Enabling Remote Desktop on Windows Server 2008 R2

Recently I've started upgrading some of our infrastructure here at work. The previous Network Administrator invested in a 1/2 dozen Super Micro servers which, until now, have played a critical role in my development, staging, and production environments. These servers are now getting to the ripe old age of 3 years and for the past 5 months I've been planning their replacement. One change in particular that I am only too happy to announce is our migration from towers to racks, Dell R710's to be exact.

These racks in particular have the following specs:

PowerEdge R710 with Chassis for Up to Six 3.5-Inch Hard Drives

1 DVD ROM, SATA, INTERNAL

1 72GB Memory (18x4GB), 800MHz Dual Ranked RDIMMs for 2 Processors, Optimized

1 E5520 Xeon Processor, 2.26GHz 8M Cache, Turbo, HT, 1066MHz Max Mem

1 PowerEdge R710 Heat Sinks for 2 Processors

1 E5520 Xeon Processor, 2.26GHz 8M Cache, Turbo, HT, 1066MHz Max Mem

1 High Output Power Supply Redundant, 870W

1 Sliding Ready Rails With CableManagement Arm

1 Dell Management Console

1 Dual-External-Port SAS 5/E HBAfor Power Vault MD3000, PCI Express

1 RAID 1 for H700, PERC 6/i, H200 or SAS 6/iR Controllers

1 146GB 15K RPM Serial-Attach SCSI 3Gbps 3.5in Hotplug Hard Drive

1 146GB 15K RPM Serial-Attach SCSI 3Gbps 3.5in Hotplug Hard Drive

1 Server Management License, 1 Server (Managed by SCE/SVMM)

1 Embedded Broadcom, GB Ethernet NICS with TOE

1 Dell Hardware Limited Warranty Plus On Site Service Initial Year

1 Pro Support for IT: Next Business Day Onsite Service After Problem Diagnosis, 3 Year Extended

1 Dell Hardware Limited Warranty Extended Year

I also purchased Dell's 24U rack cabinet (PDF) which is built like a tank. Very strong, very accessible, and with Dell's sliding rail system I was able to install my racks in 5 minutes a piece, by myself. However, I do recommend having a coworker/friend give you a hand. These racks generally weigh about 50+ lbs.

Now, once you haveWindows Server 2008 R2 installed and are up and running there are a few things you'll need to do in order to securely RDP into your new server. Firstly, by default Remote Desktop is disabled. To enable this:

• run Server Manager, select Server Manager at left
• select "Configure Remote Desktop" under the "Server Summary" section.
• under Remote Desktop you'll want to select "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)". Utilizing NLA will protect your server from denial-of-service (DOS) attacks since authentication will need to be completed before resources are consumed on the remote machine.

The next step is to modify your inbound firewall to allow for RDP sessions. To do this:

• click Start, Control Panel
• select "Check Firewall Status" from the System and Security options
• select "Advanced Settings" on the left
• select "Inbound Rules"
• right-click and select enable for the following two rules: Remote Administration (RPC) and Remote Desktop (TCP-In). Without making these two changes you will be able to establish an RDP session but it will quickly be closed on you.
• by default these rules are applied to both domain, public and private firewalls. If your server is part of a domain and you wish to restrict these exceptions to that domain (a good idea) simply right-click the rule, select properties, goto the Advanced tab and uncheck the profiles to which this rule will not apply. In my case I left only Domain checked off.

Now our server is properly configured and we can now do our work on our XP / Vista workstation which we will be connecting from. The first step is to ensure that we have an RDP client (mstsc.exe) which supports NLA. If you're running XP SP3 (highly reccomended) then you most likely have a usable client (6+). If not you can use Microsoft's KB hotfix to update your client. This hotfix can be found here.

Once the updated RDP client is installed we will need to make two registry changes. These changes only apply to Windows XP SP3 and can be found in this Microsoft KB article: http://support.microsoft.com/kb/951608/

The changes are:

• Click Start, click Run, type regedit, and then press ENTER.
• In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
• In the details pane, right-click Security Packages, and then click Modify.
• In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK.
• In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
• In the details pane, right-click SecurityProviders, and then click Modify.
• In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK.
• Exit Registry Editor.
• Restart the computer.

Once this is done and your workstation is rebooted you should be able to successfully connect via RDP with NLA to your Windows 2008 R2 server.