Terminal Server Logging Blog Articles | Remote Desktop

User Session Shadowing in Remote Desktop Commander v4.7+

June 12, 2019 By admin Leave a Comment

Until the release of our Remote Desktop Commander v4.7, one of the continuous laments that we used to hear from our customer base for years centered on the user session shadowing in Remote Desktop Services. This is a shame, because the internal architecture for shadowing from Windows Server 2012 R2 onwards is pretty amazing! Using MSTSC to shadow proved however less than smooth. The litany of complaints has always included problems like:

lack of proper shadowing support (zoom out) for multiple monitor sessions;
dreaded permissions errors;
the unfortunate requirement for help desk users to be administrators (!) on the terminal servers they want to shadow;
the inability for Windows 7 systems to initiate shadowing on Server 2012/2016/2019 systems and Windows 8 and 10 workstations.

There was also the small issue that there were no tools for shadowing/remote assistance inside Windows Virtual Desktop in Azure.

By the way: Check out this twisted history of shadowing RDP users.

In the resulting confusion, admins and IT staff have been paying an arm and a leg for remote assistance tools to bridge this gap for years. These tools require heavy install footprints, hundreds or even thousands of dollars per technician per year, and tedious invitation URLs, etc. are required to start helping users.

Which Reminds Us: Delegation of Administration Options for Remote Desktop Services Has Been Nonexistent For W a y T o o L o n g

The other need that we heard frequently from our customers: To have the ability to precisely delegate Remote Desktop Services management permissions to their help desk and front line support staff. For a while, the only real option had been to give help desk staff admin rights on session hosts and connection brokers. Not an ideal situation from a security, or a “whoops I just rebooted a terminal server with 30 user sessions running line of business apps” perspective.

We tried to resolve some of these issues with our RDSConfig utility, that allowed permissions reassignment for users and groups on session hosts. However, in larger RDS collections, you need a way to apply those permissions to a huge swath of session hosts all at once – especially as new session hosts are brought online. Also, to do their jobs, help desk staff need rights to query the Connection Broker to dynamically list RDS collections and the servers that are members of each, plus they should have the ability to read RDS-related performance counters on those session hosts, so they can troubleshoot things like network latency from the client to the server.

So, We Figured Out How To Make User Session Shadowing Much Better AND Created a Wizard To Let You Delegate RDS Management Tasks To Your Help Desk Staff

We call these tools in the Remote Desktop Commander Client Premium Management Features. Want to shadow Server 2012+ systems from Windows 7? No problem. Want to monitor multiple user sessions at once in live view in one window? We do that. Do you have RDS users with multiple monitors that you haven’t been able to shadow before? Again, we’ve got you covered.

Where To Go Next To Find Out More . . .

Request a web demo with an RDPSoft solutions expert to see all our solutions’ features in depth.

Updated: November 2020.

We Fixed Remote Desktop Shadowing (And Some Other Stuff)

May 8, 2019 By Andy Milford Leave a Comment

One of the continuous laments that we’ve heard from our customer base, for years now concerns user session shadowing in Remote Desktop Services. This is a shame, because the internal architecture for shadowing from Windows Server 2012 R2 onwards is pretty amazing.

Using MSTSC to shadow however, eh, not so much.

Let’s Face It: Remote Desktop Shadowing Hasn’t Been a Great Experience For, Well . . . Forever!

The litany of complaints includes problems like:

lack of proper shadowing support (zoom out) for multiple monitor sessions
dreaded permissions errors
the unfortunate requirement for help desk users to be administrators on the terminal servers they want to shadow
the inability for Windows 7 systems to initiate shadowing on Server 2012/2016/2019 systems and Windows 8 and 10 workstations.

There was also the small issue that there were no tools for shadowing/remote assistance inside Windows Virtual Desktop in Azure.

As a result, admins and IT staff have been paying an arm and a leg for remote assistance tools to bridge this gap – tools that require heavy install footprints, hundreds or even thousands of dollars per technician per year, and tedious invitation URLs, etc are required to start helping users.

