In the discord chat this came up today as a need to utilize the Private Remote Control on a machine when by default the new windows 10 boxes come out of the box with Remote Connections disabled, and NLA enabled. I have a series of three scripts that I put together that I use in this scenario.
The first enables RDP, Disables NLA, and sets the windows firewall to allow RDP.
The second sets RDP to Disabled, and re-enables NLA.
The third script runs the first script and then schedules the second script to run 15 minutes later so that you are just temporarily enabling RDP and NLA, and you don't have to remember to go back later and disable it. Note that in my testing disabling RDP and Enabling NLA doesn't seem to kick you out immediately. But would result in not being able to reconnect with Private Remote Control, or the upcoming "one click access" from that point forward.
One note on this after extensive testing and seeing that the script that disables RDP and re-enables NLA doesn't kick out your existing session, and given the recent security issues with NLA being disabled, on my VSA I specifically deleted the "Permanently Enable RDP" script, and cut the time the temporary enable rDP script waits to run the disable RDP script down to 5 minutes... So you run the temporary eanble RDP script, make your connection, and then it's disabled again in 5 minutes making the vulnerability window negligible. This should also help with the OneClick access in the .21
Now, if only Kaseya would integrate that thinking into the one-click process rather than telling us to Disable NLM to make it work :)
I was thinking that it'd be great if they did... Couldn't be that hard to adapt this... In point of fact it could probably done better than my quick and dirty scripts. Run something *before* you enable RDP and disable NLA and store the current status of it first. Then enable RDP, Disable NLA start the session, once the session is established, set RDP and NLA back to exactly how they were before you launched the script.
In fact after thinking it through a bit more.. I redid these... The version attached to this comment is slightly different. It only has two scripts. The first one will first check the Remote Desktop Settings, Firewall settings, and NLA settings, and use those to build a powerscript file that can be used to set the settings back to what they are right now..and then it enabled Remote Desktop, Sets the firewall to allow RDP, and disabled NLA. It schedules a script for 5 minutes later to run the powershell file and then delete the powershell file.
That way it doesn't "break" anything that you might already have set on a machine. So for example if you already had RDP enabled, but NLA was also enabled, it will set it back that way afterwards rather than turning RDP off as well.
Thank you for sharing Jonathan - this is a great share to the community.
Added it to the Automation exchange as well... Oscar it'd be great to see Kaseya implement something like this built *in* to the Private KRC and OneClick access :). Especially since you guys would have the immediate feedback to know when the connection is made, and could run the second half immediately rather than a 5 minute delay..