Not all system administrators feel comfortable on the command line, and most system administrators don’t feel comfortable behind the console of their servers in their air-conditioned and windowless (no pun intended) server rooms for longer periods of time.
I believe it’s time to look at the ways you can remotely manage your Server Core boxes. These ways allow you to manage your Server Core machines from the comfort of your own office (or cubicle) or home. The only restriction is that you’re granted only one simultaneous Remote Desktop session (instead of two in the Full installation).
In early versions of Windows Server Codename “Longhorn” and Windows Server 2008 the standard password for your administrator account would be blank. While some qualify this behavior as secure (provided certain requirements are met), others might not. It’s an ongoing discussion, really.
One thing is obvious though. Keeping it blank will keep your server unmanageable remotely, since accounts with a blank password cannot be used as a network credential.
In recent versions of Windows Server 2008 you’re forced to change the password at first logon and the firewall is enabled by default. This should ensure your Server Core box is safe from the network until you touch it. Remember this.
Remote Desktop is one of the most commonly used ways to remotely manage Windows Servers nowadays in environments without delegation. Although Server Core doesn’t utilize explorer.exe as its shell and doesn’t offer the Computer Properties screen to enable Remote Desktop or to select the users allowed to connect to the server through Remote Desktop, Server Core does offer Remote Desktop.
Enabling Remote Desktop
From the command line
To enable Remote Desktop you can use the SCregEdit.wsf script in the System32 subfolder of your Windows folder. Simply type the following command:
cscript SCregEdit.wsf /AR 0
This command will also automatically create the Firewall exception for you. This makes using SCregEdit.wsf the preferred method for enabling Remote Desktop for lazy admins.
Using the registry
Remote Desktop can also be enabled using the Registry. To enable it, change the data of the DWORD registry value fDenyTSConnections from 1 to 0. This value is located in the Registry in the following location:
Changing this value will not automatically open up the firewall to allow Remote Desktop traffic (this might even be what you want if you have high standards). Take a look here to open up the firewall to allow RDP traffic to and from specific subnets and for other advanced firewall options.
You need to restart your Server Core box before you can actually use Remote Desktop when you enable it this way. On the other hand, you can use this method to enable Remote Desktop remotely, which might save you a nice bit of much dreaded exercise walking up and down to the server room.
You can also enable Remote Desktop using Group Policy Objects in your Active Directory environment, which might be useful when you want to enable Remote Desktop on loads of Windows Servers.
To enable Remote Desktop using a Group Policy, first open the Group Policy Object. Browse down Computer Configuration, Administrative Templates, Windows Components until you reach Terminal Services. Double-click the Allow users to connect remotely using Terminal Services setting and select Enabled.
Setting a Group Policy will not automatically or immediately allow you to Remote Desktop to your Server Core box. First of all your Server Core firewall will not allow you to talk to your Server Core box on TCP port 3389 until you open it up. Secondly, you’ll have to wait until the Group Policy Background Refresh has taken place (90 minutes by default) or issue the following command on the console of your Server Core box:
Filtering the use of Remote Desktop
Filtering can be done in two ways:
- On IP addresses using Firewall rules
- On accounts allowed to use Remote Desktop
On IP addresses
The first way is based upon the Windows Firewall with Advanced Security. When you use netsh in the advfirewall context you can specify the remoteip for which you want to enable the Remote Desktop rule group. You can use the following command:
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes remoteip=Context
Where Context might for instance be localsubnet or any.
Configuring Remote Desktop can also be done by selecting the users that are allowed to use Remote Desktop. While the Administrator account is allowed by default, you might want to enable other users to use Remote Desktop. This is configured through membership of the Remote Desktop Users local group on the Server Core box. You can add users to the local group using the command-line tool net localgroup or using a Group Policy Object.
Inside a Group Policy Object browse to the Computer Configuration, then Windows Settings and Security Settings, until you reach Restricted Groups. Right-click Restricted Groups and then click Add Group.
Type Remote Desktop Users in the Enter the object names to select text box and then click Check Names. Or, click Advanced, and then click Find Now to list all available groups. Click the Remote Desktop Users group and then click OK. Click OK in the Add Groups dialog box to close it. The Remote Desktop Users Properties dialog box is then displayed. Click Add in the Members of this group section of the dialog box. Don’t forget to add Administrator, since a Restricted Group will delete the memberships already in the group. Click OK twice to close the open screens.
Securing Remote Desktop
Luckily, in Windows Server 2008 Remote Desktop is configured by default to negotiate encryption with the client; if both sides support it, the traffic between the server and the administrator’s PC is encrypted, so malicious users won’t be able to sniff important keystrokes.
When the people you want to allow to connect to your Server Core box are using previous versions of the Remote Desktop program (older thin clients are notorious), you need to configure Windows Server 2008 to allow these clients. Microsoft introduced a new Credential Security Service Provider (CredSSP) in Windows Vista and Windows Server 2008, but the old clients won’t work with it, because it’s more restrictive. Effectively you enable the old way of User Authentication for Terminal Services. If you can avoid it, that would be best.
To allow older clients and therefore disable CredSSP for Terminal Services, type the following command on the console of your Server Core box:
cscript SCregEdit.wsf /CS 0
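The filtering and securing sections above each change one setting on the box; the following PowerShell audit, added here as an example and not part of the original post, reads them all back so you can verify the end state: whether Remote Desktop is enabled, whether CredSSP is still required, which addresses the built-in Remote Desktop firewall rule accepts, and who is in Remote Desktop Users. It assumes local execution with administrative rights on a Server Core box that has PowerShell available (2008 R2 or later; the original 2008 Server Core lacked it); the registry paths are the standard Terminal Server locations, which the post itself does not spell out, and the rule name "Remote Desktop (TCP-In)" is the built-in rule in the Remote Desktop group.

```powershell
# Added audit example (not from the original post). Standard Terminal Server registry
# locations; the post refers to the fDenyTSConnections value without giving the path.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpUsersGroupMembers {
    # Parse 'net localgroup' output (available on Server Core): members are listed
    # between the dashed separator and the "The command completed ..." trailer.
    $out = net localgroup "Remote Desktop Users" 2>$null
    $inList = $false
    foreach ($line in $out) {
        if ($line -match '^-{5,}$') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) { $line.Trim() }
    }
}

function Get-RdpAudit {
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey

    # Built-in rule of the "Remote Desktop" group that the netsh command above scopes.
    $rule = netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
    $remoteIp = ($rule | Select-String '^RemoteIP:' | Select-Object -First 1).Line -replace '^RemoteIP:\s*', ''

    [pscustomobject]@{
        # fDenyTSConnections 0 = enabled (what 'SCregEdit.wsf /AR 0' writes)
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        # UserAuthentication 1 = CredSSP required; 0 = legacy clients allowed ('/CS 0')
        CredSspRequired      = ($rdp.UserAuthentication -eq 1)
        # 'Any' means the rule is not restricted to a management subnet
        FirewallRemoteIp     = $remoteIp
        FirewallScoped       = [bool]($remoteIp -and $remoteIp -ne 'Any')
        RemoteDesktopUsers   = @(Get-RdpUsersGroupMembers)
    }
}

$audit = Get-RdpAudit
$audit | Format-List
if (-not $audit.CredSspRequired) { Write-Warning 'Legacy (pre-CredSSP) RDP clients are allowed.' }
if (-not $audit.FirewallScoped)  { Write-Warning 'Remote Desktop rule accepts connections from any address.' }
```

If the rule has been renamed or removed, FirewallRemoteIp comes back empty and FirewallScoped is reported as false, which is the conservative reading.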
Using Remote Desktop with your Server Core installation can make your life much easier.
It might be a hassle to turn on if you don’t have physical access to the server or need to allow older versions of the RDP client to connect, but it’s nothing a little reboot and a bit of fiddling at the command line won’t fix.
Disable that Pesky Built-in Administrator Account!
Firewall management in Server Core, Part 2
Windows Server Hacks: Remotely Enable Remote Desktop
Enable or disable Remote Desktop
Requirements for Configuring Group Policy for Terminal Services
New Authentication Functionality in Windows Vista
Disclaimer Beta Software
The information on this webpage applies to software from Microsoft that was in testing phase but utilizable by experienced users by the time the webpage was written. This software has not been released for sale, distribution or usage for the general public. The information on this webpage and the beta software are provided “as is” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.