Which Reminds Us: Delegation of Administration Options for Remote Desktop Services Have Been Nonexistent For Way Too Long!

The other need that we hear frequently from our customers is the ability to precisely delegate Remote Desktop Services management permissions to their help desk and front line support staff. To date, the only real option has been to give help desk staff admin rights on session hosts and connection brokers. Not an ideal situation from a security, or a “whoops I just rebooted a terminal server with 30 user sessions running line of business apps” perspective.

So, We Figured Out How To Make Shadowing Much Better AND Created a Wizard To Let You Delegate RDS Management Tasks To Your Help Desk Staff

We call these new tools in the Remote Desktop Commander Client Premium Management Features. For $99.99 per admin or help desk user per year, all of the aforementioned problems go away. Want to shadow Server 2012+ systems from Windows 7? No problem. Want to monitor multiple user sessions at once in live view in one window? We do that. Do you have RDS users with multiple monitors that you haven’t been able to shadow before? Again, we’ve got you covered.

Watch this quick video on YouTube to see these features in action:

Next, download the latest copy of the Remote Desktop Commander Lite client. Once you install it, you’ll be able to preview the SuperShadow features for 15 days. The RDS Management Delegation Wizard becomes available after you purchase a subscription from us.

Once you start your subscription, you’ll immediately be emailed a license file that will unlock all of those features.

**Note 1: With the release of Premium Management Features in Remote Desktop Commander Lite, legacy shadowing support for Windows Server 2008 and legacy shadowing through the MSTSC client were retired. These features remain available in our Remote Desktop Commander Suite solution however.

**Note 2: If you are an existing Remote Desktop Commander Suite customer who would like to test these new Premium Management Features, please install the latest client on a VM or system OTHER than the system running the core Remote Desktop Commander Suite components.

Updated: November 2020.

Track RDP Hack Attacks With RDS Log Viewer 2.0

October 11, 2018 By admin Leave a Comment

For many, the first time the threat of RDP hack attacks became real was when in September of 2018, the FBI and Department of Homeland Security issued a Public Service Announcement on the proliferation of hacking and ransomware attacks taking place via the Remote Desktop Protocol. Here are some key takeaways from that announcement:

Remote administration tools, such as Remote Desktop Protocol (RDP), as an attack vector has been on the rise since mid-late 2016 with the rise of dark markets selling RDP Access. Malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions over the Internet to compromise identities, steal login credentials, and ransom other sensitive information.

CrySiS Ransomware: CrySIS ransomware primarily targets US businesses through open RDP ports, using both brute-force and dictionary attacks to gain unauthorized remote access. CrySiS then drops its ransomware onto the device and executes it. The threat actors demand payment in Bitcoin in exchange for a decryption key.

Dark Web Exchange: Threat actors buy and sell stolen RDP login credentials on the Dark Web. The value of credentials is determined by the location of the compromised machine, software utilized in the session, and any additional attributes that increase the usability of the stolen resources.

Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.

Years later, and with many more using RDP for every day business, if you haven’t been keeping tabs on RDP access attempts into your network or Azure cloud environment, it’s time to start.

Remote Desktop Commander Suite v4.5+ Features: Audit and Visualize All RDS Login and Logon Failure Activity

Consolidate All RDS Logins and Logon Failures, Regardless
Of Whether Or Not They Occurred On Session Hosts Or Remote Desktop Gateway Servers

Attempting to track successful RDP logins is no picnic, as multiple log files from multiple different systems – the session host servers and remote desktop gateway servers – must be consulted and the information correlated.

In version 4.5+ of the Remote Desktop Commander Suite, the Remote Desktop Reporter Service automatically collects and correlates key events from event log files on Session Host servers and Remote Desktop Gateway servers. The result is a treasure trove of valuable login and logon failure data that it retains in its SQL database, allowing us to deliver the incredible new features described below.

