Cannot RDP to EC2 Instance due to Firewall

In the cloud, no one can hear you scream!

Unlocking an EC2 Instance

Have you ever accidentally locked yourself out of a Server by reverting to default settings on Windows Firewall?

I haven’t done it personally, but I’ve seen how much of an issue it can be.

It’s easily done. When making changes in Windows Defender Firewall, you are given the quite reasonable option to revert changes by “Restore Defaults”. Unfortunately, selecting this will disable your current session and stop you from being able to use Remote Desktop (RDP) to connect to the Server.

Normally, I guess that this type of issue would result in a quick call to the Server team who can sort it out. It’s a bit different when your Server is an EC2 Instance. You may have an equivalent team in-house, or maybe you don’t – in which case, this post may just help.

All is not lost. There is a way to fix the issue, and it introduces a couple of nice features within AWS that you might not be aware of.

AWS Systems Manager

AWS Systems Manager allows you to manage AWS Resources, including EC2 Instances. It has the facility to run “Automation” scripts covering a whole multitude of tasks, including such things as Patching, Disaster Recovery and Support troubleshooting. These scripts have been written by people who know AWS well. You just need to check that they do what you want (and no more!) before running them. Treat it like a script that you found on the Internet – only one on a Website from a familiar author.

Back to the issue of locking yourself out of the house – i.e. switching off the ability to RDP onto your Server. How can an AWS Systems Manager Automation help with that?

There is an Automation document called “AWSSupport-TroubleshootRDP” which (among other things) does just that! It resets a number of Windows Defender Firewall settings, which enables access once more. In the following section, I will work through the process of setting up AWS Systems Manager and running the Automation.

Disclaimer

The “AWSSupport-TroubleshootRDP” Automation may do more than you need, and may leave Windows Defender Firewall in a less secure state than before. This may seem obvious because you’ll go from not being able to connect to being able to connect once more. There are other security settings that may be unlocked, so check the AWS document – it is possible to only run certain steps, so that may be more appropriate. It is YOUR responsibility to check this and agree it with your local IT Security Team.

Example

I have performed these steps in an Account using AWS Free Tier (12 Months Free). You will need to review AWS pricing to check on charges for AWS Systems Manager and running Automations. At time of writing, the charges were extremely low with a free tier, but I cannot be held accountable if this changes.

https://aws.amazon.com/systems-manager/pricing/

AWS Systems Manager

To use AWS Systems Manager on an EC2 Instance, it needs to be configured, and configured in the correct Region.

Under “Change Management”, select “Automation”. This will take you to a “history” screen showing details of Automations that have run in the past.

Click “Execute automation”

Use the search box to search for the term “AWSSupport-TroubleshootRDP” and click the box. This will take you to the Documents page, describing what the Automation does. Click “Execute automation”.

Under “Input Parameters”, set:

  • InstanceID – Select the InstanceID of the Instance that you want it to apply to.
  • Action – Choose “FixAll” to run all sections of the Automation (read disclaimer above!)

Scroll to the bottom of the screen and hit “Execute”. You will be taken to a screen with a Status bar at the top reading “Execution has been initiated.”

The different steps will then be performed. In my case, Steps 3 and 4 fail, but the important step in this case (Step# ) is still run and it is possible to connect using RDP once more.
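The same procedure from the AWS CLI, as an added example that is not part of the original post: it runs the document with Action=CheckAll first, which only reads the settings, then with FixAll, and lists every step with its status so you can see which assert steps failed. It assumes the AWS CLI is installed and credentialed for the Region that holds the instance; the instance id in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): CLI equivalent of the console
# steps. CheckAll is read-only; FixAll restores RDP defaults and disables the
# Windows Firewall, so CheckAll is run first to see what would change.
set -eu

# Build the --parameters value the document expects. Anything other than the
# three documented actions is rejected so a typo cannot silently run as FixAll.
troubleshoot_rdp_params() {
  instance_id=$1
  action=${2:-CheckAll}
  case "$action" in
    CheckAll|FixAll|Custom) ;;
    *) echo "unknown Action: $action (use CheckAll, FixAll or Custom)" >&2; return 1 ;;
  esac
  printf 'InstanceId=%s,Action=%s' "$instance_id" "$action"
}

# Start the automation and print its execution id.
start_troubleshoot_rdp() {
  aws ssm start-automation-execution \
    --document-name AWSSupport-TroubleshootRDP \
    --parameters "$(troubleshoot_rdp_params "$1" "$2")" \
    --query AutomationExecutionId --output text
}

# Poll until the execution leaves the in-progress states, then list each step
# with its status. Returns non-zero unless the overall status is Success.
wait_for_automation() {
  exec_id=$1
  while :; do
    status=$(aws ssm get-automation-execution --automation-execution-id "$exec_id" \
      --query AutomationExecution.AutomationExecutionStatus --output text)
    case "$status" in
      Pending|InProgress|Waiting) sleep 10 ;;
      *) break ;;
    esac
  done
  aws ssm get-automation-execution --automation-execution-id "$exec_id" \
    --query 'AutomationExecution.StepExecutions[].[StepName,StepStatus]' --output table
  [ "$status" = Success ]
}

# Usage: ./fix_rdp.sh i-0123456789abcdef0   (constructed placeholder instance id)
if [ "${1:-}" ]; then
  wait_for_automation "$(start_troubleshoot_rdp "$1" CheckAll)"
  wait_for_automation "$(start_troubleshoot_rdp "$1" FixAll)"
fi
```

The step listing is where you will see the assertAction steps for the actions you did not choose reported as Failed; that is the document branching, not a problem with the instance.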

I hope that this helps in a few ways:

  • Getting you out of an immediate issue
  • Introducing AWS Systems Manager
  • Introducing AWS Automations

If you think that there would be some benefit in my recording this and other posts, and sharing it on YouTube then please let me know. You can drop me an email or Twitter message. Comments are disabled due to bots.

I have put instructions below for how you can re-create the issue and resolve it. If you are curious then work through it all, otherwise just perform the fix.

Thank you, Nigel.

Issue Setup

Don’t try this on your Production Environment! These Steps are simply given in case you want to replicate it in your Sandbox.

Launch a new EC2 Instance

Choose an appropriate Name and:

  • Instance AMI (Image) – Windows / Microsoft Windows Server 2022 Base in this case (make sure it’s “Free tier eligible”)
  • Instance type – again, pick something that’s “Free tier eligible”

(Screenshot: Launch an instance – Name “win2022base_test”; AMI “Microsoft Windows Server 2022 Base”, 64-bit (x86), Free tier eligible; Instance type t2.micro, 1 vCPU, 1 GiB memory, Free tier eligible.)

Select an existing Key pair name (or Create new key pair)

Hit “Launch instance” to make it.

(Screenshot: “Success – Successfully initiated launch of instance”, with a “Launch log” link.)

Now, let’s break it.

Click “Connect to your Instance” and use the “RDP client” option to log in.

(Screenshot: Connect to instance – “RDP client” tab, “Connect using RDP client” selected, with the “Download remote desktop file” button.)

Click “Download remote desktop file” and save the .rdp file.

Click “Get Password”, then click “Upload private key file” and select the “.pem” file that you use on this AWS login.

(Screenshot: “Get Windows password” – shows the Instance ID and the key pair associated with the instance, and asks you to upload the private key file or paste its contents.)

Click “Decrypt password” and your password for this EC2 Instance will be displayed. Copy this password, then open the RDP file / paste password and log in.

(Screenshot: Windows Security “Enter your credentials” prompt for the Administrator account.)

The login process will continue and you will be logged in (as “Administrator”)

(Screenshot: Remote Desktop Connection – “Configuring remote session”.)

To be sure, log out and then connect using the RDP link again.

This time, we’ll break it

Open Windows Defender Firewall (click the Windows button, then type “defender”)

(Screenshot: Start menu search result – “Windows Defender Firewall – Control panel”.)

(Screenshot: Windows Defender Firewall control panel. The left-hand menu has “Allow an app or feature through Windows Defender Firewall”, “Change notification settings”, “Turn Windows Defender Firewall on or off”, “Restore defaults”, “Advanced settings” and “Troubleshoot my network”. Private networks: Not connected. Guest or public networks (“Network 2”): Connected, incoming connections set to “Block all connections to apps that are not on the list of allowed apps”.)

Change something if you like, then just click “Restore Defaults”.

(Screenshot: Restore default settings – “Restoring default settings will remove all Windows Defender Firewall settings that you have configured for all network locations. This might cause some apps to stop working.” with a “Restore defaults” button.)

You will get a warning, but click “Restore defaults” anyway. It’s interesting that it stops short of saying “you won’t be able to connect to this Computer again”.

Oh Oh…

(Screenshot: Reconnecting – “The connection has been lost. Attempting to reconnect to your session. Connection attempt 3 of 5”.)

Now, when you try to RDP to your EC2 Instance, you won’t be able to:

(Screenshot: Remote Desktop Connection error – “Remote Desktop can't connect to the remote computer for one of these reasons: 1) Remote access to the server is not enabled 2) The remote computer is turned off 3) The remote computer is not available on the network. Make sure that the remote computer is turned on and connected to the network and that remote access is enabled.”)

Resolving the Problem

Open “AWS Systems Manager” and click “Automation”

(Screenshot: AWS Systems Manager left-hand navigation – “Quick Setup” at the top, then Operations Management, Application Management and Change Management; “Automation” sits under Change Management.)

Note: The first time around, AWS Systems Manager needs to be configured. I have already done this, so I was not able to take screenshots for this guide. Time willing, I will set up another account and complete the process.

Click on “Quick Setup” | Configuration options to add the new Instance to Systems Manager.

(Screenshot: Quick Setup > Create configuration – “Customize Host Management configuration options”. Systems Manager options: update SSM Agent every two weeks, collect inventory every 30 minutes, scan instances for missing patches daily. Amazon CloudWatch options: install and configure the CloudWatch agent, update it every 30 days. Targets: current Region or chosen Regions; all instances, a tag, a resource group, or manually chosen instances.)

Select the Targets for the configuration.

The Automation page contains details of previously run Automations. Click on the “Execute automation” button.

(Screenshot: Automation executions – a history of previous runs with Execution ID, Document name, Status, Start time and End time, and the “Execute automation” button top right.)

On the “Automation document” page, enter the Search term “AWSSupport-TroubleshootRDP” and then click its box.

(Screenshot: Choose document – search “AWSSupport-TroubleshootRDP”; the single result is owned by Amazon, platform types Windows, Linux.)

Here you can check details of exactly what the Automation will do. Click “Execute” in the top right corner.

The next screen gives options for how the Automation should be run.

(Screenshot: Execute automation document – “Simple execution” (execute on targets) or “Rate control” (execute safely with concurrency and error thresholds).)

Under “Input Parameters”, choose the Instance that you want to perform the Automation on. If there are no Instances listed, click on the dropdown and select “Show all Instances”, then check the box to the side of the required Instance.

(Screenshot: Input parameters – “Instance Id (Required) The ID of the instance to troubleshoot the RDP settings of.” The interactive instance picker, with “Show all instances” ticked, lists win2022base_test: t2.micro, running, us-east-1a, platform windows.)

(Screenshot: the “Action” parameter, described as “(Optional) (Custom) Use the values from Firewall, RDPServiceStartupType, RDPServiceAction, RDPPortAction, NLASettingAction and RemoteConnections to manage the settings. (CheckAll) Read the values of the settings without changing them. (FixAll) Restore RDP default settings, and disable the Windows Firewall.” The dropdown offers CheckAll, FixAll and Custom.)

Now you can review all of the steps to be run. In this example, just select “FixAll”, then scroll to the bottom and click “Execute”.

If this part fails, it may be that this Instance is not yet managed by Systems Manager (see the Quick Setup step above).

(Screenshot: “Execution has been initiated.” Execution detail for AWSSupport-TroubleshootRDP – overall status Success; 8 steps executed, 6 succeeded, 2 failed.) The executed steps, with their action type and status, were:

  • 1 assertInstanceIsWindows – aws:assertAwsResourceProperty – Success
  • 2 assertInstanceIsManagedInstance – aws:assertAwsResourceProperty – Success
  • 3 assertActionIsCustom – aws:assertAwsResourceProperty – Failed
  • 4 assertActionIsCheckAll – aws:assertAwsResourceProperty – Failed
  • 5 assertActionIsFixAll – aws:assertAwsResourceProperty – Success
  • 6 disableFirewallProfiles – aws:runCommand – Success
  • 7 restoreDefaultRDPServiceSettings – aws:executeAutomation – Success
  • 8 restoreDefaultRDPSettings – aws:executeAutomation – Success

Steps 3 and 4 “fail” because they only test whether Action was set to Custom or CheckAll; with FixAll selected, step 5 passes and the fix steps 6 to 8 run.

Moment of Truth

Open the .RDP file again and you’ll get the Password prompt again

(Screenshot: Windows Security “Enter your credentials” prompt for the Administrator account on the instance’s compute-1.amazonaws.com hostname.)

You’re able to log in again. Windows Defender Firewall may still be on the screen; if not, open it again to check the status and what’s been left open, and amend accordingly.

(Screenshot: Windows Defender Firewall control panel after the Automation – “Update your Firewall settings: Windows Defender Firewall is not using the recommended settings to protect your computer”, with a “Use recommended settings” button; Windows Defender Firewall state: Off.)
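One way to do that “amend accordingly” step without touching the RDP session, as an added example that is not part of the original post: FixAll leaves Windows Defender Firewall off, so this turns the profiles back on with the Remote Desktop rule group enabled first, sent through SSM Run Command (AWS-RunPowerShellScript) so a mistake cannot lock you out again. It assumes the AWS CLI is installed and the instance is managed by Systems Manager; the instance id in the usage line is a constructed placeholder. SSM Agent only makes outbound connections, so re-enabling the firewall does not affect Run Command.

```shell
#!/bin/sh
# Added example (not from the original post): re-enable Windows Defender
# Firewall after AWSSupport-TroubleshootRDP FixAll, keeping RDP reachable.
set -eu

# The PowerShell run on the instance, as the JSON value send-command expects.
# The Remote Desktop rule group is enabled before the profiles are switched on
# so there is no window in which TCP 3389 is blocked; the last command reports
# the resulting profile state back through the command output.
post_fixall_commands() {
  printf '%s' '{"commands":['
  printf '%s' '"Enable-NetFirewallRule -DisplayGroup \"Remote Desktop\"",'
  printf '%s' '"Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True",'
  printf '%s' '"Get-NetFirewallProfile | Select-Object Name,Enabled | Format-Table -AutoSize"'
  printf '%s' ']}'
}

# Send the commands via Run Command and print the command id.
reenable_firewall() {
  aws ssm send-command --instance-ids "$1" \
    --document-name AWS-RunPowerShellScript \
    --parameters "$(post_fixall_commands)" \
    --query Command.CommandId --output text
}

# Wait for the invocation to finish (the waiter exits non-zero on Failed or
# TimedOut, which is why its result is ignored here) and then show status,
# stdout and stderr so the profile state is visible either way.
show_command_output() {
  aws ssm wait command-executed --command-id "$1" --instance-id "$2" || true
  aws ssm get-command-invocation --command-id "$1" --instance-id "$2" \
    --query '[Status,StandardOutputContent,StandardErrorContent]' --output text
}

# Usage: ./reenable_firewall.sh i-0123456789abcdef0   (constructed placeholder id)
if [ "${1:-}" ]; then
  show_command_output "$(reenable_firewall "$1")" "$1"
fi
```

Once the output shows all three profiles Enabled True, check that the RDP login in the “Moment of Truth” section still works before closing anything else.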
