Windows 2003 – “Enable Remote Desktop on this computer” greyed out

 

Background

This is another post to address the Terminal Services intrusion we discovered a few weeks ago.

Terminal Services Configuration

Configuration

The specific aspect of the vulnerability that we would like to address in this post is the fact that TS is always enabled.

If we access “Control Panel” \ “System Properties” \ “Remote” Tab, we will notice that “Enable Remote Desktop on this computer” is checked and grayed out.

Implication

So it appears that we are unable to disable Terminal Services.

 

Remediation

  1. Registry
    • Policies
      • Terminal Services
    • Services
      • Control
        • Terminal Server
  2. Group Policy

 

Registry

Section  | Branch | Item
Policy   | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | fDenyTSConnections
Services | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server | fDenyTSConnections

 

 

Policies – Terminal Services – fDenyTSConnections

Branch :- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Item :- fDenyTSConnections

Current

Revised

Rename fDenyTSConnections to fDenyTSConnections.20170701.0800AM.

Also feel free to rename it altogether.

Control – Terminal Server – fDenyTSConnections

Branch :- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Item :- fDenyTSConnections

Current

Revised

Rename fDenyTSConnections to fDenyTSConnections.20170701.1154AM.

Also feel free to rename it altogether.

 

Group Policy

Connected to the Domain Controller and launched “Group Policy Object Editor” ( gpedit.msc ).

Policy Group :- “Local Computer Policy” \ “Computer Configuration” \ “Administrative Templates” \ “Terminal Services”

Item :- “Allow User to connect remotely using Terminal Services”

Image

Image – Terminal Services

Image – Terminal Services – Setting

Explanation

Reviewed “Allow User to connect remotely using Terminal Services” and confirmed it is not configured.

So we definitely know that TS is not being forced on us.

Auditing

Windows Firewall

Log – pfirewall.log

Image

Explanation

In the process of preparing this post we experienced active attacks against the default Remote Desktop port (3389).
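
To review this kind of activity in pfirewall.log, the following added example (not code from the original post) tallies TCP entries aimed at port 3389 on the server, per action and source address. The sample log is constructed, and the server address 192.0.2.10 and the function names are assumptions made for illustration.

```python
from collections import Counter

RDP_PORT = "3389"             # default Remote Desktop port named in the post
ACCEPTED = {"OPEN", "ALLOW"}  # action values meaning the connection was let through

# Constructed sample in the pfirewall.log layout; addresses are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2017-07-01 08:01:12 DROP TCP 198.51.100.7 192.0.2.10 51514 3389 48 S 1234567 0 8192 - - - RECEIVE
2017-07-01 08:01:15 DROP TCP 198.51.100.7 192.0.2.10 51515 3389 48 S 1234999 0 8192 - - - RECEIVE
2017-07-01 08:01:21 DROP TCP 198.51.100.7 192.0.2.10 51516 3389 48 S 1235432 0 8192 - - - RECEIVE
2017-07-01 08:02:40 DROP UDP 198.51.100.7 192.0.2.255 137 137 78 - - - - - - - RECEIVE
2017-07-01 08:05:02 OPEN TCP 203.0.113.45 192.0.2.10 40222 3389 - - - - - - - - -
2017-07-01 08:09:30 OPEN TCP 192.0.2.10 198.51.100.99 1045 3389 - - - - - - - - -
truncated line
"""

def parse_firewall_log(text):
    """Yield one dict per complete entry, keyed by the names in '#Fields:'."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):   # skip truncated or garbled lines
                yield dict(zip(fields, values))

def rdp_attempts(text, local_ip, port=RDP_PORT):
    """Count TCP entries sent to local_ip on the RDP port, per (action, source)."""
    hits = Counter()
    for entry in parse_firewall_log(text):
        if (entry["protocol"] == "TCP" and entry["dst-port"] == port
                and entry["dst-ip"] == local_ip):  # ignore outbound RDP sessions
            hits[(entry["action"], entry["src-ip"])] += 1
    return hits

def accepted_sources(text, local_ip, port=RDP_PORT):
    """Sources with at least one connection to the RDP port that was let through."""
    hits = rdp_attempts(text, local_ip, port)
    return sorted({ip for (action, ip) in hits if action in ACCEPTED})

if __name__ == "__main__":
    for (action, ip), n in sorted(rdp_attempts(SAMPLE_LOG, "192.0.2.10").items()):
        print(action, ip, n)
```

Any address returned by accepted_sources deserves the closest look, since those connections reached the Terminal Services listener rather than being dropped.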

Summary

It looks like the intruder accessed the registry and changed the registry entries mentioned above to 0.

In so doing they prevented us from being able to use the GUI to make a choice as to whether we want to allow Remote Desktop Connections.

The inability to reconfigure whether TS connections are accepted was likely applied via the Registry’s Policy branch identified above.

 


 
