-->
- Microsoft Remote Desktop 10 For Mac License Issue Is Preventing Windows 10
- Microsoft Remote Desktop 10 For Mac License Issue Is Preventing Coronavirus
- Microsoft Remote Desktop 10 For Mac License Issue Is Preventing Mac
- Microsoft Remote Desktop 10 For Mac License Issue Is Preventing Covid 19
This article helps you understand the most common settings that are used to establish a Remote Desktop session in an enterprise environment, and provides troubleshooting information for Remote desktop disconnected errors.
Original product version: Windows Server 2012 R2
Original KB number: 2477176
When connecting using Microsoft Remote Desktop from a Mac to a remote PC, you might experience the following error: There are no Client Access Licenses available for the target remote computer (code LicenseNoLicense(258))Most IT departments knows how to fix this; for Windows. This involves deleting registry keys, but you don't have them on a Mac. Use Microsoft Remote Desktop for Mac to connect to a remote PC or virtual apps and desktops made available by your admin. With Microsoft Remote Desktop, you can be productive no matter where you are. GET STARTED Configure your PC for remote access using the information at https://aka.ms/rdsetup.
Note
- Enable Remote Desktop in Windows server and Windows Server; Remote Access Windows 10 with Mac OS X. There are several ways to remote access windows 10 with Mac OS X but to do this, I have chosen this way because its reliable and official way to do it. Firstly, to start we’ve to enable remote access on windows 10, to do that Control Panel.
- Use Microsoft Remote Desktop for Mac to connect to a remote PC or virtual apps and desktops made available by your admin. With Microsoft Remote Desktop, you can be productive no matter where you are. GET STARTED Configure your PC for remote access using the information at https://aka.ms/rdsetup.
- Microsoft Remote Desktop 10 For Mac License Issue Is Preventing Windows 7 Timbuktu is a discontinued remote control software product originally developed by WOS Datasystems. Remote control software allows a user to control another computer across the local network or the Internet, viewing its screen and using its keyboard and mouse as if he.
This article is intended for use by support agents and IT professionals.
Remote Desktop Server
A Remote Desktop Session Host server is the server that hosts Windows-based programs or the full Windows desktop for Remote Desktop Services clients. Users can connect to an RD Session Host server to run programs, to save files, and to use network resources on that server. Users can access an RD Session Host server from within a corporate network or from the Internet.
Remote Desktop Session Host (RD Session Host) was formerly known as the Remote Desktop server role service, and Remote Desktop Session Host (RD Session Host) server was formerly known as Remote Desktop server.
Remote connections for administration
Remote Desktop supports two concurrent remote connections to the computer. You do not have to have Remote Desktop Services client access licenses (RDS CALs) for these connections.
To allow more than two administrative connections or multiple user connections, you must install the RD Session Host Role and have appropriate RDS CALs.
Symptom 1: Limited Remote Desktop session or Remote Desktop Services session connections
When you try to make a Remote Desktop Connection (RDC) to a remote computer or to a Remote Desktop server (Terminal Server) that is running Windows Server 2008 R2, you receive one of the following error messages:
Remote Desktop Disconnected.
This computer can't connect to the remote computer.
Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.
Also, you are limited in the number of users who can connect simultaneously to a Remote Desktop session or Remote Desktop Services session. A limited number of RDP connections can be caused by misconfigured Group Policy or RDP-TCP properties in Remote Desktop Services Configuration. By default, the connection is configured to allow an unlimited number of sessions to connect to the server.
Symptom 2: Port assignment conflict
You experience a port assignment conflict. This problem might indicate that another application on the Remote Desktop server is using the same TCP port as the Remote Desktop Protocol (RDP). The default port assigned to RDP is 3389.
Symptom 3: Incorrectly configured authentication and encryption settings
After a Remote Desktop server client loses the connection to a Remote Desktop server, you experience one of the following symptoms:
- You cannot make a connection by using RDP.
- The session on the Remote Desktop server does not transition to a disconnected state. Instead, it remains active even though the client is physically disconnected from the Remote Desktop server.
