Cannot RDP to EC2 Instance due to Firewall
In the cloud, no one can hear you scream!
Have you ever accidentally locked yourself out of a Server by reverting to default settings on Windows Firewall?
I haven’t done it personally, but I’ve seen how much of an issue that it can be.
It’s easily done. When making changes in Windows Defender Firewall, you are given the quite reasonable option to revert changes by “Restore Defaults”. Unfortunately, selecting this will disable your current session and stop you from being able to use Remote Desktop (RDP) to connect to the Server.
Normally, I guess that this type of issue would result in a quick call to the Server team who can sort it out. It’s a bit different when your Server is an EC2 Instance. You may have an equivalent team in-house, or maybe you don’t – in which case, this post may just help.
All is not lost. There is a way to fix the issue, and it introduces a couple of nice features within AWS that you might not be aware of.
AWS Systems Manager
AWS Systems Manager allows you to manage AWS Resources, including EC2 Instances. It has the facility to run “Automation” scripts, covering a whole multitude of tasks, including such things as Patching, Disaster Recovery, and Support troubleshooting. These scripts have been written by someone with more knowledge of AWS. You just need to check to see that they do what you want (and no more!) before running them. Treat it like a script that you found on the Internet – only one on a Website from a familiar author.
Back to the issue of locking yourself out of the house – i.e. Switching off the ability to RDP onto your Server, how can an AWS System Manager Automation help with that?
There is an Automation document called “AWSSupport-TroubleshootRDP” which (among other things) that does just that! It resets a number of Windows Defender Firewall settings which enable access once more. In the following section, I will work through the process of setting up AWS System Manager and running the Automation.
Disclaimer
The “AWSSupport-TroubleshootRDP” Automation may do more than you need, and may leave Windows Defender in a less secure state than before. This may seem obvious because you’ll go from not being able to connect to being able to connect once more. There are other security settings that may be unlocked, so check the AWS document – it is possible to only run certain steps, so that may be more appropriate. It is YOUR responsibility to check this and agree with your local IT Security Team.
Example
I have performed these steps in an Account using AWS Free Tier (12 Months Free). You will need to review AWS pricing to check on charges for AWS Systems Manager and running Automations. At time of writing, the charges were extremely low with a free tier, but I cannot be held accountable if this changes.
https://aws.amazon.com/systems-manager/pricing/
AWS Systems Manager
In order for you to use AWS Systems Manager on an EC2 Instance, then it needs to be Configured, and configured in the correct Region.
Under “Change Management”, select “Automation”. This will take you to a “history” screen showing details of Automations that have run in the past.
Click “Execute automation”
Use the search box to search for the term “AWSSupport-TroubleshootRDP” and click the box. This will take you to the Documents page, describing what the Automation does. Click “Executeautomation”
Under “Input Parameters”, you can
InstanceID – Select the InstanceID of the Instance that you want it to apply to.
Action – Choose “FixAll” to run all sections of the Automation (read disclaimer above!)
Scroll to the bottom of the screen and hit “Execute”. You will be taken to a screen with a Status bar at the top reading “Execution has been initiated.”
The different steps will be performed, in my case then Step 3 and 4 fail but the important step in this case (Step# ) will be run and it will be possible to connect using RDP once more.
I hope that this helps in a few ways:
- Getting you out of an immediate issue
- Introducing AWS Systems Manager
- Introducing AWS Automations
If you think that there would be some benefit in my recording this and other posts, and sharing it on YouTube then please let me know. You can drop me an email or Twitter message. Comments are disabled due to bots.
I have put instructions below for how you can re-create the issue and resolve it. If you are curious then work through it all, otherwise just perform the fix.
Thank you, Nigel.
Issue Setup
Don’t try this on your Production Environment! These Steps are simply given in case you want to replicate it in your Sandbox.
Launch a new EC2 Instance
Choose an appropriate Name and
Instance AMI (Image) – Windows / Microsoft Windows Server 2022 Base in this case (make sure it’s “Free tier eligible”)
Instance type – again, pick something that’s “Free tier eligible”
Select an existing Key pair name (or Create new key pair)
Hit “Launch instance” to make it.
Now, let’s break it.
Click “Connect to your Instance” and use RDP Client to log in
Click “Download remote desktop file” and save the .rdp file.
Click “Get Password”, then click “Upload private key file” and select the “.pem” file that you use on this AWS login.
Click “Decrypt password” and your password for this EC2 Instance will be displayed. Copy this password, then open the RDP file / paste password and log in.
The login process will continue and you will be logged in (as “Administrator”)
To be sure, log out and then connect using the RDP link again.
This time, we’ll break it
Open Windows Defender Firewall (click the Windows button, then type “defender”)
Change something if you like, then just click “Restore Defaults”.
You will get a warning, but “Restore defaults” anyway. It’s interesting that it stops short of saying “you won’t be able to connect to this Computer again”
Oh Oh…
Now, when you try to RDP to your EC2 Instance, you won’t be able to:
Resolving the Problem
Open “AWS Systems Manager” and click “Automation”
Note: The first time around, AWS Systems Manager needs to be configured. I have already done this, so I was not able to take screenshots for this guide. Time willing, I will set up another account and complete the process.
Click on “Quick Setup” | Configuration options to add the new Instance to Systems Manager.