Find Out Where Your Users Are Working From, and Locate the Source Of Potential Brute Force RDP Hacks

Geolocate RDP Logon Failures — Perform deep analysis of RDP logon failures and user logins using the User IP Geolocation Dashboard.

Remote Desktop Services login and logon failure data correlation from session hosts and gateways is a valuable feature in its own right, but the rich visualizations of this data is what sets Remote Desktop Commander Version 4.5+ apart from the competition. The User IP Geolocation Dashboard combines IP geolocation data with interactive worldwide maps and tabular, filterable tables so administrators can zero in on both legitimate RDS users and hackers.

Locate The Source of RDP Brute Force Hack Attempts — Filter RDP logon failure and login data by username, time frame, computer, and sort the data by username, region, country etc.

Our dashboard is completely extensible via PowerShell scripts, which are designed to receive selected server names, usernames, and IP addresses as input parameters. This is especially useful for the remediation of inbound hack attempts.

Remediate Brute Force RDP Attacks — Extend the capabilities of the dashboard with PowerShell

Instantly build reports from the filtered RDP login and logon failure data in the dashboard, or simply export the data to comma-delimited text.

Report on RDP Logon Failures — Export RDP login data and generate reports in PDF, Word, or Excel.

Schedule Daily User Login and Logon Failure Reports

RDP Logon Failure Reports — Build RDP login reports manually, or schedule them to run daily to gain insight on where users are connecting from.

With routine review of these reports, you can quickly spot geographic RDP login anomalies that could be suggestive of a compromised user account.

See The Actual IP Address and Geolocation Information for User Sessions In Existing Time Tracking Reports

By default, the Microsoft Terminal Services client (MSTSC) does not report its actual global IP address when connecting to a terminal server. And, when connecting through a Remote Desktop Gateway system, no IP address information is transmitted at all. Many admins requested that we transform the incorrect or missing IP address information with the actual global IP address of the user, whether or not they are connecting through a RD Gateway.

Based on this feedback, we retrofitted several existing reports, such as the User Sessions – Session Details By User report family, to include the correct global IP of the user based on the correlated log data now collected by our central polling service. Also, when possible, the global IP address is accompanied with the geographic region of the user’s ISP

Remote Desktop User Time Tracking Report — Many existing user activity reports now include the resolved, Global IP of the user, and ISP geolocation information when available.

RDS Log Viewer 2.0+ Featuring Remote Desktop Gateway Login and Logon Failure Tracking

Our RDS Log Viewer 2.0+ has the ability to track RDS connections through a Remote Desktop Gateway Server, and it will also show you some of the logon failures on your Remote Desktop Gateway. This is useful for several reasons:

- You can see what IP addresses your users are connecting from through your RD Gateway server, to see if there are significant discrepancies in source IP. You can manually geolocate these IP addresses if you want. A user account that connects through the gateway using IP addresses from ISPs in different regions may be compromised.

- You can view the first 30 logon failures from your Gateway server. If you see user accounts that are not part of your domain in the initial list of failures, your RD Gateway may be experiencing repeated brute force attacks. You can investigate further by starting a subscription to our Remote Desktop Commander Suite, which has the ability to track all logon failures and puts you in a position to fix the problem.

Next Steps . . .

Learn more about the Remote Desktop Commander Suite, including its feature set and how to start a subscription.

Or, to download RDS Log Viewer v2.0, please click here.

And, if you’re not sure where to go next, request a web demo with an RDPSoft solutions expert to see all our solutions’ features in depth.

Updated: November 2020.

RDS Logins & Logon Failure Tracking (And More) in Remote Desktop Commander v4.5+

September 27, 2018 By admin Leave a Comment

Though later versions of our Remote Desktop Commander Suite build on these key features, it’s worth drilling into these specific capabilities in RDS logins and logon failure tracking (plus some extra stuff we’re sure will interest you) that were introduced starting with v4.5:

Consolidate All RDS Logins and Logon Failures, Regardless Whether Or Not They Occurred On Session Hosts Or Remote Desktop Gateway Servers

Our CEO, Andy Milford, has written at length about the challenges faced when attempting to correlate RDP logon failure data from session hosts at his PureRDS.org blog. Attempting to track successful RDP logins is no picnic either, as multiple log files from multiple different systems – the session host servers and remote desktop gateway servers – must be consulted and the information correlated.

