Remote Desktop Protocol (RDP)

Overview

RDP (Remote Desktop Protocol) is a network communications protocol developed by Microsoft, which allows users to connect to another computer from a remote location.

Using mstsc

To connect to a session in full-screen mode, type:

mstsc /v:computer1 /f

Using /admin and /restrictedAdmin

Connecting to a workstation with Remote Desktop will disconnect any existing session. The /admin flag allows us to connect to the admin session, which does not disconnect the current user if we perform the login with the same user.

Connects you to a session for administering the server.

mstsc /v:computer1 /f /admin

Connecting to a workstation with /restrictedAdmin won't send your credentials to the remote PC. This mode won't send your credentials to the remote PC, which can protect you if you connect to a compromised device. Connections made from the remote PC might not be authenticated by other PCs, which impact application functionality and compatibility. The /admin parameter is implied. Microsoft introduced RDP with restricted admin mode, which allows system administrators to perform a network login with RDP.

When we supply this argument, the current login session is used to authenticate the session.

Restricted admin mode is disabled by default.

We can enable this through the DisableRestrictedAdmin registries at the following path:

HKLM:\System\CurrentControlSet\Control\Lsa

Command examples

RDP manament through WMI

Checking if RDP is allowed.

AllowTSConnections(0 – disable, 1 – enable)

Enabling AllowTSConnections (RDP) through WMI

Disabling AllowTSConnections (RDP) through WMI

Restricted admin

Using restricted admin to perform pass the hash.

Disabling restricted admin through registries.

Enabling restricted admin through registries

Base64 encoded:

References

LogomstscMicrosoftLearn
PreviousWindows Lateral MovementNextPowerShell Remoting (PS Remote)

Last updated