
Windows DVM RDP Console Block

Direct RDP/Console Block

Direct access to virtual desktops can introduce significant security risks and session conflicts. This document outlines a feature restricting direct RDP access via MSTSC or non-Accops clients while allowing users to connect only through authorized Accops endpoints, such as Accops Workspace Client and Hylite.

This feature is integrated with the HyWorks DVM agent. In desktop VMs, the administrator can configure the access block using the following registry settings.

Configurations

All configurations related to direct RDP block features are controlled using registry entries at the following location:

HKLM\SOFTWARE\Accops\DVMAgent

Details of these registry configurations are given below:

  1. DirectRDPBlocked:

    1. Description: Enable this flag to block direct RDP access for normal users.

    2. Flag Value: true or false

    3. Behavior:

      1. When set to true, normal users attempting to connect via RDP (MSTSC) will be logged out of their Desktop session. Access is allowed only through the Accops Workspace Client or Hylite.

      2. Admin Access: Admin users are exempt from this restriction and can connect via direct RDP without being logged out.

  2. DirectRdpAdminBlocked:

    1. Description: When enabled, this flag blocks normal and admin users from taking direct RDP.

    2. Flag Value: true or false

    3. Behavior: If set to true, admins will not be able to initiate a direct RDP session.

  3. DirectConsoleBlocked:

    1. Description: This flag controls console access for all users.

    2. Flag Value: true or false

    3. Behavior: When enabled, normal users will be blocked from accessing the console session.

  4. DirectRdpBlockTimeoutSec:

    1. Description: Admins can configure a timeout period in seconds for logging out users from direct RDP.

    2. Timeout Value: an integer number of seconds.

    3. Behavior: If a user connects via direct RDP, they will be automatically logged out after the specified time.

  5. DirectRDPVerifyViaVC (Enhanced method added in v3.4-SP2 or later):

    1. Flag Value: 0 or 1

    2. Behavior:

      1. If set to 0, the conventional method of direct RDP blocking is used.

      2. If set to 1, the latest (advanced) method is used. A virtual channel is used to verify whether the session was established through an Accops client or through direct RDP. If it is direct RDP, the user will be logged out.

  6. ActionOnDirectRDPSession (Enhanced method added in v3.4-SP2 or later):

    1. Description: This flag defines the action taken when a user initiates a direct RDP session.

    2. Flag Value: 0 (default) or 1.

    3. Behavior:

      1. If set to 0, the user will be disconnected from the Desktop if the connection is via direct RDP.

      2. If set to 1, the user will be logged out from the Desktop session if it is a direct RDP connection.

Steps to Configure:

  1. Log in to the personal or shared desktop as an admin user.

  2. Open the Registry Editor and set the flags under the location given above according to the desired configuration. Example configuration:

    1. DirectRDPBlocked: True

    2. DirectRdpAdminBlocked: False

    3. DirectConsoleBlocked: False

    4. DirectRdpBlockTimeoutSec: 20

    5. DirectRDPVerifyViaVC: 1 (uses the latest and advanced direct RDP block method)

    6. ActionOnDirectRDPSession: 1 [Logout] (part of the latest and advanced direct RDP block method)

  3. Restart the Desktop Agent Service

    1. Open the service management console (services.msc) or use a command line interface.

    2. Locate the Desktop Agent Service.

    3. Restart the service to apply the new configuration.

  4. Connect to the configured virtual desktop directly with MSTSC and observe the behavior.
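The configuration steps above can be scripted so that the same settings are applied consistently across desktops. The following PowerShell script is an added example, not an Accops-supplied tool: it writes the example configuration to the HKLM\SOFTWARE\Accops\DVMAgent key from this page and restarts the agent service. The registry value types are an assumption (the page does not state them), so the script keeps the type of any value that already exists and only guesses REG_SZ for true/false flags and REG_DWORD for numeric ones when creating a new value. The service is located by the display name "Desktop Agent Service" given above; the internal service name is not documented here.

```powershell
# Added example (not Accops' own tooling): apply the Direct RDP block
# settings to HKLM\SOFTWARE\Accops\DVMAgent and restart the agent service.
# Run from an elevated PowerShell session on the virtual desktop.
#Requires -RunAsAdministrator

$AgentKey = 'HKLM:\SOFTWARE\Accops\DVMAgent'

# Desired configuration, matching the "Steps to Configure" example.
$Desired = [ordered]@{
    DirectRDPBlocked         = 'True'   # block direct MSTSC for normal users
    DirectRdpAdminBlocked    = 'False'  # admins may still take direct RDP
    DirectConsoleBlocked     = 'False'  # console sessions stay allowed
    DirectRdpBlockTimeoutSec = 20       # seconds before a direct session is ended
    DirectRDPVerifyViaVC     = 1        # 1 = virtual-channel verification (v3.4-SP2+)
    ActionOnDirectRDPSession = 1        # 0 = disconnect, 1 = log out
}

# Display name from the page; the exact service name is not documented,
# so the service is resolved by display name (assumption).
$ServiceDisplayName = 'Desktop Agent Service'

function Set-DvmAgentSetting {
    param([string]$Name, $Value)

    if (-not (Test-Path $AgentKey)) {
        New-Item -Path $AgentKey -Force | Out-Null
    }

    $key = Get-Item -Path $AgentKey
    $existing = $key.GetValue($Name, $null)
    if ($null -ne $existing) {
        # Keep the value type the agent already uses rather than guessing.
        $kind = $key.GetValueKind($Name)
        Set-ItemProperty -Path $AgentKey -Name $Name -Value $Value -Type $kind
    } else {
        # Assumed types for new values: DWORD for numbers, string for true/false.
        $kind = if ($Value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $AgentKey -Name $Name -Value $Value -PropertyType $kind | Out-Null
    }
    Write-Host ("{0,-26} = {1} ({2})" -f $Name, $Value, $kind)
}

foreach ($entry in $Desired.GetEnumerator()) {
    Set-DvmAgentSetting -Name $entry.Key -Value $entry.Value
}

# Read back the key so the applied state is visible before the restart.
Get-ItemProperty -Path $AgentKey | Select-Object ($Desired.Keys) | Format-List

# Restart the agent so it reads the new configuration (step 3 above).
$svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service '$ServiceDisplayName' not found; restart the HyWorks desktop agent manually."
} else {
    Restart-Service -InputObject $svc -Force
    Write-Host "Restarted '$($svc.DisplayName)' ($($svc.Name))"
}
```

After the restart, the direct MSTSC test in step 4 should end the session after roughly DirectRdpBlockTimeoutSec seconds (20 here), and the agent log described in the next section should record the logout.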

Logs:

  • The agent writes the following log entry when it logs out a session that it has identified as direct RDP:

    • Agent Log location: C:\Program Files (x86)\Accops\HyWorks Desktop Agent\Logs

    • Sample Log:

      Logging-out direct (Non-Accops) RDP session WTS ID [3] for user domain/username. The direct RDP session is not authorized. Logon-Time (34sec) and Connect-Time (37sec)

Advance RDP Block Method

This is the latest RDP block method, introduced in v3.4-SP2. It is faster than the default method but depends on the client and server versions.

Newer versions (v3.4-SP2 or later) will use the following registry configurations:

  • DirectRDPBlocked, DirectRdpAdminBlocked, DirectConsoleBlocked, DirectRdpBlockTimeoutSec, DirectRDPVerifyViaVC (Set as 1 for new method), ActionOnDirectRDPSession (Part of new method: 0 to disconnect and 1 to log out invalid session.)

Supported Versions and Prerequisites:

  • HyWorks Controller: v3.4-SP2 or later

  • HyWorks DVM Tools: 3.4.0.1109 or later

  • HyWorks Session Host: v3.4.1.138 or later

  • AUEM: v3.4.0.370 or later

  • Supported Endpoint (Flavors and Versions):

    • Windows Client: v3.2.8472.328472 or later

    • Linux Client v3.2.9526.329526 or later

Flow of events:

  1. The user logs in from an authorized Accops endpoint and clicks the desktop icon to request connection information from the Controller.

  2. The controller provides information to the desktop client. In parallel, the controller informs the agent on the virtual desktop about the upcoming session.

  3. User connects to assigned desktop. Desktop connection gets established.

  4. As soon as the connection is made, the desktop agent confirms the session validity with the client.

  5. If the details of the connected session and client response are found valid, it allows the session to continue. If not, the desktop session is logged out.

Important Points:

  • This is available only in v3.4-SP2 or later.

  • It's faster than the conventional method but has dependencies on end-point type and versions.

  • The action taken on direct desktop sessions (disconnect or log out) is configurable.

Default Method

This is the original method, available in HyWorks agents (Desktop and Session Host) since older versions.

Older versions will continue to use the following registry configurations:

  • DirectRDPBlocked, DirectRdpAdminBlocked, DirectConsoleBlocked, DirectRdpBlockTimeoutSec

Newer versions (v3.4-SP2 or later) will use the following registry configurations:

  • DirectRDPBlocked, DirectRdpAdminBlocked, DirectConsoleBlocked, DirectRdpBlockTimeoutSec, DirectRDPVerifyViaVC (Set as 0 for default method), ActionOnDirectRDPSession (Part of new method and will not change behavior unless new method is used.)

Flow of Events:

  1. The user logs in from an authorized Accops endpoint and clicks the desktop icon to request connection information from the Controller.

  2. The controller provides information to the desktop client. In parallel, the controller informs the agent on the virtual desktop about the upcoming session.

  3. User connects to assigned desktop. Desktop connection gets established.

  4. The agent validates the connected session against the information given by the Controller in step 2.

  5. If the details of the connected session and information received from the Controller are found valid, it allows the session to continue. If not, the desktop session is logged out.

Important Points

-   With the advanced method in use, an incompatible client version may cause sessions to be disconnected or logged out, depending on the configured action.

    -   If the deployment includes unsupported client types or versions, it is recommended to use the default method.

-   Direct RDP block is enabled by default in the latest DVM agent, using the default method.

-   In some cases, where profile loading or connection establishment takes longer than the configured direct RDP block time limit, the agent may treat the session as a direct RDP connection and log it out. Such cases can be identified from the agent logs and depend on the environment.

-   In these cases the timeout duration (DirectRdpBlockTimeoutSec) can be increased.
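To tell genuine direct RDP attempts apart from the slow-logon case described in the last two points, the agent log entries shown in the Logs section can be parsed and compared against the configured timeout. The following PowerShell is an added example and not part of the Accops documentation; it parses lines in the format of the page's sample log entry and flags logged-out sessions whose Connect-Time already reached the block timeout, which is the symptom that suggests a slow profile load rather than an unauthorized client. The sample lines are constructed, the timeout value of 20 is assumed from the configuration example, and the "possible slow logon" rule is a heuristic derived from the Important Points above, not an Accops-defined interpretation of the log fields.

```powershell
# Added example (not Accops documentation): parse direct-RDP logout entries
# from the HyWorks Desktop Agent log and highlight possible slow-logon cases.
$LogDir     = 'C:\Program Files (x86)\Accops\HyWorks Desktop Agent\Logs'  # from the page
$TimeoutSec = 20   # DirectRdpBlockTimeoutSec on this desktop (assumed value)

# Constructed sample lines in the format of the page's sample log entry.
$SampleLines = @(
    'Logging-out direct (Non-Accops) RDP session WTS ID [3] for user corp/alice. The direct RDP session is not authorized. Logon-Time (34sec) and Connect-Time (37sec)',
    'Logging-out direct (Non-Accops) RDP session WTS ID [5] for user corp/bob. The direct RDP session is not authorized. Logon-Time (2sec) and Connect-Time (5sec)',
    'Some unrelated agent message that should be ignored'
)

# Named groups capture the session ID, user and both timing fields.
$Pattern = 'Logging-out direct \(Non-Accops\) RDP session WTS ID \[(?<sid>\d+)\] for user (?<user>\S+)\. .*Logon-Time \((?<logon>\d+)sec\) and Connect-Time \((?<connect>\d+)sec\)'

function ConvertFrom-DirectRdpLogoutLine {
    param([string[]]$Lines, [int]$Timeout)
    foreach ($line in $Lines) {
        if ($line -match $Pattern) {
            $connect = [int]$Matches.connect
            [pscustomobject]@{
                SessionId  = [int]$Matches.sid
                User       = $Matches.user
                LogonSec   = [int]$Matches.logon
                ConnectSec = $connect
                # Heuristic (assumption): a connect time at or beyond the block
                # timeout points at a slow logon that tripped the block rather
                # than a real non-Accops client; review such entries before
                # treating them as unauthorized access.
                PossibleSlowLogon = ($connect -ge $Timeout)
            }
        }
    }
}

# Run over the constructed sample; only the two matching lines are returned.
ConvertFrom-DirectRdpLogoutLine -Lines $SampleLines -Timeout $TimeoutSec | Format-Table -AutoSize

# Against real agent logs on the desktop (file extension is an assumption):
# $real = Get-ChildItem -Path $LogDir -Filter '*.log' | Get-Content
# ConvertFrom-DirectRdpLogoutLine -Lines $real -Timeout $TimeoutSec | Where-Object PossibleSlowLogon
```

If many entries are flagged with PossibleSlowLogon while the sessions came from Accops clients, raising DirectRdpBlockTimeoutSec (or, on v3.4-SP2 or later, enabling DirectRDPVerifyViaVC so that the virtual-channel check replaces the time-based one) is the adjustment the page points to; entries with short connect times and unknown users are the ones worth investigating as actual direct RDP attempts.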