3 Replies
· · ·
Poblano
OP
Dec 20, 2018 at 12:58 UTC
Computer Configuration -> Policies -> Windows Settings -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections Allow users to connect remotely by using Remote Desktop Services to Enable.
1
· · ·
Cayenne
OP
Dec 20, 2018 at 15:57 UTC
So, what you're saying is you're trying to make your company vulnerable to SAMSAM? Because that's how you get SAMSAM [opening RDP on WAN].
I would recommend a different solution - but I would also check with your organization's policy on remote access from non-company devices, as this is almost always explicitly forbidden. If you are permitted to access this way, you should do so securely, either using VPN and RDP, or a remote client that uses a 3rd party service to manage connections that use SSL and doesn't require making holes in your firewall. Chrome remote desktop is a good free one. There are a ton of topics and discussions here on remote access options.
In a situation where you MUST open RDP over a WAN and have no other option, at a minimum it should be IP whitelisted - aka only specific IPs you trust should be allowed to make the connection.
0
· · ·
Mace
OP
Dec 20, 2018 at 16:01 UTC
Microsoft Remote Desktop Services expert
50 Best Answers
207 Helpful Votes
RDP open to the world, even on an alternate port, is a horrible idea.
That said,fdenytsconnections should be set to 0, not 1 but your group policy restriction is going to override that.
0
This topic has been locked by an administrator and is no longer open for commenting.
To continue this discussion, please ask a new question.
What is Remote Desktop Group Policy
Almost all users who are interested in building safe connections between computers on the internet might have heard about RDP or VPN. RDP stands for the Remote Desktop Protocol. It is a network of communications protocol developed by Microsoft, to allow users to connect to another computer.
With RDP, one can connect to any computer that runs Windows. With RDP, you can connect to the remote PC, view the same display and interact as if you are working on that machine locally.
Some instances where you may need to use RDP include;
- When traveling or when on vacation and you need to access your work computer
- When you can’t go to your office due to certain reasons and you still need to fulfill your daily tasks
- When you are a system admin and you need to perform administrative duties on your PC such as computer troubleshooting, tune-up, ID protection setting, printer set-up, software installation, email setup, virus and spyware removal, among others.
- When you need to give a demo and you need to access data from a private device
- When you want to personalize your remote desktop on experiences such as resolution, connection setting, screen setting, toolbar, start menu, icons among others.
How to Enable Remote Desktop Remotely on Windows 10
The easiest way to enable Remote Desktop on the Windows operating system family is to use a Graphical User Interface [GUI]. To do this, you need to;
Open the “System” control panel, go to “Remote Setting” and enable the “Allow remote connection to this computer” option in the Remote Desktop section.
However, performing the above process will need local access to the computer on which you want to enable the RD.
By default, remote desktop is disabled in both desktop versions of Windows and in Windows Server.
How to Enable Remote Desktop Remotely Using PowerShell
Suppose you want to remotely enable RDP on Windows Server 2012 R2/2016/2019. Here is the procedure to achieve the same;
- On your computer, open the PowerShell console and run the following commands to connect to your remote server.Enter-PSSession -ComputerName server.domain.local -Credential domain\administrator.
- You will have established a remote session with a computer and now you can execute PowerShell commands on it. To enable Remote Desktop, you need to change registry parameter fDenyTSConnections from 1 to 0 on the remote machine. Run the command;Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
- When RDP is enabled this way [as opposed to GUI method] the rule that allows remote RDP connections is not enabled in the Windows Firewall rules.
- To allow incoming RDP connections in Windows Firewall, run the command;Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
- If for some reason the firewall rule is deleted, you can create it manually using the following commands.netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
- In case you need to allow secure RDP authentication [NLA – Network Level Authentication] run the command;Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1
- Now from your computer, you can check the TCP 3389 port on the remote host to see if it has become available. To do so, run the command below’Test-NetConnection 192.168.1.11 -CommonTCPPort RDP.
- If successful, you should get results similar to what is shown below’
The above results mean RDP on the remote host is enables and you can establish a remote desktop connection using mstsc client.
How to Enable/Disable Remote Desktop Using Group Policy
You can enable or disable remote desktop using group policy. To do so, perform the following steps
- Search gpedit.msc in the Start menu. In the program list, click gpedit.msc as shown below;
- After Local Group Policy Editor opens, expand Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections.