If the client logs back in to the same Remote Desktop server, a new session may be established, and the original session may remain active.
Also, you receive one of the following error messages:
Error message 1
Because of a security error, the client could not connect to the Terminal server. After making sure that you are logged on to the network, try connecting to the server again.
Error message 2
Remote desktop disconnected. Because of a security error, the client could not connect to the remote computer. Verify that you are logged onto the network and then try connecting again.
Symptom 4: License certificate corruption
Remote Desktop Services clients are repeatedly denied access to the Remote Desktop server. If you are using a Remote Desktop Services client to log on to the Remote Desktop server, you may receive one of the following error messages.
Error message 1
Because of a security error, the client could not connect to the Terminal server. After making sure that you are logged on to the network, try connecting to the server again.
Error message 2
Remote desktop disconnected. Because of a security error, the client could not connect to the remote computer. Verify that you are logged onto the network and then try connecting again.
Error message 3
Because of a security error, the client could not connect to the Terminal server. After making sure that you are logged on to the network, try connecting to the server again.
Remote desktop disconnected. Because of a security error, the client could not connect to the remote computer. Verify that you are logged onto the network and then try connecting again.
Additionally, the following event ID messages may be logged in Event Viewer on the Remote Desktop server.
Event message 1
Event ID: 50
Event Source: TermDD
Event Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.Event message 2
Event ID: 1088Event Source: TermServiceEvent Description: The terminal services licensing grace period has expired and the service has not registered with a license server. A terminal services license server is required for continuous operation. A terminal server can operate without a license server for 90 days after initial start up.
Event message 3
Event ID: 1004
Event Source: TermService
Event Description: The terminal server cannot issue a client license.Event message 4
Event ID: 1010
Event Source: TermService
Event Description: The terminal services could not locate a license server. Confirm that all license servers on the network are registered in WINS/DNS, accepting network requests, and the Terminal Services Licensing Service is running.Event message 5
Event ID: 28
Event Source: TermServLicensing
Event Description: Terminal Services Licensing can only be run on Domain Controllers or Server in a Workgroup. See Terminal Server Licensing help topic for more information.
Resolution for Symptom 1
To resolve this problem, use the following methods, as appropriate.
Verify Remote Desktop is enabled
Open the System item in Control Panel. To start the System tool, click Start, click Control Panel, click System, and then click OK.
Under Control Panel Home, click Remote settings.
Click the Remote tab.
Under Remote Desktop, select either of the available options, depending on your security requirements:
Allow connections from computers from computers running any version of Remote Desktop (less secure)
Allow connections from computers only from computers running Remote Desktop with Network Level Authentication (more secure)
If you select Don't allow connections to this computer on the Remote tab, no users will be able to connect remotely to this computer, even if they are members of the Remote Desktop Users group.
Verify Remote Desktop Services Limit number of connections policy
Start the Group Policy snap-in, and then open the Local Security Policy or the appropriate Group Policy.
Locate the following command:
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections Limit number of connections
Click Enabled.
In the RD Maximum Connections allowed box, type the maximum number of connections that you want to allow, and then click OK.
Verify Remote Desktop Services RDP-TCP properties
Follow these steps, depending on your operating system version.
Setting via Remote Desktop Services Configuration
Configure the number of simultaneous remote connections allowed for a connection:
Microsoft Remote Desktop 10 For Mac License Issue Is Preventing Windows 10
On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services.
Under Connections, right-click the name of the connection, and then click Properties.
On the Network Adapter tab, click Maximum connections, enter the number of simultaneous remote connections that you want to allow for the connection, and then click OK.
If the Maximum connections option is selected and dimmed, the Limit number of connections Group Policy setting has been enabled and has been applied to the RD Session Host server.
Verify Remote Desktop Services Logon rights
Configure the Remote Desktop Users Group.
The Remote Desktop Users group on an RD Session Host server grants users and groups permission to remotely connect to an RD Session Host server. You can add users and groups to the Remote Desktop Users group by using the following tools:
- Local Users and Groups snap-in
- The Remote tab in the System Properties dialog box on an RD Session Host server
- Active Directory Users and Computers snap-in, if the RD Session Host server is installed on a domain controller
You can use the following procedure to add users and groups to the Remote Desktop Users group by using the Remote tab in the System Properties dialog box on an RD Session Host server.
Membership in the local Administrators group, or equivalent, on the RD Session Host server that you plan to configure, is the minimum required to complete this procedure.
Add users and groups to the Remote Desktop Users group by using the Remote tab
Start the System tool. To do this, click Start, click Control Panel, click the System icon, and then click OK.
Under Control Panel Home, click Remote settings.
On the Remote tab in the System Properties dialog box, click Select Users. Add the users or groups that have to connect to the RD Session Host server by using Remote Desktop.
Note
If you select the Don't allow connections to this computer option on the Remote tab, no users will be able to connect remotely to this computer, even if they are members of the Remote Desktop Users group.
Add users and groups to the Remote Desktop Users group by using Local Users and Groups snap-in
- Click Start, click Administrative Tools, and then click Computer Management.
- In the console tree, click the Local Users and Groups node.
- In the details pane, double-click the Groups folder.
- Double-click Remote Desktop Users, and then click Add.
- In the Select Users dialog box, click Locations to specify the search location.
- Click Object Types to specify the types of objects that you want to search for.
- In the Enter the object names to select (examples) box, type the name you want to add.
- Click Check Names.
- When the name is located, click OK.
Note
- You can't connect to a computer that's asleep or hibernating, so make sure the settings for sleep and hibernation on the remote computer are set to Never. (Hibernation isn't available on all computers.) For information about making those changes, see Change, create, or delete a power plan (scheme).
- You can't use Remote Desktop Connection to connect to a computer using Windows 7 Starter, Windows 7 Home Basic, or Windows 7 Home Premium.
- Members of the local Administrators group can connect even if they are not listed.
Resolution for Symptom 2
Important
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, seeHow to back up and restore the registry in Windows.
To resolve this problem, determine which application is using the same port as RDP. If the port assignment for that application cannot be changed, change the port assigned to RDP by changing the registry. After you change the registry, you must restart the Remote Desktop Services service. After you restart the Remote Desktop Services service, you should verify that the RDP port has been changed correctly.
Remote Desktop server listener availability
The listener component runs on the Remote Desktop server and is responsible for listening for and accepting new Remote Desktop Protocol (RDP) client connections, thereby allowing users to establish new remote sessions on the Remote Desktop server. There is a listener for each Remote Desktop Services connection that exists on the Remote Desktop server. Connections can be created and configured by using the Remote Desktop Services Configuration tool.
To perform these tasks, refer to the following sections.
Determine which application is using the same port as RDP
You can run the netstat tool to determine whether port 3389 (or the assigned RDP port) is being used by another application on the Remote Desktop server:
- On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
- At the command prompt, type
netstat -a -o
and then press Enter. - Look for an entry for TCP port 3389 (or the assigned RDP port) with a status of Listening. This indicates another application is using this port. The PID (Process Identifier) of the process or service using that port appears under the PID column.
To determine which application is using port 3389 (or the assigned RDP port), use the tasklist command-line tool along with the PID information from the netstat tool:
- On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
- Type
tasklist /svc
and then press Enter. - Look for an entry for the PID number that is associated with the port (from the netstat output). The services or processes that are associated with that PID appear on the right.
Change the port assigned to RDP
You should determine whether this application can use a different port. If you cannot change the application's port, you must change the port that is assigned to RDP.
Important
We recommend that you do not change the port that is assigned to RDP.
If you have to change the port assigned to RDP, you must change the registry. To do this, you must be a member of the local Administrators group, or you must have been granted the appropriate permissions.
To change the port that is assigned to RDP, follow these steps:
On the Remote Desktop server, open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK.
