If Remote Desktop Services are disabled on your Windows Elastic Compute Service (ECS) instance, Remote Desktop connections fail. This topic describes how to enable Remote Desktop Services through a VNC session so that you can connect to the instance over Remote Desktop Protocol (RDP).
Prerequisites
Before you begin, make sure that:
The Windows ECS instance is in the Running state
You can access the instance through Virtual Network Computing (VNC). For instructions, see Connect to an instance by using VNC
The security group associated with the instance allows inbound TCP traffic on port 3389
The instance has a public IP address or an Elastic IP Address (EIP) bound to it
Procedure
The following steps use Windows Server 2012 as an example. The steps may differ depending on your operating system version. For version-specific instructions, see the official Microsoft documentation.
Connect to the ECS instance through VNC.
Open the Run dialog box, enter cmd, and click OK to open Command Prompt.
Check whether port 3389 is listening:
netstat -aon | findstr "3389"
If the command returns no output, port 3389 is not listening. Continue with the following steps to enable Remote Desktop Services and open the port.
Switch to PowerShell:
powershell
Run the following commands to enable Remote Desktop Services:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections -Value 0 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Force
netsh.exe advfirewall firewall add rule name="Open RDP Port 3389" dir=in action=allow protocol=TCP localport=3389
These commands perform the following operations:
| Command | Registry path / Target | Effect |
| --- | --- | --- |
| Set fDenyTSConnections to 0 | HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server | Allows incoming Remote Desktop connections |
| Set UserAuthentication to 1 | HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp | Enables Network Level Authentication (NLA), which requires users to authenticate before a remote session is established |
| Add firewall rule "Open RDP Port 3389" | Windows Firewall (inbound, TCP, port 3389) | Allows inbound RDP traffic through the firewall |

Expected output:

Verify the result
Connect to the Windows ECS instance from your local machine using Remote Desktop. For detailed steps, see Connect to a Windows instance by using a username and password.
If the connection succeeds, Remote Desktop Services are working correctly.
Troubleshooting
If you still cannot connect after enabling Remote Desktop Services, check the following in order:
Security group rules -- Verify that the security group allows inbound TCP traffic on port 3389. Add a rule if one does not exist.
Public IP address -- Confirm that the instance has a public IP address or an EIP bound to it.
Windows Firewall -- Run netsh advfirewall firewall show rule name="Open RDP Port 3389" to confirm the firewall rule was created.
Port 3389 listening -- Run netstat -aon | findstr "3389" again to confirm the port is now listening.
NLA compatibility -- If your local Remote Desktop client does not support NLA, disable it by setting UserAuthentication to 0. Only do this in controlled environments.
For more troubleshooting steps, see What do I do if I cannot connect to a Windows instance?
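The on-instance checks from the troubleshooting list (firewall rule, listener, NLA) can be read back in one pass, together with the registry values set in the procedure. The following PowerShell is an added example, not part of the original documentation; the function name Get-RdpReadiness is hypothetical, and it assumes the Get-NetFirewallRule and Get-NetTCPConnection cmdlets available on Windows Server 2012 and later.

```powershell
# Added example (not from the original page): read back what the procedure changed.
# Run in an elevated PowerShell session on the instance, for example over VNC.
$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$ruleName = 'Open RDP Port 3389'   # rule name used by the netsh command on this page

function Get-RdpReadiness {        # hypothetical helper name
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
    $svc  = Get-Service -Name TermService      # the Remote Desktop Services service

    # netsh rule names appear as DisplayName in the NetSecurity cmdlets.
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }

    # Source addresses the rule admits. 'Any' means the host firewall accepts
    # every remote host, so the security group is the only source filter.
    $scope = if ($rule) { ($rule | Get-NetFirewallAddressFilter).RemoteAddress } else { $null }

    $listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ConnectionsAllowed = ($deny -eq 0)
        NlaRequired        = ($nla -eq 1)
        ServiceStatus      = $svc.Status
        FirewallRuleActive = [bool]$rule
        FirewallSource     = $scope -join ','
        Listening3389      = [bool]$listen
    }
}

$state = Get-RdpReadiness
$state | Format-List

# Report each item that does not match the state the procedure should produce.
if (-not $state.ConnectionsAllowed)  { Write-Warning 'fDenyTSConnections is not 0: RDP connections are denied.' }
if ($state.ServiceStatus -ne 'Running') { Write-Warning 'TermService is not running.' }
if (-not $state.FirewallRuleActive)  { Write-Warning "Firewall rule '$ruleName' is missing or disabled." }
if (-not $state.Listening3389)       { Write-Warning 'Nothing is listening on TCP 3389.' }
if (-not $state.NlaRequired)         { Write-Warning 'UserAuthentication is not 1: NLA is off.' }
if ($state.FirewallSource -eq 'Any') { Write-Warning 'Firewall rule admits any source; restrict sources in the security group.' }
```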