This tutorial describes how to set up an xRDP server so that you can connect to Ubuntu Linux over the RDP protocol with the lightweight Xfce desktop environment. This is very handy when you need to reach a Linux system with a graphical interface from Windows using Remote Desktop.
What is xRDP?
xRDP is a free and open-source implementation of Microsoft’s RDP (Remote Desktop Protocol) that allows non-Windows operating systems (such as Linux and BSD) to provide a fully functional RDP-compatible remote desktop.
Installation and Setup
Connect to your Ubuntu server via SSH and perform a system update:
sudo apt-get update
sudo apt-get upgrade -y
Install and enable the xRDP utility:
sudo apt-get install xrdp
sudo systemctl enable xrdp
sudo systemctl restart xrdp
Install the xfce environment:
sudo apt-get install xfce4 xfce4-terminal
Open the RDP port in the firewall to be able to connect remotely:
sudo ufw allow 3389/tcp
Restart the xRDP service for the changes to take effect:
sudo /etc/init.d/xrdp restart
Connecting to an Ubuntu Server via RDP
If you don’t know the IP address of the Ubuntu server, you can check it by entering the command:
In our test case it is 10.0.0.2. To connect, open the Windows Remote Desktop Connection client (mstsc.exe), enter the IP address of the server and click Connect:
A security warning will appear. Click Yes:
In the window that opens, select Xorg as the session, enter the username and password of the user and click OK:
This will connect you to the Xfce desktop.
If you get a black screen when connecting to xrdp, you need to edit the startwm.sh file in the /etc/xrdp folder:
sudo nano /etc/xrdp/startwm.sh
We need to add:
Before the line:
test -x /etc/X11/Xsession && exec /etc/X11/Xsession
After making the changes you have to restart the xRDP service:
sudo systemctl restart xrdp
Now you can run mstsc.exe again and connect to the Ubuntu server.
In this article we will take a look at the features of Remote Desktop Protocol (RDP) connection auditing and log analysis in Windows. This is typically needed when investigating incidents on Windows servers, where a system administrator has to report which users logged on to the server, when they logged on and off, and from which device (name or IP address) each RDP user was connecting.
Remote Desktop Connection Events
Like other events, the Windows RDP connection logs are stored in the event logs. The Windows logs contain a lot of information, but it can be difficult to find the right event quickly. When a user remotely connects to a Windows server, many events are generated in the Windows logs. We will take a look at the following ones:
Network Connection Events
A network connection event is logged when the user’s RDP client establishes a connection to the Windows server: EventID 1149 (Remote Desktop Services: User authentication succeeded). Despite its name, the presence of this event does not indicate that the user authenticated successfully. This log can be found at Applications and Services Logs ⇒ Microsoft ⇒ Windows ⇒ TerminalServices-RemoteConnectionManager ⇒ Operational. You can filter this log by right-clicking on the Operational log, selecting “Filter Current Log” and typing in EventID 1149.
The result is a list with the history of all network RDP connections to this server. As you can see, the log contains the username, the domain (when Network Level Authentication (NLA) is used), and the IP address of the computer from which the RDP connection was made.
User authentication on the server can be successful or unsuccessful. Navigate to Windows Logs ⇒ Security. We are interested in events with EventID 4624 (An account was successfully logged on) or 4625 (An account failed to log on). Pay attention to the LogonType value in the event: LogonType 10 or 3 indicates a new logon to the system, while LogonType 7 indicates a reconnection to an existing RDP session.
The username of the connecting account is written in the Account Name field, the computer name in Workstation Name, and the IP address in Source Network Address.
Take a look at TargetLogonID field, which is a unique user session identifier that can be used to track further activity of this user. However, if a user disconnects from the RDP session and reconnects to the session again, the user will be issued a new TargetLogonID (although the RDP session remains the same).
You can get a list of successful authentication events over RDP (EventID 4624) using the following PowerShell command:
The RDP logon event appears after successful user authentication: EventID 21 (Remote Desktop Services: Session logon succeeded). This log can be found in Applications and Services Logs ⇒ Microsoft ⇒ Windows ⇒ TerminalServices-LocalSessionManager ⇒ Operational. Here you can also see the RDP Session ID assigned to the user.
The “Remote Desktop Services: Shell start received” details in EventID 21 mean that the Explorer shell has been successfully launched in the RDP session.
Session Disconnect and Reconnect Events
Session disconnect/reconnect events have different codes depending on what caused the session to end, for example disconnection due to inactivity, selecting “Disconnect” in the Start menu, the RDP session being dropped by another user or an administrator, etc. These events can be found in Applications and Services Logs ⇒ Microsoft ⇒ Windows ⇒ TerminalServices-LocalSessionManager ⇒ Operational. Let’s take a look at the RDP events that may be of interest:
EventID – 24 (Remote Desktop Services: Session has been disconnected) – the user has disconnected from the RDP session.
EventID – 25 (Remote Desktop Services: Session reconnection succeeded) – the user has reconnected to their existing RDP session on the server.
EventID – 39 (Session A has been disconnected by session B) – the user disconnected from their RDP session by selecting the appropriate menu item (rather than just closing the RDP client window by clicking the “x” in the top right corner). If the session IDs are different, then the user was disconnected by another user or an administrator.
EventID – 40 (Session A has been disconnected, reason code B). Here you should look at the reason code for the disconnection in the event. For example:
Reason code 0 (No additional information is available) – usually indicates that the user just closed the RDP client window.
Reason code 5 (The client’s connection was replaced by another connection) – the user reconnected to their old session.
Reason code 11 (User activity has initiated the disconnect) – the user clicked the Disconnect button in the menu.
EventID – 4778 in Windows Logs ⇒ Security (A session was reconnected to a Window Station) – the user reconnected to an RDP session (the user is given a new LogonID).
EventID – 4779 in Windows Logs ⇒ Security (A session was disconnected from a Window Station) – disconnection from an RDP session.
Logoff events record the user logging off the system. In the Applications and Services Logs ⇒ Microsoft ⇒ Windows ⇒ TerminalServices-LocalSessionManager ⇒ Operational log this is EventID 23; the corresponding event in the Security log is EventID 4634 (An account was logged off).
Event 9009 (The Desktop Window Manager has exited with code (x)) in the System log shows that the user initiated the end of the RDP session and the user’s window and graphical shell were terminated. Below is a small PowerShell script that retrieves the history of all RDP connections for the current day from the Remote Desktop Services server. The resulting table shows the connection time, client IP address, and RDP username (you can include other logon types in the report if necessary).
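The following script is an added example, not the article’s own script: it builds the same kind of report (connection time, client IP, user) from Security EventID 4624 using the fields the article describes, and reads them from the event XML rather than the localized message text. The default logon types (10 for a new RDP logon, 7 for a reconnection) and the "since midnight" window are assumptions you can change; the Security log requires an elevated PowerShell session.

```powershell
# Added example (not the article's script): RDP logons for the current day
# from the Security log (EventID 4624), reported as time / client IP / user.
# LogonType 10 = new RDP (RemoteInteractive) logon, 7 = reconnection to an
# existing session. Assumption: add '3' to include NLA network logons.
param(
    [string[]]$LogonTypes = @('10', '7'),   # assumed default set of logon types
    [datetime]$Since = (Get-Date).Date      # assumed window: since midnight today
)

# Get-WinEvent needs an elevated session to read the Security log.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull named EventData fields from the XML; the message text is
        # localized and its layout may differ between Windows versions.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($LogonTypes -contains $data['LogonType']) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                LogonType     = $data['LogonType']
                User          = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                ClientIP      = $data['IpAddress']         # Source Network Address
                Workstation   = $data['WorkstationName']   # client computer name
                TargetLogonId = $data['TargetLogonId']     # correlate with 4634/4778/4779
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
# To hand the report to Excel, replace the Format-Table line with:
#   Export-Csv -Path .\rdp-logons.csv -NoTypeInformation
```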
Sometimes you need to export RDP logs into an Excel table. In this case you can export any Windows log to a text file and then import it into Excel. You can export the log from the Event Viewer console or from the command line: