June 14, 2013

RDP security on Win7 and Win8 (a memo)

The other day I bought a new notebook and a desktop in Hong Kong.

The notebook came with Win8; the desktop came without an OS, so I put on a Win8 image I found somewhere on the net that looked ready to use right away once restored with Ghost.

Anyway, it feels like I have suddenly been swept into a Win8 environment. lol

Since the desktop will mainly be used over RDP, I fiddled with the RDP settings, but somehow I just could not get it to work. I found a carefully written explanatory site on the net, so I am posting it on my blog as a memo. Incidentally, reading that site, changing the RDP port requires not only the registry change but also adding the port to the ones opened in the firewall. Come to think of it, it was like that back in the XP days too, but the Win7/Win8 settings differ quite a lot from XP, so it took a fair amount of effort to find.

Securing remote desktop on Windows 8 and Windows 7 – JKB: Tech & Security

This tutorial outlines a few simple steps to secure the Windows Remote Desktop Protocol on Windows 7 and Windows 8. It is divided into six parts which are independent of each other, so if you only need help with one of them you can skip straight to the part that interests you.

Part 1

Enable remote desktop and give remote access to specific user(s).

1. Open advanced system properties

Windows 8

  • Windows button + X
  • Choose “System”
  • Then choose “Advanced system settings”

Windows 7

  • Click Start
  • Right click “Computer” and choose “Properties”
  • Choose “Advanced system settings”

2. Choose the “Remote” tab

3. Under “Remote Assistance” deselect “Allow Remote Assistance connections to this computer” unless you want the option to invite other people to access your PC.

4. Under “Remote Desktop” select:

  • Windows 8: “Allow remote connections to this computer” and also tick the box “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”
  • Windows 7: “Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)”. Notice: requiring NLA prevents older clients from connecting (Windows 2000, Windows XP and Windows Server 2003), since those systems do not support it out of the box.

5. Under “Remote Desktop” click “Select Users…” and click “Add”. Type in your username, click “Check Names” and confirm with OK. This adds the account to the local Remote Desktop Users group, which is what grants it the right to connect using remote desktop.

6. Close System properties and return to the desktop.

Part 2

Configuring the local security policy for remote desktop

1. Press Windows button + R to bring up the Run dialog
2. Type in secpol.msc and press Enter
3. Under Security Settings expand “Local Policies”
4. Click on “User Rights Assignment”
5. Double click “Allow log on through Remote Desktop Services”
6. Remove “Administrators” from this window and click OK, leaving only “Remote Desktop Users”. This way only members of the Remote Desktop Users group will be able to access this PC remotely, and being a local administrator no longer implies remote access on its own. We added our user to this group in Part 1 step 5; make sure that account really is a member before you remove Administrators, or you will lock yourself out of remote desktop.

7. Under Local Policies (in the folder tree to the left) click on “Audit Policy”, then open “Audit logon events”. Check both Success and Failure and click OK. Our machine will now log every logon attempt, whether it comes via remote desktop, over the network, or at the console of the machine itself. The logs can be checked in the Windows Event Viewer (right click Computer, click Manage, expand “Event Viewer”, “Windows Logs” and choose “Security”). On Windows 7 and 8 a successful logon is event ID 4624 and a failed one is 4625; an interactive remote desktop logon shows Logon Type 10, while an attempt rejected at the NLA stage is recorded as a network logon (Logon Type 3), so look at both when checking for password guessing.

8.  You can now close the Local Security Policy window.

Part 3

Configuring advanced remote desktop settings

1. Open the Run dialog (Windows button + R)
2. Type gpedit.msc and press Enter
3. Go down the following path in the tree hierarchy: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host
4. Choose “Security”
5. Open “Set client connection encryption level”, set to Enabled, choose “High Level” and click OK
6. Open “Always prompt for password upon connection”, set to Enabled and click OK
7. Open “Require secure RPC communication”, set to Enabled and click OK
8. Open “Require use of specific security layer for remote (RDP) connections”, set to Enabled and select “SSL (TLS 1.0)” in the drop down menu; this forces the TLS security layer instead of the legacy RDP security layer. Click OK
9. Open “Require user authentication for remote connections by using Network Level Authentication”, set to Enabled, and click OK.

Part 4

How to change the remote desktop port number.

The reason for this change is that most would-be attackers port scan ranges of IP addresses looking for port 3389. For a normal consumer the threat model is kids having a play, or someone who will do damage if they happen to gain access; a targeted attack on a home machine is unlikely for most people. Bear in mind that this is obscurity, not a security control: a scanner that probes every port, or that inspects the service banner, will still find the listener, so the port change complements the NLA and logon restrictions in Parts 1 to 3 rather than replacing them.

To change the standard port number of 3389 to one of our choosing we need to open the registry editor.

Choosing a port number: pick a port that is not already in use on the machine (netstat -an lists the ports currently listening) and stay out of the range 49152 to 65535, which Windows uses for its own outgoing connections; anything else up to 65535 works, and a number of 8000 or above keeps you clear of the well-known service ports that scanners check first.

1. Windows + R

2. Type regedit and press Enter

3. Drill down the registry to the following to RDP-TCP:

  • HKEY_LOCAL_MACHINE>
  • SYSTEM>
  • CurrentControlSet>
  • Control>
  • Terminal Server>
  • WinStations>
  • RDP-Tcp

4. In the window on the right hand side you will see an entry called “PortNumber”

Tip: Click in the window on the right and type “PO” on the keyboard to jump to it.

5. Double click this entry and choose “Decimal” as the Base and type in your desired port number, click ok


Part 5

Allowing the new port number through the windows firewall.

Open up the Windows Firewall either from the Control Panel or via the search box

Windows 8: Windows button + W and search for “Windows Firewall”

Windows 7: Press Start and type “Windows Firewall” in the search box

1. Click “Advanced settings” in the Windows Firewall dialog window
2. Select “Inbound Rules” in the pane to the left
3. Select “New Rule…” in the pane to the right
4. Select “Port”
5. Select “TCP” and “Specific local ports” and type in the port number you chose in Part 4
6. Click Next
7. Make sure “Allow the connection” is selected, click Next
8. In “When does this rule apply?”, tick Domain and Private; tick Public only if you really need remote desktop reachable while the machine is on a network you have classified as public. Click Next
9. Give the rule a name. I chose “RDP Custom port number”. I also gave it a short description so I know what I have done.
10. Click Finish
11. Restart your computer (or just the Remote Desktop Services service) to complete the port change. The built-in Remote Desktop rule still allows port 3389; nothing listens there after the change, so you can leave it or disable it.

IMPORTANT: To reach the machine from the internet you must forward your chosen port number through your router to the desired PC, so give your desktop a static internal IP address (or a DHCP reservation). Remember that a forwarded port exposes the RDP listener to the whole internet; if your router offers a VPN, connecting through it and keeping RDP internal is the safer option.

Part 6

Connecting to your PC via remote desktop

1. Open the Remote Desktop Connection utility (mstsc). In the “Computer” field type in the IP address and the port number, separated by a colon, like this:

  • IP:PORT – 192.168.1.2:1111
  • If you are outside your internal LAN you will need to use your external IP address (the one the port was forwarded on) instead of your internal IP address

That’s it. I hope you feel more secure now when connecting using the Microsoft Remote Desktop Protocol.

Jack.
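The whole procedure from Parts 1 to 6 as a single script, added here as an example; it is not part of Jack's tutorial or of this blog. It assumes an elevated PowerShell prompt on Windows 7 or Windows 8 run at the console (not over RDP, because the service restart at the end drops every remote session), a local account named alice (an assumption; use your own) and 13389 as the new port (also an assumption). The gpedit settings of Part 3 are written as the registry policy values the Group Policy editor itself sets; the "Allow log on through Remote Desktop Services" right of Part 2 is applied with a secedit template, and netsh is used for the firewall rule because it works on both versions.

```powershell
# Added example, not the tutorial's own code. Run from an elevated PowerShell prompt at the console.
$RdpUser = 'alice'   # assumption: the local account that may connect over RDP
$RdpPort = 13389     # assumption: the new listening port chosen in Part 4

$tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = "$tsRoot\WinStations\RDP-Tcp"
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Part 1: turn Remote Assistance off, enable Remote Desktop with NLA, add the user to the group.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -Name fAllowToGetHelp -Value 0 -Type DWord
Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
net localgroup 'Remote Desktop Users' $RdpUser /add | Out-Null

# Part 2: give "Allow log on through Remote Desktop Services" to Remote Desktop Users
# (SID S-1-5-32-555) only, which drops Administrators; then audit logon success and failure.
$inf = Join-Path $env:TEMP 'rdp-rights.inf'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-555
'@ | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db "$env:TEMP\rdp-rights.sdb" /cfg $inf /areas USER_RIGHTS | Out-Null
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

# Part 3: the five gpedit settings are stored as DWORD policy values under $tsPolicy.
if (-not (Test-Path $tsPolicy)) { New-Item -Path $tsPolicy -Force | Out-Null }
$policy = @{
    MinEncryptionLevel = 3   # "High Level" encryption
    fPromptForPassword = 1   # always prompt for password upon connection
    fEncryptRPCTraffic = 1   # require secure RPC communication
    SecurityLayer      = 2   # security layer "SSL (TLS 1.0)"
    UserAuthentication = 1   # require NLA
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $tsPolicy -Name $name -Value $policy[$name] -Type DWord
}

# Part 4: move the listener off 3389.
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $RdpPort -Type DWord

# Part 5: allow the new port inbound on the Domain and Private profiles only
# (netsh works on Windows 7 and 8; New-NetFirewallRule exists only from Windows 8 on).
netsh advfirewall firewall add rule name="RDP Custom port number" dir=in action=allow protocol=TCP localport=$RdpPort profile=domain,private | Out-Null

# The new port is picked up when the service restarts (a reboot works too). This ends all RDP sessions.
Restart-Service -Name TermService -Force

# Check: the listener must now be on the new port and nothing should be left on 3389.
netstat -ano | Select-String -Pattern 'LISTENING' | Select-String -Pattern ":$RdpPort\s|:3389\s"

# Part 6: connect with the port appended to the address, e.g. from another machine on the LAN:
#   mstsc /v:192.168.1.2:13389
```

The netstat line at the end is the check worth keeping: if it still shows `:3389` in LISTENING state, the service did not restart, and if it shows nothing at all for the new port, the registry write did not take. The gpedit console will show the Part 3 settings as Enabled after this runs, because it reads the same policy key.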



Written by カガヤキ in: Windows 7, Windows 8, PC, Miscellaneous
May 28, 2013

How to completely delete the Remote Desktop Protocol connection history

I use Remote Desktop a lot, but sometimes I am on a public PC or just do not want to leave a record behind, so I wanted to wipe the history of RDP connections cleanly. Searching the net, I found there is even a bat file for it, so I am posting it on my blog as a memo.

rem Clear the MRU list of servers the Remote Desktop client has connected to
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
rem Delete the hidden Default.rdp (last connection settings); the folder name differs between XP and Vista/7
del /a:h "%USERPROFILE%\My Documents\default.rdp"
del /a:h "%USERPROFILE%\Documents\default.rdp"
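A PowerShell version of the cleanup, added here as an example and not the batch file from the post. It lists what the Remote Desktop client has stored before removing it, and it also covers the Servers subkey, which keeps one entry per host with a UsernameHint value and which the batch file's reg delete on the Default key leaves behind. Everything lives under HKCU and in the user's own Documents folder, so no elevation is needed; the script sticks to PowerShell 2.0 syntax so it runs on a stock Windows 7.

```powershell
# Added example, not the post's batch file. Lists and then removes the Remote Desktop
# client traces of the current user: MRU* values under Terminal Server Client\Default,
# the Servers\<host> subkeys with their UsernameHint, and the hidden Default.rdp.
$tsc  = 'HKCU:\Software\Microsoft\Terminal Server Client'
$docs = [Environment]::GetFolderPath('MyDocuments')   # "My Documents" on XP, "Documents" on Vista and later

function Get-RdpClientTraces {
    # Return one object per stored trace so you can review them before deleting.
    $traces = @()
    $default = Get-Item -Path "$tsc\Default" -ErrorAction SilentlyContinue
    if ($default) {
        foreach ($name in ($default.GetValueNames() | Where-Object { $_ -like 'MRU*' })) {
            $traces += New-Object PSObject -Property @{ Kind = 'MRU'; Name = $name; Value = $default.GetValue($name) }
        }
    }
    foreach ($server in (Get-ChildItem -Path "$tsc\Servers" -ErrorAction SilentlyContinue)) {
        $traces += New-Object PSObject -Property @{ Kind = 'Server'; Name = $server.PSChildName; Value = $server.GetValue('UsernameHint') }
    }
    $rdp = Join-Path $docs 'Default.rdp'
    if (Test-Path -Path $rdp) {
        # Default.rdp is a hidden file, so Get-Item needs -Force to see it.
        $traces += New-Object PSObject -Property @{ Kind = 'File'; Name = $rdp; Value = (Get-Item -Path $rdp -Force).Length }
    }
    return $traces
}

function Clear-RdpClientTraces {
    $default = Get-Item -Path "$tsc\Default" -ErrorAction SilentlyContinue
    if ($default) {
        foreach ($name in ($default.GetValueNames() | Where-Object { $_ -like 'MRU*' })) {
            Remove-ItemProperty -Path "$tsc\Default" -Name $name
        }
    }
    Remove-Item -Path "$tsc\Servers" -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item -Path (Join-Path $docs 'Default.rdp') -Force -ErrorAction SilentlyContinue
}

Get-RdpClientTraces | Format-Table Kind, Name, Value -AutoSize
Clear-RdpClientTraces
# After clearing, this second listing should print nothing.
Get-RdpClientTraces | Format-Table Kind, Name, Value -AutoSize
```

Run the listing on its own first on a shared machine: the Server entries show which hosts the account has been used against and under which user name, which is exactly the information a later user of the same account would otherwise pick up from the connection dialog.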


Written by カガヤキ in: Windows 7, PC, Miscellaneous
December 30, 2009

Windows 7 Starter: the restrictions are laughable

Yesterday, after using Windows 7 Starter on my newly bought HP mini 110 for a while, I noticed something odd.
I wanted to set a photo I had taken with my digital camera and liked as the desktop background, but no matter how many times I set it, the background did not change at all. I was puzzled whether the problem was my PC or the OS.
Searching the net, I found that Windows 7 Starter has this frightening restriction. (shock)

Listing the features Windows 7 Starter does not have:

  • Aero Glass display: translucent title bars, Flip 3D and Aero Peek (taskbar previews).
  • Customization of wallpaper, window colours, sounds and so on.
  • Multi-monitor support
  • DVD playback
  • Windows Media Center
  • Remote media streaming (one of Windows 7's selling points)
  • Domain support for business use
  • XP Mode for compatibility with old applications

Well, sure, Windows 7 Starter does give a beginner's impression, so it is no surprise that it lacks a lot of features, but not even being able to set the wallpaper, isn't that just too cute? Aren't they doing it to push upgrades for the sake of sales? Also, Windows 7 honestly feels much heavier to operate than Windows XP. A while ago I thought that going back to Windows XP would waste the Windows 7 license, but a license for this crappy Windows 7 Starter I would rather throw away as soon as possible. Anyway, first I will gather the drivers for my netbook HP mini 110 1160TU from HP's official site, and then put it back to Win XP SP3.



December 29, 2009

HP Mini 110-1160TU

After buying this HP mini 110 1160TU in Hong Kong the other day, various things came up and I could not test it right away, so this time I finally gave the netbook a proper try.
When buying a netbook I was torn between the Samsung N140 and the HP mini 110. The Samsung's battery lasts long, but its support seemed complicated, so several friends advised me to go with the HP mini 110 after all. Indeed, the HP mini's easy-to-type keyboard and its high 1366 x 768 resolution caught my attention.
Incidentally, Windows 7 is quite popular lately, so I bought the Windows 7 version of the HP mini.
Actually using the HP mini, the battery really drains very quickly. I mean, even just viewing photos normally it seemed to last only about two hours. On top of that, maybe because of Windows 7, operation feels extremely sluggish. I am thinking of just putting XP back on myself, but the Windows 7 license would be a waste, so I am a bit torn.
It is common knowledge that Windows Vista is heavy, and Windows 7 is supposed to be much improved, but having used Windows 7, it does not look that way at all.



July 5, 2009

First experience with Windows 7

The previous OS on my younger sister's self-built PC had broken and the system had to be reinstalled. As it happened I had just got hold of Windows 7, so I used my sister's PC as a guinea pig for my first experience with Windows 7. Alright, this is the screen right after installing the OS.

As expected of Windows 7: once the OS was installed, audio, video, wireless Wi-Fi, Bluetooth, in short every driver was already installed. They must have put a lot of work into the driver database.

Screenshot of the basic system information; to protect my privacy I crudely blacked out some of the details. ^^;
