Remote Desktop Services – Full Desktop Sessions vs Start Program Automatically vs RemoteApp/RDWeb

FULL DESKTOP SESSIONS:   The most common method of using Remote Desktop Services (RDS) in Windows Server 2016 or Windows Server 2019 is using full “desktop sessions” where each user has their own desktop session to modify/customize the desktop, open programs (usually in simultaneous, multi-user mode – i.e. split MS Access application where each user has their own front-end), save and share files, open MS Office documents (if Office is installed), etc.  Users can share files with other users through the use of public folders.  Desktop sessions are the default method in RDS and are typically easy to use from any device with the Microsoft Remote Desktop Connection client, which is built-in on Windows PCs and can be downloaded for Macs, iPhone, Android, etc.  If you need to share and save files, interface with Office, install several applications, or have full desktop features, you will likely want to use regular/full desktop sessions without adding the advanced configurations and complexity of RemoteApp/RDWeb.  An RDS setup with full desktop sessions can be set up within a few hours.

START PROGRAM AUTOMATICALLY UPON LOGON:  If you want some (or all) users to only open one particular program/application when logging into the server and don’t want to provide a full desktop session, you can set this up within each individual user’s profile settings in the Environment tab under properties.  This is easy to set up and you can do it on a user-by-user basis.  Starting with Windows Server 2016, there is a registry key that must be set for this to work so please contact Riptide Hosting to change this registry key.  Using this will make it so your application will open automatically when a user logs into the server and when they close the application the entire session will close without ever providing a desktop session.  This option may work if you have a single program for users to access and don’t want to provide a desktop session.  This option probably will not work well for you if you have multiple applications, need users to save or share files, or export files to Excel, etc. (then you would want to have full desktop sessions).  Contact us for a few screenshots on this option.  For example, in the Environment tab of the particular user’s properties, enable the box by “start the following program at logon” and in the “program file name” field, use a path similar to this which would start a MS Access Application:  “C:\Program Files (x86)\Microsoft Office\Office16\MSACCESS.EXE” “C:\users\xxx\xxx.mdb or .accde”

REMOTEAPP/REMOTEWEB:  RemoteApp/RDWeb is a RDS role that can be installed separately where users log in to a website (https://yourdomainname/rdweb or https://yourIPaddress/rdweb) and only see applications that you have published to them.  RemoteApp/RDWeb is a great role to use when you don’t want to provide a desktop session, but it is much more complex to set up and requires the server to be connected to a domain (either domain joined or install the Active Directory Domain Services (ADDS) role on the server), and that you install the RD Connection Broker role and the RD Web Access role.  If you install the ADDS role on the same/single server, you must install ADDS before you install the RDS roles (RD Session Host, RD Gateway, RD Connection Broker, RD License Server, and RD Web Access).  With RemoteApp you will want to install trusted SSL certificates for use with all RDS roles.  Historically RemoteApp did not work particularly well for Mac users and browsers beyond Internet Explorer (due to ActiveX requirements) but these limitations have gone away in newer versions of Windows Server.  With RemoteApp/RDWeb, you would access your applications through a website at: https://IPADDRESSorFQDN/rdweb.  We recommend you use an IT consultant/firm for setting up RemoteApp/RDWeb that has done it before and we can provide referrals if needed.

FULL DESKTOP SESSIONS WITH GROUP POLICIES:  If you want to provide full desktop sessions but want to lock down what users can see or do more than what is provided by default, you can set up group policies that affect non-administrator users.  Here is an old blog post on doing this on a workgroup server (if your server is domain joined, you can do this through the domain controller):    Setting up group policies is a very powerful method of locking down the server for regular users.  That said, this is relatively complex and it is easy to accidentally lock yourself out, so we would recommend you have us take a snapshot first before applying group policies.

Purchasing and Installing a Trusted SSL Certificate to use for RDGW & RDSH

Below are general steps to purchase/install a Trusted SSL Certificate for use with Remote Desktop Gateway (RDGW) and Remote Desktop Session Host (RDSH) that are installed on the same/single server in workgroup mode.  We created this based on using a Trusted SSL Cert from GoDaddy.  Our clients can ask for a more detailed tutorial of this process too.

1. Assumes you have already installed the RDSH and RDGW roles on the remote Windows Server.

2. You need to have the subdomain/url/domain name that you will purchase the ssl cert for to forward to the IP address of the server.  In this example, we want “” to point to IP address of the server You already own the domain name for (which can be any domain name you own through a registrar like GoDaddy).

Go to the parent domain name in GoDaddy, click on Manage DNS, go to zone file section and click “add record”.  Add “A (Host)” record type and add “RDP” (or whatever you are using in front of the domain name) which will make it be “” and the IP address of the remote server.  Click ok/save and after a few minutes you will be able to ping the full name/url and it should return the IP address of the remote server.

We have tried to use Let’s Encrypt (free certs expiring every 60 days) but found it difficult to use with Windows IIS at the time.

3. Create Certificate Request on the remote Windows Server using IIS Manager

Open IIS Manager on remote Windows Server, in the left side pane under connections, click on your server name.  In the middle window, double-click “server certificates” icon which will open the server certificates screen showing your currently used self-signed cert.  In the far right screen under actions, click “create certificate request”.

Fill out the appropriate fields including Common name (use the exact name of the url you are requesting for the ssl cert – i.e. “”), Organization and Organization unit (could be your legal name), State (should be spelled out and not abbreviated), and Country (can be US).  We recommend changing the bit length to 2048 for crypto.  Create a filename for the CSR (CSR=certificate signing request), which will be saved in c:\windows\system32 unless you specify the full path in the file name request.

4. Purchase SSL Cert at GoDaddy by inputting CSR info

Go back into your GoDaddy account. Purchase a SSL cert (we did DV type in this example) at GoDaddy ($79.99/yr although may be able to find discount code for year 1).  After purchase go back into GoDaddy account to SSL cert and press “setup”. 

Click on New Certificate, then choose “Input a CSR” (you will use the CSR you generated on the remote server via IIS Manager).  Do not select “Domain hosted with GoDaddy”.  Type in the domain/url field what you want the SSL cert to be issued for, for example “”.

Copy in the CSR text from the file you created on the remote server, using the entire text including “—-BEG…—- and —-END…—-” characters.  Select the default GoDaddy SSL algorithm.

You will see the SSL Cert fields change to pending verification and you will have to wait approximately 20 minutes for it to change to ready/certificate issued.

5. Download SSL Cert from GoDaddy and copy it to remote server and install it in IIS Manager

Click download, choose IIS (Windows) and it will download the .zip file with certificate.  Copy this .zip file to the remote server and extract it.

Go back into remote Windows Server, IIS manager, the server certificates icon/section and click on “complete certificate request” under actions.

Attach the security cert from the GoDaddy zip file and create a friendly name (the friendly name is just to identify the certificate).  You can put it in the personal store.  For our example, we were able to skip doing anything with the intermediate cert and only had to attach the actual security cert.  In order to attach the security cert, we had to change the file type selection dropdown to show all files.  Press OK and exit IIS Manager.  Make sure you keep track of the ssl cert expiration date so you renew/reinstall prior to that date, otherwise you will be locked out of the remote server.

6. Modify settings on remote Windows Server in RD Gateway Manager to use new SSL cert

Open Remote Desktop Gateway Manager, then properties and the SSL Cert tab.  Click on existing cert from personal store and select your new SSL cert.  Press Import, which will restart Gateway services and your current connection will be disconnected.  You will then have to connect with the new url/ssl cert name in your local RDP connection client. 

Go back to your local RDP connection client (shortcut on desktop if you created that previously) and change IP address in computer name field (general tab) and gateway name (advanced tab) from IP address to the url/ssl cert/fqdn you created – for example, “”

7. Modify setting on remote Windows Server for RD Session Host to use new SSL cert (if needed)

If you see the warning that the certificate name doesn’t match and isn’t from a trusted CA, then it is because the new GoDaddy cert isn’t being used for the RDSH (it is being used for RDGW but not RDSH even though they are both on the same server) and the self-signed cert is still being used for the RDSH.  This seems to almost always happen in our experience.  (Note: this warning is different from the “unknown publisher” warning you may see because you are using a custom rdp connection file shortcut…for the “unknown publisher” warning you can click “don’t ask me again…” if you don’t want to see that message again.)

To fix this, use PowerShell (run as admin) below to change the certificate used for RDSH (NOT GW) to the GoDaddy SSL cert you purchased.  Type each line separately below exactly as shown, except that the thumbprint info in row 3 will need to be added after the row 1 info has generated (after the first line/row is entered, you will see the thumbprint for the new ssl cert, which you will need to enter for line 3 between the “”).

Get-ChildItem "Cert:\LocalMachine\My"

$PATH = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices)

Set-WmiInstance -Path $PATH -argument @{SSLCertificateSHA1Hash="ENTER-THUMBPRINT-HERE"}

Next try to connect again and you should not see the Certificate error message anymore.

Lastly, some clients have noted that they had to enter username as SERVERNAME\username when connecting via rdp connection client, so if you are still having issues, try that method in the rdp file too.
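To confirm the change from step 7 took effect, the following added example (not part of the original post) reads the thumbprint bound to the RDP listener and reports whether that certificate is still self-signed and how many days remain before it expires. It assumes the listener is named RDP-Tcp and that the self-signed certificate, if still in use, sits in the local machine "Remote Desktop" store; the function name is hypothetical.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the server that holds the RDSH role.

function Get-RdshListenerCertificate {
    # Assumption: the RDP listener has the default name RDP-Tcp.
    $listener = Get-WmiObject -Class 'Win32_TSGeneralSetting' `
        -Namespace 'root\cimv2\terminalservices' -Filter "TerminalName='RDP-Tcp'"
    if (-not $listener) {
        throw 'RDP-Tcp listener not found; is the RD Session Host role installed?'
    }

    $thumb = $listener.SSLCertificateSHA1Hash

    # A purchased certificate sits in the Personal (My) store. The
    # auto-generated self-signed RDP certificate normally sits in the
    # "Remote Desktop" store (assumption noted in the lead-in).
    $stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop'
    foreach ($store in $stores) {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $thumb } |
            Select-Object -First 1
        if ($cert) {
            return [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                Store         = $store
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
                DaysLeft      = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            }
        }
    }
    throw "Listener thumbprint $thumb was not found in the stores checked."
}

$info = Get-RdshListenerCertificate
$info | Format-List

if ($info.SelfSigned) {
    Write-Warning 'RDSH is still bound to a self-signed certificate; clients will see the name/trust warning.'
}
if (-not $info.HasPrivateKey) {
    Write-Warning 'The bound certificate has no private key on this server; the listener cannot use it.'
}
if ($info.DaysLeft -lt 30) {
    Write-Warning "The bound certificate expires in $($info.DaysLeft) days; renew and reinstall before then."
}
```

Scheduling this check (for example weekly) gives early notice of the expiration lockout mentioned in step 5.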

Installing the Remote Desktop Gateway Role (RDGW) on Windows Server 2019

Installing the Remote Desktop Gateway Role (RDGW) on Windows Server 2019 to force RDP over HTTPS (port 443) instead of port 3389.


In this example, we had already installed the RD Session Host (RDSH) and RD License Server roles previously on the server.  This server is in workgroup mode and not joined to a domain.  Steps below are used to install the RDGW role on a single server (installing RDGW also installs IIS) so all three roles (RDSH, RDlic, RDGW) are installed on the same server. If you are already licensing RDS with RDS user licenses, there is no additional cost to installing the RD Gateway Role (other than if you purchase a trusted SSL certificate).

  1. Go to Server manager, add roles & features, role-based or feature-based installation, select existing server, in Server roles expand Remote Desktop Services and select Remote Desktop Gateway, click through everything else as defaults. It will take about 5 minutes to install. Although it won’t force a reboot, it is typically a good idea to reboot the server after this step.

2. Next go to Server Manager, Remote Desktop Services, Servers, click on server name and right click into properties and to “RD Gateway Manager”.  (note: in RDS, Overview, you will see a message about needing to be logged in as domain user to manage servers and collections – to have this functionality you need to be connected to a domain instead of in workgroup mode, we are proceeding with workgroup mode only below).

3. In RD Gateway Manager, expand tree and go to policies.  Create a “Connection Authorization Policy” (CAP) for which users can login to the gateway and a “Resource Authorization Policy” (RAP) for what resources can be accessed.  For example, we created policies called CAP1 and RAP1 and used defaults for most everything.  For CAP1, you probably want to add Remote Desktop Users and Administrators to “user group membership”.  For RAP1, under Network Resource, you should change selection to “allow users to connect to any resource” since this is a single server setup.  You can modify these policies later to be more specific and restrictive.

4. For SSL cert (go back to RD Gateway Manager, Properties), create a self-signed cert by going to properties, SSL tab, create self-signed cert, click on “create and import certificate”, change certificate name to the IP address “” of the server in the certificate name field.  Copy the self-signed cert to your local PC because you will need it in order to login through the gateway (all users will need it).  If you use a trusted SSL cert from CA then you won’t need to install self-signed cert on each local PC/client like you will with a self signed certificate.  Take note of the self-signed certificate expiration date which should be in 6 months – if you decide to continue to use a self-signed certificate, you will need to generate a new cert before the expiration date.

Note: using a self-signed certificate will require you to install the certificate on each client device.  It is recommended to use a trusted cert (instead of self-signed cert) where you would need to purchase the SSL cert from a company like GoDaddy and it will be in the name of a URL/domain instead of IP address.

5. At this point, all items in RD Gateway Manager status should be showing as green / green check marks.

6. Go to Services and change the Remote Desktop Gateway Service (service name is TSGateway) to be startup type “automatic” instead of “automatic (delayed)” and make sure it is started/running.  This will allow the gateway service to start quicker upon a server reboot; otherwise you may get a message that the gateway service is unavailable when trying to log in until you wait several minutes for the service to start.

Connecting to RDGW from your local PC

  1. Open the Remote Desktop Connection client on your local PC and expand all fields by clicking show options.
  2. On the general tab, make sure computer name field is the IP address of the server.  You will be entering the IP address on both the General tab and the Advanced tab using the same IP address since the RDSH server and the RDGW server are the same server in this example.
  3. Before connecting, go to the Advanced tab
  4. Click on Settings box under Connect from Anywhere
  5. Select “use these gateway settings”
  6. Enter IP address of the server for Server Name
  7. Uncheck the box to “Bypass RD gateway server for local addresses”
  8. Check the box to use same credentials for RD gateway server and remote computer since same server in this example
  9. Press OK, go back to local resources tab and select what local devices should be redirected (typically printers and clipboard should be redirected, but not local drives under the more button – redirecting local drives uses bandwidth/resources so only do it when needed)
  10. Go to general tab, decide if you want credentials to be allowed to be saved, and save the customized rdp file as a shortcut on your desktop by clicking “save as” and give it a useful name.
  11. When you connect, you may first get a warning message that says “The publisher of this remote connection can’t be identified. Do you want to connect anyway?” OR “the identity of the remote computer cannot be verified. Do you want to connect anyway?” You can click the box to “don’t ask me again for connections to this computer” if you don’t want to see this message every time, and continue.  This message typically happens because you are using a rdp shortcut on your local desktop that you customized or because you are using a self-signed certificate.
  12. Connect and you will get a message to enter your credentials which will be used for both RDSH and RDGW, select whether to remember credentials or not.
  13. If you try to connect and you get a message “This computer can’t verify the identity of the RD Gateway XXXXX….” and it won’t connect, it is because you are using a self-signed certificate and haven’t put a copy of the certificate in your trusted root certificate authorities on your local PC.  So go back on the server and copy the cert from the users\username\documents\certname.cer folder of server to your local PC/desktop, then double click it on your local PC, select “install certificate” and select “Local Machine” store location and select this specific location “Trusted Root Certificate Authorities” (don’t do automatic location).  THIS WILL HAVE TO BE DONE ON ALL LOCAL PCs TO CONNECT WHEN USING SELF-SIGNED CERTS.
  14. If you are having trouble logging in, try typing username as servername\username so WIN-XXXXXX\Administrator or ServerX\Dan etc.

Turn off port 3389 to internet to force traffic to use port 443/RDGW

  1. Next, turn off the four inbound Windows firewall rules for Remote Desktop for port 3389 FOR PUBLIC PROFILE (Remote Desktop – User Mode (TCP-In) and (UDP-In) and Remote Desktop Services – User Mode (TCP-In) and (UDP-In)).  Click into the firewall rule, go to the advanced tab, and uncheck the “Public” box so the rule doesn’t apply to the public profile.
  2. RDP Traffic then should go over port 443 from the outside to the server and then 3389 internal to the server.  You can test this by trying to login via RDP without Gateway settings.
  3. You can modify/disable other Remote Desktop inbound firewall rules if needed too.

Additional Notes:

See different post on how to purchase and install a SSL certificate from a trusted CA.

How to Install VPN server on Windows Server 2019

Windows Server 2019 has a built-in VPN server role that can be added to the server OS at no charge. The below method will set up PPTP VPN using Windows Authentication so it is password based and strong/complex passwords are still very important.  There are other protocols such as L2TP/IPSec, certificate authentication, etc. which can result in a stronger security setup depending on your needs and environment. Toward the end of this document we will show you how to enable L2TP with preshared key and disable PPTP if you want to do that. This post will detail how to set up the VPN role on a Windows server, how to set up the VPN connection client on your local Windows PC, how to disable RDP and other protocols from using the public profile in the Windows firewall, and finally how to extend the VPN setup to L2TP. There is no additional cost for installing the VPN/RRAS role on Windows Server.


  1. Log on to Windows Server 2019 using the Administrator account or an account with administrative rights.
  2. Open Server Manager, Dashboard, “Add Roles and Features” wizard, next, then select “role-based or feature-based installation”, next, select your server, next, then on select server roles screen select “Remote Access”, on select features screen can use defaults and press next.  Under Remote Access Role Services select only “DirectAccess and VPN (RAS)” (select to add the features that are automatically selected) and leave the other options of Routing and Web Application Proxy unchecked, next, leave defaults under the Web Server Role Services, next, Click Install (takes a few minutes to install but usually doesn’t require a reboot).
  3. At the top bar of Server Manager, you will see a yellow triangle; click on it to select “Open the Getting Started Wizard” or click on “Remote Access” in the left window and click on more in the right window to get the “Open the Getting Started Wizard”.
  4. Select “Deploy VPN only” (may take up to 1 minute to open) (note: If you deploy DirectAccess, this option requires the server to be connected to a domain – not workgroup mode)
  5. Right click on Server name and select “configure and enable routing and remote access”
  6. Select “Custom configuration”
  7. Select “VPN access” only, then Finish, Start Service.  Windows Firewall should automatically open the necessary ports (or you might see a message telling you to manually open the firewall rules). And press OK by message reminding you to open/enable firewall rules.
  8. Go back to Routing and Remote Access by going to Server Manager, Tools (dropdown near upper right corner of server manager), select “Routing and Remote Access”.  Then right click on the server name and select properties.  Then go to IPv4 tab to add static IP address pool in IPv4 tab.
  9. Next, open “Network and Sharing Center” and click on “change adaptor settings”.  Right click on the ethernet adaptor, highlight the “Internet Protocol Version 4 TCP/IPv4” row, click on properties, advanced and add a secondary IP Address which is private IP in the same subnet as pool above – in this example, used (this will be the IP address you can use to RDP to the server after the VPN connection is made).
  10. Next, adjust settings for each user you want to be able to VPN to the server by going to Computer Management, Local Users and Groups, Users, and right click on the individual User and enter Properties.  Go to “Dial-In” tab and change “Network Access Permission” section to “Allow Access” (instead of “control access through NPS network policy”).  You need to do this for each user you want to allow VPN access to the server.
  11. Open Windows Firewall rules for PPTP (PPTP requires both PPTP-In and GRE-In) and other VPN protocols if you might use them (L2TP or SSTP).
  12. Usually it is a good idea to reboot server at this point even if it doesn’t ask for a reboot.

SETUP VPN CONNECTION ON LOCAL PC (to connect local PC to offsite server via VPN)

  1. On your local PC, Go to Control Panel, Network and Internet, Network and Sharing Center, and “Setup a new connection or network” and then “Connect to a workplace / setup a VPN” or “Add a VPN connection”.  Select “Use My Internet Connection”
  2. Enter IP address of server you will connect to – this is a public IP address (not private IP address you setup above 192.168.x.x)
  3. Enter description name for connection, then create.
  4. Then go to your VPN connection by clicking start icon and typing VPN, or going to notifications and clicking VPN
  5. Click on the VPN Connection you just setup and press connect.  Enter Username and Password on next screen and click “Connect”
  6. You can adjust settings (security settings and other) by going back to the Connection and entering properties (go to change adaptor settings, find connection, right click for properties where you can change settings to match VPN settings on the server if needed).  Also you can change VPN settings on the server.

VERIFY THIS AND UNCHECK THE BOX BY “USE DEFAULT GATEWAY ON REMOTE NETWORK” OTHERWISE ALL YOUR TRAFFIC INCLUDING WEB BROWSING WILL GO THROUGH THE REMOTE SERVER WHICH WILL LESSEN YOUR PERFORMANCE. NOTE:   If you can no longer access the internet on your local machine once the VPN connects, you can change this by going to the networking tab in Properties of the VPN Connection, highlight the TCP/IPv4 row, click Properties, click Advanced, and uncheck “use default gateway on remote network”.  (you may have to disconnect and reconnect before this change will apply)


Note: there are many adjustments you can make to the Windows Firewall and this is just one example/method.  You should properly test any changes made.

  1. Make sure you are logged in via RDP via VPN to the private IP ( in this example) first before changing these rules below.
  2. First make sure the RAS interface on the server is set to private firewall profile in “network and sharing center” on the server.  If it isn’t (and most likely it is set to public so you will have to change it), change it as follows:  gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies and assign “RAS (Dial In) Interface” to a Private Network Profile. (alternative method– start, secpol, network list manager policies, right click on RAS Interface, network location tab, change it to private)
  • Next, Open Windows Firewall with Advanced Security and modify 4 x Inbound Rules,
    • “Remote Desktop Services – User Mode (TCP-In)”
    • “Remote Desktop Services – User Mode (UDP-In)”
    • “Remote Desktop – User Mode (TCP-In)”
    • “Remote Desktop – User Mode (UDP-In)”

and turn them off for Public Profile.  You could/should also modify other rules affecting the public profile to restrict access to private profile only.

  • Now it is time to connect and test your changes.
  • Connect to the server via VPN first, then you can RDP to the server using the private IP ( in example above) when VPN is active.  You shouldn’t be able to RDP to the public IP address.  You should test all scenarios after deployment.
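The firewall change described here, and in the earlier "Turn off port 3389 to internet" steps of the RD Gateway post, can be audited and applied from PowerShell. This is an added example, not part of the original posts: the function names are hypothetical, it matches the four rules by display name with a wildcard, and it only removes the Public profile from each rule rather than widening a rule that was narrower to begin with.

```powershell
# Added example, not from the original posts. Run elevated on the server while
# connected through the gateway or VPN, so the change cannot cut you off.

function Get-RdpUserModeRule {
    # Wildcard covers "Remote Desktop - User Mode" and
    # "Remote Desktop Services - User Mode", both TCP-In and UDP-In.
    Get-NetFirewallRule -Direction Inbound |
        Where-Object { $_.DisplayName -like 'Remote Desktop*User Mode*' }
}

function Get-ProfileWithoutPublic {
    param([string]$ProfileText)   # e.g. "Any", "Private, Public", "Public"
    if ($ProfileText -eq 'Any') { return @('Domain', 'Private') }
    return @($ProfileText -split ',\s*' |
        Where-Object { $_ -and $_ -ne 'Public' })
}

function Set-RdpRulePrivateOnly {
    # Without -Apply this only reports what would change.
    param([switch]$Apply)

    foreach ($rule in Get-RdpUserModeRule) {
        $before  = "$($rule.Profile)"
        $exposed = ($rule.Enabled -eq 'True') -and ($before -match 'Any|Public')
        $target  = @(Get-ProfileWithoutPublic $before)

        if (-not $exposed) {
            $action = 'none (not reachable on Public profile)'
        } elseif ($target.Count -gt 0) {
            $action = "restrict to $($target -join ', ')"
            if ($Apply) {
                Set-NetFirewallRule -Name $rule.Name -Profile ($target -join ', ')
            }
        } else {
            # Rule applied to Public only: nothing left to keep, so disable it.
            $action = 'disable rule'
            if ($Apply) { Disable-NetFirewallRule -Name $rule.Name }
        }

        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Enabled     = "$($rule.Enabled)"
            Before      = $before
            Action      = $action
            Applied     = [bool]$Apply -and $exposed
        }
    }
}

# 1) Review first.
Set-RdpRulePrivateOnly | Format-Table -AutoSize

# 2) Apply once the report looks right.
# Set-RdpRulePrivateOnly -Apply | Format-Table -AutoSize

# 3) From a PC outside the server's network, confirm TCP 3389 is closed on the
#    public address (203.0.113.10 is a placeholder for the server's public IP):
# Test-NetConnection -ComputerName 203.0.113.10 -Port 3389   # TcpTestSucceeded should be False
```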

Congratulations, Now your PPTP VPN should be setup and working!


The steps above will create a “point-to-point tunneling protocol” (PPTP) VPN connection and will open the Windows Server firewall for PPTP, L2TP and SSTP (or you manually enabled these rules) although L2TP & SSTP require additional configuration to work.   You can increase security by implementing L2TP or SSTP.  One example is L2TP with “pre-shared key” where you enter a pre-shared key in RRAS properties on the security tab (on server) and then also enter the pre-shared key on the client PC VPN connection.  When you connect, the windows VPN client on the PC will show if connected as PPTP or L2TP.  In security options on the PC VPN client, you can select which protocol to use if more than PPTP has been setup on the server.  If you are using L2TP instead of PPTP, you can then turn off PPTP on the Windows Server and also disable the PPTP firewall rule (see below).

How to enable L2TP/IPsec VPN and disable PPTP protocol

Configure L2TP with preshared key:

  1. First make sure the Windows Firewall inbound rules on the server allow L2TP (if you had only enabled the inbound firewall rules for PPTP and GRE earlier, you should also enable L2TP now).  Open RRAS Management Console, right click on server name, and go to properties.  Go to security tab and enable the checkbox by “allow custom IPsec policy for L2TP/IKEv2 connection” and create/enter a complex password in the “preshared key” field.
  2. The preshared key is something that is the same for all users
  3. Now disconnect your current PPTP session and reconnect using L2TP/preshared key settings in your local connection client.  Go to your local VPN network adaptor settings and adjust accordingly.
  4. Now login to server and disable PPTP by clicking on ports, right click to properties, highlight the PPTP row and uncheck the top two boxes to disable PPTP.
  5. Last, disable Windows firewall rules for PPTP and GRE if only using L2TP.
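The client side of this setup (the local PC VPN connection, the L2TP preshared key, and unchecking “use default gateway on remote network”) can also be configured with the built-in VpnClient cmdlets. This is an added example, not part of the original post: the connection name and the 203.0.113.10 address are placeholders, the function names are hypothetical, and MS-CHAPv2 is assumed as the password-based authentication method.

```powershell
# Added example, not from the original post. Run on the local Windows PC.

function Set-L2tpSplitTunnelVpn {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ServerAddress,
        [Parameter(Mandatory)][string]$PresharedKey
    )
    $existing = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
    if ($existing) {
        # Convert the existing (for example PPTP) connection in place.
        Set-VpnConnection -Name $Name -ServerAddress $ServerAddress `
            -TunnelType L2tp -L2tpPsk $PresharedKey `
            -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
            -SplitTunneling $true -Force
    } else {
        Add-VpnConnection -Name $Name -ServerAddress $ServerAddress `
            -TunnelType L2tp -L2tpPsk $PresharedKey `
            -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
            -SplitTunneling -Force
    }
    Get-VpnConnection -Name $Name
}

function Get-VpnConnectionAudit {
    # Flags connections that can still negotiate PPTP. "Automatic" lets the
    # client try several tunnel types, PPTP among them.
    Get-VpnConnection | ForEach-Object {
        [pscustomobject]@{
            Name           = $_.Name
            ServerAddress  = $_.ServerAddress
            TunnelType     = $_.TunnelType
            SplitTunneling = $_.SplitTunneling
            CanUsePptp     = "$($_.TunnelType)" -in 'Pptp', 'Automatic'
        }
    }
}

$name   = 'Offsite Server VPN'   # hypothetical connection name
$server = '203.0.113.10'         # placeholder for the server's public IP

# Prompt for the preshared key so it is not stored in the script.
$secure = Read-Host -Prompt 'L2TP preshared key' -AsSecureString
$psk    = [System.Net.NetworkCredential]::new('', $secure).Password

Set-L2tpSplitTunnelVpn -Name $name -ServerAddress $server -PresharedKey $psk |
    Format-List Name, ServerAddress, TunnelType, SplitTunneling, EncryptionLevel

# List every VPN connection on this PC and whether it could still use PPTP.
Get-VpnConnectionAudit | Format-Table -AutoSize
```

With `SplitTunneling` on, only traffic for the remote network goes through the VPN, which matches unchecking “use default gateway on remote network” in the adapter properties.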

Comparison of Riptide Hosting’s Windows VMs and Dedicated Hardware Servers

Windows Server Virtual Servers VMs:

  • Lower cost entry point when you have fewer users and fewer resource needs
  • Very flexible because cpu/ram/disk space can be added in minutes – so start smaller/less expensive and expand as needed
  • Able to bundle Riptide’s Microsoft Licensing via SPLA on both VMs or Dedicated for Windows, RDS, Office & SQL
  • Limitation on our VMs: Cannot use your own MS licensing, free SQL Express is ok.  Can only use Office & SQL Standard licensing through Riptide.
  • Full image backup included where we can restore a full VM in minutes
  • Includes 1 Public/Static IP address
  • Cannot use your own hardware firewall/vpn device (which you can colocate with a dedicated server)
  • Generally limited to 300 GB disk space which is plenty for most but not all clients

Windows Dedicated Hardware Servers:

  • Great for handling much higher levels of users, cpu, ram and disk space
  • Comes with much higher amounts of CPU, disk space and RAM
  • Includes 3 Public/Static IP addresses
  • Dedicated server is the only option to use your own Microsoft licensing for SQL Server Standard or Office due to Microsoft Licensing Terms
  • Not as flexible because we have to swap out hardware pieces to increase ram, cpu, disk space
  • More expensive entry-point
  • Able to use Riptide’s Microsoft Licensing via SPLA on both VMs or Dedicated for Windows, RDS, Office & SQL
  • If applicable, having a dedicated server is the only option for a client to co-locate a hardware firewall/VPN device in front of the server
  • We have an optional full image backup offering (starting at $150/mo) (which is more expensive than on VMs)
  • Dell iDRAC Enterprise offering out-of-band console access (uses one of the three IP addresses)

MS Access Error Query is Corrupt from November 12, 2019 Office Updates

The November 12, 2019 Microsoft Office updates introduced a bug in MS Access where users are seeing errors like this “Query is corrupt”.  Microsoft has acknowledged the bug and says a fix will be out with the updates on December 10.  See link here from Microsoft for more information:

To fix the issues in the meantime, you can uninstall the application Office Update for Access 2010, 2013 or 2016 as follows:

Office 2010: Description of the security update for Office 2010: November 12, 2019 (KB4484127)
Office 2013: Description of the security update for Office 2013: November 12, 2019 (KB4484119)
Office 2016: Description of the security update for Office 2016: November 12, 2019 (KB4484113)

To uninstall the update in Windows Server 2016, go to Settings, Windows Update, Update History, click hyperlink toward top of page for Uninstall Updates, search for KB noted above, uninstall.  Even though it doesn’t require a reboot, we recommend you reboot your server after the uninstall.

Next you will want to disable automatic Windows Updates so the same buggy update does not get automatically installed again.  If you are a Riptide Hosting client, contact us to disable automatic updates, which varies depending on which Windows Server OS you are on.  If you disable automatic updates temporarily (until MS releases the fix by December 10 according to the link above), you need to remember to enable them to keep your system secure and up-to-date.  If you are a Riptide Hosting client, please contact us before disabling automatic updates.

Microsoft licensing terms being modified for dedicated hosting cloud services; Now is a great time to consider monthly MS licensing through the SPLA program

Starting October 1, 2019, Microsoft is modifying their licensing terms related to outsourcing rights and dedicated hosted cloud services.  Beginning October 1, 2019, on-premises Microsoft licenses purchased without Software Assurance cannot be deployed on dedicated hosted cloud services offered by the following “Listed Providers”: Microsoft, Alibaba, Amazon and Google.  Riptide Hosting is not one of the “Listed Providers” noted above and these changes don’t apply to deployments at Riptide Hosting.   You can read more about these changes here:

Alternatively, instead of buying your own MS Volume Licenses and purchasing Software Assurance, contact Riptide Hosting to compare options using Riptide Hosting’s Microsoft licensing through the Services Provider Licensing Agreement (SPLA) program.  Riptide Hosting can offer MS Licenses for Windows Server, SQL Server, MS Office, and more, through the MS SPLA program on a monthly basis.  The advantages of monthly MS licensing through our SPLA are that you a) don’t need to make a large upfront perpetual licensing payment, b) are not locked into using your licenses for a 3 or 5 year term, and c) can increase or decrease licenses (i.e. per user RDS or MS Access licenses) on a monthly basis.  All of our Windows Servers on VMs or Dedicated Servers come with Windows Server 2016 Standard Licensing built into the base price.  Optional licenses include SQL Server, MS Office, Components of MS Office such as MS Access or MS Excel, and more.


Riptide Virtual Servers: We must provide all MS licensing through our MS SPLA Agreement.  You cannot use your own MS Licensing (i.e. SQL Server (other than free SQL Express), Office365 or other MS Licensing).

Riptide Dedicated Servers: You could use your own MS licensing on the dedicated server, or we can provide MS licensing monthly through our MS SPLA.  But please note that for Office365, only certain plans will work on an RDS/terminal server, which are Office365 ProPlus Standalone or Office365 Enterprise E3 and above.  Office365 Business plans do not include ProPlus and will not work on a Windows RDS server.

If your users don’t need a local install of Office on the server (to do things like export reports from an application to Excel), then users might be able to just use the web based versions of Excel/Word by logging into their Microsoft account with OneDrive (or Google Docs, etc).  Heavy users of Office will likely want it installed on the server but the web based versions might work fine for occasional use.

Avoiding Downtime – How Riptide Hosting helps keep your business server & applications running.

Power Failures – Our datacenters have redundant commercial power feeds, UPS systems and diesel generators. Compare this to a single power feed that is typical in an office building.

Network / Internet / ISP Failures – Riptide Hosting uses premium bandwidth with multiple network providers blended together for maximum uptime. Compare this to a single telecom provider that is typical in an office building.

Hard Drive Failures – Our servers are deployed with hard drives in mirrored array(s) – RAID1 or more, so a single drive failure does not cause data loss.

Riptide Hosting offers several types of hosting from Windows Server VMs to fully Dedicated Hardware Servers. We offer a 100% SLA for power and network availability. Our enterprise datacenters are staffed 24/7. We offer backup offerings and MS Licensing through the MS SPLA program.

Our VMs are scalable, so it is easy to increase server resources such as RAM, CPU and disk space. And the MS SPLA program allows us to offer Microsoft licensing on a monthly basis without you having to commit to long-term licensing or large up-front capital investments for licensing.

Focus on your business and relieve yourself of worries about server hardware, network connectivity issues and MS licensing complexities. Our datacenters are designed with infrastructure to keep your business applications and servers running with redundant power and network bandwidth.

Methods to Secure Windows Remote Desktop RDP

How To Secure Windows Remote Desktop

In September 2018 the FBI issued a public service announcement regarding risks and hacking attempts against the RDP protocol.  See the announcement here, which includes some suggestions (with additional considerations below).

Considerations For Securing your Windows Server / RDP Terminal Server

Here is a list of various actions to consider to help secure your remote server environment:

After applying any of the actions above, make sure to test whether they are working properly.  You can open multiple RDP sessions using different user names initiated from one PC which can be useful for testing.

The information provided in this document/post is intended to provide general information only and is not a complete listing of available considerations.  The content is provided AS IS without any express or implied warranties of any kind with respect to the accuracy, correctness, reliability, or fitness for a particular purpose.  You should be discussing all security policies and related procedures, configurations, monitoring and other server management functions with your IT staff or consultants.  Riptide Hosting does not provide managed services and is not a substitute for you maintaining your own IT staff/consultants. 

RD Session Host Security settings in Windows Server 2016

RD Session Host Security settings in Windows Server 2016 (SSL, High encryption, etc.)

In gpedit.msc, go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security to see the various options.

  • “Require use of specific security layer for remote (RDP) connections” – Changing Security Layer to SSL is the recommendation listed in Windows 2016
  • “Client Connection Encryption Level to High” – enabled/Yes
  • “Require Secure RPC communication” – enabled/Yes
  • “Require user authentication for remote connections by using NLA” – enabled/Yes
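
To verify that the four settings above actually took effect, the following added example (not Riptide Hosting's own code) reads the registry values that Group Policy writes for them and flags any that are unset or weaker than recommended. The function name `Get-RdsSecurityPolicyState` is hypothetical; the registry key and value names are the ones that back these policies.

```powershell
# Added example: read the registry values that Group Policy writes for the four
# RD Session Host security settings listed above and report each one's state.
# Run in an elevated PowerShell session on the RD Session Host itself.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Allowed = values that satisfy the recommendation in the list above.
$Checks = @(
    @{ Policy = 'Require use of specific security layer for remote (RDP) connections'
       Name = 'SecurityLayer';      Allowed = @(2);    Note = '0 = RDP, 1 = Negotiate, 2 = SSL' }
    @{ Policy = 'Set client connection encryption level'
       Name = 'MinEncryptionLevel'; Allowed = @(3, 4); Note = '1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS' }
    @{ Policy = 'Require secure RPC communication'
       Name = 'fEncryptRPCTraffic'; Allowed = @(1);    Note = '1 = enabled' }
    @{ Policy = 'Require user authentication for remote connections by using NLA'
       Name = 'UserAuthentication'; Allowed = @(1);    Note = '1 = enabled' }
)

# Hypothetical helper name; returns one object per policy so results can be filtered.
function Get-RdsSecurityPolicyState {
    param([string]$Key = $PolicyKey)

    # The key is absent when no Remote Desktop Services policy has been set at all.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($check in $Checks) {
        $actual = $null
        if ($props -and $props.PSObject.Properties[$check.Name]) {
            $actual = $props.($check.Name)
        }

        if ($null -eq $actual) { $status = 'NOT CONFIGURED' }
        elseif ($check.Allowed -contains $actual) { $status = 'OK' }
        else { $status = 'WEAK' }

        [pscustomobject]@{
            Policy = $check.Policy
            Value  = $check.Name
            Actual = $actual
            Status = $status
            Legend = $check.Note
        }
    }
}

# NOT CONFIGURED means the policy is unset, so the server uses its local RDP settings.
Get-RdsSecurityPolicyState | Format-Table -AutoSize -Wrap
```

Run `gpupdate /force` after changing the policies and before re-running the check, so the registry reflects the current settings.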