How to deploy and audit remote desktop services

Remote Desktop Services (RDS) enables users to connect to a remote computer or a virtual machine over the network. With RDS, users can control a remote computer, just like they do their own. From another perspective, RDS allows a server to host multiple, simultaneous client sessions. In a PC-based environment, every user in an organization will have different applications installed in their machines. However, in a RDS-based environment, users can be provided with "thin clients" that merely connect to a terminal server. The terminal server can then connect to other servers to access data.

Adopting RDS within the organization reduces cost, increases mobility, and provides scalability. It also reduces time and effort for the set-up of end user workstations. On the flip side, there is a big security challenge—implementing RDS increases the number of vulnerable endpoints, and cyber attackers can now have one more way of orchestrating a data breach. Therefore, IT administrators must monitor RDS sessions continuously and make sure no malicious actions are performed.

In this article, we'll first look at how organizations can deploy RDS using PowerShell. We'll then see how ADAudit Plus, a comprehensive Active Directory auditing solution, can help keep remote desktop connections secure.

Steps to deploy RDS using PowerShell

The PowerShell cmdlet New-SessionDeployment is used to deploy RDS. Three compulsory RDS components that need to be installed at the time of deployment are: 1) Connection broker, 2) Session host, and 3) Web access. These components define how users can use the RDS once deployed.

Here's how you can deploy RDS:

• Open PowerShell with administrative privileges.
• Run this PowerShell script:

New-SessionDeployment -ConnectionBroker server1.manageengine.com -WebAccessServer server1.manageengine.com -SessionHost server1.manageengine.com

After deployment, to audit the activities happening in RDS, administrators can use PowerShell. For instance to get the list of events related to successful RDP authentication (EventID 4624), IT administrators can use this PowerShell cmdlet:

Get-EventLog security -after (Get-date -hour 0 -minute 0 -second 0) | ?{$_.eventid -eq 4624 -and $_.Message -match 'logon type:\s+(10)\s'} | Out-GridView

However, the easier way to audit RDS activities is to use ManageEngine ADAudit Plus

Steps to audit RDS with ADAudit Plus

• Log in to the ADAudit Plus web console.
• Navigate to Reports > Local Logon-Logoff > Remote Desktop Services Activity.
• Select the Period for which you want to get information.
• A graphical display with a detailed events summary lists the audit information for the selected period.
• The report shows granular information on all the RDS activity.
  
• Clicking on an event in the bar graph, filters the report view highlighting only the selected event.
• The quick and advanced search options can be used for precise filtering.