In version 4.5 of the Remote Desktop Commander Suite, the Remote Desktop Reporter Service automatically collects and correlates key events from event log files on Session Host servers and Remote Desktop Gateway servers. The result is a treasure trove of valuable login and logon failure data that it retains in its SQL database, allowing us to deliver the incredible new features described below.

Geolocate RDS Logins and Logon Failures In the User IP Geolocation Dashboard – Find Out Where Your Users Are Working From, and Locate the Source Of Brute Force RDP Hack Attempts

Instantly build reports from the filtered RDP login and logon failure data in the dashboard, or simply export the data to comma-delimited text.

Schedule Daily User Login and Logon Failure Reports

Scheduled reports make it easy to keep track of both where your users are routinely connecting from, as well as the sources of hacking and penetration attempts. Group login and logon failure data by country or by user. With routine review of these reports, you can quickly spot geographic RDP login anomalies that could be suggestive of a compromised user account.

See The Actual IP Address and Geolocation Information for User Sessions In Existing Time Tracking Reports.

By default, the Microsoft Terminal Services client (MSTSC) does not report its actual global IP address when connecting to a terminal server. When connecting through a Remote Desktop Gateway system, no IP address information is transmitted at all. Many admins have requested that we transform the incorrect or missing IP address information with the actual global IP address of the user, whether or not they are connecting through a RD Gateway.

Based on this feedback, we have retrofitted several existing reports, such as the User Sessions – Session Details By User report family, to include the correct global IP of the user based on the correlated log data now collected by our central polling service. Also, when possible, the global IP address is accompanied with the geographic region of the user’s ISP

Massively Reduce Database Storage Requirements With Performance Threshold Database Pruning

As you can see, we’ve mainly talked about logins and logon failures so far, and we’re talking about lots of data that we work with. So, we have to be ready to handle it all. Which brings us to a related feature.

Collecting in-depth performance data on a per-user and per-program basis with our agent service is great, but it’s easy to generate a lot of data in SQL by doing so. Version 4.5+ has a nifty new feature that we call “Performance Threshold Database Pruning.”

Now, in addition to purging out agent-based performance data based on date, you can elect to keep only the agent data associated with times of high load on session host servers. You can define what you consider to be high load both in terms of CPU usage or memory utilization, or a combination of both. Using this new feature can drastically reduce the amount of data stored in SQL over time, in many cases by over 80%.

Control RDS Performance Database Growth — Using Performance Threshold Database Tuning, tightly control the size of your SQL database growth.

. . . And What’s The Latest?

Of course, features change and mature, so be sure to find out the latest developments with our Remote Desktop Commander Suite by requesting a web demo with an RDPSoft solutions expert.

Updated: November 2020.

Windows Virtual Desktop Officially Announced – My Take

September 24, 2018 By Andy Milford Leave a Comment

This week at Ignite, Microsoft is announcing the introduction of Windows Virtual Desktop, a multi-user version of Windows 10 Enterprise that is deployable in Azure. Please see their blog post here about it.

I will have much more to say about this in future blog posts, but coupled with their heavy investments in “Remote Desktop Modern Infrastructure” (a.k.a RDmi for short) where RDS roles like the Connection Broker, Web Access, and Gateway are now simply PaaS components in Azure, this is going to upend the EUC/virtualization industry in an extreme way. The downward cost pressure Microsoft will place on user desktop and app hosting with this play will be tremendous. In the future at this blog and in webinars we host, we will analyze Windows Virtual Desktop licensing (with RDmi and compute costs factored in) versus traditional on-premise or datacenter-based Remote Desktop Services hosting on Server 2016/2019.

