RDP persistence hack

1

  1. open port 3389 on router
  2. connection established to server through port 3389 using RDP (MSTSC)
  3. close port 3389 on router

your RDP session stays connected (no reboots)
any new RDP connection is refused.

RDP session stays connected why?

phillytechguy

Posted 2019-11-08T16:45:04.163

Reputation: 13

Answers

0

The RDP server has not been instructed to check if the connection is still alive, so it is just sitting there waiting for something to happen.

Such a disconnection can also arrive when an RDP session is kept open for longer than the ISP or router is willing to keep any single connection on the same socket.

To have the remote connection send a keep-alive packet (also called heart beat packet), apply this registry tweak to the server that the user is connecting to.

Enter the following text into a .reg file and execute it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpMaxDataRetransmissions"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"KeepAliveEnable"=dword:00000001

harrymc

Posted 2019-11-08T16:45:04.163

Reputation: 306 093

That's the bug... "The RDP server has not been instructed to check if the connection is still alive, so it is just sitting there waiting for something to happen." The issue is no disconnection of the socket except on reboot. Now the RDP port is blocked, the connection is refused. – phillytechguy – 2019-11-09T02:47:20.193

The question is why does it hold persistence once the socket is connected and then the port is blocked. My guess is the port blocking is only effective on socket negotiation. Once negotiation is successful you have a persistent tunnel by default. – phillytechguy – 2019-11-09T03:01:40.560

Yes, the socket must show failure, and for that it must be used, which is what keep-alive does periodically. Without that, both sides can wait a long time for each other.

– harrymc – 2019-11-09T07:38:09.063

It's been over 48 hours since my socket connection and the port 3389 has been closed. I am still connected. Is there any way to hijack the socket connection so as to bypass the port authentication? In other words, I am connected through a closed port. Can my connection be hijacked? – phillytechguy – 2019-11-09T15:36:12.440

Nothing can bypass a closed port. You are absolutely safe on that account. Was it possible to apply the above registry fix? – harrymc – 2019-11-09T17:58:02.533

That's not entirely true, because I am connected. I have full access to the network remotely. The only difference is I connected while the port was open. Then I closed the port. I stayed connected. (Of course I am the superuser Admin.) System processes show a persistent connection for RDP.... I did not change the registry keys, as you suggested, because I want the connection to stay open. You understand I am remote using RDP with all ports closed, right? I am wondering, since the socket is open, can the connection be hijacked? I mean from the outside world. – phillytechguy – 2019-11-09T18:59:38.507

The registry fix is for keeping the connection open. The socket cannot be accessed across a closed port. It is just blocked, that's all. – harrymc – 2019-11-09T19:02:36.403

LOL Yes, the registry is set by default. Thanks for letting me know the key to limit or maximize the connection. So just blocked, but the socket is persistent. I gotcha. – phillytechguy – 2019-11-09T19:07:25.567

1

open port 3389 on router

If by that you mean "port forwarding", there is quite a simple answer to this:

Port forwarding on consumer routers merely accepts an incoming TCP connection (SYN) through NAT and maps it to an internal IP address.

There are separate rules for established connections, which are typically allowed to continue as long as the connection has not been closed (FIN) or reset (RST).

If you remove a forwarded port, established connections will continue to be allowed while new ones (SYN) will be blocked. (Or, rather, they won't have a valid NAT mapping.)

Bob

Posted 2019-11-08T16:45:04.163

Reputation: 51 526

Excellent. Thanks – phillytechguy – 2020-02-27T13:29:30.603
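As an added illustration of Bob's answer (this is not code from the thread or from any router), the toy model below keeps the forwarding rule and the connection table as two separate things: only a SYN consults the rule, while established flows are matched against the table until FIN/RST. It also models the idle timeout harrymc's keep-alive tweak guards against; the Router, Packet and scenario names, the sample addresses and the 300-second timeout are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str     # public source address (constructed sample values below)
    sport: int   # source port
    dport: int   # destination port on the router's public side
    flags: str   # TCP flags, e.g. "SYN", "ACK", "FIN,ACK", "RST"
    t: float     # arrival time in seconds

@dataclass
class Router:
    idle_timeout: float = 300.0                    # assumed NAT table lifetime
    forwards: dict = field(default_factory=dict)   # public port -> "lan_ip:port"
    conntrack: dict = field(default_factory=dict)  # flow key -> (dest, last_seen)

    def add_forward(self, public_port: int, lan_ip: str, lan_port: int) -> None:
        self.forwards[public_port] = f"{lan_ip}:{lan_port}"

    def remove_forward(self, public_port: int) -> None:
        self.forwards.pop(public_port, None)

    def handle(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dport)
        entry = self.conntrack.get(key)
        if entry is not None:
            dest, last_seen = entry
            if p.t - last_seen > self.idle_timeout:     # stale flow: forget it
                del self.conntrack[key]
            elif "FIN" in p.flags or "RST" in p.flags:  # orderly close or reset
                del self.conntrack[key]
                return f"forward {dest} (flow closed)"
            else:
                self.conntrack[key] = (dest, p.t)       # traffic refreshes the entry
                return f"forward {dest}"
        if "SYN" in p.flags and p.dport in self.forwards:  # only a SYN uses the rule
            self.conntrack[key] = (self.forwards[p.dport], p.t)
            return f"forward {self.forwards[p.dport]}"
        return "drop"

def scenario() -> list:
    """Replay the question's three steps with constructed addresses."""
    r = Router()
    r.add_forward(3389, "192.168.1.10", 3389)                             # 1. open port
    log = [r.handle(Packet("203.0.113.5", 50000, 3389, "SYN", 0))]        # 2. connect
    r.remove_forward(3389)                                                # 3. close port
    log.append(r.handle(Packet("203.0.113.5", 50000, 3389, "ACK", 10)))   # session continues
    log.append(r.handle(Packet("203.0.113.5", 50001, 3389, "SYN", 20)))   # new session refused
    log.append(r.handle(Packet("203.0.113.5", 50000, 3389, "ACK", 400)))  # idle past timeout
    return log
```

The last packet shows the other half of the thread: a flow that sits silent longer than the router's table lifetime is forgotten, which is exactly what periodic keep-alive traffic prevents.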