How to use RDP with 2FA

How to access your Maths office PC (running Windows) from an "outside" Windows machine (at home or overseas, e.g. a laptop), using SSH (with 2FA) and RDP: you then work as if you were sitting in front of your office PC.

You need to (once only):
  find the name of your office PC;
  prepare for 2FA on your account;
  set up the RDP service on the office PC;
  set up SSH (putty) on the laptop.

Each time you want to connect to your office PC, you need to:
  run SSH (putty) on the laptop;
  connect with the RDP client.
When done, log out of the office PC to close your RDP connection; then you can log out of enna also.

Find name of your office PC

Find out the network name of your office PC: usually something like pXYZ.pc (with XYZ your room number).

Prepare for 2FA on your account

Prepare for 2FA as per the instructions in the SSH HowTo.
You need Web-OTP or TOTP or skeys; no need for X-windows or other features that SSH offers.
(No need to follow the "messy" recommendations in a nutshell.)

Set up RDP service on the office PC

The office PC needs to be set up for RDP service: set to accept connections for your login. This setup needs to be done as an administrator: with your admin login if self-managed, or ask Paul to do it for you.
Reminder for Paul: log in as network admin pszwt, not as local admin.

Click the StartMenu, right-click Computer, and then click Properties.
Click Remote settings (in the left-hand menu).
Maybe un-select Allow Remote Assistance.
Under Remote Desktop, choose Allow connections ... from any version ... (less secure).
Click Select Users.
Click Add, add the usual ROMEGROUP user.
Click OK, OK.
As suggested there, check the sleep or hibernate settings (remove them, turn them off, or set them to Never) in StartMenu, ControlPanel, SystemAndSecurity, PowerOptions.

Set up SSH (putty) on the laptop

Up-to-date Windows10 has "native" ssh, and you might not need putty. But putty may be preferable since its configs can be saved and remembered, whereas with "native ssh" you would need to type the "obscure" options, long and tedious, each time:
  ssh -C -L 3390:pXYZ.pc:3389 MATHSNAME@maths.usyd.edu.au
(Here -C turns on compression, and -L forwards port 3390 on the laptop, through the SSH connection, to port 3389 (the RDP port) on your office PC pXYZ.pc.)

The "standard" ssh client for Windows is putty; use the latest version from
http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

To use putty, with WindowsExplorer (e.g. MyComputer) find putty.exe, double-click. Set up a session matching the ssh command above (host maths.usyd.edu.au, compression on, and an SSH tunnel forwarding local port 3390 to pXYZ.pc port 3389), and save the session so that it can be loaded next time.

Run SSH (putty) on the laptop

To test things out while in the School but as if from outside, connect your laptop to UniSydney wireless.

Run putty: with WindowsExplorer (e.g. MyComputer) find putty.exe, double-click. Set options as above, or Load your saved session settings, and click Open.

Follow the prompts: type your normal enna login name to login as, then when prompted type the words from your paper skey sheet for the line number shown, or the authenticator code, then your normal enna password. You will be logged in to enna.

The very first time you connect, you will be prompted about the server's as-yet unknown host key fingerprint: say yes (putty then remembers it, and asks again only if it changes).

Leave that enna window logged in, running; you may minimize/iconize its window. Keep that session running: do not allow it to time out, and do not allow your computer to go to sleep/hibernate, e.g. as most laptops do with the lid closed.

Connect with RDP client

With putty running, logged in to enna...

Start the Remote Desktop Connection client: go to StartMenu and search for that, click it.

In the Remote Desktop Connection client, type localhost:3390 as the computer to connect to, click Connect, and log in with your usual (ROMEGROUP) Windows login;
and you will get a desktop, just as if you were sitting in front of your office PC's screen; you can also copy files between the office PC and the laptop e.g. by simple drag-and-drop. You can minimize/iconize the RDP window, or make it un-maximized.

When you connect, you may need to wait 30 seconds for the "normal" (local screen) user to be logged out; or if that other user is you, then you will see the desktop (open windows etc) as you left it.

When done, you can just disconnect; but you will still be logged on. Probably you should log out: click the StartMenu and choose LogOff. (Do not use Alt-Ctrl-Del as that does things on the laptop, not the RDP connection.)

After disconnecting your RDP session, you may close the putty window (log out of the enna session): type exit at the enna prompt, or just close the window (click the top-right [X]).
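As an added check (example code written for this page, not part of the HowTo, putty or the RDP client), this Python script talks to the laptop end of the tunnel, sends the X.224 Connection Request that every RDP client begins with, and decodes the reply: it confirms that what answers on localhost:3390 really is the office PC's RDP service (a tunnel whose far end is unreachable just closes the connection, which the script reports as an error), and tells you whether TLS or NLA (CredSSP) was negotiated. Host, port and timeout are assumptions; use 3391 if you had to change the port.

```python
import socket
import struct

# Protocol bits and failure codes from the RDP negotiation structures in MS-RDPBCGR
PROTOCOLS = {0x0: "standard RDP security", 0x1: "TLS", 0x2: "CredSSP/NLA",
             0x4: "RDSTLS", 0x8: "CredSSP/NLA with early user auth"}
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
            5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def build_connection_request(requested=0x3):
    """X.224 Connection Request asking for TLS or NLA: TPKT header + X.224 CR + rdpNegReq."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)   # type, flags, length, requestedProtocols
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req              # CR code, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224                            # X.224 length indicator
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224     # TPKT: version 3, reserved, total length

def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm; returns (selected_protocol, failure_code)."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm over TPKT (is the far end really RDP?)")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match the bytes received")
    if data[4] < 14:                 # 6 fixed CC bytes + 8-byte negotiation response expected
        return None, None            # no rdpNeg structure: legacy server, standard RDP security only
    rtype, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8 or rtype not in (0x02, 0x03):
        raise ValueError("malformed RDP negotiation response")
    return (value, None) if rtype == 0x02 else (None, value)

def describe(selected, failure):
    if failure is not None:
        return "negotiation failed: " + FAILURES.get(failure, hex(failure))
    if selected is None:
        return "no negotiation response: legacy standard RDP security only"
    return "server selected " + PROTOCOLS.get(selected, hex(selected))

def probe_tunnel(host="localhost", port=3390, timeout=5.0):
    """Connect to the local end of the putty/ssh tunnel (assumed host and port) and negotiate."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        return parse_connection_confirm(sock.recv(64))

if __name__ == "__main__":
    print(describe(*probe_tunnel()))
```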

RDP session timeout

Many RDP services are set up with a short timeout: the RDP service or login will close or quit if left idle for 10 minutes or so. If this annoys you, then read below on how to avoid it (and have relaxing coffee breaks).

This should not affect Maths Win7 PCs, but would probably affect most other RDP services, including to MCS Win10 PCs.
(There may be settings to lengthen or remove RDP session timeout... but they may be inaccessible.)

Setup
Within your RDP session (so with a browser running within the RDP machine), go to the webpages
  www.maths.usyd.edu.au/u/psz/pc/keepalive.bat
  www.maths.usyd.edu.au/u/psz/pc/keepalivehelper.js
and save each on your Desktop (on the RDP machine), with their "original" names (keepalive.bat and keepalivehelper.js).

To use
When logged into RDP, run the keepalive.bat command: double-click keepalive on your Desktop.

There is no visible effect of having run that command. It works in the background, toggling the ScrollLock key on and off every 5 minutes, so the session shows activity and is not timed out.

Blurb, comments

RDP means Remote Desktop Protocol and is the name commonly used, though the official Microsoft name has been Remote Desktop Connection since WinXP.

Windows machines may (at some later time?) develop an error, with the RDP client showing

  Your computer could not connect to another console session on the
  remote computer because you already have a console session in progress.

If so, use 3391 instead of 3390, both in the putty settings (add that; you can leave 3390 in place) and when typing localhost:3391 into the RDP client.

The remote "laptop" machine could be Linux or Mac: there are RDP clients for Linux (xfreerdp) and Mac (Microsoft Remote Desktop 10), and of course they have SSH; but we will not describe how to use such other machines.

A similar connection could be achieved with VNC. VNC would work for any office machine, not just Windows PCs, and there are many free VNC software packages available. However, that would need extra software on both the office PC and the laptop, and would not provide file copy.
Apple Screen Sharing is based on VNC and is recommended for Macs.

Further reading, random references

https://en.wikipedia.org/wiki/Remote_Desktop_Protocol
https://support.microsoft.com/en-au/help/17463/windows-7-connect-to-another-computer-remote-desktop-connection
http://haacked.com/archive/2010/05/18/remote-desktop-file-copy.aspx/
https://support.microsoft.com/en-ca/help/313292/how-to-gain-access-to-local-files-in-a-remote-desktop-session-to-a-windows-xp-based-or-to-a-windows-server-2003-based-host-computer
https://technet.microsoft.com/en-us/windowsserver/dn463762
http://www.techrepublic.com/article/pro-tip-remote-desktop-on-mac-what-you-need-to-know/
https://msdn.microsoft.com/en-us/library/aa383015(v=vs.85).aspx


Paul Szabo psz@maths.usyd.edu.au 14 Dec 23