At first glance, I don’t think Windows Virtual Desktop will be good for Citrix, and I certainly think it will threaten Amazon’s DaaS offering. It’s also probably going to put a good swath of non-Azure based MSPs and CSPs out of business. I could be wrong, of course, but that’s my read on it right now.

Fortunately for our customers, we will be Windows Virtual Desktop ready in Q1 2019, and will be able to monitor multi-user Windows 10 instances just like Windows Server RDS session hosts. We look forward to continue to serving the Remote Desktop Services management and monitoring needs of all organizations, whether they run Windows Server or Windows 10 on premise, in the datacenter, or in Azure.

« Previous Page
1
…
6
7
8
9
10
…
19
Next Page »

User Session Shadowing in Remote Desktop Commander v4.7+

Which Reminds Us: Delegation of Administration Options for Remote Desktop Services Has Been Nonexistent For W a y T o o L o n g

So, We Figured Out How To Make User Session Shadowing Much Better AND Created a Wizard To Let You Delegate RDS Management Tasks To Your Help Desk Staff

Where To Go Next To Find Out More . . .

We Fixed Remote Desktop Shadowing (And Some Other Stuff)

Let’s Face It: Remote Desktop Shadowing Hasn’t Been a Great Experience For, Well . . . Forever!

Which Reminds Us: Delegation of Administration Options for Remote Desktop Services Have Been Nonexistent For Way Too Long!

So, We Figured Out How To Make Shadowing Much Better AND Created a Wizard To Let You Delegate RDS Management Tasks To Your Help Desk Staff

Windows Virtual Desktop Officially Announced – My Take

From the RDPSoft Blog

We Do “Single Pane of Glass” Monitoring and Management for RDS

Reach Out

Which Reminds Us: Delegation of Administration Options for Remote Desktop Services Has Been Nonexistent For W a y T o o L o n g

So, We Figured Out How To Make User Session Shadowing Much Better AND Created a Wizard To Let You Delegate RDS Management Tasks To Your Help Desk Staff

Where To Go Next To Find Out More . . .

Let’s Face It: Remote Desktop Shadowing Hasn’t Been a Great Experience For, Well . . . Forever!

Which Reminds Us: Delegation of Administration Options for Remote Desktop Services Have Been Nonexistent For Way Too Long!

So, We Figured Out How To Make Shadowing Much Better AND Created a Wizard To Let You Delegate RDS Management Tasks To Your Help Desk Staff

Remote Desktop Commander Suite v4.5+ Features: Audit and Visualize All RDS Login and Logon Failure Activity

Consolidate All RDS Logins and Logon Failures, RegardlessOf Whether Or Not They Occurred On Session Hosts Or Remote Desktop Gateway Servers

Find Out Where Your Users Are Working From, and Locate the Source Of Potential Brute Force RDP Hacks

Schedule Daily User Login and Logon Failure Reports

See The Actual IP Address and Geolocation Information for User Sessions In Existing Time Tracking Reports

RDS Log Viewer 2.0+ Featuring Remote Desktop Gateway Login and Logon Failure Tracking

Next Steps . . .

Consolidate All RDS Logins and Logon Failures, Regardless Whether Or Not They Occurred On Session Hosts Or Remote Desktop Gateway Servers

Geolocate RDS Logins and Logon Failures In the User IP Geolocation Dashboard – Find Out Where Your Users Are Working From, and Locate the Source Of Brute Force RDP Hack Attempts

Schedule Daily User Login and Logon Failure Reports

See The Actual IP Address and Geolocation Information for User Sessions In Existing Time Tracking Reports.

Massively Reduce Database Storage Requirements With Performance Threshold Database Pruning

. . . And What’s The Latest?

From the RDPSoft Blog

We Do “Single Pane of Glass” Monitoring and Management for RDS

Reach Out

Consolidate All RDS Logins and Logon Failures, Regardless
Of Whether Or Not They Occurred On Session Hosts Or Remote Desktop Gateway Servers