How do you access a Remote Desktop group?

Assume a situation whereby you have just set up a remote site and now you find yourself having users or support servers that you can’t physically gain access. This means walking to the desk is out of your options. So how do you go about it to access the data and information you may be in need of?

To get it right, you need to figure out how to enable Remote Desktop via Group Policy, so that it can get applied to all devices at your site. Configuration of remote desktop forms the basis of our guide today. Let’s get started. 

What is Remote Desktop Group Policy

Almost all users who are interested in building safe connections between computers on the internet might have heard about RDP or VPN. RDP stands for the Remote Desktop Protocol. It is a network of communications protocol developed by Microsoft, to allow users to connect to another computer.

With RDP, one can connect to any computer that runs Windows. With RDP, you can connect to the remote PC, view the same display and interact as if you are working on that machine locally. 

Some instances where you may need to use RDP include;

• When traveling or when on vacation and you need to access your work computer
• When you can’t go to your office due to certain reasons and you still need to fulfill your daily tasks
• When you are a system admin and you need to perform administrative duties on your PC such as computer troubleshooting, tune-up, ID protection setting, printer set-up, software installation, email setup, virus and spyware removal, among others.
• When you need to give a demo and you need to access data from a private device
• When you want to personalize your remote desktop on experiences such as resolution, connection setting, screen setting, toolbar, start menu, icons among others.

How to Enable Remote Desktop Remotely on Windows 10

The easiest way to enable Remote Desktop on the Windows operating system family is to use a Graphical User Interface [GUI]. To do this, you need to;

Open the “System” control panel, go to “Remote Setting” and enable the “Allow remote connection to this computer” option in the Remote Desktop section. 

However, performing the above process will need local access to the computer on which you want to enable the RD. 

By default, remote desktop is disabled in both desktop versions of Windows and in Windows Server.

How to Enable Remote Desktop Remotely Using PowerShell

Suppose you want to remotely enable RDP on Windows Server 2012 R2/2016/2019. Here is the procedure to achieve the same;

1. On your computer, open the PowerShell console and run the following commands to connect to your remote server. Enter-PSSession -ComputerName server.domain.local -Credential domain\administrator.
2. You will have established a remote session with a computer and now you can execute PowerShell commands on it. To enable Remote Desktop, you need to change registry parameter fDenyTSConnections from 1 to 0 on the remote machine. Run the command; Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
3. When RDP is enabled this way [as opposed to GUI method] the rule that allows remote RDP connections is not enabled in the Windows Firewall rules.
4. To allow incoming RDP connections in Windows Firewall, run the command; Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
5. If for some reason the firewall rule is deleted, you can create it manually using the following commands. netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
6. In case you need to allow secure RDP authentication [NLA – Network Level Authentication] run the command; Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1
7. Now from your computer, you can check the TCP 3389 port on the remote host to see if it has become available. To do so, run the command below’ Test-NetConnection 192.168.1.11 -CommonTCPPort RDP.
8. If successful, you should get results similar to what is shown below’

The above results mean RDP on the remote host is enables and you can establish a remote desktop connection using mstsc client.

How to Enable/Disable Remote Desktop Using Group Policy

You can enable or disable remote desktop using group policy. To do so, perform the following steps

1. Search gpedit.msc in the Start menu. In the program list, click gpedit.msc  as shown below;
2. After Local Group Policy Editor opens, expand Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections. 
3. On the right-side panel. Double-click on Allow users to connect remotely using Remote Desktop Services. See below;
4. Select Enabled and click Apply if you want to enable Remote Desktop. Select Disabled and click Apply if you need to disable it. 

Now you will have enabled or disabled remote desktop using group policy

Network Level Authentication NLA on the remote RDP server

Network Level Authentication is a method used to enhance RD Session Host server security by requiring that a user be authenticated to RD session Host Server before a session can be created.

If you want to restrict who can access your PC, you can choose to allow access only with Network Level Authentication [NLA]. NLA is an authentication tool used in RDP  Server. When a user tries to establish a connection to a device that is NLA enabled, NLA will delegate the user’s credentials from the client-side Security Support Provider to the server for authentication, before creating a session.

The advantages of Network Level Authentication is;

• It requires fewer remote computer resources initially.
• It can provide better security by reducing the risk of denial of service attacks.

To configure Network Level Authentication for a connection, follow the steps below.

1. On the RD Session Host Server, open Remote Desktop Session Host Configuration. To do so, click Start>>Adminstrative Tools1>>Remote Desktop Services>> Remote Desktop Session Host Configuration.
2. Under Connections, right-click the name of the connection and then click Properties.
3. On the General tab, select Allow the connection only from computers running Remote Desktop with Network Level Authentication checkbox
4. Click OK

Note, under step 3, if the “Allow connections only from computers running a remote desktop with network-level authentication” checkbox is not enabled, the “Require user authentication for remote connections by using network-level authentication” Group Policy setting has to be enabled, and has been applied to the RD Session Host Server.

• Article
• 10/28/2021
• 3 minutes to read

Applies to

Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting.

Reference

This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server.

Constant: SeRemoteInteractiveLogonRight

Possible values

• User-defined list of accounts
• Not Defined

Best practices

• To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group.

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Default values

By default, members of the Administrators group have this right on domain controllers, workstations, and servers. The Remote Desktops Users group also has this right on workstations and servers. The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.

Policy management

This section describes different features and tools available to help you manage this policy.

Group Policy

To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the Allow log on through Remote Desktop Services right. It is possible for a user to establish an Remote Desktop Services session to a particular server, but not be able to log on to the console of that same server.

To exclude users or groups, you can assign the Deny log on through Remote Desktop Services user right to those users or groups. However, be careful when you use this method because you could create conflicts for legitimate users or groups that have been allowed access through the Allow log on through Remote Desktop Services user right.

For more information, see Deny log on through Remote Desktop Services.

A restart of the device is not required for this policy setting to be effective.

Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update:

1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.

Countermeasure

For domain controllers, assign the Allow log on through Remote Desktop Services user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop [RD] Session Host role service enabled and do not run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups.

Caution:  For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default.

Alternatively, you can assign the Deny log on through Remote Desktop Services user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the Deny log on through Remote Desktop Services user right.

Potential impact

Removal of the Allow log on through Remote Desktop Services user right from other groups [or membership changes in these default groups] could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected.