
Enabling Remote Desktop on a Remote Machine

What if you want to use Remote Desktop on a server that's already off-site? Here's how to do it.

You can access some properties pages of System using Computer Management by first connecting the console to a remote computer, then right-clicking on the root node and selecting Properties. Unfortunately, the Remote tab is not available when you access System properties this way on a remote machine, so you can't enable Remote Desktop on a remote machine using this approach.

But there's a workaround: start Registry Editor on your administrator workstation and select the Connect Network Registry option under the File menu. This opens the Select Computer search box. Either browse Active Directory to locate the remote server, or type its name in the textbox. Click OK and a node will be displayed in Registry Editor for the remote machine. Now browse HKLM on the remote server (SRV here) to find the following Registry key: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server. Under the Terminal Server key, you'll find a REG_DWORD value named fDenyTSConnections. Double-click on that value to open the Edit DWORD Value box and change the value data from 1 (Remote Desktop disabled) to 0 (Remote Desktop enabled). The remote machine needs to be rebooted for the change to take effect, so open a command prompt and type the following command:

shutdown -m \\servername -r

After the remote machine reboots, Remote Desktop should be enabled on it. To test this from your workstation, open Start --> All Programs --> Accessories --> Communications --> Remote Desktop Connection, enter the name of the remote server in the Remote Desktop Connection logon box, supply your administrator password when prompted, and you're in.
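Because this switch can be flipped remotely and leaves nothing visible on the console, it is worth auditing which machines currently have it set. The PowerShell below is an added example, not part of the original post: it reads fDenyTSConnections over the same remote-registry channel and also checks the Group Policy copy of the value, which overrides the local one when present. The function name and the idea of feeding it a server list are assumptions.

```powershell
# Added example, not from the original post. Reads the value the article edits
# (fDenyTSConnections) plus the Group Policy copy of it, which wins when set.
function Get-RdpState {
    param(
        # Server names are an assumption; defaults to the local machine so it runs as-is.
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )

    $localPath  = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
    $policyPath = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    foreach ($name in $ComputerName) {
        $row = [pscustomobject]@{
            Computer    = $name
            LocalValue  = $null   # value under Control\Terminal Server
            PolicyValue = $null   # same value name under the Policies key, if a GPO sets it
            RdpEnabled  = $null
            Error       = $null
        }
        $hklm = $null
        try {
            # An empty machine name means "this computer". Remote targets need the
            # Remote Registry service and admin rights, the same prerequisites as
            # Connect Network Registry in Registry Editor.
            $target = $name
            if ($name -eq $env:COMPUTERNAME) { $target = '' }
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $target)

            foreach ($pair in @(@('LocalValue', $localPath), @('PolicyValue', $policyPath))) {
                $key = $hklm.OpenSubKey($pair[1])          # read-only open
                if ($null -ne $key) {
                    $row.($pair[0]) = $key.GetValue('fDenyTSConnections', $null)
                    $key.Close()
                }
            }

            # 0 = connections allowed, 1 = connections denied.
            $effective = $row.LocalValue
            if ($null -ne $row.PolicyValue) { $effective = $row.PolicyValue }
            if ($null -ne $effective) { $row.RdpEnabled = ([int]$effective -eq 0) }
        }
        catch {
            $row.Error = $_.Exception.Message
        }
        finally {
            if ($null -ne $hklm) { $hklm.Close() }
        }
        $row
    }
}

# Local machine by default; for a fleet, pass -ComputerName (Get-Content <server list file>).
Get-RdpState | Format-Table -AutoSize
```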

Recover Lost Windows NT Administrator Password

This tip is in the Administrators section. Use this information at your own risk. Any attempt to circumvent an OS's normal security can be disastrous. If you are really, really stuck - this tip may be for you. No warranty is suggested or implied. I have used some of these tools. Sometimes successfully and sometimes not. Those that attempt to overcome Syskey, in particular, seem risky. I have had the most success with the Linux boot disks and a manual brute force dictionary attack using L0phtcrack. These are do-it-yourself tools. There is something to be said for the comfort level of the commercial tools. Consider ElcomSoft for a commercial approach.

If you are interested in these tools or procedures, I suggest you download the code and print the procedures now (I have had to remove dead links from this page more than any other - this kind of data seems to disappear fast).

This article kicked off my interest in Penetration Testing. In particular, depending on what you are searching for, you may want to check on my Penetration Testing Tip #12: Password Recovery Resources tip. For core security issues see Wayne's Security Resources.

If your organization has not brought in a team to do a full scope penetration test, you really have no idea how insecure and vulnerable your network really is to internal and external hackers. I guarantee that you will be shocked, but it's a better security practice to make penetration testing part of your yearly risk analysis than to wait until you have a real incident. Given my experience as an NT systems admin and my experience hacking just such an environment, I will be writing white papers to help the NT admin protect his/her *ss. A critical resource is the administrator's workstation. I strongly recommend you read my paper on how to protect this resource.

There are various offline attacks. Do you have auditing turned on so you can detect when a server has been turned off, making it vulnerable to offline attacks? If you are not aware of it:

Without physical security, there can be no security.

If you have a resource which needs to be protected, the single most important protection is to restrict physical access.

Easiest: Linux boot disks

There are Linux boot disks that have DOS and NTFS filesystem drivers and software that will read the registry and rewrite the password hashes for any account including the Administrator's. It is as simple as:

  • shut down or turn off the PC
  • put the boot disk in the PC and reboot
  • respond to the Linux prompts
    the highest barrier is understanding unix media descriptors
  • select the account whose password hash needs to be rewritten & enter a new password
  • reboot & access using the new password

This process requires physical access to the console and an available floppy drive.

The following site provides the downloadable boot disk image, image to disk utility, source code, and supporting documentation: Offline NT password utility. This version can disable syskey protection. They do note that turning off syskey under Windows 2000 damages the SAM and is not to be attempted except as a last resort to reinstallation. Watch for updates.

See Analysis of Alleged Vulnerability in Windows 2000 Syskey and the Encrypting File System for Microsoft's perspective.

I have seen the Linux boot disks fail primarily on SCSI-based boxes when the boot disk did not have the proper SCSI driver or when there was some problem detected in the SCSI setup. I have also seen PCs where the Linux boot disk works but the SAM seems to be invisible to Linux (although it's in its standard location and later access with NTFSDOS allows it to be copied).

What would raise barriers to these types of tools?

  • Lock the PC up.
    Recognized requirement for servers. How many workstations are behind locked doors? Given what you have learned here, shouldn't at least a select set of workstations be secured? Say the officers, personnel, security personnel, ...
  • Power on passwords.
    A decent barrier. There are physical hacks. Are the cases locked?
  • Set BIOS to boot from HD and not from floppy
    Raises the barrier a little.
  • Remove the floppy and lock the case - higher barrier. For a high security environment. Would this fly where you work?
  • Apply Microsoft's syskey to encrypt the hashes. See atips92. Syskey stymies the freeware Linux offline attacks at this point in time. Some of the commercial products state they can reset the password even if Syskey has been applied.
  • Encrypt the hard drive. There are commercial products to do this. NT2000 includes encryption as an NT feature similar to NT4's NT compression feature. None of the methods I am aware of at this time will work under NT2000, even without the encrypting file system feature.

It is not practical in most environments to have high security applied to workstations. But one or more of the less intrusive barriers would increase the time to break in and would increase the probability of exposure to the hacker. This would increase the probability of management acceptance of usage of these tools by legitimate support personnel trying to solve a difficult problem.

Some of the Linux boot disk utility variants leave a footprint. The password is changed. Some include backup/restore features for the sam. With this feature, one could boot a Windows NT PC; backup the sam data; overwrite the pw; reboot; login using the compromised account and do mischief including sending inappropriate email or deleting bits and pieces here and there - darn those unreliable PCs; restore the sam and the owner's pw; since the attack was offline, unless the shutdowns are monitored, the episode is essentially invisible.
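Both the auditing question earlier ("can you detect when a server has been turned off?") and the point above about unmonitored shutdowns come down to reviewing offline windows. The PowerShell below is an added example, not part of the original post: it pairs the System-log EventLog records 6006, 6005 and 6008 into offline windows and marks the ones that deserve a look. The sample records are constructed, and the maintenance-window hours and function name are assumptions.

```powershell
# Added example, not from the original post. Pairs System-log EventLog records
# 6006 (log service stopped = clean shutdown), 6005 (log service started = boot)
# and 6008 (previous shutdown was unexpected) into offline windows for review.
function Get-OfflineWindow {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,  # need TimeCreated and Id
        # Hours in which reboots are expected; a hypothetical site policy.
        [int] $WindowStartHour = 2,
        [int] $WindowEndHour   = 4
    )

    $boots    = New-Object 'System.Collections.Generic.List[object]'
    $lastStop = $null    # most recent 6006 not yet matched to a boot
    $current  = $null    # boot record that a following 6008 belongs to
    $first    = $true    # nothing is known about what preceded the first record

    # Secondary sort on Id puts 6005 ahead of a 6008 carrying the same timestamp.
    foreach ($e in ($Events | Sort-Object TimeCreated, Id)) {
        switch ([int]$e.Id) {
            6006 { $lastStop = $e.TimeCreated }
            6005 {
                $up    = $e.TimeCreated
                $state = 'Dirty'                          # boot with no shutdown logged
                if ($first)              { $state = 'Unknown' }
                if ($null -ne $lastStop) { $state = 'Clean' }

                $minutes = $null
                if ($null -ne $lastStop) {
                    $minutes = [math]::Round(($up - $lastStop).TotalMinutes, 1)
                }
                $inWindow = ($up.Hour -ge $WindowStartHour) -and ($up.Hour -lt $WindowEndHour)

                $current = [pscustomobject]@{
                    DownFrom       = $lastStop
                    UpAt           = $up
                    MinutesOffline = $minutes
                    State          = $state
                    InWindow       = $inWindow
                    Review         = ($state -ne 'Clean') -or (-not $inWindow)
                }
                $boots.Add($current)
                $lastStop = $null
            }
            6008 {
                # Written during the boot that follows a power cut or hard reset.
                if ($null -ne $current) { $current.State = 'Dirty'; $current.Review = $true }
            }
        }
        $first = $false
    }
    $boots
}

# Constructed sample records: a planned reboot, a lunchtime reboot, a hard power-off.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2003-03-02T02:10:00'; Id = 6006 }
    [pscustomobject]@{ TimeCreated = [datetime]'2003-03-02T02:14:00'; Id = 6005 }
    [pscustomobject]@{ TimeCreated = [datetime]'2003-03-05T12:41:00'; Id = 6006 }
    [pscustomobject]@{ TimeCreated = [datetime]'2003-03-05T13:02:00'; Id = 6005 }
    [pscustomobject]@{ TimeCreated = [datetime]'2003-03-07T22:30:00'; Id = 6005 }
    [pscustomobject]@{ TimeCreated = [datetime]'2003-03-07T22:30:00'; Id = 6008 }
)

Get-OfflineWindow -Events $sample | Where-Object { $_.Review } | Format-Table -AutoSize

# Live data (a Windows version with PowerShell, an assumption beyond the NT-era article):
# $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005, 6006, 6008 }
# Get-OfflineWindow -Events $ev
```

A clean shutdown followed by a 20-minute gap in the middle of the day is exactly the pattern the backup/overwrite/restore sequence would leave, which is why the example flags clean reboots outside the expected window as well as dirty ones.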

The automated nature of these tools makes this available to putzes, baby hackers, and the guy/gal in the office next door. It took me 5 minutes with a very simple search to find the utilities and procedures documented on this page. The security by ignorance barrier is incredibly low.

The level of expertise to take advantage of physical access does vary. These baby tools for NT should make one seriously consider how to improve server and workstation security. Server physical security is generally good except in departmentally distributed servers. Workstation security is a nonentity in all but the most paranoid shops. These tools should give one pause, and prompt action to protect your officers' PCs and other PCs with highly sensitive data from hackers.

Sunbelt released NTAccess which can replace the administrator password of a Windows NT; Windows 2000 system with or without Active Directory; or XP. It can bypass syskey protection. NTAccess can replace the administrator password of a Windows XP, Windows NT or Windows 2000 system by rebooting the computer with a special set of boot disks or CD-ROM (XP only). This is useful if you forgot the administrator password and cannot access the Windows XP/2000/NT system.

AccessData are in the business of password recovery and sell toolkits which can reset the administrator password under Netware and NT as well as office and personal application products such as Word and Quicken. They provide technical support should things go awry. Given the consequences of problems, tech support can be worth every penny. They also have a set of freebie utilities.

The Passware Kit also offers a fairly extensive password recovery suite including NT and many applications fairly inexpensively. They have recently announced a version of their product to reset Administrator password, secure boot password or key disk if lost: Windows 2000 password product with the following features:

  • 100% recovery rate
  • Windows XP Home and Professional Editions are supported
  • Windows 2000 Professional, Server and Advanced Server are supported
  • Windows NT Workstation and Server 3.50, 3.51, 4.0 are supported
  • Loads third party mass storage (SCSI, RAID, etc.) drivers when using Windows XP, 2000 or NT 4.0 setup disks
  • All secure boot options are supported
  • All Service Packs are supported

Winternals offers NTLockSmith to reset lost NT passwords. It only works in conjunction with NT Recover, which is designed to recover data from damaged NT boxes. It sounds much like the Linux solution but uses NT Recover to get to the registry of the target NT box. I suggest you take a close look at their admin tools. Their product is Windows 2000 compatible.

Dieter Spaar's NTAccess uses boot disks to access the NT / Windows 2000 system and change the administrator password. It can turn off Syskey protection at the cost of the loss of all passwords except the administrator's account, which it resets. My guess is that they achieve this by deleting the LSA SecureBoot value and replacing the Administrator's password hash. They are not breaking the encryption. They are just turning it off. See my Syskey tip for more information.

Many sites document a rather complex method of resetting the administrator's password. The method takes advantage of the fact that certain system services, such as the spooler, operate under the security context of the local system. By changing the file name of the spooler to another executable it is possible to launch an application with privilege to change password. There are several versions. They work. They are complex. They have the advantage that they do not appeal to hackers - take too long - too much danger of exposure. This technique has the disadvantage that there must be enough space to install another copy of NT. This method is documented : here, here, here, and many other locations.

Some take a much more direct approach. This is actually a method to escalate a user's account to admin level. If you have another account on the box, even though it is not admin, let's say account manager or backup account, you can log onto the system, rename spoolss.exe to spoolssbak.exe, rename usrmgr.exe to spoolss.exe, reboot. When you log on after reboot, User Manager will be running in the foreground running as localsystem. This gives you the ability to reset the admin password to whatever you want, or to create a new admin account for example. You need to log off and back on using the administrator command to get the renamed files back under their proper names.
Note: for NT workstation, User Manager is musrmgr.exe.

kira bomba states

       I have found out that this method (as described above) doesn't work
on a Windows 2000 box. However, you can make it work if you consider
the following:

1. It happens that you can't delete the "spoolsv.exe" (win2000 version
of "spoolss.exe") file from your harddisk (usually it's in the
\winnt\system32 directory). This file is loaded on start-up and can't
be stopped using the Task Manager. As long as you can't stop the
corresponding process, you can't delete the file, it's locked by the
operating system. Even if you find a way to stop the process you can't
delete or substitute the file, Windows will automatically replace it
with the default version.

A solution to this problem is to delete the file "offline", i. e. after
booting from a DOS floppy. If the harddisk is FAT formatted it will work
out just fine. If the harddisk is NTFS formatted you'll need a NTFS driver,
like NTFSDOS Pro, downloadable from
www.sometips.com/goodstuff/default.htm.
When you have booted from a floppy it's no problem any more to delete
"spoolsv.exe" or to replace it. Replace with what? In Windows 2000, there
is no "usrmgr.exe" nor "musrmgr.exe". Well, compile the following C program,
name it "spoolsv.exe" and put it to where the original file was:

*****************
#include <stdlib.h>

int main(void)
{
system("control userpasswords");
return 0;
}
*****************
"mmc lusrmgr.msc" instead of "control userpasswords" should work too. When you
start Windows next time, as a normal user or as an admin, the User Manager
window will open...

Another technique reported on the web which requires a 2nd copy of NT :

  • Install an alternate copy of Windows NT.
  • Boot up the alternate install.
  • Use Start / Control Panel / System / Startup to change the default boot instance to your original install.
  • In the original Windows NT folder, navigate to the \System32 sub-folder.
  • Save a copy of logon.scr, the default logon screen saver.
  • Delete logon.scr.
  • Copy CMD.EXE to logon.scr.
  • Shutdown and restart your original install.
  • Wait for the logon screen saver to initiate. It will actually open a CMD prompt, in the security context of the local system account. Be patient, it sometimes takes several minutes for the command window to popup.
  • Type MUSRMGR, into the CMD prompt to execute User Manager, and reset the Administrator's password.
  • Delete the logon.scr from %SystemRoot%\System32.
  • Rename the saved default screen saver back to logon.scr.

If you have an old ERD from when you knew the admin password, you could use it during a Windows NT repair install to get back to that point. Just be careful, any accounts created since that point will be lost and those not lost will have their passwords reset to an old version.

A method involving removing the HD and placing it in another NT box as an additional drive, is documented here . This approach normally works when nothing else will in most OSs not using encrypting file systems. Guess whether I have tried this approach. Not in NT.

If you have access to current ERD disks or the repair directory, you can use L0phtCrack to access the password hashes and perform a brute force attack on the password hashes. It will break any password (it may take a day or two). L0phtCrack has the advantage that it does not modify the passwords. Additionally, in another context, a run by the administrator against the password hashes using a simple dictionary will give you an idea if your users' passwords are too weak. See ElCOM for dictionaries that you can download as well as a significant suite of password breaker software.

L0phtCrack can be used as an offline method:

  • Create a DOS bootable floppy
  • If NT is installed on a FAT partition, use the DOS boot disk to copy the SAM, winnt\system32\config\sam
  • If NT is installed on NTFS, use NTFSDOS.EXE to get the SAM.
  • Copy the SAM to a temp directory on a working NT box
  • Use pwdump to pull out the hashes and break them with l0phtcrack.
See atips174 if you are unfamiliar with NTFSDOS.EXE.

If you need to break a password set by an application or perhaps a password for zipped files, see these sites:

www.passwordservice.com/
www.lostpassword.com
www.elcomsoft.com
www.soft4you.com
www.pwcrack.com
Microsoft Office pw crackers

These sites are just a few I am aware of. There are many. Unfortunately, as this article should make you aware, passwords can give one a false sense of security when it's all you have protecting your a$.

As an aside, if you have Win9x and have set a password and forgot it, you can bypass Windows with F8 during startup and choose the Command Prompt Only option. At the prompt, go to the Windows directory and delete .pwl files. No password will be required on the next boot. A new password can be set if you wish at the Start|Settings|Control Panel|Passwords and click on Change Windows Password.

CMOS/BIOS password info:

PC BIOS Security and Maintains Toolkit
Cracking Programs
Forgotten Password Utilities

Microsoft has reprinted a Windows NT Magazine background article on Where Windows NT Stores Passwords.

Microsoft's Administration Tools for Windows 2000

Microsoft provides a fairly comprehensive set of tools for administrators. I would call some of these tools and some services. Some are integral to NT and W2K like Event Viewer. The tools are:

  • Active Directory Domains and Trusts : administer domain trusts, change domain mode, add and change user principal name suffixes
  • Active Directory Sites and Services : establishes and administers sites, replication, and security services
  • Active Directory Users and Computers : manages users, computers, and groups within a domain
  • Certification Authority : manages certificate services which issue certificates for public key security
  • Cluster Administrator (advanced server only) : handles the configuration of clusters and nodes
  • Component Services : configures and administers COM components and apps
  • Computer Management : administers disks, shares, users, groups, and services on the local computer
  • Configure Your Server : sets up and configures Windows services
  • Connection Manager Administration Kit : manages and customizes local and remote connections
  • Data Sources : adds, removes, and configures ODBC databases and drivers
  • DHCP : manages DHCP services
  • Distributed File System (DFS) : manages DFS installations, topology, and replication
  • DNS : manages DNS services
  • Event Viewer : displays application, security and system logs
  • Internet Authentication Service : configures security and authentication for dial-in users
  • Internet Services Manager : manages IIS
  • Licensing Manager : manages client licenses
  • Local Security Policy : views and configures user rights, audit policy, and misc security settings applicable to the local computer
  • Network Monitor : captures network data for analysis
  • Performance Monitor : views system performance graphs and configures performance logs and alerts
  • QoS Admission Control : Quality of Service: assign network bandwidth by subnet
  • Remote Storage : manages the storage of infrequently accessed files
  • Routing and Remote Access : administers dialup, VPN, and internetwork connections
  • Server Extensions Administrator : manages Front Page server extensions
  • Services Manager : start, stop, and configure services
  • Telephony : manages telephony clients and servers
  • Telnet Server Administration : start, stop, and provide info about Telnet server
  • Terminal Services Client Creator : make floppy disks for installing Terminal Services client software
  • Terminal Services Configuration : configures new connections for Terminal Services; modifies and deletes existing connections
  • Terminal Services Manager : displays terminal servers in trusted domains
  • WINS : administer WINS

Most admins want to run these tools from their W2K workstation. Open the i386 folder in the W2K server CD and double-click Adminpak.msi. This will start the Administration Tools Setup Wizard which you can use to install or remove admin tools. This version of the Admin tools will not install under XP. The .NET version of Adminpak.msi will. You can download the beta3 version of the Windows XP Administration Tools Pack.

Check If A Single User Can't Log On To Domain? and Active Directory Remote Admin Scripts

What To Check If A Single User Can't Log On To Domain?

Explains the tips you can use to troubleshoot the problem for a user who can't log on to the domain.

Sometimes a single user might not be able to log on to the domain. You can follow the checklist given below:

Make sure:

  • You can ping the domain controller from the user's computer.
  • There is no white space in the User's Home Profile in User's Property > Check it using the DSA.MSC.
  • The user computer is configured with the correct DNS Server to find the domain controller > Check in TCP/IP property of the user's computer.
  • The Computer Account in the domain for the user's computer is not missing > Check using the DSA.MSC
  • The Computer Account in the domain is not disabled > Check using the DSA.MSC
  • The Time between the domain controller and the client computer is synchronized > Check using Net Time command.
  • The Domain Controller can be found > Check environment variables and check "LOGONSERVER" value or execute Nltest /DsGetDc:domain to re-locate the domain controller for the user.

Active Directory Remote Admin Scripts

The Windows 2000 Resource Kits include vbs scripts to aid in Active Directory remote administration. They include:
  • chkusers.vbs : searches a domain for a user with specific properties or attributes.
  • createusers.vbs : create new users.
  • group.vbs : returns list of the groups contained within a specific domain.
  • groupdescription.vbs : returns description assigned to a specific group.
  • listdcs.vbs : returns list of all domain controllers in a domain.
  • listdomains.vbs : returns list of all domains in a namespace.
  • listmembers.vbs : returns list of all members of an Active Directory group.
  • listprinters.vbs : returns list of all printers and their properties for a specified server.
  • modifyldap.vbs : control LDAP admin policies.
  • modifyusers.vbs : modifies multiple user accounts on a domain or system.
  • schemadiff.vbs : compares schema between two forests.
  • systemaccount.vbs : returns config info for system account on a system.
  • useraccount.vbs : returns info contained within a user account.
  • usergroup.vbs : add or remove multiple users from a group.

Modify Logon Rights On Multiple Computers

Explains a simple command you can use to modify the "Log On Locally" right on multiple servers remotely.

The Log On Locally right allows your users to log on locally on the server. By default, all the users in the Active Directory Forest are able to log on to any server except domain controllers. The Local Users Security Group is added to the "Allow Log On Locally" right on the local server, and this security group contains the Domain Users security local group. If you have created a security group and want only the members of this security group to be able to log on locally on specified servers, then you must do it manually, using a Group Policy or using a script.

In this example, I have created a domain security group named: RDP Access and members of this security group should be able to log on locally on 100 servers out of 500 servers in my environment.

Steps:

  • Create a text file: Servers.txt
  • Copy all the 100 server names in this text file.
  • Run the following command:

For /F "Tokens=*" %a in (Servers.txt) Do Ntrights.exe -m \\%a -u "Domain_Name\RDP Access" +r SeInteractiveLogonRight

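The above command assigns the Log On Locally right to RDP Access, which is a domain local security group, on the servers listed in the Servers.txt file. The +r switch only adds the right; it does not remove accounts or groups that already hold it on those servers.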

Check If Servers In DMZ Are Up and Running Or Pinging

How To Check If Servers In DMZ Are Up and Running Or Pinging?


Explains the steps you can use to make sure the servers in the DMZ respond to ping from a desktop computer which is outside the DMZ.

The servers in the DMZ are protected by the firewall. The firewall rules are used to block any incoming traffic such as ICMP. ICMP is used by the Ping utility, so you cannot ping a server from your desktop.

You have a desktop computer which is outside the DMZ. You have a task assigned to you which involves pinging all the servers in the DMZ to make sure they are up and running. As a manual process, you will log on to a server (generally called a Management Server) in the DMZ and then check all the servers one by one or run a Ping script which will show you the results in a text file. What if you want to check the connectivity from the desktop computer? In this situation, you can use a simple command to run the Ping from within the DMZ's Management Server. This is how you do it:

Steps:

  • Create a text file named ServersDMZ.txt
  • Copy all the server names into the text file you created and then save it.
  • Run the following command from your desktop. It runs Ping on a server in the DMZ (the Management Server) from which all other servers in the DMZ are reachable.

For /f "Tokens=*" %a in (ServersDMZ.txt) do Psexec.exe \\ManagementServer Ping %a >> Results.txt

The above command runs Ping on the Management Server in the DMZ and checks the connectivity of all the servers specified in ServersDMZ.txt. The output is appended (>>) to Results.txt on your desktop, so each server's result is kept rather than overwritten by the next one.


Remote Desktop with Windows XP

What is Remote Desktop?

With the Remote Desktop feature in Windows XP, you can remotely control a computer from another office, from home, or while traveling. This allows you to use the data, applications, and network resources that are on your office computer, without being in your office. In the illustration below, you can see that a Systems Administrator can quickly (and securely) get into their corporate office network: if a system is down, no problem, you can fix it from anywhere you can find an Internet connection that is stable enough to let you work.

Remote Desktop is the new name for the older Windows based Terminal Services Client that (like with Windows 2000), would allow you to connect to and manage a server remotely for up to two connections, allowing you to do maintenance on the server and so on. Remote Desktop (Windows Server 2003 / XP), allows the same functionality, except it's enhanced and easier to use.

To use Remote Desktop, you need the following:

  • Windows XP Professional installed on your office computer, or whichever computer you plan to operate remotely. This computer is known as the host. This article was written using Microsoft’s most current operating system – Windows XP Professional.
  • Display data and keyboard data are sent over a WAN or Internet connection so make sure that you are working over a good connection… to use Remote Desktop over a slow connection could be a burden. It will work, but it may not respond as well as you would like. You can use low bandwidth connections, it will allow you to remotely control a system.

Get Remote Desktop

  • The Remote Desktop Connection software is pre-installed with Windows XP, so to verify that you have it, use the following menu path:
    • Start => All Programs => Accessories => Communications, => Remote Desktop Connection
  • If you don’t have it, then you need to get it. There are options. First, you can get the Remote Desktop Connection software on the Windows XP Professional and Windows XP Home Edition product CDs
  • If you don’t have a CD, then you can get it online. Use the links I provided in the links and references section to get the clients if you don’t have it currently available on your system.

The Remote Desktop Connection software can be installed on any supported Windows platform. Once you get it, install it and open it up.

Let’s look at how to install Remote Desktop (if not already installed)

Install the Client Software

To install Remote Desktop Connection software on a client computer

  1. Insert the Windows XP CD into your CD-ROM drive.
  2. When the Welcome page appears, click Perform additional tasks, and then click Setup Remote Desktop Connection as shown below.
  3. When the installation wizard starts, follow the directions that appear on your screen.
  4. You will have to agree to the license agreement
  5. Enter your personal information and click Next
  6. Finish the installation and you will now have Remote Desktop Installed on your XP system.

Enable Your Computer as the Host

Before you use Remote Desktop, your systems have to be set up properly to allow it to be ‘controlled’. One of the first things you will need to do is to ‘enable’ the remote control of a system. To do that, you will need to make a quick setting change in the System Properties.

  1. Log in as an Administrator (or as a member of the Administrators group)
  2. Open the System Applet in the Control Panel.
  3. Click Start => Control Panel => System Applet => Remote Tab
  4. On the Remote tab, select the Allow users to connect remotely to this computer check box, as shown below.
  5. Make sure that you have the proper permissions to connect to a computer remotely, and click OK.

Remote Desktop and XP Service Pack 2

If you're running Windows XP Service Pack 2 (SP2) and you enable Remote Desktop, Windows Firewall will be automatically configured to allow Remote Desktop connections to your computer. There is one exception: this will not happen if you have Windows Firewall configured to allow no exceptions.

To allow exceptions in Windows Firewall:

  1. Open the Control Panel, Double Click the Security Center applet
  2. When the Security Center opens, Click on Windows Firewall
  3. Make sure you Clear the check box next to “Don't allow exceptions”

Start a Session

Once you have enabled your Windows XP Professional computer to allow remote connections, and installed client software on a Windows-based client computer, you are ready to start a Remote Desktop session.

Remember, as I laid out in the diagram in the beginning of this article, you must first establish a virtual private network (VPN) connection or remote access service (RAS) connection from your client computer to your office network. Without a connection ‘into’ the corporate network, you will not be able to remote into a server, especially if it's not internet facing *like on a DMZ* and is using a private RFC 1918 address.

To create a new Remote Desktop Connection

  1. Open Remote Desktop Connection.
  2. Click Start => All Programs => Accessories => Communications => Remote Desktop Connection
  3. In Computer, type the computer name or TCP/IP address (shown below) of the host you want to control… remember, it has to be ‘allowed’ to be controlled first.
  4. Fill in your credentials, Domain if needed, and save the connection as a ‘profile’ so you can quickly go back to it later and use it again.
  5. I don’t recommend checking the ‘Save my password’ check box because if your system becomes compromised, your servers (or other systems) have now become exposed to the Hacker. Once in the server, the whole corporate network is potentially exposed.
  6. Once you have put in your credentials and all other pertinent information, Click Connect.
  7. Your request will now be sent to the system you want to connect to. The Log On to Windows dialog box appears.
  8. In the Log On to Windows dialog box, type your user name, password, and domain (if required), and then click OK.
  9. The Remote Desktop window will open and you will see the desktop settings, files, and programs that are on the system. The system that is in the corporate network can remain locked and safe while you are now inside it, working on it. Whatever you are doing cannot be seen by someone watching the console.
  10. Problems do occur; most commonly it’s just that the connection is either refused or it timed out because of latency. Here is a commonly seen error message:

Note:
To change your connection settings, (such as screen size, automatic logon information, and performance options), click on the other tabs available when you open the Remote Desktop Client.

To open a saved connection

  1. Saved connections are stored in your My Documents folder
  2. Windows Explorer => My Documents folder
  3. Click the .Rdp file for the connection you want to use

A Remote Desktop file (*.rdp) file is a profile that holds a bunch of settings. You can make copies of them as you would any other file and just change the options internally to that profile and save it with another name. You can copy all the *.rdp files and store them in a folder on your desktop; you can even edit the Start Menu and make a folder called RDP with all your profiles in it. Whatever makes it easy for you to manage…

To edit an *.rdp file and change the connections settings it contains, right-click the file and then click Edit.
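Since .rdp profiles are ordinary text files that get copied around, the earlier advice against ‘Save my password’ can be checked rather than trusted. The PowerShell below is an added example, not part of the original article: it walks a folder of .rdp files and flags any profile carrying a saved password, assuming the `password 51:b:` line that the classic Remote Desktop client writes when the box is ticked. The function name, host names, user names and blob are constructed for the demonstration.

```powershell
# Added example, not from the original article. Lists .rdp profiles under a folder
# and flags those that carry a saved password ("password 51:b:<blob>" line).
function Find-RdpSavedPassword {
    param([Parameter(Mandatory = $true)] [string] $Path)

    Get-ChildItem -Path $Path -Filter *.rdp -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file     = $_
            $settings = @{}
            # Each line is name:type:value, where type is i (integer), s (string) or b (binary).
            foreach ($line in (Get-Content -LiteralPath $file.FullName)) {
                if ($line -match '^\s*([^:]+):([isb]):(.*)$') {
                    $settings[$Matches[1].Trim().ToLower()] = $Matches[3].Trim()
                }
            }
            [pscustomobject]@{
                File             = $file.Name
                Target           = $settings['full address']
                User             = $settings['username']
                HasSavedPassword = [bool]$settings['password 51']   # empty or missing = false
                LastWrite        = $file.LastWriteTime
            }
        }
}

# Constructed sample profiles in a temp folder (hosts, users and blob are made up).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'rdp-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null

Set-Content -Path (Join-Path $demo 'srv01.rdp') -Encoding Unicode -Value @(
    'screen mode id:i:2'
    'full address:s:srv01.example.local'
    'username:s:EXAMPLE\admin'
    'password 51:b:00112233445566778899AABBCCDDEEFF'   # constructed placeholder blob
)
Set-Content -Path (Join-Path $demo 'srv02.rdp') -Encoding Unicode -Value @(
    'screen mode id:i:2'
    'full address:s:10.0.0.12'
    'username:s:EXAMPLE\operator'
)

Find-RdpSavedPassword -Path $demo | Format-Table -AutoSize

Remove-Item -Path $demo -Recurse -Force

# Real use: point -Path at the folders where profiles are kept, for example
# Find-RdpSavedPassword -Path ([Environment]::GetFolderPath('MyDocuments'))
```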

To log off and end the session

  1. In the Remote Desktop Connection window => click Start => Shut Down.
  2. The Shut Down Windows dialog box appears
  3. In the drop-down menu, select Log Off => click OK