If the User Account Control dialog box appears, verify that the action it displays is what you want, and then click Continue.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlRemote Desktop serverWinStations
RDP-TCP is the default connection name. To change the port for a specific connection on the Remote Desktop server, select the connection under the WinStations key:
- In the details pane, double-click the PortNumber registry entry.
- Type the port number that you want to assign to RDP.
- Click OK to save the change, and then close Registry Editor.
Restart the Remote Desktop Services service
For the RDP port assignment change to take effect, stop and start the Remote Desktop Services service. To do this, you must be a member of the local Administrators group, or you must have been granted the appropriate permissions.
To stop and start the Remote Desktop Services service, follow these steps:
On the Remote Desktop server, open the Services snap-in. To do this, click Start, point to Administrative Tools, and then click Services.
If the User Account Control dialog box appears, verify that the action it displays is what you want, and then click Continue.
In the Services pane, right-click Remote Desktop Services, and then click Restart.
If you are prompted to restart other services, click Yes.
Verify that the Status column for the Remote Desktop Services service displays a Started status.
Verify that the RDP port has changed
To verify that the RDP port assignment has been changed, use the netstat tool:
On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
At the command prompt, type
netstat -a
then press Enter.Look for an entry for the port number that you assigned to RDP. The port should appear in the list and have a status of Listening.
Microsoft Remote Desktop 10 For Mac License Issue Is Preventing Coronavirus
Important
Remote Desktop Connection and the Terminal server Web Client use port 3389, by default, to connect to a Remote Desktop server. If you change the RDP port on the Remote Desktop server, you will have to modify the port used by Remote Desktop Connection and the Remote Desktop server Web Client. For more information, see Change the listening port for Remote Desktop on your computer.
Verify that the listener on the Remote Desktop server is working
To verify that the listener on the Remote Desktop server is working correctly, use any of the following methods.
Note
RDP-TCP is the default connection name and 3389 is the default RDP port. Use the connection name and port number specific to your Remote Desktop server configuration.
Method 1
Use an RDP client, such as Remote Desktop Connection, to establish a remote connection to the Remote Desktop server.
Method 2
Use the qwinsta tool to view the listener status on the Remote Desktop server:
- On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
- At the command prompt, type qwinsta, and then press Enter.
- The RDP-TCP session state should be Listen.
Method 3
Use the netstat tool to view the listener status on the Remote Desktop server:
- On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
- At the command prompt, type
netstat -a
then press Enter. - The entry for TCP port 3389 should be Listening.
Method 4
Use the telnet tool to connect to the RDP port on the Remote Desktop server:
- From another computer, click Start, click Run, type cmd, and then click OK.
- At the command prompt, type
telnet <servername> 3389
, where <servername> is the name of the Remote Desktop server, and then press Enter.
If telnet is successful, you receive the telnet screen and a cursor.
If telnet is not successful, you receive the following error message:
Connecting To servername... Could not open connection to the host, on port 3389: Connect failed
The qwinsta, netstat, and telnet tools are also included in Windows XP and Windows Server 2003. You can also download and use other troubleshooting tools, such as Portqry.
Resolution for Symptom 3
To resolve the issue, configure authentication and encryption.
To configure authentication and encryption for a connection, follow these steps:
On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
Under Connections, right-click the name of the connection, and then click Properties.
In the Properties dialog box for the connection, on the General tab, in Security layer, select a security method.
In Encryption level, click the level that you want. You can select Low, Client Compatible, High, or FIPS Compliant. See Step 4 above for Windows Server 2003 for Security layer and Encryption level options.
Note
- To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
- To open Remote Desktop Services Configuration, click Start, click Control Panel, double-click Administrative Tools, and then double-click Remote Desktop Services Configuration.
- Any encryption level settings that you configure in Group Policy override the configuration that you set by using the Remote Desktop Services Configuration tool. Also, if you enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting, this setting overrides the Set client connection encryption level Group Policy setting.
- When you change the encryption level, the new encryption level takes effect the next time a user logs on. If you require multiple levels of encryption on one server, install multiple network adapters and configure each adapter separately.
