Customizing the Microsoft RDP Client (Part 2)

If you missed the first article in this series please read Customizing the Microsoft RDP Client (Part 1).

In the first part of this article we discussed the customizations you can do at the interface level on the Microsoft Remote Desktop client and the reasons for doing that.

Now, moving on to part two, we will cover another modification that, in my opinion, will greatly enhance security in your Terminal Services environment. After reading this article you will also understand why this little tweak can help you protect all the servers you access remotely using RDP, Terminal Server or not. I think most of us today simply use RDP to manage Domain Controllers, Exchange, SQL and so on, and this article applies to all of these as well! So keep reading.

Introduction

If you did not read Part 1, here we go again. As in any other ‘hands-on’ article, I must clarify a couple of things. If you remember reading any Microsoft knowledge base article where they mention the word ‘registry’, they always state that if you say the word registry ten times in front of a server running Windows while facing west, things may happen and your server may go to the cyber-limbo. The same rules/great ideas apply here. You will use tools that, let’s say, can cause some damage depending on where and how you use them. So I am NOT responsible for your actions; do it at your OWN risk.

And ALWAYS have a backup ready!

The Tools

For this second part we will need a hex editor to change one file, MSTSCAX.DLL. There are many available and of course I did not have time to test every one out there. One I tried and liked a lot is the Free Hex Editor from HHD Software (Fig. 1). You can download it at:

http://www.hhdsoftware.com/free-hex-editor.html


Fig. 1

Simply download it at the link provided and install it on your machine.

Doing some work…

Ok, the main question you are asking yourself now is ‘What the hell are we going to do that will somehow increase security on my servers that I access using RDP, TS or not?’. Simple. When you connect to a server using RDP, if you launch TSADMIN on that server and take a look at your connection details you will see this screen (Fig. 2):


Fig. 2

On the right-hand side panel you can see something that says ‘Client build number’. In my case, using the regular Microsoft RDP Client that comes with Windows XP Pro SP2, it is listed as 2600. So what can we do with this?

There is a GREAT piece of software out there that was originally developed by Terminal-Services.NET and is now given away for FREE by 2X Software Ltd. (http://www.2x.com). It is called SecureRDP and it basically allows you to filter incoming connections based on many different things like IP address, MAC address, Computer Name and of course, CLIENT VERSION!

So the idea here is to change the client version to a four-digit number that only YOU know and use SecureRDP to allow only that particular version to connect to your servers! For example, if you change the Microsoft RDP Client to version 3455 and load SecureRDP on all your domain controllers, configuring it to allow version 3455 only, then if a regular user gets your username and password and tries to connect from his PC to your domain controller, SecureRDP will intercept that connection and show the user a message (which you can customize), and he will NOT be able to log in (as you are the only one with RDP client version 3455).

Now let’s move to the hands-on part. Assuming you got the Free Hex Editor and installed it properly, simply launch it (double-click the Free Hex Editor icon). Now go to FILE | OPEN and browse for ‘MSTSCAX.DLL’. Usually this file is under WINDOWS\SYSTEM32. If it is not there for you, simply search for it on your hard drive.

After opening you should see something like this (Fig. 3):


Fig. 3

Now simply go to EDIT | Goto, type 45c30 (make sure ‘Hexadecimal Number’ is selected) and click ‘Goto’ (Fig. 4).


Fig. 4

Now, back in Fig. 3, you can see on the first line (offset 00045C30), in the 5th and 6th columns, two numbers: 28 and 0A. These are stored in reverse (little-endian) order, so the actual number is 0A28, which converted to decimal is 2600! So this is where the client version number is stored. Our job is very easy now…

After many hours discussing this internally with your administrators, you decide to use the number 3030 for your customized RDP Client. If you use CALC (yes, the good old calculator) to convert 3030 to hexadecimal, the result is 0BD6.

Keep in mind we must use the REVERSE order here, so we will replace 28 0A with D6 0B. Simply type the new numbers over the old ones. Once you are done, go to FILE | SAVE AS and save it somewhere like C:\TOOLS. Now copy the MSTSC.EXE executable (the one you changed in Part 1 of this article) to the same folder and let’s test it! Make sure you CLOSE the file or EXIT the Free Hex Editor first!
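As an added example (not from the original article, HHD Software or 2X), the following Python script performs the same two-byte edit on a copy of the file. Unlike typing over bytes in a hex editor, it refuses to write unless it finds the expected 28 0A at the offset, which guards against applying the XP SP2 offset to an MSTSCAX.DLL from a different Windows build where the build number sits elsewhere. The offset 45c30 and the values 2600 and 3030 come from the article; the function names and the zero-filled sample image are constructed for the example, and the file paths in the comment are placeholders.

```python
import struct

# Values from the article (Windows XP SP2 mstscax.dll): the editor is positioned
# at 0x45C30 and the build number is in the 5th and 6th bytes of that line,
# i.e. at 0x45C34, stored little-endian (28 0A == 0x0A28 == 2600).
LINE_OFFSET = 0x45C30
BUILD_OFFSET = LINE_OFFSET + 4
ORIGINAL_BUILD = 2600
NEW_BUILD = 3030


def build_to_bytes(build: int) -> bytes:
    """Encode a build number as the 2-byte little-endian value the DLL stores."""
    if not 0 <= build <= 0xFFFF:
        raise ValueError("build number must fit in 16 bits")
    return struct.pack("<H", build)  # 3030 -> b'\xd6\x0b', i.e. D6 0B on disk


def bytes_to_build(raw: bytes) -> int:
    """Decode two little-endian bytes back into the build number."""
    return struct.unpack("<H", raw)[0]


def patch_build_number(data: bytes, offset: int, expected: int, new: int) -> bytes:
    """Return a copy of data with the build number at offset replaced.

    Refuses to write if the bytes at offset are not the expected value, so a
    DLL from another Windows build (different layout) is left untouched.
    """
    current = data[offset:offset + 2]
    if len(current) != 2:
        raise ValueError("offset is beyond the end of the file")
    if bytes_to_build(current) != expected:
        raise ValueError(
            f"unexpected bytes {current.hex(' ')} at 0x{offset:X}; "
            f"expected {build_to_bytes(expected).hex(' ')} ({expected})"
        )
    return data[:offset] + build_to_bytes(new) + data[offset + 2:]


def make_sample_image() -> bytes:
    """Constructed stand-in for mstscax.dll: zero-filled, with 28 0A at 0x45C34."""
    image = bytearray(BUILD_OFFSET + 16)
    image[BUILD_OFFSET:BUILD_OFFSET + 2] = build_to_bytes(ORIGINAL_BUILD)
    return bytes(image)


def patch_file(src_path: str, dst_path: str,
               expected: int = ORIGINAL_BUILD, new: int = NEW_BUILD) -> None:
    """Patch a copy of the DLL on disk; the source file is never modified."""
    with open(src_path, "rb") as f:
        data = f.read()
    with open(dst_path, "wb") as f:
        f.write(patch_build_number(data, BUILD_OFFSET, expected, new))


if __name__ == "__main__":
    sample = make_sample_image()
    patched = patch_build_number(sample, BUILD_OFFSET, ORIGINAL_BUILD, NEW_BUILD)
    print(sample[BUILD_OFFSET:BUILD_OFFSET + 2].hex(" "), "->",
          patched[BUILD_OFFSET:BUILD_OFFSET + 2].hex(" "))
    # Use on a real copy (placeholder paths, mirroring the SAVE AS step above):
    # patch_file(r"C:\WINDOWS\SYSTEM32\mstscax.dll", r"C:\TOOLS\mstscax.dll")
```

The script writes to a separate destination, so the original under WINDOWS\SYSTEM32 stays intact, exactly as the SAVE AS step does. Keep in mind that the build number is a value the client sends, so the version filter is one layer in front of the normal logon rather than a replacement for it; SecureRDP's logging of rejected connections is the part worth keeping an eye on.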

Launch MSTSC.EXE from your C:\TOOLS folder where the new MSTSCAX.DLL is and connect to your TS. After connecting launch TSADMIN and check the client version (Fig. 5).


Fig. 5

As you can see the client version reported is now version 3030! Perfect! Exactly what we wanted to achieve.

Final touches

Now that we have our own customized Microsoft RDP Client, version 3030, the next step is to load SecureRDP on our server and test it! As I said, you can download it directly from http://www.2x.com and, again, it is FREE.

I am not going to cover the installation of the product (as it is straightforward). After installing and launching it you should have a screen like this (Fig. 6):


Fig. 6

Simply click on ‘Client Version’ and, in the first box next to the word ‘Allow’, type 3030. Make sure you tick the checkbox ‘Enable Client Version Filter’. After doing this, click on FILE | APPLY CONFIGURATION.

So now if you try to connect using the regular RDP client, you should see something like this on the screen (Fig. 7).


Fig. 7

As you can see, SecureRDP intercepts the request before you even see the logon screen! By doing that, it prevents a possible attacker from even seeing your domain/computer name! Great!

Now if you use the customized version to connect, you will connect without any issues. I tried just to be safe and yes, it works!

So this customization goes beyond terminal services and can (and SHOULD) be used when accessing ANY backend server. This is a cheap (cannot get cheaper than that right?) and very effective way to protect your Terminal Servers, Domain Controllers, Exchange Servers and so on.

Conclusion

In my opinion this is one of the easiest and most effective ways to protect a terminal server. If you give this customized client to your users connecting from home, and on the terminal server you allow that particular version only, anyone else who tries to connect to your server over the internet will be denied access. And yes, SecureRDP logs all that information for you. Pretty cool. Many thanks to 2X for making this great application available to everyone at no cost.

Finally, as in Part 1, the main task now is to find a way to redeploy this new client to all your users, administrators, etc. This is beyond the scope of this article but, as with pretty much anything, it is no rocket science. Any packaging tool like Wise Installer will do the trick easily, and there is a lot of freeware out there that will allow you to create an MSI. Cheers!
