 product an RDP subsystem newer than the one that shipped with Vista in 2006.

This functionality must be enabled explicitly: although Service Pack 3 adds the new cryptographic provider DLL, it does not enable it.

How to enable CredSSP in XP

Once again: this operation is carried out strictly after Service Pack 3 has been installed on Windows XP, and in the context of our conversation it is needed in order to be able to connect to other servers via RDP 6.1 using NLA.

Step one: expand the list of Security Packages.
To do this, open the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

and find the Security Packages value in it. Right-click and select “Modify” (not Modify Binary Data, just Modify). There will be a list in the form “one package name per line”. Add tspkg there. The rest must be left as is; where you add it is not critical.

Step two: hook up the library.
The key is different this time:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

In it, find the SecurityProviders value (note that, as in the previous case, this is a value, not a subkey) and modify it by analogy, only adding credssp.dll this time. The rest of the list, again, must not be touched.

You can now close the registry editor. After these operations the system must be rebooted: crypto providers are not something that gets picked up on the fly, and that is more good than bad.

Choosing the right certificate for RDP

If you can use a non-default certificate for RDP, it is better to do so. This will not affect the security of the session as such, but it will affect the security and usability of the connection. The certificate best suited for this should satisfy the following points:

  • A name (in the Subject or SAN) that matches, character by character, the name the connecting client enters.
  • A normal CDP extension pointing to a working CRL (preferably at least two: OCSP and static).
  • The desired key size is 2048 bits. More is possible, but remember the XP / 2003 CAPI2 limitations.
  • Do not experiment with signature / hashing algorithms if you need connections from the XP / 2003 side. In short, choose SHA-1, that's enough.

I will dwell a little more on the issue of a special certificate for the RDP server.

Special certificate template for RDP servers

Ideally, the certificate for RDP is made not from a regular template (such as Web Server), which puts the standard Client Authentication and Server Authentication values into the Application Policy field (called Enhanced Key Usage, EKU, in the certificate itself), but from your own template containing a single, special application policy value that is not added by standard methods: Remote Desktop Authentication. This Application Policy value has to be created manually; its OID is 1.3.6.1.4.1.311.54.1.2. After that you can create a new certificate template and issue on its basis a certificate that is targeted at the RDP server.

To fully automate this, give the new template a predictable name, for example “RDPServerCert”, and go to the Group Policy object, where you open Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security. Select the Server Authentication Certificate Template parameter, enable it, and enter the name in the value field (we called it RDPServerCert). Now all domain hosts that fall under this policy and have RDP enabled will go to the Certification Authority themselves, request a certificate based on the specified template if they do not already have one, and automatically make it the default for protecting RDP connections. Simple, convenient, effective.
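A check of the certificate actually bound to the RDP-Tcp listener against the checklist above (name match, CDP extension, 2048-bit key, SHA-1 signature for XP/2003 clients, Remote Desktop Authentication EKU), as an added example that is not part of the original article. It assumes Windows Server 2008 R2 or later with the RDS WMI provider and an elevated shell; $ExpectedName stands for the host name clients type into mstsc and is a constructed default.

```powershell
# Added example, not from the original article: inspect the certificate currently
# bound to the RDP-Tcp listener against the article's checklist. Assumes Windows
# Server 2008 R2 or later (RDS WMI provider present), run elevated. $ExpectedName
# is the name clients connect with; the default is a constructed placeholder.
param([string]$ExpectedName = $env:COMPUTERNAME)

$rdpEku = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication OID from the article

# The listener stores the SHA-1 thumbprint of the certificate it presents.
$setting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $setting.SSLCertificateSHA1Hash }
if (-not $cert) { throw "No certificate in LocalMachine\My matches the RDP-Tcp thumbprint" }

function Get-CertDnsNames($c) {
    # Subject CN (or first DNS name) plus every DNS entry of the SAN extension.
    $names = @($c.GetNameInfo('DnsName', $false))
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $names | Where-Object { $_ } | Select-Object -Unique
}

$ekus = @()
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($ekuExt) {
    $ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
        ForEach-Object { $_.Value }
}
$hasCdp = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })

$checks = @(
    @{ Name = "Name matches '$ExpectedName' exactly"; Ok = ((Get-CertDnsNames $cert) -ccontains $ExpectedName) },
    @{ Name = 'CDP extension present';                Ok = $hasCdp },
    @{ Name = 'Key size >= 2048 bits';                Ok = ($cert.PublicKey.Key.KeySize -ge 2048) },
    @{ Name = 'SHA-1 signature (XP/2003 clients)';    Ok = ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') },
    @{ Name = 'Remote Desktop Authentication EKU';    Ok = ($ekus -contains $rdpEku) },
    @{ Name = 'Not expired';                          Ok = ($cert.NotAfter -gt (Get-Date)) }
)
foreach ($c in $checks) {
    $mark = if ($c.Ok) { 'OK  ' } else { 'FAIL' }
    Write-Host "$mark $($c.Name)"
}
```

The name check is case-sensitive (-ccontains) on purpose: the article asks for a character-by-character match with what the client types.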

Block RDP connections for accounts with an empty password

A trifle, but one you must not forget.
To block accounts without passwords from connecting via RDP, go to the Group Policy object settings: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set “Accounts: Limit local account use of blank passwords to console logon only” to Enabled. Take the time to check that this is actually the case.

Configuring ACL for RDP Connection

By default, you must have explicit User Access or Guest Access permission to connect to an RDP server.
The local Administrators and Remote Desktop Users groups have this permission. It is best to control access to the RDP server through the Remote Desktop Users group, adding the necessary domain groups to it rather than individual users. Modify the contents of the Security tab in the Properties of RDP-Tcp only as a last resort, and preferably only by adding an “RDP Blocked hostname” group that is explicitly denied RDP access to the given host.

RDP speed optimization

Optimizing RDP speed is a fairly extensive topic, so I'll break it into parts. This part covers the methods that reduce the load on the protocol before compression and before optimizing the network layer.

Color depth

In RDP 7.0 and above, 32-, 16- and 8-bit options are available. If we are talking about work, 16 bits is enough. This significantly reduces the load on the channel, sometimes by more than 2 times, which is surprising but true. 8 bits is of course also possible, but it looks painfully scary. 16 bits is perfectly acceptable.

Note: 8-bit connections are no longer available in Windows Server 2008 R2.

Enable the Limit Maximum Color Depth parameter on the server, or do the same in the RDP client settings.

Disable ClearType

With ClearType disabled, RDP transmits not a picture but commands for drawing characters. With it enabled, the server renders an image, compresses it and sends it to the client, which is guaranteed to be several times less efficient. So disabling ClearType will greatly speed up work and reduce response time; you will be surprised how much.

This can be done both at the client settings level and on the server side (the Do not allow font smoothing parameter in the Remote Session Environment section under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host).

Remove wallpaper

The Enforce removal of RD Wallpaper parameter in the Remote Session Environment section under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host will dramatically improve the redrawing of the terminal session screen. Users survive fine without cats on the desktop; this has been verified.

Turn on and configure image caching

If the client has enough RAM, it makes sense to enable and configure bitmap caching. This will win up to 20-50% of the bandwidth. To set it up, go to the key

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\

and create the BitmapPersistCacheSize and BitmapCacheSize parameters there, both of type DWORD 32.
The BitmapPersistCacheSize parameter specifies the size, in kilobytes, of the disk cache. The default is 10. It makes sense to increase it to at least 1000.
The BitmapCacheSize parameter specifies the size, in kilobytes, of the cache in RAM. The default is 1500. It makes sense to increase it to at least 5000. That is only 5 megabytes per client session, which is insignificant at modern RAM scales, and even if it only brings a 10% performance gain, it will pay off. By the way, the same parameter can be set in the .rdp file: if you save your RDP connection and then open the file with Notepad, you can add something like bitmapcachesize:i:5000 among the parameters, where 5000 is a 5 MB cache.

Disable Desktop Composition

Desktop Composition brings all sorts of “niceties” like Aero and friends and noticeably eats up bandwidth. For work this is unnecessary and harmful. The Allow desktop composition for RDP Sessions parameter in the Remote Session Environment section under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host must be set to Disabled.

Optimizing Desktop Window Manager Settings

The parameters in the Remote Session Environment section under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Desktop Window Manager control the “nice” display of smoothly sliding menus and the like. There are three of them: Do not allow window animations, Do not allow desktop composition and Do not allow Flip3D invocation. All of them must be set to Enabled, which in effect disables all these functions.

Disable redirecting unused devices

If you do not plan to connect certain classes of devices (for example COM and LPT ports) or audio, it makes sense to disable the ability to redirect them on the server side, so that clients with default RDP client settings do not waste connection time negotiating unused functionality. This is done in the same place as the other server settings: in the Properties of RDP-Tcp, on the Client Settings tab (where we set the color depth), in the Redirection section.

Setting up the general logic of RDP visual data optimization

An option called Optimize visual experience for RDP sessions, found in the Remote Session Environment section under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host, controls how RDP treats visual data: as multimedia or as text. Roughly speaking, this is a “hint” to the compression algorithm on how to behave more competently. Accordingly, for work set this parameter to Text; if you want lots of beautiful Flash banners, HTML5 and video clips, the Rich Multimedia option is better.

RDP compression optimization

Compression in RDP has come a long way. Up to and including RDP 5.2 there was a compression subsystem (“compressor”) with the internal name “Version 1”: the simplest and lightest option in terms of client processor load, but the worst in terms of network traffic. RDP 6.0 brought “Version 2”, slightly improved in compression efficiency. We are interested in “Version 3”, which only works when connecting to Windows Server 2008 and later servers. It compresses better than the others, and the cost in processor time, given the power of modern computers, is insignificant.

The gain from enabling V3 can, judging by the tests, reach 60%, and in general it is noticeable to the naked eye even without tests.

How to enable optimal compression in RDP

This is a client setting. Open Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Remote Session Environment in the desired Group Policy object, select the Set compression algorithm for RDP data parameter, enable it and select Optimize to use less network bandwidth.

Note: many people wonder why there is a “disable compression” option in the list. It is needed when your RDP sessions are compressed by an external WAN optimization device, something like Cisco WAAS. In other cases, of course, it makes no sense to disable compression.

Setting the audio stream compression

RDP 7.0 brings an excellent ability to adjust the compression quality of the incoming audio stream (i.e. the audio that goes from server to client). This is quite useful: for example, if you are working on a terminal server, apart from service sounds like “a message has arrived in ICQ”, no other audio is particularly planned. It makes no sense to transfer uncompressed CD-quality audio from the server if you don't need it for work. Accordingly, you need to adjust the compression level of the audio stream.
This parameter is called Limit audio playback quality and is located in the Device and Resource Redirection section under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host. There are three options:

  • High: the sound goes uncompressed. Entirely. That is, it falls under the general compression of the RDP protocol, but no specific (lossy) audio compression is performed.
  • Medium: compression adapts to the channel so as not to increase the data transfer delay.
  • Dynamic: compression adapts dynamically to the channel so that the delay does not exceed 150 ms.

Choose the right one. As you can see, it is better to choose Dynamic for office work.

Optimizing the ratio of data streams in RDP

RDP session traffic is not monolithic. On the contrary, it is quite clearly divided into the data streams of redirected devices (for example, copying a file from the local host to the terminal server), the audio stream, the drawing-primitive command stream (RDP tries to transmit commands for drawing primitives and falls back to bitmaps only as a last resort), and the input device streams (mouse and keyboard).

The relationship between these streams and the logic of computing it (a kind of local QoS) can be influenced. To do this, go to the registry key on the server side

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD

and, to begin with, create four values there (if they are not already present):

  • FlowControlDisable
  • FlowControlDisplayBandwidth
  • FlowControlChannelBandwidth
  • FlowControlChargePostCompression

Type for all of them: DWORD 32. The functionality of the values is as follows.
FlowControlDisable determines whether prioritization is used at all. A value of one disables prioritization, zero enables it. Turn it on.
FlowControlDisplayBandwidth and FlowControlChannelBandwidth determine the relationship between two data streams:

  • User interaction flow (image + input devices)
  • Other data (block devices, clipboard and everything else)

The values of these keys themselves are not critical; how they relate is. That is, if you set FlowControlDisplayBandwidth to one and FlowControlChannelBandwidth to four, the ratio will be 1:4, and 20% of the bandwidth will be allocated to the user interaction stream and 80% to the rest. If you set 15 and 60, the result is identical, since the ratio is the same.
FlowControlChargePostCompression determines when this ratio is calculated: before or after compression. Zero is before compression, one is after.

For the configuration “our server is far away, everyone in the office connects to it via RDP and runs 1C”, I recommend setting the ratio to 1:1 and counting it after compression. From experience this really helps in the situation “printing a large document from the terminal server to a local printer”. But this is not dogma: experiment, since you already have the main tool, knowledge of how it counts and works.
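The four TermDD values applied as a function that takes the two weights, keeps the inverted meaning of FlowControlDisable straight, and reports the resulting bandwidth split, as an added example that is not part of the original article. It assumes an elevated PowerShell on a Windows Server 2008 or later session host; the function name is mine.

```powershell
# Added example, not from the original article: apply the flow-control ratio the
# article recommends (1:1, charged after compression) to the TermDD service and
# show what share of the bandwidth each stream gets. Assumes an elevated shell on a
# Windows Server 2008 or later session host. Set-RdpFlowControl is a made-up name.
function Set-RdpFlowControl {
    param(
        [int]$DisplayBandwidth = 1,        # user interaction: image + input devices
        [int]$ChannelBandwidth = 1,        # everything else: block devices, clipboard, ...
        [bool]$ChargePostCompression = $true
    )
    if ($DisplayBandwidth -lt 1 -or $ChannelBandwidth -lt 1) { throw 'Weights must be positive' }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD'
    # Inverted meaning, as the article warns: FlowControlDisable = 0 turns prioritization ON.
    $values = @{
        FlowControlDisable               = 0
        FlowControlDisplayBandwidth      = $DisplayBandwidth
        FlowControlChannelBandwidth      = $ChannelBandwidth
        FlowControlChargePostCompression = [int]$ChargePostCompression
    }
    foreach ($name in $values.Keys) {
        # Set-ItemProperty creates the value if it does not exist yet.
        Set-ItemProperty -Path $key -Name $name -Value $values[$name] -Type DWord
    }
    # Only the ratio matters: 1:4 and 15:60 both give 20% / 80%.
    $total = $DisplayBandwidth + $ChannelBandwidth
    New-Object PSObject -Property @{
        DisplayPercent          = [math]::Round(100 * $DisplayBandwidth / $total, 1)
        ChannelPercent          = [math]::Round(100 * $ChannelBandwidth / $total, 1)
        ChargedAfterCompression = $ChargePostCompression
    }
}

# The article's recommendation for "server far away, whole office on RDP, 1C":
Set-RdpFlowControl -DisplayBandwidth 1 -ChannelBandwidth 1 -ChargePostCompression $true
# New sessions pick the values up after the Remote Desktop Services service restarts.
```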

Enable Require secure RPC communication for RDP

This setting works like the Secure RPC settings in the Security section of Group Policy, which affect the whole system, but it is easier to configure. Enabling it makes encryption mandatory for all client RPC requests (the minimum cipher depends on the system settings: RC4/DES, or 3DES/AES if FIPS 140 mode is enabled) and requires at least NTLMv2 for authenticating remote procedure calls. Always enable this option. There is a myth that it does not work outside a domain. That is not the case, and hardening RPC security will not hurt anyone.

This is a server-side setting. In the relevant GPO, open Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security, select Require secure RPC communication and enable it.
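For a stand-alone host with no domain GPO, the same setting can be applied and audited through the local policy registry key. This is an added PowerShell example, not code from the article; the assumption that the GPO setting maps to the REG_DWORD `fEncryptRPCTraffic` under the Terminal Services policy key comes from the Group Policy registry reference, not from the article.

```powershell
# Added example (not from the original article): check and enforce
# "Require secure RPC communication" on a session host without domain GPO.
# Assumption: the GPO setting maps to REG_DWORD fEncryptRPCTraffic under the
# policy key below (Group Policy registry reference, not the article).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpSecureRpcState {
    $v = (Get-ItemProperty -Path $PolicyKey -Name fEncryptRPCTraffic -ErrorAction SilentlyContinue).fEncryptRPCTraffic
    if ($null -eq $v) { return 'NotConfigured' }   # policy absent: unsecured RPC is still accepted
    if ($v -eq 1)     { return 'Enabled' }         # secure RPC required for all client RPC calls
    return 'Disabled'                              # explicitly set to 0
}

function Enable-RdpSecureRpc {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name fEncryptRPCTraffic -Value 1 -PropertyType DWord -Force | Out-Null
    # Assumption: the value is read per connection, so new sessions see it without a reboot.
    Get-RdpSecureRpcState
}

"Before: $(Get-RdpSecureRpcState)"
"After:  $(Enable-RdpSecureRpc)"
```

Note that a value written here is a local policy: if the host later joins a domain whose GPO configures the same setting, the domain value wins and `gpresult /h` is the place to confirm which one is in effect.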

Remote Desktop Protocol (RDP) provides remote access over a network to the desktop of computers running a Windows operating system. It is used to connect thin clients to a Windows terminal server running Microsoft Terminal Services. It was developed by Microsoft.

RDP is officially supported in Windows Server 2008, Windows Server 2003, Windows Home Server, Windows XP Professional, Windows XP Media Center and Tablet PC Editions, and the Ultimate, Enterprise and Business editions of Windows Vista. All versions of Windows XP and Vista include the Remote Desktop Connection (RDC) client application.

Key features of the RDP protocol

  • Supports RC4 encryption with 128- or 56-bit keys
  • Supports TLS (Transport Layer Security) protocols
  • User authentication using smart cards (on the server through Microsoft Terminal Services)
  • Local computer audio support for terminal server applications
  • File System Redirection - allows you to work with files of a local computer on a remote terminal server
  • Printer Redirection - allows you to print to a printer on a local computer from applications running on a remote terminal server
  • Port Redirection - opens access to serial and parallel ports of a local computer for applications running on a remote terminal server
  • Sharing the clipboard both on the local computer and on a remote terminal server
  • Display color depth: 24, 16, 15 or 8 bit

Although RDP packets themselves travel over the network encrypted, the terminal session can still be exposed to a man-in-the-middle attack, because neither the server nor the client authenticates the other party (in particular, the client cannot verify that the public key it encrypts to belongs to the server it meant to reach). Therefore, to build a genuinely secure solution, you must use the RDP over SSL/TLS protection introduced in Windows Server 2003 Service Pack 1.
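What "use the SSL protection" means on the host, as an added PowerShell example (not code from the article): audit the RDP-Tcp listener's security layer, minimum encryption level and Network Level Authentication through the Win32_TSGeneralSetting WMI class, and move it off the legacy RDP security layer. The class, namespace and method names are Microsoft's; the `Weak` verdict and the function names are my additions.

```powershell
# Added example (not from the original article): audit the RDP-Tcp listener and
# switch it from the legacy "RDP Security Layer" (the MITM-exposed mode above)
# to SSL/TLS with NLA. Uses the Win32_TSGeneralSetting WMI class in
# root\cimv2\TerminalServices; run elevated on the session host.
$TsNamespace = 'root\cimv2\TerminalServices'

function Get-RdpListener {
    param([string]$Listener = 'RDP-Tcp')
    Get-CimInstance -Namespace $TsNamespace -ClassName Win32_TSGeneralSetting -Filter "TerminalName='$Listener'"
}

function Get-RdpSecurityPosture {
    param([string]$Listener = 'RDP-Tcp')
    $ts = Get-RdpListener $Listener
    $layerNames = @{ 0 = 'RDP Security Layer (no server authentication)'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }
    $levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS' }
    [pscustomobject]@{
        Listener           = $ts.TerminalName
        SecurityLayer      = '{0} ({1})' -f $ts.SecurityLayer, $layerNames[[int]$ts.SecurityLayer]
        MinEncryptionLevel = '{0} ({1})' -f $ts.MinEncryptionLevel, $levelNames[[int]$ts.MinEncryptionLevel]
        NlaRequired        = [bool]$ts.UserAuthenticationRequired
        CertThumbprint     = $ts.SSLCertificateSHA1Hash   # the certificate clients must validate
        # "Weak" is this example's own verdict: anything but TLS + NLA
        Weak               = ($ts.SecurityLayer -ne 2) -or (-not $ts.UserAuthenticationRequired)
    }
}

function Set-RdpTlsWithNla {
    param([string]$Listener = 'RDP-Tcp')
    $ts = Get-RdpListener $Listener
    # 2 = SSL/TLS: the server proves possession of its certificate key before credentials flow
    Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer -Arguments @{ SecurityLayer = 2 } | Out-Null
    # 3 = High: 128-bit encryption in both directions
    Invoke-CimMethod -InputObject $ts -MethodName SetEncryptionLevel -Arguments @{ MinEncryptionLevel = 3 } | Out-Null
    # NLA: the user is authenticated (CredSSP) before a session and its desktop are created
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    Get-RdpSecurityPosture $Listener
}

Get-RdpSecurityPosture | Format-List
Set-RdpTlsWithNla      | Format-List
```

The caveat a practitioner should keep in mind: TLS only defeats the man-in-the-middle if clients actually validate the certificate whose thumbprint `CertThumbprint` shows. With the default self-signed certificate a user who clicks through the warning is no better off, so issue the listener certificate from an internal CA the clients trust, or pin the thumbprint in the .rdp files you distribute.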

New features in the sixth version of RDP

  • Remote Applications. Direct launch of applications on the server in a dedicated terminal session without opening a terminal session window. Support for file associations of the local computer - the ability to run applications on the server to open a document on the local computer in accordance with the extension in the file name.
  • Seamless Windows. Emulation of a local computer window with the launch of an application on a terminal server. Automatic authentication on the server with user account details. Automatic termination of the corresponding terminal session when the application terminates.
  • Terminal Server Gateway. Supports RDP connections through a gateway server running on IIS over HTTPS. Provides a secure connection to a terminal server located behind the gateway on the enterprise's internal network.
  • Windows Aero Glass. Windows Aero Glass support including ClearType font smoothing.
  • Windows Presentation Foundation. Supported on any client with the .NET Framework 3.0 installed.
  • Fully customizable terminal services including script support using Windows Management Instrumentation.
  • Improved bandwidth management for RDP clients.
  • Support for multiple monitors. Splitting the screen of a terminal session across multiple monitors. Works with Windows Vista systems only.
  • Display color depth: 32, 24, 16, 15 or 8 bit