- To verify that certificate has a corresponding private key, in Remote Desktop Services Configuration, right-click the connection for which you want to view the certificate, click the General tab, click Edit, click the certificate that you want to view, and then click View Certificate. At the bottom of the General tab, the statement, You have a private key that corresponds to this certificate, should appear. You can also view this information by using the Certificates snap-in.
- The FIPS compliant setting (the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting in Group Policy or the FIPS Compliant setting in Remote Desktop server Configuration) encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140-1 encryption algorithms, using Microsoft cryptographic modules. For more information, see Terminal Services in Windows Server 2003 Technical Reference.
- The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption.
- The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client.
- The Low setting encrypts data sent from the client to the server using 56-bit encryption.
Additional troubleshooting step: Enable CAPI2 event logs
To help troubleshoot this problem, enable CAPI2 event logs on both the client and server computers. This command is shown in the following screenshot.
Workaround for the issue (You cannot completely disconnect a Remote Desktop server connection) described in Symptom 3
To work around this problem, follow these steps:
- Click Start, click Run, type gpedit.msc, and then click OK.
- Expand Computer Configuration, expand Administrative Templates, expand Windows Components, expand Remote Desktop Services, expand Remote Desktop Session Host, and then click Connections.
- In the right pane, double-click Configure keep-alive connection interval.
- Click Enabled, and then click OK.
- Close Group Policy Object Editor, click OK, and then quit Active Directory Users and Computers.
Resolution for Symptom 4
Important
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see 322756 How to back up and restore the registry in Windows.
Microsoft Remote Desktop 10 For Mac License Issue Is Preventing Mac
To resolve this problem, back up and then remove the X509 Certificate registry keys, restart the computer, and then reactivate the Remote Desktop Services Licensing server. To do this, follow these steps.
Note
Perform the following procedure on each of the Remote Desktop servers.
Make sure that the Remote Desktop server registry has been successfully backed up.
Start Registry Editor.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerRCM
On the Registry menu, click Export Registry File.
Type exported- Certificate in the File name box, and then click *Save.
Note
If you have to restore this registry subkey in the future, double-click the Exported-parameters.reg file that you saved in this step.
Right-click each of the following values, click Delete, and then click Yes to verify the deletion:
- Certificate
- X509 Certificate
- X509 Certificate ID
- X509 Certificate2
Exit Registry Editor, and then restart the server.
References
For more information about Remote Desktop Gateway, see the following articles:
If this article does not help you resolve the problem, or if you experience symptoms that differ from those that are described in this article, visit the Microsoft Support for more information. To search your issue, in the Search support for help box, type the text of the error message that you received, or type a description of the problem.
How secure is Windows Remote Desktop?
Remote Desktop sessions operate over an encrypted channel, preventing anyone from viewing your session by listening on the network. However, there is a vulnerability in the method used to encrypt sessions in earlier versions of RDP. This vulnerability can allow unauthorized access to your session using a man-in-the-middle attack.
Remote Desktop can be secured using SSL/TLS in Windows Vista, Windows 7, Windows 8, Windows 10 and Windows Server 2003/2008/2012/2016. *Some systems listed are no longer supported by Microsoft and therefore do not meet Campus security standards. If unsupported systems are still in use, a security exception is required.
While Remote Desktop is more secure than remote administration tools such as VNC that do not encrypt the entire session, any time Administrator access to a system is granted remotely there are risks. The following tips will help to secure Remote Desktop access to both desktops and servers that you support.
Basic Security Tips for Remote Desktop
1. Use strong passwords
Strong passwords on any accounts with access to Remote Desktop should be considered a required step before enabling Remote Desktop. Refer to the campus password complexity guidelines for tips.
2. Use Two-factor authentication
Departments should consider using a two-factor authentication approach. This topic is beyond the scope of this article, but RD Gateways can be configured to integrate with the Campus instance of DUO. Other unsupported by campus options available would be a simple mechanism for controlling authentication via two-factor certificate based smartcards. This approach utilizes the Remote Desktop host itself, in conjunction with YubiKey and RSA as examples.
