When thin clients attack …


A recent project raised some questions about the level of documentation and knowledge provided by HP and Altiris for their thin client capabilities.

The background is a production shopfloor with 20 HP 5720 thin clients connecting to a Windows 2003 Terminal Server. The application required on the thin clients is hosted on a Windows 2000 server, and access to it is via a mapped drive from the terminal server. As mentioned in a previous article, the configuration for each client is held in a subdirectory pointed to in the properties of the thin client's environment settings on the terminal server. Thus the client logs in and runs a single application which, if exited, closes the terminal session.

This was all tested using the Windows XP RDP client on PCs and worked successfully – that's where the predictability ends.

The issue comes with getting the RDP session to hold the settings (address, username and password) correctly on the client. Initially it looked like an issue with the client XPe (XP Embedded OS) or perhaps firmware, and both versions were upgraded.

In the end the solution was to manually amend the Administrator user's copy of the default.rdp file stored on the client, using a utility from this site:

http://www.remkoweijnen.nl/blog/2007/10/18/how-rdp-passwords-are-encrypted/ where the direct link to the download is http://www.remkoweijnen.nl/blog/download/rdp.zip

First disable the EWF (Enhanced Write Filter) cache on the client so that the change you are about to make can be saved. Download the file and expand it to a USB flash drive. Take the flash drive to the remote client and edit the default.rdp file. If you don't have a default.rdp file, log in using the thin client's RDP client and use the save option to generate one.

Add the following lines to the end of default.rdp if they are not already in the file (the password may be the only one missing).

username:s:MyUserName
password:51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB0100000052A9E191EA75A948B359790578C9371A0000000008000000700073007700000003660000A8000000100000000A1DCCD2E50775CA25EC3857164B34DC0000000004800000A000000010000000FCE1A645B9B61AA450946BB6F955058108020000D83591CA47562D6DDAA689F050AE145039EBE22E00D1D3AEAA98373C7B63C3E8E7149072DF989EA43EFCE20513AD3D27B11BE7F17066A688E1DCE828AF85460AAC327B38E90776DB962888E4393D19637578984B19A187AAD95F6D2726ADE7DD315FF56C15FF5B3031014EDDCC3C24D1B81779AFDB006EE575F5BEFB8D2D2138D9D9D642BBB251CC5ED7226968764856EC660A646BACE748A13D6002A9A537AA70710615650B9387EED66DE28BD57B304BBDD7B581B943DA628EB0289E30A8BA784B76F7885BECCAB4FEF7820E97EE3C6E036EEAF6EAA669288DF2FCACC9BEC045C907EBBDE87AFB8CC6B07A600BD63AC891B61D95C2265DD9FD5E635D61BFBF5EDC28311375066611C610FB533D64515B643C82F57D9B183B05C156D91BC0974D38E546022B139E82452E6F1EDF76E52F732C3904E5E433F8F3D488DB0698427DBB0791A9F207F8CB6654CB8410BAF4A59C4F9E821E589ABC1E6E6E1D432181B690408F6884FE1007895A4D26D4A5A2C7458EE747DA35D44AC9FB08AB5477EA3E7CCDB3E37EE20FAFD0D0CF9584E420598B7003B347943AC28048F45E0FD21AD08148FFADCE0E7877219259A7BE722FFAE845A429BA2CF0A71F2D19EA7495530FABDB5106E8D404A38A7E6394C38457640EA7398C5D55F0C4D342CC6A39C77E10A2A5145AEA40B14F5C7C3760334D83C9BE748383FADE231248537353817D51F7B44F61B406ABC61400000071C354139F458B02D978015F785B97F7F6B307380

The long string you see there needs to be replaced by the password hash you will generate using the rdp.exe utility mentioned above. Run it from the USB key plugged into the thin client whilst logged in as Administrator, and you will be presented with a dialog box to enter the password you wish to get the hash for. This password will be the one this thin client uses to log in to the RDP server. Copy and paste that hash into the default.rdp file after the :b:, replacing the dummy key shown above. Save the file, ensuring that the username is the correct one for the thin client to log in with, and double-click the .rdp file to trigger an automatic login from the thin client to the RDP server. Once happy, re-enable the EWF write cache and reboot.
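The value after :b: is a Windows DPAPI blob tied to the account that created it, which is why the utility has to be run on the thin client as Administrator. As an added example (not part of the original post or of rdp.exe), the Python sketch below audits .rdp content for a saved password and reads the blob's cleartext header without decrypting anything. The function names and the sample master key GUID are assumptions made for illustration.

```python
import re
import struct
import uuid

# DPAPI blobs start with version 1 and this provider GUID, as the blob above does
# (01000000 D08C9DDF0115D1118C7A00C04FC297EB).
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# mstsc writes "password 51:b:<hex>"; this page shows "password:51:b:<hex>".
PASSWORD_RE = re.compile(r"^password[ :]51:b:([0-9A-Fa-f]*)$", re.I)

def parse_dpapi_header(blob: bytes) -> dict:
    """Read the cleartext header of a DPAPI blob (no decryption is attempted)."""
    if len(blob) < 48:
        raise ValueError("too short for a DPAPI blob")
    (version,) = struct.unpack_from("<I", blob, 0)
    provider = uuid.UUID(bytes_le=blob[4:20])
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    master_key = uuid.UUID(bytes_le=blob[24:40])   # key that protects this blob
    (desc_len,) = struct.unpack_from("<I", blob, 44)
    desc = blob[48:48 + desc_len].decode("utf-16-le").rstrip("\x00")
    return {"master_key_guid": str(master_key), "description": desc}

def audit_rdp(text: str) -> dict:
    """Report whether .rdp content carries a saved password, and for which user."""
    report = {"username": None, "saved_password": False, "dpapi": None, "error": None}
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("username:s:"):
            report["username"] = line[len("username:s:"):]
        m = PASSWORD_RE.match(line)
        if m:
            report["saved_password"] = True
            try:
                report["dpapi"] = parse_dpapi_header(bytes.fromhex(m.group(1)))
            except ValueError as exc:   # odd-length hex or non-DPAPI data
                report["error"] = str(exc)
    return report

# Constructed sample: a DPAPI header only, with a made-up master key GUID and the
# description "psw" in UTF-16; it contains no encrypted password data.
SAMPLE = (
    "username:s:MyUserName\n"
    "password:51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB"
    "0100000033221100554477668899AABBCCDDEEFF"
    "00000000080000007000730077000000\n"
)
```

Any .rdp file this flags should be treated as a stored credential: the blob can be decrypted by code running as the same account on the same client, so the file's permissions and the account's privileges on the terminal server matter.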