Remote access to a server over the Internet via RDP: connecting to a remote desktop with the built-in Windows RDP client

There is a widespread opinion that connecting via Windows Remote Desktop (RDP) is far less safe than the alternatives (VNC, TeamViewer and so on), so that opening access from outside to any computer or server on the local network is reckless: it will certainly be hacked. The second argument against RDP usually goes "it eats traffic, not an option on a slow Internet link". Most of the time neither argument is substantiated.

The RDP protocol has been around for a long time; it debuted in Windows NT 4.0 Terminal Server Edition more than 20 years ago, and a great deal has changed since. Configured properly, with the TLS security layer, Network Level Authentication and accounts with real passwords, RDP is no less secure than other remote access solutions. What it is not is secure by default: a listener exposed to the Internet with password-only accounts gets brute-forced around the clock, which is why the hardening below is not optional. As for bandwidth, there is a whole set of settings that yield good responsiveness and modest traffic.

In short, if you know what to configure, how and where, RDP is a very good remote access tool. The question is how many admins have ever looked at the settings hidden a little below the surface.

Here is how to protect RDP and tune it for performance.

First, there are many versions of the RDP protocol. Everything below applies to RDP 7.0 and higher, which means at least Windows Vista SP1. For retro lovers there is a dedicated update for Windows XP SP3, KB969084, which adds the RDP 7.0 client to that operating system.

Setting No. 1 - encryption

On the computer you are going to connect to, open gpedit.msc and go to Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Security.

Set “Require use of specific security layer for remote (RDP) connections” to Enabled and the security layer to SSL. Older versions of the policy label this option “SSL (TLS 1.0)”, but the label is historical: the TLS version is negotiated by Schannel, and on current Windows both sides settle on TLS 1.2 when they support it. If you have to keep an old server around, disable TLS 1.0 in Schannel on it rather than trusting the label.

With this setting the session is protected by TLS instead of the legacy RDP security layer, and the client can verify the server by its certificate (by default a self-signed one, which is why mstsc warns on first connect; issuing a certificate from your own CA removes that warning honestly). Now make sure only strong algorithms are used, not 56-bit DES or RC2.

So, in the same node, open “Set client connection encryption level”, enable it and select the High level. This requires 128-bit encryption and refuses clients that cannot do it. (This level governs the legacy RDP security layer; when TLS is negotiated, the session keys come from the TLS handshake.)

But that is not the limit. The highest level is FIPS Compliant, which restricts RDP to algorithms validated under FIPS 140-1 (3DES for encryption, SHA-1 for hashing, RSA for key exchange); RC2 and RC4 are out entirely.

To enable FIPS 140-1, in the same snap-in go to Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options.

Find “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” and enable it. Be aware that this switch is system-wide, not RDP-specific: it changes which algorithms Schannel, .NET and other components may use, and some applications fail in FIPS mode, so test before turning it on for a production machine.

Finally, be sure to enable “Require secure RPC communication” under Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Security.

This setting makes the RD Session Host accept only authenticated and encrypted RPC requests from clients and reject unsecured RPC communication. It covers the RPC management traffic to the host, not the RDP session itself, which the security layer above already protects.

Encryption is now in order; move on.

Setting No. 2 - change the port

By default the RDP listener sits on TCP port 3389. For variety it can be moved: change the PortNumber value (a DWORD; enter the new port as a decimal) under

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

then restart the Remote Desktop Services service and allow the new port through the firewall. Treat this as noise reduction, not protection: it shakes off scanners that only try 3389, but any port scan finds the listener, so it does not replace NLA, strong passwords and a narrow firewall scope.

Setting No. 3 - Network Level Authentication (NLA)

By default a client can connect over RDP without entering a username and password first and land on the remote computer’s Welcome screen, which then asks it to log in. This is unsafe: for every anonymous connection the server sets up a full session and renders a logon screen before any authentication has happened, so the host is easy to exhaust with junk connections and its entire RDP stack is exposed to unauthenticated peers.

So, in the same node, enable “Require user authentication for remote connections by using Network Level Authentication”. With NLA the client authenticates through CredSSP before a session is created, and the server never shows its logon screen to an unauthenticated client.

Setting No. 4 - what else to check

First, make sure “Accounts: Limit local account use of blank passwords to console logon only” is enabled. It lives under Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options (not among the Remote Desktop Services policies), and it blocks network logons, RDP included, for local accounts with an empty password.

Second, do not forget to review the list of users who may connect over RDP: the Remote Desktop Users group, bearing in mind that members of Administrators can always connect.
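
Settings 1 to 4 in one check, as an added PowerShell example (not part of the original article). It reads the listener values under WinStations\RDP-Tcp and the Group Policy overrides under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, where a policy value wins, plus the two LSA settings and the Remote Desktop Users membership, and reports pass or fail for each. The value names and meanings (SecurityLayer 2 = SSL/TLS; MinEncryptionLevel 3 = High, 4 = FIPS; UserAuthentication 1 = NLA required; fEncryptRPCTraffic 1; LimitBlankPasswordUse 1; FipsAlgorithmPolicy\Enabled 1) are the documented registry equivalents of the policies above. The script is read-only; run it from an elevated PowerShell 5.1 or later.

```powershell
# Added example, not part of the original article: read-only audit of Settings 1-4.
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RdpPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-EffectiveRdpSetting {
    # gpedit.msc writes under the Policies hive; that value overrides the per-listener one.
    param([string]$Name)
    $pol = Get-RegValue $RdpPol $Name
    if ($null -ne $pol) { return [pscustomobject]@{ Value = $pol; Source = 'Policy' } }
    [pscustomobject]@{ Value = (Get-RegValue $RdpTcp $Name); Source = 'Listener' }
}

function New-Check {
    param([string]$Setting, $Actual, [string]$Expected, [bool]$Pass)
    [pscustomobject]@{ Setting = $Setting; Actual = $Actual; Expected = $Expected; Pass = $Pass }
}

function Test-RdpHardening {
    $layer = Get-EffectiveRdpSetting SecurityLayer
    $enc   = Get-EffectiveRdpSetting MinEncryptionLevel
    $rpc   = Get-EffectiveRdpSetting fEncryptRPCTraffic
    $nla   = Get-EffectiveRdpSetting UserAuthentication
    $port  = Get-RegValue $RdpTcp PortNumber
    $fips  = Get-RegValue "$Lsa\FipsAlgorithmPolicy" Enabled
    $blank = Get-RegValue $Lsa LimitBlankPasswordUse
    # Administrators can always connect; this group is the extra list to review by hand.
    $rdu   = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name -join ', '

    New-Check 'Setting 1: security layer'        "$($layer.Value) ($($layer.Source))" '2 = SSL/TLS'               ($layer.Value -eq 2)
    New-Check 'Setting 1: min encryption level'  "$($enc.Value) ($($enc.Source))"     '3 = High or 4 = FIPS'      ($enc.Value -ge 3)
    New-Check 'Setting 1: FIPS algorithm policy' $fips                                '1 (system-wide, optional)' ($fips -eq 1)
    New-Check 'Setting 1: secure RPC'            "$($rpc.Value) ($($rpc.Source))"     '1'                         ($rpc.Value -eq 1)
    New-Check 'Setting 2: listener port'         $port                                'not 3389'                  ($null -ne $port -and $port -ne 3389)
    New-Check 'Setting 3: NLA required'          "$($nla.Value) ($($nla.Source))"     '1'                         ($nla.Value -eq 1)
    New-Check 'Setting 4: blank pw console-only' $blank                               '1'                         ($blank -eq 1)
    New-Check 'Setting 4: Remote Desktop Users'  $rdu                                 'only accounts that need RDP' $true
}

Test-RdpHardening | Format-Table -AutoSize
```

A compliant value whose Source is Listener was set on the RDP-Tcp key by hand and can drift back; the Group Policy is what pins it, so fix rows with Pass = False through gpedit.msc as described above rather than by writing the registry directly.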

Setting No. 5 - speed optimization

Go to Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Remote Session Environment.

Here you can, and should, adjust several parameters:

  • Limit maximum color depth - 16 bits is enough. Compared with 32-bit this roughly halves the traffic.
  • Enforce Removal of Remote Desktop Wallpaper - the wallpaper is not needed for work.
  • Set compression algorithm for RDP data - choose “Optimized to use less network bandwidth”. RDP will use a little more memory on the server but compress harder.
  • Optimize visual experience for Remote Desktop Services sessions - set it to “Text”. Exactly what you need for work.

In addition, when connecting to the remote computer you can disable on the client side:

  • Font smoothing. This noticeably reduces response time. (If you have a full-fledged terminal server, the same can also be enforced on the server side.)
  • Desktop composition - responsible for Aero and the like.
  • Show window contents while dragging.
  • Menu and window animation.
  • Visual styles - if you want it hardcore.

The remaining parameters, such as desktop background and color depth, we have already forced on the server side.

Additionally, on the client side you can increase the bitmap cache via the registry. Under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\ create two 32-bit DWORD values, BitmapPersistCacheSize and BitmapCacheSize:

  • BitmapPersistCacheSize can be set to 10000 (10 MB). By default it is 10, which corresponds to 10 KB.
  • BitmapCacheSize can likewise be set to 10000 (10 MB). You will hardly notice the RDP connection taking an extra 10 MB of RAM.
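
The client-side list above, plus the persistent bitmap cache, can be fixed once in an .rdp file instead of being re-ticked in every dialog. The following is an added example, not from the original article: a PowerShell function that writes such a profile using the documented .rdp setting names, and also pins down three things a hardened setup wants on the client: NLA (enablecredsspsupport), refusing rather than warning when the server certificate fails to verify (authentication level 1), and no drive, printer, clipboard or smart card redirection unless you turn it on deliberately. The host name, user name and file path are placeholders.

```powershell
# Added example, not from the original article: build a .rdp file that bakes in the client-side
# tuning above and a few safer defaults. Host and user names are placeholders.
function New-LeanRdpProfile {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 3389,
        [string]$UserName = '',
        [Parameter(Mandatory)][string]$Path
    )
    $settings = [ordered]@{
        'full address:s'              = "${ComputerName}:${Port}"
        'username:s'                  = $UserName
        # Bandwidth: 16-bit colour, no wallpaper / font smoothing / Aero / drag / animation /
        # visual styles, persistent bitmap cache on, compression on (the client-side list above).
        'session bpp:i'               = 16
        'disable wallpaper:i'         = 1
        'allow font smoothing:i'      = 0
        'allow desktop composition:i' = 0
        'disable full window drag:i'  = 1
        'disable menu anims:i'        = 1
        'disable themes:i'            = 1
        'bitmapcachepersistenable:i'  = 1
        'compression:i'               = 1
        # Security: CredSSP (NLA), always prompt rather than store a password in the file, and
        # refuse the connection if the server certificate does not verify (1) instead of
        # warning (2) or ignoring the failure (0).
        'enablecredsspsupport:i'      = 1
        'prompt for credentials:i'    = 1
        'authentication level:i'      = 1
        # Least privilege: nothing local is redirected unless you switch it on deliberately.
        'redirectdrives:i'            = 0
        'drivestoredirect:s'          = ''
        'redirectprinters:i'          = 0
        'redirectclipboard:i'         = 0
        'redirectsmartcards:i'        = 0
    }
    $lines = foreach ($key in $settings.Keys) { '{0}:{1}' -f $key, $settings[$key] }
    # mstsc.exe saves its own .rdp files as UTF-16; match that so it reads the file back cleanly.
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $lines
}

# Usage: writes the profile to the desktop; open it with mstsc.exe or by double-clicking it.
New-LeanRdpProfile -ComputerName 'server.example.internal' -Port 3389 `
                   -UserName 'CORP\alice' -Path "$env:USERPROFILE\Desktop\server.rdp"
```

authentication level 1 assumes the server presents a certificate the client trusts, so issue one from your CA or import the server’s self-signed RDP certificate into the client’s trusted store; dropping the value to 2 brings back the click-through warning. If you moved the listener off 3389 as in Setting No. 2, pass that port.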

I will not say anything about redirecting printers and the like: whoever needs something redirects it. Just remember that every redirected resource (drives, clipboard, printers, smart cards) is shared with the remote host and becomes attack surface if that host is compromised, so redirect only what you actually use.

That concludes the main part of the setup. In the following articles I will describe how to improve and secure RDP further. Use RDP correctly, and a stable connection to everyone! See also how to make an RDP terminal server on any version of Windows.

Surely many of you have already heard and seen this abbreviation; it stands for Remote Desktop Protocol. Anyone interested in the technical intricacies of this application-layer protocol can start with the literature, Wikipedia included. We will consider the purely practical side: this protocol lets you connect remotely to computers running various versions of Windows using the “Remote Desktop Connection” tool built into Windows.

What are the pros and cons of using the RDP protocol?

Let’s start with the pleasant part, the pros. The advantage is that this tool, more correctly called the RDP client, is available to any Windows user, both on the computer from which the remote control is done and to those who want to open remote access to their own computer.

Through a remote desktop connection you can not only see the remote desktop and use the resources of the remote computer, but also attach local disks, printers, smart cards and so on to it. Of course, if you want to watch a video or listen to music via RDP, the process is unlikely to give you pleasure: in most cases you will see a slide show and the audio will stutter. But RDP was not developed for those tasks.

Another undoubted advantage is that the connection is made without any additional programs, which are mostly paid, though they have their own advantages. How long you may stay connected to the RDP server (that is, your remote computer) is limited only by your wishes.

There are only two minuses, one significant, the other less so. The first and essential one is that the computer you connect to must have a public (external) IP address, or it must be possible to forward a port from the router to it, and the router in turn must have an external IP. Whether it is static or dynamic does not matter, but it must exist.

The second disadvantage is not so significant: the latest versions of the client no longer support the old 16-color scheme; the minimum is 15-bit. This slows RDP down considerably when you connect over a crippled, half-dead Internet link of no more than 64 kilobits per second.

What can remote access via RDP be used for?

Organizations, as a rule, use RDP servers for shared work in 1C. Some even deploy user workstations on them. Thus a user, especially one who travels, can connect to their workplace remotely over 3G or hotel/cafe Wi-Fi and resolve all issues.

In some cases home users use remote access to their home computer to fetch data from home resources. In principle the remote desktop service lets you work fully with text, engineering and graphics applications. For the reasons stated above it won’t do for video and audio processing, but it is still a very significant plus. You can also reach resources that are blocked by company policy at work by connecting to your home computer, without any anonymizers, VPNs or other evil spirits (bear in mind that this usually violates that policy, and the outbound RDP connection is perfectly visible to whoever runs the company network).

Preparing the Internet

In the previous section we said that to enable remote access via RDP we need an external IP address. This service is provided by the ISP, so call, write or go to your personal account and arrange for such an address. Ideally it should be static, but in principle you can live with a dynamic one.

If the terminology is unclear: a static address is constant, a dynamic one changes from time to time. To work comfortably with dynamic IP addresses, services exist that bind a domain name to the changing address (dynamic DNS). There will be a separate article on that topic soon.

Preparing the router

If your computer is not plugged directly into the ISP’s cable but sits behind a router, we also have to do something on that device: forward the service port, 3389, to the computer. Otherwise the router’s NAT will simply not let you into your home network. The same applies to setting up an RDP server in an organization. If you do not know how to forward a port, read the article How to forward ports on a router (opens in a new tab), then come back here. Forwarding 3389 straight from the Internet is exactly the exposure that gets brute-forced, so if the router lets you restrict the forward to specific source addresses, do so; better still, terminate a VPN on the router and forward nothing at all.

Preparing the computer

To make the computer reachable remotely you need to do exactly two things:

- allow the connection in System Properties;
- set a password for the current user (if there is none), or create a new user with a password specifically for connecting via RDP.

Decide for yourself what to do with the user. Keep in mind, however, that non-server editions of Windows do not natively support several simultaneous interactive sessions. That is, if you are logged on locally (at the console) and then log on remotely as the same user, the local screen is locked and the same session continues in the Remote Desktop Connection window. If you then enter the password locally without leaving the RDP session, you are kicked out of remote access and the current screen appears on the local monitor. The same happens if you are logged on at the console as one user and try to log on remotely as another: the system will offer to end the local user’s session, which is not always convenient.

So: open Start, right-click Computer and choose Properties.

In the System window choose Advanced system settings.

In the window that opens, go to the Remote tab.

On Windows 7 Home editions this tab contains only the Remote Assistance section (its Advanced… button leads to a single “Allow this computer to be controlled remotely” checkbox), because Home editions cannot act as a Remote Desktop host at all. You need Professional or higher: there the tab also has a Remote Desktop section where you allow connections, can restrict them to clients with Network Level Authentication, and use the Select Users… button to grant access to specific accounts.

Click OK everywhere.

Now you can open Remote Desktop Connection (Start > All Programs > Accessories), enter the computer’s IP address or name if you connect from your home network, and use all its resources.

That’s it; in principle everything is simple. If you have questions or something remains unclear, welcome to the comments.

What is Remote Desktop

Using Windows Remote Desktop (RDP) can be a very useful and convenient answer to the question of remote computer access. When can remote desktop be useful? If you want to control your computer remotely (either from the local network or from anywhere in the world). Of course, third-party programs can be used for these purposes too. But such programs often require the remote side to confirm access, are not suited to several users working on the computer at the same time, and are slower than remote desktop anyway. They are therefore better suited to remote assistance or maintenance than to everyday work.

It can be quite convenient to use Remote Desktop to let users work with certain programs. For example, if you need to show a program to a distant user (demo access for testing). Or say you have only one powerful computer in the office, with a demanding program installed; on the other, weak computers it crawls, but everyone needs it. Then remote desktop is a good solution: everyone connects via RDP from their “dead” computers to the powerful one and uses the program there without getting in each other’s way.

Static IP address. What is needed for remote access via RDP

One of the important points about setting up and later using remote desktop is the need for a static IP address on the remote computer. If you are setting up remote desktop for use within the local network only, there is no problem. However, remote desktop is mostly used for external access. Most providers give subscribers dynamic IP addresses, and for ordinary use that is quite enough. Static (“white”) IPs are usually provided for an extra fee.

Setting up Windows Remote Desktop

So, we have figured out why we need remote desktop. Now let’s set it up. The instructions here suit Windows 7, 8, 8.1 and 10. In all of them the settings are similar; the differences are minor and only in how some windows are opened.

First we configure the computer we will connect to.

Attention! Your account must have administrator rights.

1. Open Start - Control Panel.

In Windows 8.1 and 10 it is convenient to open Control Panel by right-clicking the Start icon and selecting Control Panel from the list.

Next, select System and Security - System. (This window can also be opened another way: click Start, right-click Computer and choose Properties.)

2. In the left column, click Remote settings.

3. In the Remote Desktop section choose one of:

- Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure). Suitable for clients running Remote Desktop 7.0 or later; prefer this one.

- Allow connections from computers running any version of Remote Desktop (less secure). Only for connecting legacy clients; it lets unauthenticated peers reach the logon screen.

4. Click Apply.

5. The Select Users button opens a window where you specify the accounts on this computer that will be allowed to connect remotely. (This procedure is also called adding a user to the Remote Desktop Users group.)

Users with administrative rights have remote desktop access by default. However, besides being allowed, every account must be password protected, the administrator’s included.

6. Add a new user with normal rights (not an administrator) to the Remote Desktop Users group. To do this, press Add.

In the Enter the object names to select field, enter the user name. In my case it is Access1. Click Check Names.

If everything is correct, the computer name is prepended to the user name. Click OK.

If we don’t remember the exact user name or don’t want to type it, click Advanced.

In the window that opens, click Find Now.

All users and local groups of the computer appear in Search results. Select the desired user and click OK.

When you have selected all the required users in the Select Users window, press OK.

Now the regular user Access1 has been added to the Remote Desktop Users group. To apply the changes, click OK.

7. If you use a third-party firewall, you will need to configure it too, namely open TCP port 3389. If only the built-in Windows Firewall is running, nothing needs to be done: it is configured automatically as soon as remote desktop is allowed on the computer.

This completes the basic setup of the remote computer.
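
Steps 1 to 7 above as one PowerShell script, added here as an example (not part of the original article). It flips the same switches the dialogs do: fDenyTSConnections 0 is “Allow connections to this computer”, UserAuthentication 1 is the Network Level Authentication option, the built-in “Remote Desktop” firewall rule group is what step 7 relies on, and Add-LocalGroupMember is the Select Users button. Before granting access it refuses accounts flagged as not requiring a password, which is how a blank-password account would slip into the group. Access1 is the account used in the text; run the script elevated on Windows 10 / Server 2016 or later (the LocalAccounts cmdlets ship with PowerShell 5.1), and remember that Home editions have no RDP host to enable.

```powershell
# Added example, not from the original article: steps 1-7 above as one elevated script.
function Enable-RdpHost {
    param(
        [Parameter(Mandatory)][string[]]$AllowedUser,
        [switch]$AllowLegacyClients   # default is the 'Network Level Authentication' option
    )
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # "Allow connections to this computer" is fDenyTSConnections = 0
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
    # Step 3: require NLA unless the caller explicitly opts into the less secure choice
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication `
        -Value ([int](-not $AllowLegacyClients)) -Type DWord
    # Step 7: the built-in "Remote Desktop" rule group (TCP and UDP 3389)
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    foreach ($name in $AllowedUser) {
        $user = Get-LocalUser -Name $name -ErrorAction Stop
        if (-not $user.PasswordRequired) {
            # PASSWD_NOTREQD is how a blank-password account comes about; such an account cannot
            # log on over the network anyway, so refuse instead of leaving a dead entry in the group.
            throw "Account '$name' is flagged as not requiring a password; set one before granting RDP."
        }
        if (-not (Get-LocalGroupMember -Group 'Remote Desktop Users' -Member $name -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $name
        }
    }
    [pscustomobject]@{
        RdpEnabled         = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
        NlaRequired        = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
        RemoteDesktopUsers = (Get-LocalGroupMember -Group 'Remote Desktop Users').Name
    }
}

Enable-RdpHost -AllowedUser 'Access1'
```

The returned object is the same three facts you would otherwise verify by reopening the dialogs; keep NlaRequired at True unless an old client genuinely cannot be updated.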

Network settings, port forwarding

As mentioned above, remote desktop access needs a static IP address.

If you have no router and the Internet cable goes directly into the computer, skip this section and move on to the next one. If you use a router, additional settings are needed on it.

If you plan to use remote desktop only on the local network, it is enough to assign the desired computer a fixed local IP (follow the first part, without port forwarding). If you need access from outside, you also need to forward the port on the router: to open access to the remote desktop, forward TCP port 3389 to that computer.

Setting up a remote desktop connection

Let’s move on to the connection itself, that is, the settings on the client side.

1. Launch Remote Desktop Connection (mstsc.exe).

In Windows 7 you can do this via Start - All Programs - Accessories - Remote Desktop Connection.

In Windows 8 it is convenient to launch it through search. Click Start, click the magnifying glass icon in the upper right corner and start typing “remote” in the search field. From the suggestions, select Remote Desktop Connection.

On Windows 10: Start - All apps - Windows Accessories - Remote Desktop Connection.

2. First of all, check which protocol version is installed. To do this, click the icon in the upper left corner and select About.

Check the Remote Desktop Protocol version. If it is 7.0 or higher, everything is in order, you can connect.

If the protocol version is lower (possible on older versions of Windows), you need to either update it or lower the security level on the remote computer (that is, select Allow connections from computers running any version of Remote Desktop (less secure)). Updating the client is the right answer; lowering the server’s setting weakens it for every client.

Remote Desktop client updates for older operating systems are available from Microsoft; for example, KB969084 mentioned earlier brings the RDP 7.0 client to Windows XP SP3.

3. Specify the connection parameters:

In the Computer field, enter the IP address of the remote computer we are going to connect to (the local one if we connect within the local network, the real one, issued by the Internet provider, if the remote computer is outside the local network). I have the first case.

Note. You can find out your external IP address through, for example, the Yandex.Internetometer service.

4. Click Connect.

You will be prompted for credentials. Enter the login and password of any user on the remote computer who has the right to use remote desktop. In my example it is Admin or Access1. I remind you that the accounts must be password protected.

Enter the user name and password and, if you like, tick Remember my credentials so as not to enter them next time. Of course, you may only remember credentials on a personal computer that unauthorized persons cannot reach: they are stored in Windows Credential Manager, and anyone who gets into your profile can use them to log on to the remote machine.

Click OK.

A warning about the remote computer’s identity (its certificate) will pop up. Check the certificate thumbprint against the one on the server before trusting it, then tick Don’t ask me again for connections to this computer and press Yes. If you tick the box without checking, a man-in-the-middle presenting his own certificate would never be noticed.

If everything is done correctly, you will see the remote desktop in front of you.

Note. I remind you that you cannot connect via remote desktop from several computers at once under one user. That is, if several people are to work on the remote computer at the same time, you need to create a separate user for each and grant them remote desktop rights. This is done on the remote computer, as discussed at the beginning of the article.

Additional Remote Desktop Settings

Now a few words about the additional connection settings.

To open the settings, click Show Options.

General tab

Here you can change the connection settings. Clicking the edit link lets you change the user name and the saved password.

You can save the configured connection settings. Click Save As and choose a location, for example the Desktop. A shortcut now appears on the Desktop that launches the remote desktop connection immediately, without specifying parameters. This is very convenient, especially if you regularly work with several remote computers, or if you set it up for someone else and do not want to confuse the user. (Tick Allow me to save credentials with care: a password saved for an .rdp profile is only as safe as the machine and profile it lives on.)

Display tab

On the Display tab you set the size of the remote desktop (whether it fills your whole monitor or appears in a smaller separate window).

You can also choose the color depth. If your Internet connection is slow, choose a lower depth.

Local Resources tab

Here you configure sound (play it on the remote computer or on the client, and so on) and how Windows key combinations (such as Ctrl+Alt+Del, Ctrl+C and so on) are applied while working with the remote desktop.

One of the most useful sections here is Local devices and resources. Ticking Printers lets you print documents from the remote desktop on your local printer. Ticking Clipboard gives a shared clipboard between the remote desktop and your computer, so ordinary copy and paste moves files, folders and so on from the remote computer to yours and back. Each of these is also a channel between the two machines; if the remote host is untrusted or shared, leave what you do not need unticked.

Clicking More… takes you to a menu where you can connect additional devices of your computer to the remote desktop.

For example, you want your drive D: available while working on the remote computer. Click the plus sign next to Drives to expand the list, tick drive D and click OK.

Now, when you connect to the remote desktop, you will see your drive D: in Explorer and can work with it as if it were physically attached to the remote computer.

Experience tab

Here you can choose the connection speed for best performance, and turn the desktop background, visual effects and so on on or off.

Removing a Remote Desktop Connection

Finally, let’s see how to turn remote desktop access off. When is this needed? For example, you used to need remote access to your computer but no longer do, or you need to make sure strangers cannot connect to your computer’s remote desktop. It is very simple.

1. Open Control Panel - System and Security - System, as at the beginning of the article.

2. In the left column, click Remote settings.

3. In the Remote Desktop section choose:

- Don’t allow connections to this computer

Done. Now nobody can connect to you via remote desktop.

In addition to Remote Assistance, you can connect remotely to a Windows 10 user’s desktop with a shadow RDP connection (Remote Desktop Shadowing). Most administrators have used this functionality in one way or another to connect to user sessions on RDS terminal servers running Windows Server 2012 R2 / Server 2016. However, not everyone knows that a shadow connection can also be used to view and interact with a user’s desktop on desktop Windows 10 remotely. Let’s see how it works.

As you remember, if you connect to a Windows 10 computer via RDP, the session of the user working locally is disconnected. A shadow connection, by contrast, attaches to the user’s console session without locking it.

Let’s say you need to connect from a Windows Server 2012 R2 server to the desktop of a user working locally on a Windows 10 workstation.

To shadow a user session, use the standard RDP client mstsc.exe. The command format is:

mstsc.exe /shadow:<session ID> /v:<computer name or IP address>

You can also use the following options:

  • /prompt - ask for the name and password of the user under which the connection is made (if omitted, the connection is made as the current user).
  • /control - interactive mode. If omitted, you connect in view (monitoring) mode of the user’s session, that is, you cannot control the mouse or type from the keyboard.
  • /noConsentPrompt - do not ask the user for permission to connect to the session.

Whether the shadow connection asks for the user’s consent, and whether it may control the session or only watch it, is configured through Group Policy or the registry.

The policy is under Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections and is called “Set rules for remote control of Remote Desktop Services user sessions”.

Instead of the policy you can set a DWORD value named Shadow under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. Valid values:

  • 0 - remote control disabled;
  • 1 - full control with the user’s permission;
  • 2 - full control without the user’s permission;
  • 3 - view the session with the user’s permission;
  • 4 - view the session without the user’s permission.

By default the value is absent and shadowing works in full-control mode with the user’s permission.

To shadow a computer remotely, the connecting account must have administrator rights on that computer, and Remote Desktop (RDP) must be enabled in its system properties. Modes 2 and 4 let an administrator watch or drive a user’s screen silently; if you set them, make sure that is acceptable under your organization’s policy and that shadow connections are monitored, since the same capability in an attacker’s hands is a ready-made spying tool.

Let’s request the list of sessions on the Windows 10 workstation remotely:

qwinsta /server:192.168.11.60

As you can see, this computer has one user console session with ID 1.

So let’s try to connect to the user’s session remotely via a shadow connection. Run:

mstsc /shadow:1 /v:192.168.11.60

A prompt appears on the Windows 10 user’s screen:

<Username> is requesting to view your session remotely. Do you accept the request?

If the user allows the connection, you are attached to their console session and see their desktop. You see everything the user does but cannot interact with the session, since /control was not given.

Tip. To end the shadow session, press Alt+* on a workstation or Ctrl+* on an RDS server.

If you check the network connections with TCPView, you can see that the communication goes over Remote RPC, not RDP on TCP port 3389: a random TCP port from the high RPC range is used, so the RPC endpoint mapper (TCP 135) and the dynamic port range must be reachable through the workstation’s firewall (the built-in Remote Desktop rule group includes a “Remote Desktop - Shadow (TCP-In)” rule for this). On the connecting computer the connection is made by mstsc.exe; on the client side it is handled by rdpsa.exe or rdpsaproxy.exe (depending on the Windows 10 build). Remote RPC therefore has to be enabled on the client:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
"AllowRemoteRPC"=dword:00000001

Remote Desktop Shadowing works in Windows 10 / 8.1 and Windows Server 2012 R2 / 2016. For shadowing to work on clients running Windows 7 SP1 (Windows Server 2008 R2), you need RDP client version 8.1, so you have to install update KB2830477 (which requires KB2574819 and KB2857650).
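
The shadow procedure above, wrapped in PowerShell as an added example that is not part of the original article. ConvertFrom-QwinstaOutput parses the qwinsta listing into objects, Get-ShadowArgumentList assembles the mstsc switches listed above for a given session, and Set-RdpShadowPolicy writes the Shadow policy value from the table. The qwinsta sample at the bottom is constructed to match the page’s 192.168.11.60 example so the parser can be exercised without a live host; only Get-ShadowableSessions and Start-RdpShadow touch a real workstation.

```powershell
# Added example, not from the original article: the shadow-connection procedure in PowerShell.
function ConvertFrom-QwinstaOutput {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Session rows: optional '>' (the caller's own session), session name, optional user,
        # numeric ID, state. Regex backtracking leaves USERNAME empty for rows such as
        # 'services 0 Disc' and 'rdp-tcp 65536 Listen'; the header row has no numeric ID and is skipped.
        if ($line -match '^\s*>?(?<session>\S*)\s+(?<user>\S*)\s+(?<id>\d+)\s+(?<state>\S+)') {
            [pscustomobject]@{
                SessionName = $Matches.session
                UserName    = $Matches.user
                Id          = [int]$Matches.id
                State       = $Matches.state
            }
        }
    }
}

function Get-ShadowableSessions {
    # Live query of the remote workstation; needs admin rights there and Remote RPC enabled.
    param([Parameter(Mandatory)][string]$ComputerName)
    ConvertFrom-QwinstaOutput -Lines (& qwinsta.exe /server:$ComputerName) |
        Where-Object { $_.UserName -and $_.State -eq 'Active' }
}

function Get-ShadowArgumentList {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$SessionId,
        [switch]$Control,          # interact instead of view-only
        [switch]$NoConsentPrompt,  # honoured only if the Shadow policy is mode 2 or 4
        [switch]$Prompt            # ask for alternate credentials
    )
    $list = @("/shadow:$SessionId", "/v:$ComputerName")
    if ($Control)         { $list += '/control' }
    if ($NoConsentPrompt) { $list += '/noConsentPrompt' }
    if ($Prompt)          { $list += '/prompt' }
    return $list
}

function Start-RdpShadow {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$SessionId,
        [switch]$Control, [switch]$NoConsentPrompt, [switch]$Prompt
    )
    Start-Process -FilePath mstsc.exe -ArgumentList (Get-ShadowArgumentList @PSBoundParameters)
}

function Set-RdpShadowPolicy {
    # 0 disabled, 1 full control with consent, 2 full control without consent,
    # 3 view with consent, 4 view without consent (the table above). Local admin required.
    param([ValidateRange(0, 4)][int]$Mode)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Shadow -Value $Mode -Type DWord
}

# Constructed sample of 'qwinsta /server:192.168.11.60' so the parser can be tried offline:
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           alice                     1  Active
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"
$target = ConvertFrom-QwinstaOutput -Lines $sample | Where-Object { $_.UserName -and $_.State -eq 'Active' }
Get-ShadowArgumentList -ComputerName '192.168.11.60' -SessionId $target.Id   # /shadow:1 /v:192.168.11.60
```

With no switches the result is view-only with the consent prompt, the least intrusive mode; pass -Control and -NoConsentPrompt only where the policy allows them and silent monitoring has been agreed.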

Thus Remote Desktop Shadowing can serve as a substitute for Remote Assistance or TeamViewer within a local or corporate network.

Good afternoon, dear readers and guests of the blog. Today’s task is to change the incoming port of the RDP service (terminal server) from the standard 3389 to something else. Let me remind you that the RDP service is a Windows feature that lets you open a session over the network to the computer or server you need, using the RDP protocol, and work on it as if you were sitting at it locally.

What is the RDP protocol

Before changing anything, it is good to understand what it is and how it works; I keep saying this. RDP, Remote Desktop Protocol, is Microsoft’s remote desktop protocol for Windows, although its origins go back to the ITU T.128 application-sharing protocol and to PictureTel (now Polycom), from whom Microsoft bought the technology. It is used for an employee’s or user’s remote work on a remote server. Most often such servers act as terminal servers, for which special licenses, per user or per device (CALs), are allocated. The idea was this: there is a very powerful server, so why not share its resources, for example for a 1C application. This became especially relevant with the arrival of thin clients.

The terminal server itself saw the light in 1998 in Windows NT 4.0 Terminal Server Edition; honestly, I did not even know such a thing existed, and in Russia at the time we were all playing Dendy or Sega. RDP clients are now available for all versions of Windows, for Linux, macOS and Android. The most recent versions of the protocol are 8.1 (Windows 8.1 / Server 2012 R2) and 10 (Windows 10 / Server 2016).

Default RDP port

I’ll say it right away: the default RDP port is 3389, which I think every system administrator knows.

How the RDP protocol works

So now we understand why the Remote Desktop Protocol was invented; next it is logical to understand how it works. Microsoft distinguishes two modes of RDP:

  • Remote administration mode - for administration: you log on to the remote server to configure and manage it.
  • Terminal Server mode - for access to an application server, RemoteApp, or sharing a machine for work.

In general, if you install Windows Server 2008 R2 - 2016 without the terminal server role, it allows two simultaneous administrative connections by default: two users can work at once, and a third has to kick someone out. Client editions of Windows allow one session, though that can be circumvented too; I wrote about it in the article Terminal Server on Windows 7. Terminal servers can also be clustered and load-balanced with NLB and the RD Connection Broker (formerly Session Directory), which tracks user sessions so a user can reconnect to their desktop on a farm of terminal servers in a distributed environment. A licensing server is another required component.

The RDP protocol runs over a TCP connection and is an application-layer protocol. When a client establishes a connection with the server, an RDP session is created in which encryption and data transmission methods are negotiated. Once everything is negotiated and initialization is complete, the terminal server sends graphical output to the client and waits for keyboard and mouse input.

Remote Desktop Protocol supports multiple virtual channels within a single connection, which provide additional functionality:

  • Redirecting your printer or COM port to the server
  • Redirecting your local drives to the server
  • Clipboard
  • Audio and video

Stages of an RDP connection

  • Establishing the connection
  • Negotiating encryption parameters
  • Server authentication
  • Negotiating RDP session parameters
  • Client authentication
  • RDP session data
  • Terminating the RDP session

Security in the RDP protocol

Remote Desktop Protocol has two security mechanisms, Standard RDP Security and Enhanced RDP Security; we look at both in more detail below.

Standard RDP Security

With this mechanism the RDP protocol encrypts the connection using its own built-in scheme, which works like this:

  • When the operating system starts, an RSA key pair is generated.
  • A Proprietary Certificate containing the public key is created.
  • The Proprietary Certificate is signed with a Microsoft signing key (the Terminal Services signing key) that is identical on every Windows installation.
  • The RDP client connecting to the terminal server receives the Proprietary Certificate.
  • The client verifies it with that same well-known key, extracts the server’s public key and uses it to exchange session keys at the encryption negotiation stage.

The weak point is obvious: since the private half of that signing key is public knowledge, anyone on the network path can mint a valid-looking Proprietary Certificate of their own and sit in the middle of the connection. Standard RDP Security therefore offers no real server authentication, which is why the first article forces the TLS security layer instead.

If we consider the algorithm that encrypts everything, it is the RC4 stream cipher with 40-, 56- or 128-bit keys, depending on the negotiated encryption level and the Windows edition; the FIPS Compliant level switches to 168-bit 3DES instead. Once the server and client have agreed on the key length, two different keys are derived, one per direction, to encrypt the data.

If you ask about data integrity, it is provided by a MAC (Message Authentication Code) built on SHA-1 and MD5.

Enhanced RDP Security

With this mechanism the RDP protocol hands security over to two external modules:

  • CredSSP
  • TLS

TLS as a security layer appeared in RDP 5.2 (Windows Server 2003 SP1); the version actually used is negotiated by Schannel and is TLS 1.2 on current systems. With TLS the server certificate can be the self-signed one the terminal server generates itself, or one selected from the certificate store.

CredSSP combines TLS with SPNEGO, that is Kerberos or NTLM. With it the check of whether the user may log on to the terminal server is done up front, before a full RDP session is built, which saves resources on the terminal server; the encryption is stronger; and you get single sign-on thanks to NTLM and Kerberos. Note that CredSSP then delegates the user’s credentials to the server inside the TLS tunnel so that the logon can proceed, so the client must really verify the server’s certificate: a forged server that passes the certificate check receives real credentials. CredSSP works only on Vista / Windows Server 2008 and later. This is the checkbox in the system properties:

Allow connections only from computers running Remote Desktop with Network Level Authentication.
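
The negotiation described in this section, and the first two stages of the connection sequence listed earlier, can be observed directly. The following is an added PowerShell example, not from the original article: it builds the X.224 Connection Request carrying an RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1) and decodes the X.224 Connection Confirm (2.2.1.2), which carries either RDP_NEG_RSP with the selected protocol or RDP_NEG_FAILURE with a reason. Offering PROTOCOL_RDP only (requestedProtocols 0) to a host that requires NLA yields HYBRID_REQUIRED_BY_SERVER, which is exactly what the checkbox above enforces. The two response byte strings at the end are constructed so the decoder can be exercised offline; 192.168.11.60 is the host used elsewhere on this page.

```powershell
# Added example, not from the original article: probe which security layer an RDP server will
# negotiate by speaking the first exchange of the connection sequence (MS-RDPBCGR 2.2.1.1/2.2.1.2).
$ProtocolName = @{
    0 = 'PROTOCOL_RDP (Standard RDP Security, RC4)'
    1 = 'PROTOCOL_SSL (TLS)'
    2 = 'PROTOCOL_HYBRID (CredSSP over TLS, i.e. NLA)'
    8 = 'PROTOCOL_HYBRID_EX'
}
$FailureName = @{
    1 = 'SSL_REQUIRED_BY_SERVER'; 2 = 'SSL_NOT_ALLOWED_BY_SERVER'; 3 = 'SSL_CERT_NOT_ON_SERVER'
    4 = 'INCONSISTENT_FLAGS';     5 = 'HYBRID_REQUIRED_BY_SERVER'; 6 = 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER'
}

function New-RdpConnectionRequest {
    # requestedProtocols is a bit mask: 0 = RDP only, 1 = TLS, 2 = CredSSP; 3 offers either.
    param([uint32]$RequestedProtocols = 3)
    $pdu = New-Object System.Collections.Generic.List[byte]
    $pdu.AddRange([byte[]](0x03, 0x00, 0x00, 0x13))                    # TPKT: version 3, length 19 (big-endian)
    $pdu.AddRange([byte[]](0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00))  # X.224 CR: LI 14, code 0xE0, refs, class 0
    $pdu.AddRange([byte[]](0x01, 0x00, 0x08, 0x00))                    # RDP_NEG_REQ: type 1, flags 0, length 8
    for ($i = 0; $i -lt 4; $i++) {                                      # requestedProtocols, little-endian
        $pdu.Add([byte](($RequestedProtocols -shr (8 * $i)) -band 0xFF))
    }
    return $pdu.ToArray()
}

function Read-RdpConnectionConfirm {
    param([Parameter(Mandatory)][byte[]]$Pdu)
    if ($Pdu.Length -lt 11 -or $Pdu[0] -ne 0x03) { throw 'Not a TPKT-framed X.224 PDU' }
    if ($Pdu[5] -ne 0xD0) { throw ('Expected X.224 Connection Confirm (0xD0), got 0x{0:X2}' -f $Pdu[5]) }
    $tpktLength = ([int]$Pdu[2] -shl 8) -bor [int]$Pdu[3]
    if ($tpktLength -lt 19 -or $Pdu.Length -lt 19) {
        # Legacy server without negotiation support: only Standard RDP Security is possible.
        return [pscustomobject]@{ Outcome = 'NoNegotiation'; Code = 0; Meaning = $ProtocolName[0] }
    }
    $type = $Pdu[11]
    $code = 0
    for ($i = 0; $i -lt 4; $i++) { $code = $code -bor ([int]$Pdu[15 + $i] -shl (8 * $i)) }
    switch ($type) {
        0x02 { [pscustomobject]@{ Outcome = 'Accepted'; Code = $code; Meaning = $ProtocolName[$code] } }
        0x03 { [pscustomobject]@{ Outcome = 'Failure';  Code = $code; Meaning = $FailureName[$code] } }
        default { throw ('Unknown rdpNegData type 0x{0:X2}' -f $type) }
    }
}

function Test-RdpSecurityLayer {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 3389, [uint32]$RequestedProtocols = 3)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.ReceiveTimeout = 5000
        $client.Connect($ComputerName, $Port)
        $stream  = $client.GetStream()
        $request = New-RdpConnectionRequest -RequestedProtocols $RequestedProtocols
        $stream.Write($request, 0, $request.Length)
        $buffer = New-Object byte[] 64
        $read   = $stream.Read($buffer, 0, $buffer.Length)
        if ($read -le 0) { throw 'No response to the X.224 Connection Request' }
        Read-RdpConnectionConfirm -Pdu ([byte[]]$buffer[0..($read - 1)])
    } finally { $client.Close() }
}

# Constructed responses, decodable offline. A host with the NLA-only option refuses a client that
# offers only Standard RDP Security (requestedProtocols 0) with RDP_NEG_FAILURE code 5:
$refused  = [byte[]](0x03,0x00,0x00,0x13, 0x0E,0xD0,0x00,0x00,0x12,0x34,0x00, 0x03,0x00,0x08,0x00, 0x05,0x00,0x00,0x00)
# ...and accepts PROTOCOL_HYBRID when the client offers TLS|CredSSP (requestedProtocols 3):
$accepted = [byte[]](0x03,0x00,0x00,0x13, 0x0E,0xD0,0x00,0x00,0x12,0x34,0x00, 0x02,0x00,0x08,0x00, 0x02,0x00,0x00,0x00)
Read-RdpConnectionConfirm -Pdu $refused    # Failure / HYBRID_REQUIRED_BY_SERVER
Read-RdpConnectionConfirm -Pdu $accepted   # Accepted / PROTOCOL_HYBRID
# Live: Test-RdpSecurityLayer -ComputerName '192.168.11.60' -RequestedProtocols 0
```

Run Test-RdpSecurityLayer with -RequestedProtocols 0 against each of your hosts: Accepted / PROTOCOL_RDP means the host still allows Standard RDP Security (the “any version of Remote Desktop” option), while Failure / HYBRID_REQUIRED_BY_SERVER is the answer you want. Nothing beyond the X.224 exchange is sent, so no credentials are involved and the probe is harmless to production hosts.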

Changing the RDP port

To change the RDP port, you need to:

  1. Open the registry editor (Start -> Run -> regedit.exe)
  2. Go to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Find the PortNumber value and change it to the port number you need.

Be sure to select Decimal when entering the value; as an example I will use port 12345.

Once you have done this, restart the Remote Desktop Services service (TermService) from the command line, or reboot: the listener reads PortNumber only when it starts. If you are doing this over RDP, the restart will drop your own session, so have the firewall rule below in place first.

Then create a new inbound firewall rule for the new RDP port. Let me remind you that the default RDP port is 3389.

In Windows Firewall with Advanced Security, start a new Inbound Rule and choose a rule for a Port.

Leave the protocol as TCP and specify the new RDP port number.

The rule action is to allow the connection on the non-standard port.

If necessary, restrict the network profiles the rule applies to (and, on the rule’s Scope tab, the remote addresses allowed to use it).

Finally, give the rule a name you will understand later.

To connect from Windows client computers, give the address together with the port. For example, if you changed the port to 12345 and the address of the server (or simply of the computer you are connecting to) is myserver, the mstsc connection looks like this:

mstsc /v:myserver:12345
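
The registry, service and firewall steps above as one script, added here as an example (not part of the original article). It uses the NetSecurity cmdlets (Windows 8 / Server 2012 or later) rather than the firewall wizard, creates the allow rule before moving the listener so the host is reachable the moment TermService comes back, and lets you scope the rule to a management subnet, the part of the wizard (Scope tab) most people skip. 12345 is the article’s example port; the subnet is a placeholder.

```powershell
# Added example, not from the original article: the port change above as one elevated script.
# Order matters: open the new port first, then move the listener, then restart TermService.
function Set-RdpListenerPort {
    param(
        [Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$NewPort,
        [string[]]$AllowedSource = 'Any',   # e.g. '10.0.0.0/24' to limit the rule to a management subnet
        [switch]$DisableDefaultRules        # also switch off the built-in 3389 rules
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $oldPort = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
    if ($oldPort -eq $NewPort) { Write-Warning "RDP already listens on $NewPort"; return }

    # New inbound allow rule (the firewall wizard steps above), scoped to the given sources.
    New-NetFirewallRule -DisplayName "Remote Desktop (TCP-In, port $NewPort)" -Direction Inbound `
        -Protocol TCP -LocalPort $NewPort -RemoteAddress $AllowedSource -Action Allow | Out-Null

    # PortNumber is read once when the listener starts, hence the service restart below.
    Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord
    if ($DisableDefaultRules) { Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule }

    # This drops every current RDP session, including yours if you are doing this over RDP.
    Restart-Service -Name TermService -Force
    Start-Sleep -Seconds 2
    [pscustomobject]@{
        OldPort   = $oldPort
        NewPort   = $NewPort
        Listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue)
    }
}

# Set-RdpListenerPort -NewPort 12345 -AllowedSource '10.0.0.0/24' -DisableDefaultRules
# Afterwards, from the client: mstsc /v:myserver:12345
```

Run it elevated from the console or another non-RDP channel, since the restart kills RDP sessions. If a GPO manages the firewall with local rules disabled, add the equivalent rule in the GPO, otherwise the local rule is ignored.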