3. Update your software
One advantage of using Remote Desktop rather than 3rd party remote admin tools is that components are updated automatically with the latest security fixes in the standard Microsoft patch cycle. Make sure you are running the latest versions of both the client and server software by enabling and auditing automatic Microsoft Updates. If you are using Remote Desktop clients on other platforms, make sure they are still supported and that you have the latest versions. Older versions may not support high encryption and may have other security flaws.
4. Restrict access using firewalls
Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389). Using an RDP Gateway is highly recommended for restricting RDP access to desktops and servers (see discussion below). As an alternative to support off-campus connectivity, you can use the campus VPN software to get a campus IP address and add the campus VPN network address pool to your RDP firewall exception rule. Visit our page for more information on the campus VPN service.
5. Enable Network Level Authentication
Windows 10, Windows Server 2012 R2/2016/2019 also provide Network Level Authentication (NLA) by default. It is best to leave this in place, as NLA provides an extra level of authentication before a connection is established. You should only configure Remote Desktop servers to allow connections without NLA if you use Remote Desktop clients on other platforms that don't support it.
Microsoft Remote Desktop 10 For Mac License Issue Is Preventing Covid 19
NLA should be enabled by default onWindows 10, Windows Server 2012 R2/2016/2019.
To check you may look at Group Policy setting Require user authentication for remote connections by using Network Level Authentication found at ComputerPoliciesWindows ComponentsRemote Desktop ServicesRemote Desktop Session HostSecurity. This Group Policy setting must be enabled on the server running the Remote Desktop Session Host role.
6. Limit users who can log in using Remote Desktop
By default, all Administrators can log in to Remote Desktop. If you have multiple Administrator accounts on your computer, you should limit remote access only to those accounts that need it. If Remote Desktop is not used for system administration, remove all administrative access via RDP, and only allow user accounts requiring RDP service. For Departments that manage many machines remotely remove the local Administrator account from RDP access at and add a technical group instead.
Click Start-->Programs-->Administrative Tools-->Local Security Policy
Under Local Policies-->User Rights Assignment, go to 'Allow logon through Terminal Services.' Or “Allow logon through Remote Desktop Services”
Remove the Administrators group and leave the Remote Desktop Users group.
Use the System control panel to add users to the Remote Desktop Users group.
A typical MS operating system will have the following setting by default as seen in the Local Security Policy:
The problem is that “Administrators” is here by default, and your “Local Admin” account is in administrators. Although a password convention to avoid identical local admin passwords on the local machine and tightly controlling access to these passwords or conventions is recommended, using a local admin account to work on a machine remotely does not properly log and identify the user using the system. It is best to override the local security policy with a Group Policy Setting.
To control access to the systems, even more, using “Restricted Groups” via Group Policy is also helpful.
If you use a “Restricted Group” setting to place your group, e.g., “CAMPUSLAW-TECHIES” into “Administrators” and “Remote Desktop Users,” your techies will still have administrative access remotely, but using the steps above, you have removed the problematic “local administrator account” having RDP access. Going forward, whenever new machines are added in the OU under the GPO, your settings will be correct.
7. Set an account lockout policy
By setting your computer to lock an account for a set number of incorrect guesses, you will help prevent hackers from using automated password guessing tools from gaining access to your system (this is known as a 'brute-force' attack). To set an account lockout policy:
- Go to Start-->Programs--> Administrative Tools--> Local Security Policy
- Under Account Policies--> Account Lockout Policies, set values for all three options. Three invalid attempts with 3-minute lockout durations are reasonable choices.
Best Practices for Additional Security
1. Do not allow direct RDP access to clients or servers from off campus.
Having RDP (port 3389) open to off campus networks is highly discouraged and is a known vector for many attacks. The options below list ways of improving security while still allowing RDP access to system.
Once an RDP gateway has been set up, hosts should be configured to only allow RDP connections from the Gateway host or campus subnets where needed.
