windows-remote-desktop-dashboard 0.3.0

Python web dashboard for reserving and launching Windows Remote Desktop machines.

Windows Remote Desktop Dashboard

Python-based browser dashboard for reserving shared Windows RDP machines and pushing per-IP firewall locks so only the reserver can connect.

Install

pip install windows-remote-desktop-dashboard
windows-remote-desktop-dashboard

Open http://127.0.0.1:8000 (the app binds to 0.0.0.0 so other laptops on your LAN can hit it via the host machine's IP).

Development

python -m venv .venv
.\.venv\Scripts\Activate.ps1
pip install -r requirements.txt
uvicorn app.main:app --reload --host 0.0.0.0 --port 8000

Features

• Dark, screenshot-style dashboard with machine list, details pane, admin modal, and audit log.
• SQLite persistence under %LOCALAPPDATA%\WindowsRemoteDesktopDashboard\data by default on Windows.
• One active reservation per machine, auto-released on expiry.
• Direct local mstsc.exe launch with a downloadable .rdp fallback.
• Generated .rdp files default to clipboard, drives, USB, printers, smart cards, audio capture/playback, multi-monitor, dynamic resolution, keyboard hook, and font smoothing all enabled.
• RDP Login button automatically reserves the machine for the dashboard user, then launches C:\Windows\System32\mstsc.exe.
• Windows firewall lockdown is ON by default: when a machine is reserved, the target PC's port 3389 is restricted to the reserver's IP and an explicit Block-Other-RDP rule is pushed so native mstsc.exe from anyone else is dropped at the network layer.
• Verify lock button per machine that returns the actual rule state from the target host.
• Background quser /server:<host> session checks that never block the page.
• Admin PIN gate with single browser-session unlock and bulk delete/release/refresh controls.
• Admin modal split into Settings, Inventory, and Manage Machines tabs.
• Domain dropdown limited to EU and AP; any legacy FU rows are migrated to EU on startup.
• Aggressive cache busting for static assets (custom static handler that returns Cache-Control: no-store and a per-process BUILD_ID query string).

Defaults That Match A Locked-Down Setup

Setting	Default	Override env var
Admin PIN	admin	ADMIN_PIN
Bind host	0.0.0.0	RDD_HOST
Browser launch host	127.0.0.1	RDD_BROWSER_HOST
Port	8000	RDD_PORT
Data dir	%LOCALAPPDATA%\WindowsRemoteDesktopDashboard\data	RDD_DATA_DIR
Default domain	EU	RDP_DOMAIN
Firewall lock	ON	RDD_ENFORCE_WINDOWS_FIREWALL=0 to disable at startup
Background session refresh	ON	RDD_AUTO_REFRESH_SESSIONS=0 to disable
Session refresh interval	30s	RDD_SESSION_REFRESH_SECONDS
Firewall PowerShell timeout	20s	RDD_FIREWALL_TIMEOUT_SECONDS
Auto-open browser	yes	RDD_OPEN_BROWSER=0 to disable

You can also toggle the firewall lock at runtime from Admin → Settings → RDP lock ON/OFF. The setting is persisted in SQLite.

How The Native-RDP Block Works

When RDP lock is ON the dashboard runs the following on the target machine over WinRM, every time a reservation is created:

1. Tighten every inbound Remote Desktop rule's RemoteAddress filter to the reserver's client IP.
2. Add RDD-Block-Other-RDP (Block, TCP 3389, RemoteAddress=Any) so anything not matching the reserver IP is dropped.
3. Add RDD-Block-Other-RDP-Allow (Allow, TCP 3389, RemoteAddress=) so the reserver still gets in.

When the reservation is revoked/released/deleted those two RDD-* rules are removed and the Remote Desktop rules are restored to RemoteAddress=Any.

Requirements for this to actually block native RDP:

• The dashboard server is Windows and runs as a user that can Invoke-Command on the target PCs (typically domain admin on the targets or WinRM with Enable-PSRemoting).
• WinRM (winrm quickconfig) is enabled on every target PC.
• Users open the dashboard with the server's LAN hostname/IP, not localhost, so the dashboard can read their real client IP and not 127.0.0.1.

Use Admin → Manage Machines → Verify lock to check a specific target. If WinRM is misconfigured the dashboard will report the exact PowerShell error.