Metadata-Version: 2.4
Name: windows-remote-desktop-dashboard
Version: 0.3.0
Summary: Python web dashboard for reserving and launching Windows Remote Desktop machines.
Author: Remote Desktop Dashboard Contributors
Project-URL: Homepage, https://pypi.org/project/windows-remote-desktop-dashboard/
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Web Environment
Classifier: Framework :: FastAPI
Classifier: Intended Audience :: System Administrators
Classifier: Operating System :: Microsoft :: Windows
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: System :: Systems Administration
Requires-Python: >=3.10
Description-Content-Type: text/markdown
Requires-Dist: fastapi
Requires-Dist: uvicorn[standard]
Requires-Dist: jinja2
Requires-Dist: python-multipart

# Windows Remote Desktop Dashboard

Python-based browser dashboard for reserving shared Windows RDP machines and pushing per-IP firewall locks so only the reserver can connect.

## Install

```powershell
pip install windows-remote-desktop-dashboard
windows-remote-desktop-dashboard
```

Open http://127.0.0.1:8000 on the host machine. The app binds to `0.0.0.0`, so it listens on every interface and other laptops on your LAN can reach it via the host machine's IP.

## Development

```powershell
python -m venv .venv
.\.venv\Scripts\Activate.ps1
pip install -r requirements.txt
uvicorn app.main:app --reload --host 0.0.0.0 --port 8000
```

## Features

- Dark, screenshot-style dashboard with machine list, details pane, admin modal, and audit log.
- SQLite persistence under `%LOCALAPPDATA%\WindowsRemoteDesktopDashboard\data` by default on Windows.
- One active reservation per machine, auto-released on expiry.
- Direct local `mstsc.exe` launch with a downloadable `.rdp` fallback.
- Generated `.rdp` files enable clipboard, drives, USB, printers, smart cards, audio capture/playback, multi-monitor, dynamic resolution, keyboard hook, and font smoothing by default.
- RDP Login button automatically reserves the machine for the dashboard user, then launches `C:\Windows\System32\mstsc.exe`.
- **Windows firewall lockdown is ON by default**: when a machine is reserved, the target PC's port 3389 is restricted to the reserver's IP and an explicit Block-Other-RDP rule is pushed so native `mstsc.exe` from anyone else is dropped at the network layer.
- Per-machine Verify lock button that returns the actual rule state from the target host.
- Background `quser /server:<host>` session checks that never block the page.
- Admin PIN gate with single browser-session unlock and bulk delete/release/refresh controls.
- Admin modal split into Settings, Inventory, and Manage Machines tabs.
- Domain dropdown limited to `EU` and `AP`; any legacy `FU` rows are migrated to `EU` on startup.
- Aggressive cache busting for static assets (custom static handler that returns `Cache-Control: no-store` and a per-process `BUILD_ID` query string).

## Defaults That Match A Locked-Down Setup

| Setting | Default | Override env var |
| --- | --- | --- |
| Admin PIN | `admin` | `ADMIN_PIN` |
| Bind host | `0.0.0.0` | `RDD_HOST` |
| Browser launch host | `127.0.0.1` | `RDD_BROWSER_HOST` |
| Port | `8000` | `RDD_PORT` |
| Data dir | `%LOCALAPPDATA%\WindowsRemoteDesktopDashboard\data` | `RDD_DATA_DIR` |
| Default domain | `EU` | `RDP_DOMAIN` |
| Firewall lock | ON | `RDD_ENFORCE_WINDOWS_FIREWALL=0` to disable at startup |
| Background session refresh | ON | `RDD_AUTO_REFRESH_SESSIONS=0` to disable |
| Session refresh interval | 30s | `RDD_SESSION_REFRESH_SECONDS` |
| Firewall PowerShell timeout | 20s | `RDD_FIREWALL_TIMEOUT_SECONDS` |
| Auto-open browser | yes | `RDD_OPEN_BROWSER=0` to disable |

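Because the default bind host is `0.0.0.0` and the default Admin PIN is `admin`, set `ADMIN_PIN` to your own value before other machines on the LAN can reach the dashboard.

You can also toggle the firewall lock at runtime from Admin → Settings → `RDP lock ON/OFF`. The setting is persisted in SQLite.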

## How The Native-RDP Block Works

When RDP lock is ON, the dashboard runs the following on the target machine over WinRM every time a reservation is created:

1. Tighten every inbound `Remote Desktop` rule's `RemoteAddress` filter to the reserver's client IP.
2. Add `RDD-Block-Other-RDP` (Block, TCP 3389, RemoteAddress=Any) so anything not matching the reserver IP is dropped.
3. Add `RDD-Block-Other-RDP-Allow` (Allow, TCP 3389, RemoteAddress=<reserver IP>) so the reserver still gets in.

When the reservation is revoked, released, or deleted, those two `RDD-*` rules are removed and the Remote Desktop rules are restored to `RemoteAddress=Any`.

Requirements for this to actually block native RDP:

- The dashboard server is Windows and runs as a user that can `Invoke-Command` on the target PCs (typically domain admin on the targets or WinRM with `Enable-PSRemoting`).
- WinRM (`winrm quickconfig`) is enabled on every target PC.
- Users open the dashboard with the server's LAN hostname/IP, **not** `localhost`, so the dashboard can read their real client IP and not `127.0.0.1`.

Use Admin → Manage Machines → **Verify lock** to check a specific target. If WinRM is misconfigured the dashboard will report the exact PowerShell error.
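
The last requirement above implies a check before any lock is pushed: refuse a peer address that is loopback or otherwise unusable, so port 3389 is never pinned to `127.0.0.1`. The following is an added example, not the project's own code; the function names and the sample peers are assumptions constructed for illustration.

```python
import ipaddress


def lockable_client_ip(peer: str) -> str:
    """Return the address to pin TCP 3389 to, or raise ValueError.

    `peer` is the TCP peer address the web server saw for the request
    (hypothetical input name; the dashboard's own code may differ).
    """
    text = peer.strip().split("%", 1)[0]  # drop an IPv6 zone id (fe80::1%12)
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        raise ValueError(f"not an IP address: {peer!r}") from None
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d; unwrap it
    # so the checks below and the firewall rule both see the IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        raise ValueError("loopback peer: dashboard was opened via localhost; "
                         "use the server's LAN hostname or IP")
    if ip.is_unspecified or ip.is_multicast:
        raise ValueError(f"{ip} cannot identify a single client")
    return str(ip)


def classify_peers(peers):
    """Map each peer string to ('lock', ip) or ('refuse', reason)."""
    result = {}
    for peer in peers:
        try:
            result[peer] = ("lock", lockable_client_ip(peer))
        except ValueError as exc:
            result[peer] = ("refuse", str(exc))
    return result


# Constructed sample peers (documentation ranges), not taken from the project.
SAMPLE_PEERS = ["192.0.2.44", "127.0.0.1", "::1", "::ffff:192.0.2.44",
                "::ffff:127.0.0.1", "0.0.0.0", "fe80::1%12", "localhost"]

if __name__ == "__main__":
    for peer, (verdict, detail) in classify_peers(SAMPLE_PEERS).items():
        print(f"{peer:20} {verdict:7} {detail}")
```

Refusing the reservation on a loopback peer fails closed: the user sees why the lock was not applied instead of the target being scoped to an address no remote client can have.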