2. Use RDP Gateways (Best Option)
Using an RDP Gateway is strongly recommended. It provides a way to tightly restrict access to Remote Desktop ports while supporting remote connections through a single 'Gateway' server. When using an RD Gateway server, all Remote Desktop services on your desktop and workstations should be restricted to only allow access only from the RD Gateway. The RD Gateway server listens for Remote Desktop requests over HTTPS (port 443) and connects the client to the Remote Desktop service on the target machine.
Utilize Campus RDP Gateway Service. This is the best option to allow RDP access to system categorized as UC P2 (formerly UCB PL1) and lower. Includes DUO integration. RDP Gateway Service is provided by the Windows Team. Documentation is available here: https://berkeley.sharepoint.com/sites/calnetad/gateway.
The RDP Gateway Service also supports the new Remote Access Services requirement of the draft MSSND update (requirement 8), which requires the use of an approved service (i.e., RDP gateway, dedicated gateway, or bSecure VPN) for access to the UC Berkeley network from the public Internet.
Dedicated Gateway Service (Managed). Needed for rdp access to systems that are UC P4 (formerly UCB PL2) or higher. Must also be configured for DUO
Some campus units use an IST managed VPS as an RD Gateway. A rough estimate might be that 30-100 concurrent users can use one RD Gateway. The HA at the virtual layer provides enough fault-tolerant and reliable access; however a slightly more sophisticated RD gateway implementation can be done with network load balancing.- Dedicated Gateway Service (Unmanaged). Installing and configuring RD Gateway on department run hardware.
There are many online documents for configuring this embedded Windows 2016/2019 component. The official documentation is here: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-se...
Installing the configuring, the role service is mostly as described; however, using a Calnet issued trusted Comodo certificate is recommended. Using a self-signed cert is ok for testing, and using a CalnetPKI cert can work if all clients have trusted the UCB root. The Comodo cert is usually better accepted so that your end users do not receive certificate warnings.
Configuring your client to use your RD Gateway is simple.The official documentation for the MS Client is here: http://technet.microsoft.com/en-us/library/cc770601.aspx
In essence, a simple change on the advanced tab of your RDP client is all that is necessary:
3. Change the listening port for Remote Desktop
Changing the listening port will help to 'hide' Remote Desktop from hackers who are scanning the network for computers listening on the default Remote Desktop port (TCP 3389). This offers effective protection against the latest RDP worms such, as Morto. To do this, edit the following registry key (WARNING: do not try this unless you are familiar with the Windows Registry and TCP/IP): HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp. Change the listening port from 3389 to something else and remember to update any firewall rules with the new port. Although this approach is helpful, it is security by obscurity, which is not the most reliable security approach. You should ensure that you are also using other methods to tighten down access as described in this article.
4. Tunnel Remote Desktop connections through IPSec or SSH
If using an RD Gateway is not feasible, you can add an extra layer of authentication and encryption by tunneling your Remote Desktop sessions through IPSec or SSH. IPSec is built-in to all Windows operating systems since Windows 2000, but use and management are greatly improved in Windows 10 (see: http://technet.microsoft.com/en-us/network/bb531150). If an SSH server is available, you can use SSH tunneling for Remote Desktop connections.
5. Use existing management tools for RDP logging and configuration
Using other components like VNC or PCAnywhere is not recommended because they may not log in a fashion that is auditable or protected. With RDP, logins are audited to the local security log, and often to the domain controller auditing system. When monitoring local security logs, look for anomalies in RDP sessions such as login attempts from the local Administrator account. RDP also has the benefit of a central management approach via GPO as described above. Whenever possible, use GPOs or other Windows configuration management tools to ensure a consistent and secure RDP configuration across all your servers and desktops.
By enforcing the use of an RDP gateway, you also get a third level of auditing that is easier to read than combing through the domain controller logins and is separate from the target machine so it is not subject to tampering. This type of log can make it much easier to monitor how and when RDP is being used across all the devices in your environment.
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.