How To Rdp To Aws Windows Instance

Remote Access to Windows EC2 instances, the easy (and secure) way

Getting a Remote Desktop to a Windows instance in AWS EC2 is a long process. Here we demonstrate how we can reduce the long series of manual steps down to a single PowerShell command.

Some time ago I wrote "Remote Access to EC2 instances, the easy (and secure) way", which explored some features of AWS EC2 and Systems Manager for logging into EC2 instances. In the end I had worked out a way to give an instance ID to a special SSH command, and in that single command I'd get a terminal session to any EC2 instance, no matter how deeply it was locked down within private VPCs. That only worked for Linux instances, so my next challenge was to see if we can do the same with EC2 Windows instances - can a single command start up a Remote Desktop session to a Windows instance in EC2, even if it's buried inside a private VPC subnet?

This turned out to be quite a challenge…

TL;DR

Busy? Need the answer right now? Then yes, it can be done. Head on over to https://github.com/cloudsoft/EC2Access, follow the installation instructions, and then connect to your Windows instance with a PowerShell command like this:

Start-EC2RemoteDesktopViaSessionManager -InstanceId i-12345678abcd `
                                        -Region eu-west-1 `
                                        -PrivateKeyFile C:\Users\joe\Downloads\windows.pem

But if you want to read about the journey to get here, and more details on how to use these new commands, read on.

Accessing the Windows desktop using Remote Desktop

The normal-for-AWS way for you to access a Windows desktop goes like this:

  1. Get the Windows Administrator password from the AWS Console. To do this you'll need to provide your private key file.
  2. Make sure that TCP port 3389 is open to your own public IP address in the instance's security group.
  3. Run the Remote Desktop client, and fill in the remote host address, username (Administrator) and password.

This is quite a few manual steps and, like with Linux SSH, involves opening ports up which you wouldn't usually want the Internet to be able to see. Let's see what's in our toolkit to automate and secure this.

First of all, head over to https://github.com/cloudsoft/EC2Access and follow the instructions to install our PowerShell module developed for this purpose. Once installed, you'll have access to 3 new PowerShell commands:

  • Get-EC2Password
  • Start-DirectEC2RemoteDesktop
  • Start-EC2RemoteDesktopViaSessionManager

We'll explore these commands in the rest of this post.

Getting the Administrator password

The process here is quite interesting. EC2 stores SSH public keys and when you start an instance, you choose which SSH public key you want to associate with the instance. On Linux instances, the key data is simply dropped into the instance's SSH configuration. On Windows instances, something different happens.

When the instance boots, a special EC2 "first boot" task is run which generates a random password for the Administrator user. It then fetches the SSH public key for the instance - but instead of using it for an SSH purpose, it simply treats it as a generic RSA public key, and uses it to encrypt a copy of the Administrator password. This encrypted blob of data is then sent back to the EC2 control plane.

When you ask the AWS Console to give you the Administrator password, you also supply a copy of your SSH private key. Again this is treated as a simple RSA private key, and EC2 uses it to decrypt the encrypted blob of data, and provides you with the cleartext password.

RSA is a standard and well-known cryptosystem, with multiple implementations, so it's entirely possible to repeat these steps in another system that we can automate. We can do this with PowerShell, and write some script that will query the AWS EC2 API to get the encrypted data, and then use our own SSH private key and an off-the-shelf implementation of RSA to decrypt the data ourselves. Brilliant!

This is implemented in the Get-EC2Password command. Give it the details of an instance and a private key file, and it will return a PowerShell SecureString object containing the instance's Administrator password.

Like the rest of these new commands, the PrivateKeyFile argument is optional. Omit it, and it will default to the OpenSSH default location for the private key, which is ".ssh\id_rsa" in your home directory. Also optional is a Region argument - omitting it will use the default region configured in your environment variables or AWS configuration files.
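To make the decryption step concrete, here is an added example (not the EC2Access module's own code) that turns the base64 PasswordData blob from the EC2 API back into a SecureString using .NET's RSA implementation. It assumes PowerShell 7 (for RSA.ImportFromPem), a PEM-format RSA key such as the .pem file EC2 generates, and the AWS.Tools.EC2 module for fetching the blob.

```powershell
# Added example: decrypt EC2 PasswordData locally, as Get-EC2Password is described doing.
# Assumes PowerShell 7 / .NET 5+ and a PKCS#1 ("BEGIN RSA PRIVATE KEY") or PKCS#8
# ("BEGIN PRIVATE KEY") PEM file. New-style "BEGIN OPENSSH PRIVATE KEY" files are not
# plain RSA PEM and cannot be imported here without conversion.
function ConvertFrom-EC2PasswordData {
    param(
        [Parameter(Mandatory)][string]$PasswordData,                # base64 blob from the EC2 API
        [string]$PrivateKeyFile = (Join-Path $HOME '.ssh\id_rsa')   # same default as the module
    )
    $rsa = [System.Security.Cryptography.RSA]::Create()
    try {
        # The SSH key is treated as a generic RSA private key, exactly as EC2 treats it.
        $rsa.ImportFromPem((Get-Content -Raw -Path $PrivateKeyFile))

        # EC2 encrypts the Administrator password with RSA PKCS#1 v1.5 padding.
        $cipher = [Convert]::FromBase64String($PasswordData.Trim())
        $plain  = $rsa.Decrypt($cipher, [System.Security.Cryptography.RSAEncryptionPadding]::Pkcs1)

        # Hand the password back as a SecureString so it is not left lying around as a string.
        $secure = [System.Security.SecureString]::new()
        foreach ($c in [System.Text.Encoding]::UTF8.GetString($plain).ToCharArray()) {
            $secure.AppendChar($c)
        }
        [Array]::Clear($plain, 0, $plain.Length)   # scrub the cleartext bytes
        $secure.MakeReadOnly()
        return $secure
    }
    finally {
        $rsa.Dispose()
    }
}

# Usage with the AWS Tools for PowerShell (placeholder instance ID and key path):
# $blob   = Get-EC2PasswordData -InstanceId i-12345678abcd -Region eu-west-1
# $secret = ConvertFrom-EC2PasswordData -PasswordData $blob -PrivateKeyFile C:\Users\joe\Downloads\windows.pem
```

Without -PemFile, Get-EC2PasswordData returns the still-encrypted base64 string, which is the input this function expects.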

Starting Remote Desktop

Having got the credentials we need to log in, we need to pass those into the Remote Desktop client somehow. The Remote Desktop client is actually mstsc.exe, and if we run mstsc.exe /? to see if it accepts any relevant parameters for credentials, we're disappointed - there are many parameters but nothing relevant to our needs.

The solution turns out to be something called cmdkey.exe, a tool for managing saved credentials. We can use this to store the instance's credentials, and as long as we format the credential in exactly the right way, mstsc.exe will already know the credentials needed to connect to the instance. This is key for our requirement to get the remote desktop started without it needing to ask any questions.

A correctly-formed invocation of this command will look something like this:

C:\Windows\system32\cmdkey.exe /generic:TERMSRV/hostname /user:username /pass:password

In this example, the hostname is the public DNS name (or IP address, if you prefer) of the EC2 instance. (At this point we're just thinking about publicly-addressable instances - the Systems Manager magic for private subnets comes a bit later.) The username will always be Administrator, and the password is the one we got in the previous step.

Now we can start the remote desktop session:

C:\Windows\system32\mstsc.exe /v hostname

As long as we use the same hostname as our cmdkey command (we can't use the DNS name in one and the IP address in the other), Remote Desktop will start and straight away log in to your EC2 instance without any further questions.

This is implemented in the Start-DirectEC2RemoteDesktop command. Give it an instance ID, and optional region name and private key file path, and it will start a Remote Desktop session - you don't need to do anything except click a button to accept the certificate validation check.
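The cmdkey/mstsc sequence above leaves the instance's Administrator password saved in Windows Credential Manager after the session closes. This added example (not the EC2Access module's own code) wraps the same two commands so the saved credential is removed again when mstsc exits; it assumes a SecureString password such as Get-EC2Password returns.

```powershell
# Added example: store the credential for mstsc, start the session, then clean up.
# The password arrives as a SecureString (e.g. from Get-EC2Password) and is only
# unwrapped for the cmdkey call, which needs it in cleartext on its command line.
function Start-RemoteDesktopWithSavedCredential {
    param(
        [Parameter(Mandatory)][string]$HostName,                          # public DNS name or IP
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        [string]$UserName = 'Administrator'
    )
    $cmdkey = Join-Path $env:SystemRoot 'System32\cmdkey.exe'
    $mstsc  = Join-Path $env:SystemRoot 'System32\mstsc.exe'

    # mstsc looks saved credentials up under the generic target TERMSRV/<host>, so the
    # host string passed here must match the one given to mstsc exactly.
    $target = "TERMSRV/$HostName"

    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    & $cmdkey /generic:$target /user:$UserName /pass:$plain | Out-Null
    $plain = $null

    try {
        # -Wait keeps the credential in place only for the lifetime of the session.
        Start-Process -FilePath $mstsc -ArgumentList "/v:$HostName" -Wait
    }
    finally {
        # Remove the saved Administrator credential once the session has ended.
        & $cmdkey /delete:$target | Out-Null
    }
}

# Usage (placeholder host name; $secret is a SecureString from the decryption step):
# Start-RemoteDesktopWithSavedCredential -HostName ec2-203-0-113-10.eu-west-1.compute.amazonaws.com -Password $secret
```

Run `cmdkey /list` before and after to confirm the TERMSRV entry does not outlive the session.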

Integrating with Session Manager

In my previous post on this subject, we saw how AWS Systems Manager Session Manager gave us a way to access instances that had no public IP address, or even were buried deep within a private subnet. As long as the instance can reach a Systems Manager API endpoint, and the instance has the Systems Manager agent installed, it can tunnel connections through the Systems Manager API instead of needing the public Internet.

For Windows instances, we can set up a port forwarding session. This opens up a TCP port listening for connections on our local workstation. When a connection is made to this port, Systems Manager proxies the data to a port on the EC2 instance. We can use this to tunnel the instance's Remote Desktop port - TCP port 3389 - onto our workstation, and then direct the Remote Desktop client to connect to the local port. This needs a helper app, the "session manager plugin", which is available from AWS and easily installed on Windows.

There's only one flaw. You can see it here in the documentation for the Start-SSMSession PowerShell command.

Did you spot it?

[Screenshot: documentation for the Start-SSMSession PowerShell command]

Yes, in quite small text at the end of a paragraph is the message "Start-SSMSession is not currently supported by AWS Tools for PowerShell on Windows local machines."

This is because AWS Tools for PowerShell is not capable of invoking the session-manager-plugin helper app. The Python-based awscli tool special-cases this API operation to not only invoke the API, but also start session-manager-plugin with appropriate parameters. AWS Tools for PowerShell invokes the API, but it does not start session-manager-plugin.

Therefore, we need to do this ourselves, but session-manager-plugin is (a) closed-source, (b) undocumented, and (c) supplied in binary executable format which can't be easily examined. There wasn't any way I could examine the file itself to determine how to use it. In the end I resorted to running the equivalent awscli command in Linux under strace to see how it invoked session-manager-plugin. It takes six command line arguments, two of which are JSON documents containing many more parameters. I'll spare you the details, but you can see for yourself in the PowerShell source code.

Having got over this hurdle, we're ready to go. We've got credentials, we've got a port forward set up, all we need to do is invoke cmdkey and mstsc again, but this time with an address of localhost and specifying our local port number for the port forward.

Now we've achieved our goal: with a single command, a Remote Desktop session will start, securely tunnelled to an instance even in a private subnet, and without having to manually supply credentials:

Start-EC2RemoteDesktopViaSessionManager i-12345678abcd

If you haven't already, go to https://github.com/cloudsoft/EC2Access, follow the installation instructions, and then easily connect to your Windows instance with a simple PowerShell command.

Source: https://cloudsoft.io/blog/remote-access-to-windows-ec2-instances-the-easy-and-secure-way
