Advanced Configurations

Direct RDP/Console Block

Direct access to virtual desktops can introduce significant security risks and session conflicts. This document outlines a feature restricting direct RDP access via MSTSC or non-Accops clients while allowing users to connect only through authorized Accops endpoints, such as Accops Workspace Client and Hylite.

This feature is integrated with the HyWorks DVM agent. In desktop VMs, the administrator can configure the access block using the following registry settings.

Configurations

All configurations related to direct RDP block features are controlled using registry entries at the following location:

HKLM\SOFTWARE\Accops\DVMAgent

Details of these registry configurations are given below:

  1. DirectRDPBlocked:

    1. Description: Enable this flag to block direct RDP access for normal users.

    2. Flag Value: true or false

    3. Behavior:

      1. When set to true, normal users attempting to connect via RDP (MSTSC) will be logged out of their Desktop session. Access is allowed only through the Accops Workspace Client or Hylite.

      2. Admin Access: Admin users are exempt from this restriction and can connect via direct RDP without being logged out.

  2. DirectRdpAdminBlocked:

    1. Description: When enabled, this flag blocks both normal and admin users from establishing direct RDP sessions.

    2. Flag Value: true or false

    3. Behavior: If set to true, admins will not be able to initiate a direct RDP session.

  3. DirectConsoleBlocked:

    1. Description: This flag controls console access for all users.

    2. Flag Value: true or false

    3. Behavior: When enabled, normal users will be blocked from accessing the console session.

  4. DirectRdpBlockTimeoutSec:

    1. Description: Admins can configure a timeout period in seconds for logging out users from direct RDP.

    2. Timeout Value: integer (seconds)

    3. Behavior: If a user connects via direct RDP, they will be automatically logged out after the specified time.

  5. DirectRDPVerifyViaVC (Enhanced method added in v3.4-SP2 or later):

    1. Flag Value: 0 or 1

    2. Behavior:

      1. If set to 0, the conventional method of direct RDP blocking is used.

      2. If set to 1, the latest (advanced) method is used: a virtual channel verifies whether the session was established through an Accops client or via direct RDP. If it is direct RDP, the user is logged out.

  6. ActionOnDirectRDPSession (Enhanced method added in v3.4-SP2 or later):

    1. Description: This flag defines the action taken when a user initiates a direct RDP session.

    2. Flag Value: 0 (default) or 1.

    3. Behavior:

      1. If set to 0, the user will be disconnected from the Desktop if the connection is via direct RDP.

      2. If set to 1, the user will be logged out from the Desktop session if it is a direct RDP connection.

Steps to Configure:

  1. Log in to the personal/shared desktop as an admin user.

  2. Open the registry editor and set the flags according to your desired configuration. Example configuration:

    1. DirectRDPBlocked: True

    2. DirectRdpAdminBlocked: False

    3. DirectConsoleBlocked: False

    4. DirectRdpBlockTimeoutSec: 20

    5. DirectRDPVerifyViaVC: 1 (uses the latest and advanced direct RDP block method)

    6. ActionOnDirectRDPSession: 1 [Logout] (part of the latest and advanced direct RDP block method)

  3. Restart the Desktop Agent Service

    1. Open the service management console (services.msc) or use a command line interface.

    2. Locate the Desktop Agent Service.

    3. Restart the service to apply the new configuration.

  4. Attempt a direct RDP connection to the configured virtual desktop using MSTSC and observe the behavior.
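The configuration steps above, as an added PowerShell example (not from the Accops documentation): it writes the example flag values, reads them back, and restarts the agent service. It assumes the flags are stored as REG_SZ strings (the page does not state the value type) and that the service carries the display name "Accops HyWorks Desktop Agent" used elsewhere on this page.

```powershell
# Added example, not part of the Accops documentation.
# Assumptions: flags are REG_SZ strings; the agent service display name is
# "Accops HyWorks Desktop Agent" (as used on this page).
#Requires -RunAsAdministrator
$keyPath = 'HKLM:\SOFTWARE\Accops\DVMAgent'

# Values taken from the page's example configuration.
$settings = [ordered]@{
    DirectRDPBlocked         = 'True'
    DirectRdpAdminBlocked    = 'False'
    DirectConsoleBlocked     = 'False'
    DirectRdpBlockTimeoutSec = '20'
    DirectRDPVerifyViaVC     = '1'   # 1 = virtual-channel method (v3.4-SP2 or later)
    ActionOnDirectRDPSession = '1'   # 1 = log out, 0 = disconnect
}

if (-not (Test-Path $keyPath)) {
    throw "Registry key $keyPath not found; is the HyWorks DVM Agent installed?"
}

foreach ($name in $settings.Keys) {
    # -Force creates the value if missing or overwrites it in place.
    New-ItemProperty -Path $keyPath -Name $name -Value $settings[$name] `
        -PropertyType String -Force | Out-Null
}

# Read back and stop before touching the service if anything did not apply.
$current  = Get-ItemProperty -Path $keyPath
$mismatch = $settings.Keys | Where-Object { "$($current.$_)" -ne $settings[$_] }
if ($mismatch) {
    throw "Values not applied: $($mismatch -join ', ')"
}

# Restart the agent so the new flags take effect (step 3 of the procedure).
$svc = Get-Service -DisplayName 'Accops HyWorks Desktop Agent' -ErrorAction Stop
Restart-Service -InputObject $svc -Force
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "Direct RDP block configured; $($svc.DisplayName) is $($svc.Status)."
```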

Logs:

  • The agent writes the following log entry for direct RDP sessions that it logs out:

    • Agent Log location: C:\Program Files (x86)\Accops\HyWorks Desktop Agent\Logs

    • Sample Log:

      Logging-out direct (Non-Accops) RDP session WTS ID [3] for user domain/username. The direct RDP session is not authorized. Logon-Time (34sec) and Connect-Time (37sec)
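Added example (not from the Accops documentation): this PowerShell snippet parses log lines in the format shown above into objects and highlights sessions whose recorded Connect-Time is only slightly past the configured timeout, since the page later notes that slow profile loading can be mistaken for a direct RDP connection. The timeout value (20) mirrors the page's example configuration; the 10-second review margin and the sample lines are constructed for illustration.

```powershell
# Added example, not part of the Accops documentation.
# $timeoutSec mirrors the page's example; $marginSec and the sample lines are constructed.
$timeoutSec = 20
$marginSec  = 10

# Constructed sample lines in the format shown on the page. For real logs use:
# $lines = Get-ChildItem 'C:\Program Files (x86)\Accops\HyWorks Desktop Agent\Logs' -Filter *.log | Get-Content
$lines = @(
    'Logging-out direct (Non-Accops) RDP session WTS ID [3] for user demo/alice. The direct RDP session is not authorized. Logon-Time (34sec) and Connect-Time (37sec)',
    'Logging-out direct (Non-Accops) RDP session WTS ID [5] for user demo/bob. The direct RDP session is not authorized. Logon-Time (21sec) and Connect-Time (22sec)',
    'Agent started, checking session list'
)

# Named groups pull out the WTS session id, user and both timings.
$pattern = 'Logging-out direct \(Non-Accops\) RDP session WTS ID \[(?<wts>\d+)\] for user (?<user>\S+)\..*Logon-Time \((?<logon>\d+)sec\) and Connect-Time \((?<connect>\d+)sec\)'

$events = foreach ($line in $lines) {
    if ($line -match $pattern) {
        $connect = [int]$Matches.connect
        [pscustomobject]@{
            WtsId      = [int]$Matches.wts
            User       = $Matches.user
            LogonSec   = [int]$Matches.logon
            ConnectSec = $connect
            # Only slightly past the timeout: worth checking whether this was a
            # legitimate client session that was still loading its profile.
            Review     = ($connect - $timeoutSec) -le $marginSec
        }
    }
}

$events | Format-Table -AutoSize
$events | Where-Object Review | ForEach-Object {
    Write-Warning "WTS $($_.WtsId) ($($_.User)): Connect-Time $($_.ConnectSec)s against a $timeoutSec s timeout; verify whether the client connection was merely slow before treating it as direct RDP."
}
```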

Advance RDP Block Method

This is the latest RDP block method, introduced in v3.4-SP2; it is faster than the conventional method but depends on the client and server versions.

Newer versions (v3.4-SP2 or later) will use the following registry configurations:

  • DirectRDPBlocked, DirectRdpAdminBlocked, DirectConsoleBlocked, DirectRdpBlockTimeoutSec, DirectRDPVerifyViaVC (Set as 1 for new method), ActionOnDirectRDPSession (Part of new method: 0 to disconnect and 1 to log out invalid session.)

Supported Versions and Prerequisites:

  • HyWorks Controller: v3.4-SP2 or later

  • HyWorks DVM Tools: 3.4.0.1109 or later

  • HyWorks Session Host: v3.4.1.138 or later

  • AUEM: v3.4.0.370 or later

  • Supported Endpoint (Flavors and Versions):

    • Windows Client: v3.2.8472.328472 or later

    • Linux Client: v3.2.9526.329526 or later

Flow of events:

  1. The user logs in from an authorized Accops endpoint and clicks the desktop icon to request connection information from the Controller.

  2. The controller provides information to the desktop client. In parallel, the controller informs the agent on the virtual desktop about the upcoming session.

  3. The user connects to the assigned desktop and the desktop connection is established.

  4. As soon as the connection is made, the desktop agent confirms the session validity with the client.

  5. If the details of the connected session and client response are found valid, it allows the session to continue. If not, the desktop session is logged out.

Important Points:

  • This is available only in v3.4-SP2 or later.

  • It is faster than the conventional method but depends on endpoint type and versions.

  • The action taken on direct desktop sessions is configurable.

Default Method

This is the conventional method, available in HyWorks agents (Desktop/Session Host) since older versions.

Older versions will continue to use the following registry configurations:

  • DirectRDPBlocked, DirectRdpAdminBlocked, DirectConsoleBlocked, DirectRdpBlockTimeoutSec

Newer versions (v3.4-SP2 or later) will use the following registry configurations:

  • DirectRDPBlocked, DirectRdpAdminBlocked, DirectConsoleBlocked, DirectRdpBlockTimeoutSec, DirectRDPVerifyViaVC (Set as 0 for default method), ActionOnDirectRDPSession (Part of new method and will not change behavior unless new method is used.)

Flow of Events:

  1. The user logs in from an authorized Accops endpoint and clicks the desktop icon to request connection information from the Controller.

  2. The controller provides information to the desktop client. In parallel, the controller informs the agent on the virtual desktop about the upcoming session.

  3. The user connects to the assigned desktop and the desktop connection is established.

  4. The agent validates the connected desktop with the information given by the Controller in step# 2.

  5. If the details of the connected session and information received from the Controller are found valid, it allows the session to continue. If not, the desktop session is logged out.

Important Points

  • With the advanced method in use, an incompatible client version may cause sessions to be disconnected or logged out, depending on the configuration.

    • If the deployment has unsupported clients or versions, it is recommended to use the old method.

  • Direct RDP block is enabled by default in the latest DVM agent, using the default method.

  • In some cases, where profile loading or connection takes longer than the configured direct RDP block time limit, the agent may treat the session as a direct RDP connection and log it out. Such cases can be identified from the logs and depend on the environment.

  • The timeout duration can be increased.

External log Settings

In some deployments, user session monitoring is required for audit purposes; the feature is integrated with the HyWorks DVM Agent. Two types of monitoring are available:

  1. User Session Monitoring
  2. Process Monitoring

Registry Base:

HKEY_LOCAL_MACHINE\SOFTWARE\Accops\DVMAgent\ADVANCE SETTINGS\EXTERNAL LOG SETTINGS

The administrator will be able to configure the session monitoring by updating the registry entries. Details about the registry key values are as follows.

| Key Name | Default Value | Type | Value Range |
|---|---|---|---|
| TrackingType | 0 | String | 0: Disabled; 1: User Session Monitoring; 2: Process Monitoring; 3: Both |
| IgnoreList | C:\Windows\System32* | Multi String | Processes/folders to be ignored for process tracking |
| SyslogHost | 0.0.0.0 | String | Syslog server or Accops ARS Server IP address or hostname |
| SyslogPort | 514 | String | Syslog server or Accops ARS Server port number |
| DumpProcessMonToSyslog | False | String | When set to true, process monitoring logs are pushed to the configured syslog server. |
| DumpUserSessionMonToSyslog | False | String | When set to true, user session monitoring logs are pushed to the configured syslog server. |

Allow calls from authorized controller(s) only

In some deployments, blocking unauthorized access to the DVM Agent service is required. The administrator can block unauthorized access by updating the authorized controller IPs list at the following location (default value: '*'):

HKLM\SOFTWARE\Accops\DVMAgent\AuthorizedControllerIPs

Note

- The default value is '*', which means any controller is allowed to connect.

- Replacing '*' with one or more (multi-string) controller IPs allows only those listed controller(s) to communicate with the local DVM Agent Service.

- If an unauthorized controller tries to communicate, an error log will be created in both the DVM Agent and the controller logs.
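Replacing the '*' wildcard with an allow-list, as an added PowerShell example (not from the Accops documentation): each entry is checked to be a literal IP address before the value is written as a multi-string, and the value is read back to confirm the wildcard is gone. The controller addresses are placeholders to be replaced with the deployment's HyWorks Controller IPs.

```powershell
# Added example, not part of the Accops documentation.
# Assumption: the controller addresses below are placeholders (TEST-NET-1 range).
#Requires -RunAsAdministrator
$keyPath = 'HKLM:\SOFTWARE\Accops\DVMAgent'
$name    = 'AuthorizedControllerIPs'

# Placeholder controller addresses; replace with your HyWorks Controller IPs.
$controllers = @('192.0.2.10', '192.0.2.11')

# The page describes this value as a list of controller IPs, so reject any
# entry that does not parse as one; a typo here would block the real controller.
$invalid = $controllers | Where-Object {
    $addr = $null
    -not [System.Net.IPAddress]::TryParse($_, [ref]$addr)
}
if ($invalid) { throw "Not valid IP addresses: $($invalid -join ', ')" }
if ($controllers -contains '*') { throw "'*' would leave the agent open to all controllers" }

$before = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
Write-Host "Current value: $($before -join ', ')"

# Write the allow-list as REG_MULTI_SZ, as the page describes.
New-ItemProperty -Path $keyPath -Name $name -Value ([string[]]$controllers) `
    -PropertyType MultiString -Force | Out-Null

# Read back: the stored list must match exactly and must not contain the wildcard.
$after = (Get-ItemProperty -Path $keyPath -Name $name).$name
if (($after -join ',') -ne ($controllers -join ',')) { throw 'Read-back mismatch' }
Write-Host "Agent will accept calls only from: $($after -join ', ')"
Write-Host 'Restart the Accops HyWorks Desktop Agent service to apply the change.'
```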


Pre-Post OS Customization Batch Scripts

In some deployments, it is required to execute scripts before or after the OS customization (SysPrep or HyPrep) runs. The feature is integrated with HyWorks v3.3.

Two types of customization scripts are supported here:

  1. Pre-customization [Pre_Customization_System.bat]
  2. Post-customization [Post_Customization_System.bat]

Path:

C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts

Post Reset Computer Domain Trust Batch Script

In some deployments, it is required to execute a script after a broken domain trust has been reset; the feature is integrated in HyWorks. The path of the script is as follows:

C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Post_Reset_ComputerDomainTrust.bat

Note

HyWorks only provides a platform to execute the scripts on different events on the system. The scripts have to be generated as per requirements.

Suspending Processes in Disconnected Sessions

HyWorks Session Host Server and HyWorks DVM Agent (v3.3-R2 or later) can be configured to suspend processes in disconnected sessions. The feature frees up CPU resources held by disconnected sessions, allowing other users on the system to benefit from the available CPU.

How it works

  • On session disconnection, the session host server/DVM agent will suspend processes.
  • On session reconnection, suspended processes will be resumed.

Configurations to Suspend Processes on Session Disconnection

To enable process suspending:

  1. Open the registry editor with administrator privileges.

  2. Update the registry settings as mentioned below:

    • Registry Location: HKEY_LOCAL_MACHINE\SOFTWARE\Accops\DVMAgent\SUSPEND PROCESS

    • Registry Name/Type: Enable (String)

    • Registry Value: Set to True to enable process suspending, or False to disable it.

  3. Save the registry settings.

  4. Open services with administrator privileges.

  5. Locate Accops HyWorks Desktop Agent service and restart.

Advanced Configurations

The following additional registry configurations are available, which can be used to enable process suspending for specific users/ processes only:

  • exclude_users: Processes of the listed users are not suspended. Provide a comma-separated list of users, for example: user1.demo,user2.demo,user3.demo. Use this option to enable process suspension for all users except a few.

  • exclude_processes: The listed processes are not suspended. Provide a comma-separated list of processes, for example: notepad,write,mspaint. Use this option to enable process suspension for all processes except a few.

Note

Some critical system processes are already added into the exclude processes list and should not be removed for smooth operations.

  • include_users: Process suspension applies only to the listed users; all other users are exempted. Use this option to enable process suspension for specific users only.

  • include_processes: Only provided processes will get suspended; all other processes will be exempted. Use this option to enable process suspension for specific processes only.

Important

For any registry change to take effect, the DVM Agent service must be restarted.