- On the right-side panel. Double-click on Allow users to connect remotely using Remote Desktop Services. See below;
- Select Enabled and click Apply if you want to enable Remote Desktop. Select Disabled and click Apply if you need to disable it.
Now you will have enabled or disabled remote desktop using group policy
Network Level Authentication NLA on the remote RDP server
Network Level Authentication is a method used to enhance RD Session Host server security by requiring that a user be authenticated to RD session Host Server before a session can be created.
If you want to restrict who can access your PC, you can choose to allow access only with Network Level Authentication [NLA]. NLA is an authentication tool used in RDP Server. When a user tries to establish a connection to a device that is NLA enabled, NLA will delegate the user’s credentials from the client-side Security Support Provider to the server for authentication, before creating a session.
The advantages of Network Level Authentication is;
- It requires fewer remote computer resources initially.
- It can provide better security by reducing the risk of denial of service attacks.
To configure Network Level Authentication for a connection, follow the steps below.
- On the RD Session Host Server, open Remote Desktop Session Host Configuration. To do so, click Start>>Adminstrative Tools1>>Remote Desktop Services>> Remote Desktop Session Host Configuration.
- Under Connections, right-click the name of the connection and then click Properties.
- On the General tab, select Allow the connection only from computers running Remote Desktop with Network Level Authentication checkbox
- Click OK
Note, under step 3, if the “Allow connections only from computers running a remote desktop with network-level authentication” checkbox is not enabled, the “Require user authentication for remote connections by using network-level authentication” Group Policy setting has to be enabled, and has been applied to the RD Session Host Server.
Resolving the Issue Using Group Policy Editor
Unfortunately, this option is only available to Windows 10 Pro and Enterprise users, Home users can skip this section.
The solution to this problem can be found in the Group Policy Editor, but you’ll need to launch this utility with administrative privileges.
- To do so, click the Start Menu and type gpedit.msc. The top result should be the Local Group Policy Editor as shown in the screenshot below.
- Right-click on the gpedit.msc result and selectRun as Administrator.
- In the Group Policy Editor, use the hierarchical list of options on the left side of the window to navigate toComputer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds.
- WithData Collection and Preview Builds selected, you’ll see an option labeledAllow Telemetry on the right side of the window. Double-click it to change its options.
- At the top of the Allow Telemetry options window, clickEnabled. Don’t freak out, privacy advocates. This is a temporary change and we’ll soon turn Windows 10 telemetry back off.
- With Telemetry Enabled, click the drop-down box in the Options section and choose 3 – Full.
- ClickOK to save your changes and close the window. Next, double-clickAllow Telemetry in the Group Policy Editor again to bring the same configuration window back up.
- This time, selectNot Configured instead of “Enabled.” Finally, clickOK to save the change and close the window. You can also now quit the Group Policy Editor.
- Now head back to a location where you previously encountered the “Some settings are managed by your organization” message. You should see that the message is now gone and that you have full access to your Windows 10 settings.
Note, however, that this fix is intended for individually-owned consumer PCs. If your Windows 10 PC or license is owned by your company or organization [or was initially set up that way], there will be other settings which will continue to limit your access to certain functions and you shouldn’t change Group Policy settings without consulting your IT administrator.
Try this fix:
The easy solution to fix the error is to change the privacy settings on your Windows 10.
Step 1]
On your keyboard, press theWindows logo key
Step 2]
Type gpedit.mscin the box and pressEnter.
Note: If you’re Windows Home User, you may not have gpedit.msc [Local Group Policy Editor], but not to worry. Just follow the steps to add it to your computer.
1] Download gpedit.msc[Group Policy Editor] from Internet.
2] When it’s done, Go to C:\Windows\SysWOW64, and copy the followings:
folders: GroupPolicy
GroupPolicyUsers
gpedit.msc[console document]
3] Paste them in the following locations:
C:\Windows\System
C:\Windows\System32
Step 3]
On the pop-up window, head to Computer Configuration > Administrative Templates > Windows Components.
Step 4]
Scroll down on the Windows Components section, find and click onData Collection and Preview Builds.
Then double-click on Allow Telemetry on the right pane.
Step 5]
Tick onEnabledand choose3-Fullfrom the drop-down menu.
Then click Apply >OK to save the settings.
Now you should see that the message is now gone and that you have full access to your Windows 10 settings.