- Check the configuration (GPO), the services, and the RDP listener before touching the firewall, so you can isolate where the block comes from.
- Check port 3389, the active rules and the certificates; a conflict or a broken certificate prevents the listener from listening.
- Authentication errors (CredSSP, NLA, permissions) are as common as network errors; fix them with updates and group membership.
- If you cannot open ports, use an RDP gateway with MFA or a secure broker that avoids exposing port 3389.

If your Remote Desktop connection suddenly stops working, you might assume it is the firewall or that the machine is powered off. But with RDP, the real culprit is often a network policy, GPOs, or services that block port 3389 without warning. The good news: with an ordered sequence of checks, you can isolate the fault in minutes.
In this guide you will find practical, proven procedures for diagnosing and fixing the policies, rules, and settings that prevent RDP access to Windows, on both local and remote machines, on a corporate network, over VPN, and even in clouds such as Google Cloud. You will also see how to deal with authentication errors (CredSSP), certificates, port conflicts, DNS and performance, plus alternatives if you need something that works without opening ports.
How to tell whether a policy or the network is blocking RDP
Before touching the registry or the firewall, it is a good idea to determine whether the problem is network reachability, filtering, or saturation. A useful shortcut from another computer is to probe the port with a tool such as psping: psping -accepteula <IP-equipo>:3389. If you see Connecting to… with failed attempts, or The remote computer refused the network connection, that points to an intermediate block or a stopped service.
Test from several sources (another subnet, another VPN, a home network, or 4G) to see whether the block is selective by segment or by origin. If it fails from everywhere, it is most likely blocked by the perimeter firewall or by Windows itself. If it fails from only one side, check the ACLs and firewall rules in between.
Quick check of RDP status and its services
Start by confirming that the remote system allows Remote Desktop connections and that the services are running; this rules out the basics with two or three commands.
On a local machine, enabling RDP is as simple as opening Settings and turning on Remote Desktop (see using Windows 11 Remote Desktop). For finer control (or if the UI does not respond), check the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. The value fDenyTSConnections must be 0 (a value of 1 means RDP is disabled).
Remotely, connect to the network registry from Registry Editor (File > Connect Network Registry), navigate to the same paths, and confirm that no policy is forcing the block; if you see fDenyTSConnections=1, change it to 0 and watch whether it reverts to 1 after a few minutes (the sign of an overriding GPO).
Also check that the required services are running on both ends: Remote Desktop Services (TermService) and Remote Desktop Services UserMode Port Redirector (UmRdpService). You can do this in services.msc or with PowerShell. If you need guidance on configuring services, see Modify services in Windows 11. If one is stopped, start it and try again.
Group Policy Object (GPO): how it blocks and how to unblock
If RDP cannot be enabled through the interface, or the registry value keeps reverting, it is almost certainly being enforced by policy. To see the policy on the affected machine, run the following command in an elevated CMD: gpresult /H c:\gpresult.html and open the report; under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections, look for the policy Allow users to connect remotely by using Remote Desktop Services.
If it shows as Disabled, consult the report to find out which GPO wins and at which level it applies (site, domain, or OU). Also review how to join a domain in Windows if you suspect domain problems. From the Group Policy Object Editor (GPE) at the appropriate level, change the policy to Enabled or Not Configured, and on the affected machines force it to apply with gpupdate /force.
If you can work through GPMC, you can also remove the link to that GPO in the organizational unit where it applies to the affected machines. Remember that if the block comes from SOFTWARE\Policies, the GPO will rewrite the registry until you disable or correct the policy.
For a remote machine, generate the same report as for the local machine, adding the computer parameter: gpresult /S <nombre-equipo> /H c:\gpresult-<nombre-equipo>.html, which gives you the same data format for analyzing the GPO responsible.
Listener, port and conflicts on 3389
Even with the right policy, if the RDP listener is not listening there will be no session. In an elevated PowerShell (local, or remote with Enter-PSSession -ComputerName <equipo>), run qwinsta and confirm that an rdp-tcp entry exists with the state Listen. If it does not appear, the listener may be damaged.
A reliable approach is to export the listener key from a healthy machine running the same version of Windows: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. On the affected computer, save a copy of the current state with reg export "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp" C:\Rdp-tcp-backup.reg, remove the key (Remove-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp' -Recurse -Force), import the good .reg file and restart TermService.
After that, check the port. RDP should listen on 3389. Look under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\<listener> at the PortNumber value. If it is not 3389 and you have no security reason for the change, set it back to 3389 and restart the service.
To detect conflicts, run cmd /c 'netstat -ano | find "3389"' and note the PID in the LISTENING state. Then, with cmd /c 'tasklist /svc | find "<PID>"', identify the process. If it is not TermService, reconfigure that service to use another port, uninstall it if it is not needed, or, as a last resort, change the RDP port and connect by specifying IP:port (not ideal for standard administration).
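The checks from the last three sections (both fDenyTSConnections keys, the two services, PortNumber, and the owner of the listening socket) can be collected in one read-only pass. This is an added example, not code from the original article; the function name Get-RdpTriage and the wording of its findings are hypothetical, and it assumes an elevated PowerShell on the affected machine.

```powershell
# Added example: read-only RDP triage. Run in an elevated PowerShell on the affected machine.
function Get-RdpTriage {
    $local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # fDenyTSConnections: 0 = RDP allowed, 1 = RDP disabled. A value under
    # SOFTWARE\Policies is written by Group Policy and is re-applied on refresh.
    $localDeny  = (Get-ItemProperty $local  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $policyDeny = (Get-ItemProperty $policy -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    $port = (Get-ItemProperty "$local\WinStations\RDP-Tcp" -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }   # assumption: use the default when the value cannot be read

    # Which process owns the listening socket, and which services run inside it?
    $socket = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
              Select-Object -First 1
    $owners = @()
    if ($socket) {
        $owners = @(Get-CimInstance Win32_Service -Filter "ProcessId=$($socket.OwningProcess)" |
                    Select-Object -ExpandProperty Name)
    }

    $findings = @()
    if ($policyDeny -eq 1) {
        $findings += 'Group Policy sets fDenyTSConnections=1; a local change will be overwritten (check gpresult).'
    } elseif ($localDeny -eq 1) {
        $findings += 'fDenyTSConnections=1 in the local key; RDP is disabled on this machine.'
    }
    foreach ($svc in Get-Service -Name TermService, UmRdpService -ErrorAction SilentlyContinue) {
        if ($svc.Status -ne 'Running') { $findings += "Service $($svc.Name) is $($svc.Status)." }
    }
    if ($port -ne 3389) { $findings += "RDP-Tcp PortNumber is $port, not 3389." }
    if (-not $socket) {
        $findings += "Nothing is listening on TCP $port; check the rdp-tcp listener with qwinsta."
    } elseif ($owners -notcontains 'TermService') {
        $findings += "TCP $port is held by PID $($socket.OwningProcess) ($($owners -join ', ')), not TermService."
    }

    [pscustomobject]@{
        LocalDeny   = $localDeny
        PolicyDeny  = $policyDeny
        Port        = $port
        ListenerPid = if ($socket) { $socket.OwningProcess } else { $null }
        Findings    = $findings
    }
}

Get-RdpTriage | Format-List
```

An empty Findings list means the machine itself is configured to accept RDP, so the next place to look is the firewall and the network path.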
RDP certificates and MachineKeys permissions
Another common cause of connections that do not complete is a broken or malformed RDP certificate. Open the Certificates MMC for the computer account, go to Remote Desktop > Certificates and delete the self-signed RDP certificate. Restart the Remote Desktop service and refresh: a new one should be generated automatically.
If it does not appear, check the permissions on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. Make sure BUILTIN\Administrators has Full Control and Everyone has Read and Write. Without these ACLs, Windows cannot create the key and certificate that RDP needs.
Windows Firewall and reachability test
On client and server systems, the Windows Defender firewall needs enabled inbound rules for RDP. Check the built-in rule "Remote Desktop - User Mode (TCP-In)" with netsh advfirewall firewall show rule name="Remote Desktop - User Mode (TCP-In)"; it should be Enabled, applied to the appropriate Profiles, with Protocol TCP and Local Port 3389.
If you can work through the interface, go to Windows Defender Firewall > Allow an app or feature and select "Remote Desktop" under Private (and under Public only if you have clear reasons). In "Advanced Settings", confirm that the inbound rule for TCP 3389 is active. As a troubleshooting step (not on public networks), you can temporarily disable the firewall to check whether the connection goes through, and then re-enable it.
From outside, the clearest way to check that the port is reachable is psping: psping -accepteula <IP>:3389. If you get 0% loss, the network stack and the firewall allow the connection. If everything is 100% loss or refused, it is time to escalate to the intermediate network/firewall or to review NAT, VPN and filters between segments.
Authentication: credentials, CredSSP and permissions
Errors such as "Your credentials did not work" or "The account is not authorized for remote login" usually have simple fixes: check that the username and password are typed correctly (for example, DOMINIO\usuario), delete any old credentials in Credential Manager and confirm that the account is not locked.
With CredSSP, if the machines are not up to date, authentication negotiation failures will occur. Make sure Windows is updated on both the client and the host. As a workaround in legacy environments, you can enable in GPO "Allow delegating saved credentials with NTLM-only server authentication" or, via the registry, set AllowEncryptionOracle to 2 in HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System.
Do not forget group membership: on non-domain machines, add the account to Remote Desktop Users from Computer Management > Local Users and Groups. In a domain, confirm that the membership matches the actual Active Directory policy before touching anything.
DNS, VPN, and other assorted details
If you connect by name and the host's IP address has changed, the client may still be pointing to the old address because of caching. Clear it with ipconfig /flushdns and, if the problem persists, use the IP address directly. To rule out a resolution problem, check that the adapter uses the correct DNS server in Control Panel > Network Center > Change adapter settings.
With VPNs, some providers block or redirect port 3389, or encapsulate it in a way that conflicts with RDP encryption. Disconnect the VPN and test, or adjust the policy to allow RDP through split tunneling or "allowed applications". If you see errors or black screens, lower the MTU a notch: netsh interface ipv4 show subinterfaces to view it and netsh interface ipv4 set subinterface "Ethernet" mtu=1458 store=persistent to set it.
If the client seems unresponsive but the session is still there, it may be a resolution or window-size issue. In the Remote Desktop Connection client (mstsc), click "Show Options" and on the Display tab move the resolution slider or enable full screen; many "unresponsive connections" are fixed by adjusting the window.
Known issues and cloud services: Windows 11 24H2 and Google Cloud
Cases have been reported where, when connecting via RDP to Windows 11 24H2, the session freezes at startup, especially in virtual machines on a hypervisor. Some interim patches have not fixed it; keep your system fully updated and try the hypervisor's video/vGPU drivers, since the problem sometimes lies with the hypervisor's RDP graphics or stack. Restarting the host restores connectivity, but the fix involves a combination of updates and drivers/firmware.
In Google Compute Engine, besides the local Windows password (reset it from gcloud or the console), check the default-allow-rdp rule. List the rules with gcloud compute firewall-rules list and, if it is missing, create one with gcloud compute firewall-rules create allow-rdp --allow tcp:3389. Make sure you are using the correct external IP address with gcloud compute instances list. If the OS is misconfigured, access it through the interactive serial console and run:
• Service: net start | find "Remote Desktop Services" (if it is missing, net start "Remote Desktop Services")
• Enable RDP: reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections (0 is correct; if 1: reg add ... /d 0)
• Firewall: netsh advfirewall firewall show rule name="Remote Desktop - User Mode (TCP-In)" (otherwise, netsh firewall set service remotedesktop enable)
• Security layer: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 1 /f
• Default NLA: reg add ... /v UserAuthentication /t REG_DWORD /d 0 /f
Advanced diagnostics: events, network and tools
If the steps above do not fix the problem, it is time to look at events and traces. Open Event Viewer and look in Windows Logs > Application and System, and in the sources TerminalServices-RemoteConnectionManager and Microsoft-Windows-RemoteDesktopServices-RdpCoreTS, for clear errors on each attempt.
On the network, capture with Wireshark and filter with tcp.port==3389. Look for the SYN/SYN-ACK exchange, resets, or mid-connection drops. If there is no traffic, the block is in the path; if there is traffic and it drops during security negotiation, suspect an encryption/NLA mismatch. As a quick test that the port is open, use telnet <IP> 3389 (if it connects, the port is reachable). You can also use other tools, such as ntttcp on Windows, for performance and saturation testing.
Microsoft provides an RDP Protocol Monitor/Analyzer and, on Windows Server 2012/2012 R2, the Remote Desktop Services Diagnostic Tool for identifying bottlenecks. If you cannot spend time on every log, prepare scripts: netsh int ip reset && netsh winsock reset for the network, and taskkill /F /IM mstsc.exe && net stop termservice && net start termservice to clear RDP sessions and restart the services (warning: this cuts off active sessions).
The infamous "RDP - An internal error has occurred"
This message usually hides a security mismatch between client and server. Check that the encryption level and the security layer match (in GPO: Session Host Security > "Require use of specific security layer", and select RDP if TLS fails). If the server requires NLA and the client cannot do it, temporarily disable NLA in System Properties > Remote to see whether this is the cause.
Other factors: legacy RDP clients clashing with newer servers, domain trust issues (rejoining the domain sometimes fixes this), or security profiles that force encryption the other end does not support. On the client's Experience tab, use automatic reconnection and persistent bitmap caching for more stability.
If the error appeared after a Windows update and none of the above makes sense, consider rolling back that specific patch (Panel > Windows Update > History > Uninstall updates), after checking technical forums (for example, Patch Tuesday threads) to see whether it is a known issue.
Performance, capacity and multimedia
If the complaint is not "it won't connect" but "it's sluggish", start by lightening the load from the RDP client: lower the resolution and the color depth. Disable backgrounds, visual styles, and font smoothing on the Experience tab. These steps reduce bandwidth usage and improve latency.
On the server, check CPU/RAM/Disk in Task Manager. If it is at its limit, any RDP session will suffer. Remember that Windows desktop allows only one simultaneous session. Windows Server includes two default administrative licenses and requires additional RDS CAL licenses.
For audio, set the RDP client > Local Resources > Remote Audio to "Play on this computer", and confirm that the Windows Audio and "Windows Audio Endpoint Builder" services are running. For heavy video, RDP is not always ideal; some legacy environments mention RemoteFX, but today it is better to choose adaptive codecs and modern acceleration, or to evaluate tools designed for graphics streaming
Quick cases and express fixes
If Windows Defender is blocking the connection on Windows 10/11, go to Windows Defender Firewall > Allow an app and enable "Remote Desktop", ticking the Private boxes (and Public only if applicable), click OK and test. In many real-world cases, these three clicks have been the difference between frustration and success.
If you need to change the port because another service is using 3389, edit HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp > PortNumber. For example, set 3390, restart the service and connect as IP:3390. Remember to update the firewall and NAT for the new port.
Alternatives and gateways when you cannot open ports
On networks where opening 3389 is not possible (or you do not want to expose it), consider solutions with a cloud broker that sidestep routing rules and DNS issues: RealVNC Connect offers SSO and centralized management; Chrome Remote Desktop is free and simple if you already use Chrome; TeamViewer and AnyDesk prioritize ease of use and cross-platform performance. There are also suites such as TSplus, aimed at strengthening security and simplifying remote access at scale.
If you are going to stay with RDP, the secure option is to set up a Remote Desktop Gateway (RD Gateway). Require NLA with MFA, and restrict access to VPN or IPSec. This is the standard way to provide access without opening port 3389 to the world.
Security best practices and compliance
Harden RDP by requiring NLA, using modern encryption protocols and, if your environment requires it (GDPR/HIPAA), enabling strong cryptography policies (for example, FIPS) and valid certificates issued by a trusted CA. Close off public exposure, limit access to private networks/VPNs, and enforce MFA at the gateway or broker.
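Several workarounds earlier in this guide lower the security of the session while you troubleshoot: UserAuthentication set to 0, the RDP security layer selected when TLS fails, AllowEncryptionOracle set to 2, and the firewall rule enabled on the Public profile. The following added example, which is not code from the original article, reports which of them are still in place once the connection works again. The function name Get-RdpWorkaroundAudit is hypothetical; the script reads AllowEncryptionOracle from the CredSSP\Parameters subkey of the Policies\System key, and the firewall rule display name is the English one quoted above.

```powershell
# Added example: read-only audit for RDP troubleshooting workarounds left in place.
function Get-RdpWorkaroundAudit {
    $tcp     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $credssp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

    # Each check: value name, keys to read in order (the policy key wins when set),
    # the value that marks the weakened state, and what that state means.
    $checks = @(
        @{ Name = 'UserAuthentication';    Keys = $policy, $tcp; Weak = 0; Meaning = 'NLA is not required' }
        @{ Name = 'SecurityLayer';         Keys = $policy, $tcp; Weak = 0; Meaning = 'RDP security layer selected instead of TLS' }
        @{ Name = 'AllowEncryptionOracle'; Keys = @($credssp);   Weak = 2; Meaning = 'CredSSP set to Vulnerable (unpatched peers accepted)' }
    )

    $results = @(foreach ($c in $checks) {
        $value = $null; $source = $null
        foreach ($key in $c.Keys) {
            $v = (Get-ItemProperty $key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            if ($null -ne $v) { $value = $v; $source = $key; break }
        }
        $isWeak = ($null -ne $value) -and ($value -eq $c.Weak)
        [pscustomobject]@{
            Setting = $c.Name
            Value   = $value
            Source  = $source
            Weak    = $isWeak
            Meaning = if ($isWeak) { $c.Meaning } else { '' }
        }
    })

    # Several rules can share this display name (one per profile set), so filter the whole set.
    # Assumption: English display name; it differs on localized systems.
    $public = Get-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)' -ErrorAction SilentlyContinue |
              Where-Object { $_.Enabled -eq 'True' -and "$($_.Profile)" -match 'Public|Any' }
    $results += [pscustomobject]@{
        Setting = 'RDP inbound rule on Public profile'
        Value   = [bool]$public
        Source  = 'Windows Defender Firewall'
        Weak    = [bool]$public
        Meaning = if ($public) { 'TCP 3389 is allowed on public networks' } else { '' }
    }
    $results
}

Get-RdpWorkaroundAudit | Format-Table -AutoSize
```

A row with an empty Value means the setting is absent from every key the script reads, so Windows is using its built-in default for it.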
Finally, keep an eye on the logs. Apply patches regularly and perform periodic audits. Most RDP problems can be prevented with a combination of these measures: well-defined policies, clear firewall rules and monitoring.
