Cannot RDP to EC2 Instance due to Firewall

In the cloud, no one can hear you scream!

Unlocking an EC2 Instance

Have you ever accidentally locked yourself out of a Server by reverting to default settings on Windows Firewall?

I haven’t done it personally, but I’ve seen how much of an issue that it can be.

It’s easily done. When making changes in Windows Defender Firewall, you are given the quite reasonable option to revert changes by “Restore Defaults”. Unfortunately, selecting this will disable your current session and stop you from being able to use Remote Desktop (RDP) to connect to the Server.

Normally, I guess that this type of issue would result in a quick call to the Server team who can sort it out. It’s a bit different when your Server is an EC2 Instance. You may have an equivalent team in-house, or maybe you don’t – in which case, this post may just help.

All is not lost. There is a way to fix the issue, and it introduces a couple of nice features within AWS that you might not be aware of.

AWS Systems Manager

AWS Systems Manager allows you to manage AWS Resources, including EC2 Instances. It can run “Automation” documents that cover a whole multitude of tasks, including Patching, Disaster Recovery and Support troubleshooting. These scripts have been written by people with more knowledge of AWS than most of us, but you still need to check that they do what you want (and no more!) before running them. Treat them like a script that you found on the Internet – only one on a Website from a familiar author.

Back to the issue of locking yourself out of the house – i.e. switching off the ability to RDP onto your Server: how can an AWS Systems Manager Automation help with that?

There is an Automation document called “AWSSupport-TroubleshootRDP” which (among other things) does just that! It resets a number of Windows Defender Firewall settings to enable access once more. In the following section, I will work through the process of setting up AWS Systems Manager and running the Automation.

Disclaimer

The “AWSSupport-TroubleshootRDP” Automation may do more than you need, and may leave Windows Defender in a less secure state than before. This may seem obvious because you’ll go from not being able to connect to being able to connect once more. There are other security settings that may be unlocked, so check the AWS document – it is possible to only run certain steps, so that may be more appropriate. It is YOUR responsibility to check this and agree with your local IT Security Team.

Example

I have performed these steps in an Account using AWS Free Tier (12 Months Free). You will need to review AWS pricing to check on charges for AWS Systems Manager and running Automations. At time of writing, the charges were extremely low with a free tier, but I cannot be held accountable if this changes.

https://aws.amazon.com/systems-manager/pricing/

AWS Systems Manager

Before you can use AWS Systems Manager with an EC2 Instance, Systems Manager needs to be configured, and configured in the same Region as the Instance.

Under “Change Management”, select “Automation”. This will take you to a “history” screen showing details of Automations that have run in the past.

Click “Execute automation”.

Use the search box to search for the term “AWSSupport-TroubleshootRDP” and select the result. This will take you to the Documents page, describing what the Automation does. Click “Execute automation”.

Under “Input Parameters”, set:

  • InstanceID – select the InstanceID of the Instance that you want it to apply to.
  • Action – choose “FixAll” to run all sections of the Automation (read the disclaimer above!).

Scroll to the bottom of the screen and hit “Execute”. You will be taken to a screen with a Status bar at the top reading “Execution has been initiated.”

The different steps will then be performed. In my case, Steps 3 and 4 failed, but the important step (Step# ) ran and it was possible to connect using RDP once more.
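The same run driven from code instead of the console, as an added example that is not from the original post: it uses boto3 (assumed installed, with credentials for the Instance’s Region) with the InstanceId and Action=FixAll parameters used above, first checks that the Instance really is a Systems Manager managed node in that Region, and then summarises the execution step by step so that a failed step like Steps 3 and 4 here is visible alongside the one that restored RDP. The Instance ID in the block is a placeholder.

```python
"""Added example (not the original post's code): run AWSSupport-TroubleshootRDP from
Python. Assumes boto3 and credentials for the Instance's Region; Instance ID is a placeholder."""

DOCUMENT_NAME = "AWSSupport-TroubleshootRDP"


def build_fixall_request(instance_id: str) -> dict:
    """Keyword arguments for ssm.start_automation_execution(**request).
    SSM parameter values are lists of strings, even single values."""
    return {
        "DocumentName": DOCUMENT_NAME,
        "Parameters": {"InstanceId": [instance_id], "Action": ["FixAll"]},
    }


def is_managed_online(instance_info_list: list, instance_id: str) -> bool:
    """True only if the Instance is an Online Systems Manager managed node
    in this Region (shape of a describe_instance_information response)."""
    return any(
        info.get("InstanceId") == instance_id and info.get("PingStatus") == "Online"
        for info in instance_info_list
    )


def summarize_steps(execution: dict) -> list:
    """(name, status, failure message) per step of a get_automation_execution
    response: shows which steps failed alongside the one that restored RDP."""
    return [
        (s["StepName"], s["StepStatus"], s.get("FailureMessage", ""))
        for s in execution["AutomationExecution"]["StepExecutions"]
    ]


def run_fix(ssm, instance_id: str) -> str:
    """Start the Automation only against a managed node in this Region;
    returns the AutomationExecutionId to poll with get_automation_execution."""
    info = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}]
    )["InstanceInformationList"]
    if not is_managed_online(info, instance_id):
        raise RuntimeError(instance_id + " is not an Online SSM managed node here")
    response = ssm.start_automation_execution(**build_fixall_request(instance_id))
    return response["AutomationExecutionId"]


if __name__ == "__main__":
    import boto3  # needs real credentials; the Instance ID below is a placeholder
    ssm_client = boto3.client("ssm")
    execution_id = run_fix(ssm_client, "i-0123456789abcdef0")
    print(summarize_steps(ssm_client.get_automation_execution(AutomationExecutionId=execution_id)))
```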

I hope that this helps in a few ways:

  • Getting you out of an immediate issue
  • Introducing AWS Systems Manager
  • Introducing AWS Automations

If you think that there would be some benefit in my recording this and other posts, and sharing it on YouTube then please let me know. You can drop me an email or Twitter message. Comments are disabled due to bots.

I have put instructions below for how you can re-create the issue and resolve it. If you are curious then work through it all, otherwise just perform the fix.

Thank you, Nigel.

Issue Setup

Don’t try this on your Production Environment! These Steps are simply given in case you want to replicate it in your Sandbox.

Launch a new EC2 Instance

Choose an appropriate Name and:

  • Instance AMI (Image) – Windows / Microsoft Windows Server 2022 Base in this case (make sure it’s “Free tier eligible”)
  • Instance type – again, pick something that’s “Free tier eligible”

[Screenshot: “Launch an instance” page showing Name (win2022base_test), Amazon Machine Image (Microsoft Windows Server 2022 Base, 64-bit (x86), Free tier eligible) and Instance type (t2.micro, Free tier eligible)]

Select an existing Key pair name (or Create new key pair)

Hit “Launch instance” to make it.

[Screenshot: “Success: Successfully initiated launch of instance” banner with a “Launch log” link]

Now, let’s break it.

Click “Connect to your Instance” and use RDP Client to log in

[Screenshot: “Connect to instance” page on the “RDP client” tab, with Connection Type “Connect using RDP client” selected and the “Download remote desktop file” button]

Click “Download remote desktop file” and save the .rdp file.

Click “Get Password”, then click “Upload private key file” and select the “.pem” file that you use on this AWS login.

[Screenshot: EC2 > Instances > Get Windows password page, showing the Instance ID, the Key pair associated with the instance and the “Upload private key file” button]

Click “Decrypt password” and your password for this EC2 Instance will be displayed. Copy this password, then open the RDP file / paste password and log in.

[Screenshot: Windows Security “Enter your credentials” dialog for the Administrator account]

The login process will continue and you will be logged in (as “Administrator”)

[Screenshot: Remote Desktop Connection “Configuring remote session” dialog]

To be sure, log out and then connect using the RDP link again.

This time, we’ll break it

Open Windows Defender Firewall (click the Windows button, then type “defender”)

[Screenshot: Start menu search showing “Windows Defender Firewall – Control panel” as the best match]

[Screenshot: Windows Defender Firewall control panel page, with “Restore defaults” in the left-hand menu and the Private and Guest or public network profiles shown]

Change something if you like, then just click “Restore Defaults”.

[Screenshot: “Restore default settings” page: “Restoring default settings will remove all Windows Defender Firewall settings that you have configured for all network locations. This might cause some apps to stop working.”, with the “Restore defaults” button]

You will get a warning, but click “Restore defaults” anyway. It’s interesting that it stops short of saying “you won’t be able to connect to this Computer again”.

Oh Oh…

[Screenshot: RDP “Reconnecting” dialog: “The connection has been lost. Attempting to reconnect to your session. Connection attempt 3 of 5”]

Now, when you try to RDP to your EC2 Instance, you won’t be able to:

[Screenshot: Remote Desktop Connection “Connecting: Initiating remote connection” dialog]

[Screenshot: Remote Desktop Connection error: “Remote Desktop can’t connect to the remote computer for one of these reasons: 1) Remote access to the server is not enabled 2) The remote computer is turned off 3) The remote computer is not available on the network. Make sure that the remote computer is turned on and connected to the network and that remote access is enabled.”]

Resolving the Problem

Open “AWS Systems Manager” and click “Automation”

[Screenshot: AWS Systems Manager console navigation, with “Quick Setup” at the top and “Automation” under “Change Management”]

Note: the first time around, AWS Systems Manager needs to be configured. I have already done this, so I was not able to take screenshots for this guide. Time permitting, I will set up another account and complete the process.

Click on “Quick Setup” | Configuration options to add the new Instance to Systems Manager.