User:Mjb/Setting up Remote Desktop
It's easy to set up Remote Desktop so that you can control your Windows computer from another computer.
Compatibility
Server
The server is called Remote Desktop Services, or (prior to XP), Terminal Services. Other names for it include Remote Desktop Server and RDP Server. RDP stands for Remote Desktop Protocol.
These OSes cannot accept incoming Remote Desktop connections:
These OSes can accept incoming Remote Desktop connections, if it is enabled:
Windows 7 Home Premium can accept incoming Remote Desktop connections as a side effect of applying an unofficial patch to modify Remote Desktop functionality, but there will be no GUI for configuring the service; configuration has to be done through the registry. The unofficial patch, which I have not tried, is called Concurrent RDP Patcher. It has two main features: 1. It can make it so that if someone is already logged on via Remote Desktop, a second incoming Remote Desktop connection can bump them off (normally the second connection isn't allowed); and 2. It can allow Remote Desktop login with a blank password, which sounds like a really dumb idea.
Client
The client is called Remote Desktop Connection (RDC), or (prior to XP), Microsoft Terminal Services Client. Most people call it Remote Desktop Client.
Most versions of Windows (95 and newer, except Windows Phone) either come with a client, or one can be downloaded from Microsoft. An official client is available for Mac OS X as well.
Client features vary by version and by the server version being connected to. Newer servers can be configured to require Network Level Authentication, which locks out older clients.
Basic server setup
- Go to Remote Settings (it's in the System Properties, e.g. right-click on My Computer and go to Properties).
- Choose one of the "Allow connections..." settings for Remote Desktop. If you choose Network Level Authentication, it will probably lock out non-Win7 clients (see below).
- Click Apply or OK.
That's all you need to get it going. Try logging in from a Remote Desktop client elsewhere.
Extra security
Require Network Level Authentication
In the Remote Settings configuration, you choose whether to allow only connections from computers running Remote Desktop with Network Level Authentication, which is a feature of Remote Desktop Client 6.0 and up. It generally means that the client must be running on Windows 7 and up. However, Microsoft makes updated clients available for Vista and XP, so you can still connect from those OSes as long as you use the updated client. To get Network Level Authentication working in the client on XP, you have to enable the CredSSP service.
After applying the April 2013 update KB2813347 (Remote Desktop client update for vulnerability MS13-029), I could no longer connect a client from Windows 7 Starter to a server on Windows 7 Professional without reconfiguring the server to not require Network Level Authentication. I had installed the update on both systems. I haven't yet investigated further.
Change the listening port
For extra security, I suggest changing the listening port. Details are in a Microsoft Knowledge Base article, but basically you just run Regedit, go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, and enter the port number in the PortNumber value. The change will take effect after the next reboot. Don't forget to create a custom rule in Windows Firewall to allow TCP traffic inbound on that port. You can disable all the other Remote Desktop rules; they are for the default port. Of course, you will need to make sure that you include the port number after the computer hostname in the client's logon settings, like the.remote.host:12345.
Temporarily prevent login after too many failed attempts
I also suggest setting an account lockout threshold in the Local Group Policy Editor > Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy. When you enter a threshold, it will suggest 30 minutes for the other values; this is good. This will make brute-force attacks difficult. I set mine to 5, which should be enough retries for a real person who just can't remember or is fat-fingering their password.
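The three "Extra security" steps above (require NLA, move the listening port and open it in the firewall, set the lockout threshold), scripted as an added example that is not part of the original page. It assumes an elevated PowerShell prompt on the server; port 12345 is a placeholder, and netsh is used for the firewall so the same commands work on Windows 7.

```powershell
# Added example: applies this page's "Extra security" steps from an elevated
# PowerShell session. Port 12345 is a placeholder; choose an unused high port.
$NewPort = 12345
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Require Network Level Authentication. UserAuthentication = 1 is the same
#    setting as "Allow connections only from computers running Remote Desktop
#    with Network Level Authentication" in Remote Settings.
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord

# 2. Change the listening port. Remote Desktop Services reads PortNumber at
#    startup, so this takes effect after the next reboot.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# 3. Firewall: allow the new port inbound, then disable the built-in
#    "Remote Desktop" rule group, which only covers the default port 3389.
#    If you are doing this over RDP, run it from the console or leave the
#    built-in group enabled until you have confirmed the new port works.
netsh advfirewall firewall add rule name="Remote Desktop (custom port $NewPort)" `
    dir=in action=allow protocol=TCP localport=$NewPort
netsh advfirewall firewall set rule group="remote desktop" new enable=no

# 4. Account lockout: 5 failed attempts locks the account for 30 minutes, and
#    the failed-attempt counter resets after 30 minutes (the values the Local
#    Group Policy Editor suggests). net accounts also works on editions
#    without gpedit.msc.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Verify what was written. The lockout settings show under "net accounts".
Get-ItemProperty -Path $RdpKey | Select-Object PortNumber, UserAuthentication
net accounts

# After the reboot, confirm the service is listening on the new port
# (and no longer on 3389) before relying on it from a remote client.
netstat -an | Select-String -Pattern ":$NewPort\s", ':3389\s'
```

Remember to append the port to the hostname in the client, e.g. the.remote.host:12345, once the server has rebooted.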