How to RDC via local adapter instead of wireless network?
Solution 1:
Troubleshooting RDP Access
Note: In this case to be thorough with testing, I suggest disabling both the Wi-Fi adapters beforehand. You may also want to test all these options thoroughly and be sure to only use what's needed to allow the access if you can pinpoint the specific settings so I'll give a "general" breakdown to assist.
1. Assign a valid IP address... The 169.254.X.X subnet range is an indicator that the NIC tried to get an IP address via DHCP but couldn't get one and thus it assigned itself an Automatic Private IP Addressing (APIPA) address. This just means you should configure static IP addresses on the two machines' LAN ports on the same subnet, so perhaps 192.168.2.10 on one and then 192.168.2.11 on the other, give them both a subnet mask of 255.255.255.0, and leave both default gateways blank. Now confirm both can ping each other and get a successful response.
2. Enable Remote Desktop Access... To ensure Remote Desktop access is enabled on the machines you wish to RDC into, you want to run this command from an administrator elevated command prompt.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
3. Confirm if Windows Firewall is blocking... To test to ensure the Windows Firewall is not blocking the TCP port 3389 traffic, you can disable the firewall on both Windows machines using an administrator elevated command prompt with the command listed below and then test to see if you can connect. If so, the culprit is the Windows Firewall.
Disable Windows Firewall Command:
netsh advfirewall set allprofiles state off
Re-Enable Windows Firewall Command:
netsh advfirewall set allprofiles state on
4. Open Windows Firewall for RDC access... If it is determined that the Windows Firewall is blocking the traffic, you can add a new Windows Firewall rule from an administrator elevated command prompt on both machines with the below syntax to tell it to accept TCP port 3389 connections from machines on the 192.168.2.0/24 subnet in the domain, private and public network profiles. I named the rule below __Allow Inbound RDP so if you go to wf.msc and then look in the Inbound Rules, you can see the settings this sets there.
netsh advfirewall firewall add rule name="__Allow Inbound RDP" dir=in action=allow protocol=TCP localport=3389 remoteip=192.168.2.0/24 enable=yes profile=domain,private,public
Additionally, to go along with the above #4 custom Windows Firewall rule, consider checking the default Inbound rule named Remote Desktop (TCP-In) from the same wf.msc: check the Scope tab and consider adding the 192.168.2.0/24 subnet range, and from the Range tab, consider checking all the Profiles there, but play with the settings and test to see which options work for you that are the most restrictive if you can.
Additional Issues
If you connect to the RDP session of a machine and get an error or quick pop up indicating "You cannot proceed because authentication is required", then you can run the below command in an administrator elevated command prompt to change the SecurityLayer setting in the registry. In some cases the pop up is quick and hard to see, so it may be worth setting this if you get a quick pop up but cannot see the error detail and the connection is not established.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
Security Considerations
It sounds like you only have these machines connected to a local crossover cable from LAN-to-LAN port so if that's the case and you do not allow TCP port 3389 to be directed from your WAN Internet connection of your router to either of these machines IP addresses on Wi-Fi or LAN, then you likely don't have much to worry about assuming you don't have these connected to a large network with lots of people that access it. So if you trust the devices connected to your local network via the Wi-Fi or Ethernet, then don't worry if you don't have this opened from the network.
If you do have these machines connected to a large network that many people access and there would be a concern with someone running brute force attacks internally to gain the RDC access guessing at the password, then there are a few things to consider.
- Be sure the local accounts on the laptop that are allowed Remote Desktop access have super long and complex passwords such as "Th1s 1s my r3mot3 m@ch1n3!!", so as long as it is around 14 characters or longer you can make it cryptic yet a phrase that's easy to remember, as in the example I wrote there.
- If there are any built-in accounts or other local accounts, be sure those are disabled or change the password on them to be super long and cryptic and, if possible, disallow those accounts RDP access entirely.
You also want to be sure the local accounts are set to lock out after 3-5 authentication failures for the account that failed to authenticate. Read over the Windows 7 – How to set up a Password and Account Lockout Policy for more detail on some of this.
Lastly, it may be best also to only enable the Windows Firewall rule that allows this access from the machine(s) when you need to use the RDC access. This way the machine(s) is/are only vulnerable during the period you wish to use the protocol for access.
Further Resources
- Network devices getting an IP address in the 169.254.x.x range?
- Top 10: Windows Firewall Netsh Commands
- Firewall Rule Properties Page: Scope Tab
- Understanding Firewall Profiles
- SecurityLayer
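The steps in the answer above (static IP on the crossover link, enabling Remote Desktop, a scoped firewall rule, and account lockout) can also be done from PowerShell. The script below is an added example, not code from the answer; it assumes the crossover NIC is called "Ethernet", that this host takes 192.168.2.10 and the peer 192.168.2.11 (swap the two on the other machine), and a file name of rdp-crossover.ps1. It narrows the firewall rule to the single peer address and the Private profile instead of the whole /24 on all profiles, turns on Network Level Authentication, and does not touch SecurityLayer.

```powershell
# Added example (not from the original answer). Run from an elevated PowerShell 5.1+
# prompt on EACH machine, swapping -LocalIP / -PeerIP on the second one.
# Assumptions: NIC alias "Ethernet", addresses 192.168.2.10 / .11, rule name as in the answer.
param(
    [string]$Adapter  = 'Ethernet',
    [string]$LocalIP  = '192.168.2.10',
    [string]$PeerIP   = '192.168.2.11',
    [int]   $Prefix   = 24,                   # 255.255.255.0
    [string]$RuleName = '__Allow Inbound RDP'
)

# 1. Static address on the crossover link, no default gateway.
#    Disabling DHCP on the interface stops it from falling back to an APIPA 169.254.x.x address.
Set-NetIPInterface -InterfaceAlias $Adapter -AddressFamily IPv4 -Dhcp Disabled
Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $LocalIP -PrefixLength $Prefix | Out-Null

# Treat the crossover network as Private so the Private-profile rule below applies to it.
Get-NetConnectionProfile -InterfaceAlias $Adapter | Set-NetConnectionProfile -NetworkCategory Private

if (-not (Test-Connection -ComputerName $PeerIP -Count 2 -Quiet)) {
    Write-Warning "Peer $PeerIP is not answering ping yet; configure the other machine's static IP, then re-test."
}

# 2. Enable Remote Desktop (fDenyTSConnections = 0) and require Network Level Authentication
#    (UserAuthentication = 1) so credentials are checked before a session is created.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

# 3./4. Rather than switching the firewall off to test, add one inbound rule limited to the
#       peer address and the Private profile; everything else stays filtered.
Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $PeerIP -Profile Private -Enabled True | Out-Null

# Account lockout as suggested under "Security Considerations": 5 failures, 15-minute lockout.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# Show the rule's scope so it can be compared with the Scope tab in wf.msc.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

On the second machine run `.\rdp-crossover.ps1 -LocalIP 192.168.2.11 -PeerIP 192.168.2.10`. Because the rule only allows the peer's address on the Private profile, the same laptop can later join a Wi-Fi network marked Public without exposing port 3389 there; to follow the answer's last suggestion of opening RDP only when needed, `Disable-NetFirewallRule -DisplayName '__Allow Inbound RDP'` and `Enable-NetFirewallRule` toggle the rule without deleting it.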