Disable built-in Administrator account

Disable built-in Administrator account (create alternative admin account)

All Windows Servers come with the built-in Administrator account (SID 500) by default, and all administrator accounts have RDP access by default (when RDP is enabled overall).  Therefore, if port 3389 is open, the Administrator account is frequently the target of repeated brute-force attempts against this account name.  Options include disabling the Administrator account completely and setting up a separate account that has administrator rights, or removing RDP access from the Administrator account.  Make sure you have a different account with admin rights available before disabling the Administrator account so you don’t get locked out.  Generally it is better to disable the Administrator account (and replace it with a different account with administration rights) rather than just renaming it, because the SID remains 500 when you rename it and there are some non-Microsoft tools that allow authentication by SID rather than by account name.  Renaming is still better than doing nothing: you can rename the Administrator account in Local Security Policy (Security Settings, Local Policies, Security Options, Accounts: Rename administrator account) or via gpedit.msc.  We noted on a test server with port 3389 open that over 50% of the failed login attempts were using the “administrator” user name, followed by admin, user, test, user1, etc.
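The procedure above (create a replacement admin account, confirm it works, then disable the built-in account) as an added PowerShell example; this is not code from the original post. It uses the LocalAccounts cmdlets that ship with Windows Server 2016, locates the built-in account by its SID ending in -500 rather than by name (so it still works if the account was renamed), and refuses to disable it unless another enabled administrator exists. The account name srvadmin-example is an assumed placeholder; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post). Run elevated on the server.
$NewAdminName = 'srvadmin-example'   # assumption: choose your own non-obvious name

# Identify the built-in Administrator by SID (RID 500), not by its renamable display name.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtIn) { throw 'Built-in Administrator (RID 500) not found among local users.' }

# Create the replacement account and make it a member of Administrators if it does not exist yet.
if (-not (Get-LocalUser -Name $NewAdminName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Password for $NewAdminName"
    New-LocalUser -Name $NewAdminName -Password $password -FullName 'Alternate administrator' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $NewAdminName
}

# Safety check: at least one *other* enabled local administrator must exist before we disable RID 500.
$otherAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -ne $builtIn.SID.Value } |
    ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
    Where-Object { $_.Enabled }

if (@($otherAdmins).Count -eq 0) {
    throw "Refusing to disable $($builtIn.Name): no other enabled administrator account exists."
}

Disable-LocalUser -SID $builtIn.SID

# Show the result: the RID-500 account should now report Enabled = False.
Get-LocalUser -SID $builtIn.SID | Select-Object Name, Enabled, SID
```

Before running the final Disable-LocalUser line, open a second RDP session with the new account and confirm it can log on; the script only checks that the account is enabled and in Administrators, not that you know its password.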

Whitelist IPs: Use Windows Firewall to restrict RDP access to specific IPs only


If you always connect from the same IP address, or IP address range (or the range your ISP uses), you can restrict RDP access to those IPs through the Windows Firewall (Inbound Rules for Remote Desktop which may consist of multiple rules, TCP-in and UDP-in, and Remote Desktop-User Mode and Remote Desktop Services-User Mode).  Go to the scope tab of the inbound firewall rule and add your IP addresses to the Remote IP list for both rules.  This is a great method to secure RDP when always working from the same location but it won’t work if you plan to access your Remote Desktop Server while traveling because you won’t be using the same static IP address.
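The same Remote IP scoping done from PowerShell, as an added example that is not part of the original post. It applies one remote-address allow-list to every inbound rule in the "Remote Desktop" display group (the TCP-In, UDP-In, User Mode and Services variants mentioned above) and then prints each rule's resulting address filter so the change can be verified. The two addresses are constructed placeholders from the RFC 5737 documentation ranges; replace them with your own static IP or range before running this in an elevated session.

```powershell
# Added example (not from the original post). Run elevated on the server.
# Constructed placeholder addresses (documentation ranges); replace with your own.
$AllowedRemote = @('203.0.113.10', '198.51.100.0/24')

$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
if (-not $rdpRules) { throw 'No inbound Remote Desktop firewall rules found.' }

# Scope every inbound RDP rule to the allow-list (replaces any existing Remote IP scope).
$rdpRules | Set-NetFirewallRule -RemoteAddress $AllowedRemote

# Verify: one row per rule with the remote address filter now in effect.
foreach ($rule in $rdpRules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Profile       = $rule.Profile
        RemoteAddress = ($addr.RemoteAddress -join ', ')
    }
}
```

Apply this from a console or out-of-band session, not from the RDP session you are scoping: if your current source address is not in the list, the session you are typing in is the one that gets cut off.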

Always use complex usernames and passwords for user accounts

Utilize complex usernames/passwords

It’s very important to use a mix of special characters, numbers, upper and lower case letters, and non-words, and to require a longer length.  Don’t use standard usernames such as administrator, user, user1, test, admin, etc.  Don’t use usernames that are first names only such as dan, john, tom, etc.  Avoid creating passwords that include your name or dictionary words, and avoid reusing passwords from other accounts.  You may want to increase the default minimum length beyond 6 characters.  Using simple passwords is the easiest way for someone to compromise your server – do NOT use simple passwords that are vulnerable to brute-force and dictionary attacks.

You can enforce strong/complex passwords and policies at Local Security Policy, Security Settings, Account Policies, Password Policy; see the policies there, including “Password must meet complexity requirements” (or this can be done via gpedit.msc, Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy).  The password complexity policy should be enabled by default on Windows Server 2016, but you should verify and adjust policies if needed (such as keeping password complexity enabled but increasing the minimum password length policy to a higher number of characters).  After changing policies, you should always test your changes.

Also, please note that the “User must change password at next logon” check box in user properties does not work with RDP sessions.  A workaround is to have users manually change their password upon logon by pressing Ctrl-Alt-End and following the change password prompts within a desktop session.

See following links for additional info:

https://technet.microsoft.com/en-us/library/hh994562(v=ws.11).aspx

https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/password-must-meet-complexity-requirements

Make sure to keep the policy “Store passwords using reversible encryption” Disabled, as described here:  https://technet.microsoft.com/en-us/library/hh994559%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
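An added PowerShell check (not from the original post) that audits the three settings discussed above: password complexity, minimum length, and reversible encryption. It exports the local security policy with secedit, reads the [System Access] keys PasswordComplexity, MinimumPasswordLength and ClearTextPassword from the export, and raises the minimum length with net accounts when it is below a target. The target length of 14 is an assumption; run in an elevated session.

```powershell
# Added example (not from the original post). Run elevated.
$MinLengthWanted = 14   # assumption: the minimum length your policy should require

# Export the local security policy to a temporary INI-style file and read the keys we care about.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

$policy = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$matches[1]] = $matches[2] }
}
Remove-Item $cfg -Force

# One finding per setting, with the expected value from the post.
$findings = @(
    [pscustomobject]@{ Setting = 'PasswordComplexity';    Value = $policy['PasswordComplexity'];    Ok = ($policy['PasswordComplexity'] -eq '1') }
    [pscustomobject]@{ Setting = 'MinimumPasswordLength'; Value = $policy['MinimumPasswordLength']; Ok = ([int]$policy['MinimumPasswordLength'] -ge $MinLengthWanted) }
    [pscustomobject]@{ Setting = 'ClearTextPassword';     Value = $policy['ClearTextPassword'];     Ok = ($policy['ClearTextPassword'] -eq '0') }
)
$findings | Format-Table -AutoSize

# Tighten the minimum length if it is below target; net accounts writes the local account policy.
if (-not $findings[1].Ok) {
    net accounts /minpwlen:$MinLengthWanted | Out-Null
    net accounts
}

# Anything still flagged Ok = False (complexity off, reversible encryption on) needs the policy editor.
$findings | Where-Object { -not $_.Ok }
```

net accounts accepts a minimum length of 0 to 14; if you want a longer minimum, set it through the Password Policy node in the policy editor instead. After any change, test a logon and a password change as the post recommends.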

Windows 2016 Remote Desktop Server RDS doesn’t allow change password at next logon

We have seen several users have this issue where they cannot log in if the check box “User must change password at next logon” in user properties has been enabled.  Various comments and posts online indicate that changes in the Windows authentication process in recent OS versions don’t allow users whose password has expired to change it via RDP when Network Level Authentication or Credential Security Support Provider (CredSSP) is enabled.  This is only an issue when trying to force users to change their password in an RDP session – it works fine from a console session if you are local to the machine.

Un-check the “User must change password at next logon” box if it is currently checked. Remember to always create complex, strong passwords!

Users can manually change their password upon logon by pressing Ctrl-Alt-End and following the change password prompts.

Advantages to using Riptide Hosting SPLA Microsoft Licenses


Most customers use our Microsoft licensing (Windows Server, Office, SQL Server, Remote Desktop Services – RDS) provided under the SPLA program (Service Provider License Agreement) on a monthly basis rather than purchasing their own MS Volume Licenses.  (Windows Server CAL licenses, which are required under regular MS Volume Licensing, are not required with our SPLA licensing.)

Using our Microsoft SPLA licensing eliminates upfront fees and makes it easy to increase and decrease licenses each month.

If you own Microsoft Volume Licenses, you can use our Dedicated Hardware Server offering and transfer your own licenses but depending on which licenses you own and how many users you have, it may still be cheaper to utilize our virtual servers/VMs with our SPLA licenses.  Contact us to review options and pricing.  We discuss the advantages to using SPLA licenses below.

SPLA LICENSES — Advantages to using our MS Licensing under SPLA:

  • Pay monthly with no commitment (versus Volume Licenses which may be 1-3 year term)
  • Pay for exactly the number of licenses you need today, not more (for user based licensing (i.e. RDS SALs/user licenses, Office SALs), we can increase the number of licenses easily so you can only license what is needed)
  • For Windows Server under SPLA, no additional Windows Server CALs are needed (you still need RDS SALs if applicable).
  • Upgrade rights (similar to Software Assurance) are included – you can upgrade to the latest version.
  • No large upfront payment like if you purchase perpetual MS Volume Licenses.
  • No minimum purchase – Can increase user licenses in increments of one user. (Some volume licensing programs have a minimum purchase or minimum points)
  • You cannot install or use your own licenses for SQL Server, RDS, Office or Office 365 on our Virtual Servers due to Microsoft licensing restrictions.
  • Example Pricing:
    • Windows Server licensing is included in our base server cost
    • RDS user licenses are $8.99 per user per month
    • SQL Server Standard is $316/mo per 4 cores versus retail pricing of approx. $7,500 per 4 cores plus add Software Assurance annually.

VOLUME LICENSES — Advantages to using/purchasing your own Volume Licensing

  • If measuring over a long-term period, a perpetual volume license may cost less than a monthly SPLA license (but you have a long-term agreement with a large upfront fee, plus you have to purchase Software Assurance separately, as well as Windows CALs on top of Windows Server).
    Note: if you end up needing fewer licenses, you will still pay for all the licenses you purchased.
  • SQL Server Standard and Enterprise can be very expensive (oftentimes as much as the underlying server cost!) and if you have already purchased these licenses you may want to use them to save money, although you are required to use our Dedicated Hardware Server hosting to use your own licensing.
  • If you have a large number of users and already have your own Office licensing (or an Office 365 plan that will work on a server or terminal server), then you may want to use them to save money, although you are required to use our Dedicated Hardware Server hosting to use your own licensing.

VIRTUAL SERVER HOSTING — Virtual Server Environment at Riptide Hosting:

  • SPLA licenses only. You must license SQL Server, RDS and Office through us (SPLA) in our VM environment.  You cannot use your own licensing of SQL Server, RDS, Office, or Office 365 on our VMs.
  • Lower entry costs, VMs start at $100/month
  • Best for VMs with fewer resources (less than 25 users, less than 200 GB space, less than 8 GB RAM and 4 vCPU)
  • Less expensive full image backup options with quick restores
  • May be less expensive to use our SPLA licenses on a VM with full image backup, even in scenarios where you have your own licensing.

DEDICATED SERVER HOSTING — Dedicated Hardware Server Environment at Riptide Hosting:

  • You can use our SPLA licenses or use your own Volume Licenses. Where the server hardware is fully dedicated to you, the outsourcing language within Microsoft Product Terms applies.
  • Best when you need significant resources (greater than 25 users, more than 200 GB disk space, more than 8 GB RAM and 4 vCPU).
  • Our Dedicated Servers start around $300/month. Compare this to AWS Dedicated Instances or AWS Dedicated Hosts that start at over $1k per month and you have to bring all your own licensing.
  • Requires more expensive full server image backup options due to much higher disk space provided.
  • Only hosting offering we provide that allows you to use your own SQL Server, RDS, Office, or Office 365 licenses. Even if you have your own licensing, make sure it can be used on a remote hosted server.  For example, Office 365 Business Plans won’t work on a Windows Server with Remote Desktop Services because Office 365 Business doesn’t include Pro Plus.

RDS — Remote Desktop Services (RDS) Licensing Notes:

  • We get asked a lot of questions about RDS licenses and here are some of our most common discussions.
  • Many hosting providers don’t even offer the ability to license RDS SALs through them and require you to have your own licenses. If you are using Remote Desktop Services (RDS), make sure you understand whether your hosting provider can provide the required licenses or not.  Note: if you can only log in with two accounts, then they did not provide you licensing for RDS access other than for maintenance.
  • The RDS CALs/SALs are not part of the Windows Server OS licensing and are applied separately. Riptide Hosting provides RDS SALs on a monthly basis (with no long-term commitment) at $8.99 per user. For example, AWS doesn’t offer RDS user licensing.  You have to buy them from MS and then bring them to AWS via License Mobility which requires that you maintain active Software Assurance on the RDS CALs and go through a MS license verification process.
  • Microsoft only provides RDS user licenses on a per-unique-end-user basis. There is no concurrent licensing model available from Microsoft for RDS.  All users, regardless of actual usage, require a license. 

Windows Server and SQL Server Licensing Notes:

  • SQL Server is licensed per core but with a minimum of 4 cores per VM or per processor.
  • Windows Server is also now licensed per core (starting with Windows Server 2016)
  • SQL Server comes in multiple editions: Express (free), Web (through SPLA only; for publicly accessible web pages, etc.), Standard, Enterprise. Contact us for differences and monthly SPLA pricing.

Deleting a user profile on Windows Server 2016

Follow this two-step process (delete the profile first, then the account) to delete a user profile in Windows Server 2016 in workgroup mode:

  1. Go to advanced system settings (sysdm.cpl), advanced tab, click on settings in the user profiles box (middle of screen), under “profiles stored on this computer” click on the user profile you want to delete and press Delete.
  2. Then go into Computer Management, Local Users and Groups, Local Users, and select the user you want to delete and delete it.
  3. Reboot and confirm that the user no longer exists in User Profiles, Computer Management, and C:\Users.
  4. Note: If you only delete the username in Computer Management, the user will continue to show up in User Profiles under advanced system settings (label changed to “Account Unknown”) and the C:\Users\username folder will still exist. If you only delete the profile in User Profiles, the C:\Users folder will be gone but the user account will still show up in Computer Management.  This is why you should perform both steps: delete the User Profile in Advanced System Settings first, then the user account in Computer Management.

See this link from Microsoft:  https://support.microsoft.com/en-us/help/2462308/delete-a-user-profile-in-windows-server-2008-and-later
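The same two-step removal scripted in PowerShell, as an added example that is not from the original post or the linked Microsoft article. Step 1 deletes the profile through the Win32_UserProfile class (the same object the User Profiles dialog removes, so the C:\Users folder and the profile registration go together), step 2 removes the local account, and the final object reports the three places the note above says to check. The user name olduser-example is an assumed placeholder; the user must be logged off and the script run elevated.

```powershell
# Added example (not from the original post). Run elevated; the user must be logged off.
$UserName = 'olduser-example'   # assumption: the local account to remove

$profilePath = Join-Path $env:SystemDrive "Users\$UserName"

# Step 1: delete the profile (User Profiles dialog equivalent). Matching on LocalPath also
# catches an orphaned "Account Unknown" profile whose account was already deleted.
$userProfile = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { $_.LocalPath -ieq $profilePath -and -not $_.Special }
if ($userProfile) {
    if ($userProfile.Loaded) { throw "Profile at $profilePath is still loaded; log the user off first." }
    $userProfile | Remove-CimInstance
}

# Step 2: delete the local account (Computer Management > Local Users and Groups equivalent).
if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
    Remove-LocalUser -Name $UserName
}

# Verify all three places the post mentions; every field should be False.
[pscustomobject]@{
    AccountRemains = [bool](Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)
    ProfileRemains = [bool](Get-CimInstance -ClassName Win32_UserProfile | Where-Object { $_.LocalPath -ieq $profilePath })
    FolderRemains  = Test-Path $profilePath
}
```

Deleting the C:\Users\username folder by hand instead of through Win32_UserProfile leaves the profile registration behind, which is exactly the "Account Unknown" leftover the note describes; Remove-CimInstance removes both.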

Logging off users on Windows Server 2016 with Remote Desktop Services

You may want to see which users are logged on to your Windows 2016 Server at any given time and may want to log off a user. Users can be “active” on a server or in a “disconnected” session status, which means they disconnected from the server but didn’t log off.  Since disconnected sessions continue to utilize server resources, we recommend you enable a group policy to log off disconnected sessions automatically after a specific time period such as 5 minutes or X hours – the easiest method is to enable a group policy to set session time limits for all users as follows:

  1. Cmd prompt, gpedit.msc
  2. Computer Configuration, Admin Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Session Time Limits
    1. Enable appropriate group policies and modify as needed
    2. We recommend setting this one because it will prevent disconnected sessions from consuming server resources — “Set time limit for disconnected sessions”
  3. After modifying group policies, you can force an update without rebooting by typing “gpupdate /force” at cmd prompt


By default, we now release Windows 2016 Servers with the disconnected session limit set at 5 minutes.  We strongly recommend keeping this group policy at 5 minutes or change it to another time amount that you want.  We don’t enable a default policy to log off “idle” sessions after X period of time but it is recommended that you enable this at X hours or X days.
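The two Session Time Limits policies set from PowerShell, as an added example (not from the original post). The policies are registry-backed: "Set time limit for disconnected sessions" writes MaxDisconnectionTime and "Set time limit for active but idle Remote Desktop Services sessions" writes MaxIdleTime, both DWORD millisecond values under the Terminal Services policy key. The 5-minute disconnect limit matches the post's default; the 8-hour idle limit is an assumed choice. Run elevated.

```powershell
# Added example (not from the original post). Run elevated on the session host.
$DisconnectLimit = [TimeSpan]::FromMinutes(5)   # the post's default
$IdleLimit       = [TimeSpan]::FromHours(8)     # assumption: pick the X hours you want

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# "Set time limit for disconnected sessions"
Set-ItemProperty -Path $key -Name 'MaxDisconnectionTime' -Type DWord -Value ([int]$DisconnectLimit.TotalMilliseconds)
# "Set time limit for active but idle Remote Desktop Services sessions"
Set-ItemProperty -Path $key -Name 'MaxIdleTime' -Type DWord -Value ([int]$IdleLimit.TotalMilliseconds)

# Apply without a reboot, as the post describes.
gpupdate /target:computer /force | Out-Null

# Read back the effective values in human-readable form.
$p = Get-ItemProperty -Path $key
[pscustomobject]@{
    DisconnectedSessionLimit = [TimeSpan]::FromMilliseconds($p.MaxDisconnectionTime)
    IdleSessionLimit         = [TimeSpan]::FromMilliseconds($p.MaxIdleTime)
}
```

Values written directly to the Policies key take effect, but gpedit.msc reads its own registry.pol file and will still show the settings as Not Configured; if you want them visible in the editor, set them there instead and use this script only to verify.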

To see detail on each users session (how long it has been active, if disconnected or idle, etc.), you can open a command prompt and type in “quser” which will show each user with session stats.

We haven’t seen this happen very frequently, but if a user logs on to the server and the screen remains black, it is likely because the user has an existing disconnected session that has not been fully logged off. To resolve this, log into the server as an Administrator and log off the user’s disconnected session.  When the user logs in again, they should see their full desktop session without any issues.

Steps to view and log off users:

  1. Login as Administrator or account with administrator rights
  2. Open Task Manager by right clicking the bottom tool bar
  3. Click on “More” or “Detail” to view all tabs of Task Manager
  4. Go to the “Users” tab which will show the users that are logged on the server
  5. Right click on a username and select “Log Off”
  (Screenshot: Task Manager, Users tab, Log Off)

We recommend that users be educated to log off from the server when their tasks are completed (start, click on username, select log-off or sign-off) instead of just disconnecting the session by clicking the X in the upper right corner which doesn’t log the user off and only disconnects the session.
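An added PowerShell example (not from the original post) for the quser and log-off steps above: it parses quser output into objects, lists every session with its state and idle time, and logs off sessions that have sat in the Disc (disconnected) state longer than a threshold. quser leaves the SESSIONNAME column empty for disconnected sessions, which is what breaks naive column splitting, so the parser treats that column as optional. A constructed sample of quser output is embedded so the parser can be tried without a live server; set $UseSample to $false to run against the real host (elevated, so logoff is allowed). The 30-minute threshold is an assumption.

```powershell
# Added example (not from the original post). Run elevated when $UseSample is $false.
$UseSample           = $true
$MaxDisconnectedIdle = [TimeSpan]::FromMinutes(30)   # assumption

# Constructed sample of quser output (not captured from a real server).
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#0           1  Active       none  5/1/2018 8:02 AM
 user1                 rdp-tcp#1           3  Active         12  5/1/2018 8:30 AM
 user2                                     4  Disc       1+02:15  4/30/2018 4:10 PM
'@

function ConvertTo-IdleTimeSpan([string]$Idle) {
    # quser prints idle time as "none", ".", minutes ("12"), "H:MM", or "D+HH:MM".
    if ($Idle -in @('none', '.')) { return [TimeSpan]::Zero }
    if ($Idle -match '^(?:(\d+)\+)?(?:(\d+):)?(\d+)$') {
        return New-TimeSpan -Days ([int]$matches[1]) -Hours ([int]$matches[2]) -Minutes ([int]$matches[3])
    }
    return [TimeSpan]::Zero
}

function ConvertFrom-Quser([string[]]$Lines) {
    foreach ($line in ($Lines | Select-Object -Skip 1)) {   # skip the header row
        if (-not $line.Trim()) { continue }
        # ">" marks the caller's own session; SESSIONNAME is absent for disconnected sessions.
        if ($line -match '^\s?>?(?<user>\S+)\s+(?<session>(?:rdp|ica|console)\S*)?\s*(?<id>\d+)\s+(?<state>\w+)\s+(?<idle>\S+)\s+(?<logon>.+)$') {
            $m = $matches
            [pscustomobject]@{
                User    = $m.user
                Session = $m.session
                Id      = [int]$m.id
                State   = $m.state
                Idle    = ConvertTo-IdleTimeSpan $m.idle
                Logon   = $m.logon.Trim()
            }
        }
    }
}

$lines    = if ($UseSample) { $sample -split "`r?`n" } else { quser 2>$null }
$sessions = ConvertFrom-Quser $lines
$sessions | Format-Table -AutoSize

# Disconnected sessions idle longer than the threshold get logged off by session ID.
$stale = $sessions | Where-Object { $_.State -eq 'Disc' -and $_.Idle -ge $MaxDisconnectedIdle }
foreach ($s in $stale) {
    Write-Host "Logging off disconnected session $($s.Id) ($($s.User), idle $($s.Idle))"
    if (-not $UseSample) { logoff $s.Id }
}
```

With the sample input, user2 (session 4, disconnected for 1 day 2 hours 15 minutes) is the only session selected; the active sessions are left alone. The same parser gives you the session ID needed for the shadowing steps in the next section.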

How to Shadow a user’s remote desktop session on Windows Server 2016 in workgroup mode

This post is about how to shadow a user session if the Windows Remote Desktop Server is not connected to a domain. If the server is connected to a domain, you can go to server manager, RDS Manager, and right click on current sessions to shadow and connect. When the server is in Workgroup mode (not connected to domain) the Remote Desktop Services Manager page is not accessible in Server Manager. To shadow another user’s sessions in Windows Server 2016 in Workgroup mode, use the following steps:

1) Open a command window by clicking Start, CMD. You must be using an account with administrative privileges. If you are using an account with administrative privileges that isn’t the named Administrator account, you must run it elevated (right click on cmd and click Run as administrator).

2) Type quser.exe to determine the session number of the user session you want to shadow (note: typing qwinsta will show similar information).

    C:\Users\administrator.computer>quser.exe
    USERNAME        SESSIONNAME     ID  STATE
    administrator   rdp-tcp#0        1  Active
    user1           rdp-tcp#1        3  Active

3) In this example, the Administrator is going to shadow the user1 session which is session 3. You need to know the session number (“3”) for the next step.

4) Start the shadow session by typing “mstsc /shadow:# /control” where # is the session number to shadow and /control allows you to control the session.

    C:\Users\administrator.computer>mstsc /shadow:3 /control

5) The other user (user1 in this example) will get a popup called “Remote control request” and must press Yes before the shadow session will open.

6) The shadow session will open and you’ll be able to view the user1 session desktop screen.

IF YOU WANT TO SHADOW A USER SESSION WITHOUT NEEDING THEIR CONSENT FOR THE SHADOW SESSION TO OPEN:

  • Enable the following group policy by going to gpedit.msc and then Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Connections.
  • Enable the setting “set rules for remote control of Remote Desktop Services user sessions” and select the option for “Full Control without user’s permission” in the dropdown.
  • Reboot the server to make the group policy take effect (or open elevated command prompt and type in gpupdate.exe /force)
  • Then using the same command as in the section above add “/noconsentprompt” like this:
  • mstsc /shadow:3 /control /noconsentprompt
  • It will still prompt the user to authorize control but if they don’t within 5-10 seconds, the shadow session will open even without their authorization.

Deploy your MS Access Database, MS Access Application online to the cloud with Remote Desktop Services (terminal services)

The quickest and easiest method to move your Microsoft Access Database online (to the cloud) is to deploy it on a hosted Windows Remote Desktop Server.  You should be able to move to a Windows Remote Desktop server with MS Access and be up and running on the same day!  We have been providing terminal server (remote desktop) hosting solutions for over 15 years.  Contact us to discuss your options, pricing, MS licensing, etc.  We host your Access database on its own server (not a shared OS, not SharePoint) with resources dedicated to you.  You will have a better experience hosting your MS Access database with us than with other providers using a shared OS environment.

As previously announced by Microsoft, Access-based web apps (Access Web Apps) and Access web databases in Office 365 and Sharepoint Online were shut down in April 2018.  See link here:  Access Services in Sharepoint shut-down

You can also review our pricing calculator here:  http://www.riptidehosting.com/Remote-Desktop-Hosting-Pricing.aspx

When comparing options for hosting your Access application online, ask the hosting provider if it will be a Windows Server with Remote Desktop Services or if they are hosting the Access application on a Sharepoint server.  We do not provide hosting services on Sharepoint.  If your MS Access application has VBA coding, it may not work in a sharepoint environment.  You should also ask if your application is hosted in a dedicated OS environment (dedicated VM for you), or if it is on a shared OS environment, or if running on Sharepoint.

RDP authentication error due to CredSSP encryption oracle remediation after May 2018 Windows Updates


If you are getting an error using RDP to connect to a Windows Server and the error says “Remote Desktop Connection: An authentication error has occurred.  The function requested is not supported. This could be due to CredSSP encryption oracle remediation”, this is because you are connecting from an unpatched client to a patched server or from a patched client to an unpatched server.

To fix this issue, install the May 2018 Windows Updates on both the server and the local PCs.

Microsoft has been patching a vulnerability in RDP/CredSSP with the patches released this month (May 2018) and the previous month or two, and as of the May 8 updates, BOTH the client PCs and the Windows Server must have the May patches installed.

Below is a link about it, but the best course is to apply the patches:
https://blogs.technet.microsoft.com/yongrhee/2018/05/09/after-may-2018-security-update-rdp-an-authentication-error-occurred-this-could-be-due-to-credssp-encryption-oracle-remediation/


UPDATED 5/10/2018 –

Additional links discussing this issue are below.  The best approach is to install Windows Updates on both servers and client/local PCs, and everything should work.  If you are unable to patch your server immediately, there are some suggested workarounds (registry/GPO modifications, disabling NLA (not recommended due to lower security), etc.), but we strongly recommend you apply the May 2018 Windows Updates.

https://blogs.technet.microsoft.com/askpfeplat/2018/05/07/credssp-rdp-and-raven/

https://community.spiceworks.com/topic/2120195-get-patching-cve-2018-0886-credssp-flaw-in-rdp-affects-all-versions-of-windows?page=3
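An added PowerShell check (not from the original post or the linked articles) for verifying that none of the workarounds mentioned above has been left in place once patching is done. It reads the Encryption Oracle Remediation policy value AllowEncryptionOracle (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable; absent means the post-patch OS default applies), confirms NLA is still required on the server, and optionally checks that specific updates are installed. The KB list is an empty placeholder to be filled from Microsoft's advisory for your OS build; no KB numbers are assumed here.

```powershell
# Added example (not from the original post). Run on the server (and on clients) after patching.
$RequiredKBs = @()   # placeholder: e.g. the May 2018 cumulative update KB for this OS build

# 1. Encryption Oracle Remediation policy (registry-backed GPO setting).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$meaning = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable (workaround still enabled)' }
$value = (Get-ItemProperty -Path $key -Name 'AllowEncryptionOracle' -ErrorAction SilentlyContinue).AllowEncryptionOracle
$oracleState = if ($null -eq $value) { 'Not configured (OS default after patching)' }
               elseif ($meaning.ContainsKey([int]$value)) { "$value = $($meaning[[int]$value])" }
               else { "$value = unknown value" }

# 2. Network Level Authentication still required? (UserAuthenticationRequired = 1 means NLA on.)
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting -ErrorAction SilentlyContinue
$nlaRequired = if ($ts) { [bool]$ts.UserAuthenticationRequired } else { $null }

# 3. Named updates present? (Empty list = check skipped.)
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missingKBs = $RequiredKBs | Where-Object { $_ -notin $installed }

[pscustomobject]@{
    EncryptionOracleRemediation = $oracleState
    NLARequired                 = $nlaRequired
    MissingUpdates              = ($missingKBs -join ', ')
    Finding                     = if ($value -eq 2 -or $nlaRequired -eq $false -or $missingKBs) {
                                      'Workaround or gap present; patch and remove the workaround'
                                  } else { 'OK' }
}
```

A result of 2 (Vulnerable) or NLARequired = False means one of the temporary workarounds from the linked articles is still active and should be reverted once both sides are patched.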