Providing phone support to a user who has limited computer skills not only frustrates both parties but also is much less efficient than being onsite with the user. In response to the cries of support staff and end users alike, Microsoft includes Remote Assistance, a remote control tool for troubleshooting and support, in Windows XP.

Remote Assistance uses Microsoft's proven Windows 2000 Server Terminal Services technology to provide what amounts to a Terminal Services session between a support professional's computer and an end user's computer. Through a Remote Assistance session, a support technician can see exactly what's happening on the user's screen and can even remotely control the user's computer. Despite some features that target home users, Remote Assistance is a usable, secure solution for corporate Help desks and support staff, especially when coupled with Group Policy in an Active Directory (AD) environment.

Remote Assistance has some similarities to XP's Remote Desktop feature, but you shouldn't confuse the two. Both features use Terminal Services technology, but Remote Desktop concentrates on increasing productivity by providing access to a session on a Windows system (e.g., accessing files and applications on your work computer from your home computer), whereas Remote Assistance lets a support person chat with a user and view and control the user's system with the intent of resolving a problem.

Establishing a Session

That Remote Assistance seems geared toward home users is most apparent when you look at the methods available for initiating a Remote Assistance session. The Remote Assistance links within XP's Help and Support Center provide three options for inviting help.

The first option, Use Windows Messenger, can be a good way for a home user to establish a support session with a friend, assuming that both parties have Windows Messenger accounts. However, this method relies on Windows Messenger for user authentication and doesn't let the user specify a password for the Remote Assistance session.

The second option, or use email, lets you send a request for assistance through your Simple Messaging API (MAPI)-compliant email client. Attached to the email message is a file that has the extension .MsRcIncident. This attachment, known as an invitation file, is an XML file that, when executed by the target user, launches Windows Help and Support, which in turn starts Remote Assistance to initiate the support session to the requester's computer.

The third option, Save invitation as a file (Advanced), lets users save the invitation file and transfer it to the target user through another method, such as an Internet-based mail application or removable media. Both the second and third options let you specify a password so that unintended recipients of the invitation don't have an open door to the end user's system.

The invitation file alone doesn't give the recipient (aka the helper) explicit permission to connect to and control the requesting user's system. The requesting user can always grant or deny the initial connection and, after the connection is made, allow or deny the helper's request to take control of the system.

Although the typical methods for requesting and providing assistance might suit the needs of small companies and home users, most corporate IT organizations will want to tighten the reins a bit. You can modify Remote Assistance settings on individual machines, but using Group Policy in an AD environment provides more control as well as easier administration. For further security, you can also configure your corporate firewall to minimize Remote Assistance-related security risks.

Configuring Remote Assistance

You can configure Remote Assistance through the System Properties dialog box's Remote tab. To let a user request help from someone, select the Allow Remote Assistance invitations to be sent from this computer check box on the user's workstation. Clicking Advanced presents the Remote Assistance Settings dialog box, which Figure 1 shows. If you clear the Allow this computer to be controlled remotely check box, you can restrict Remote Assistance sessions to view-only mode. To shorten the window of opportunity for unscrupulous invitation interceptors, you can limit the amount of time an invitation is active.

Group Policy also lets you specify users in your organization who can offer Remote Assistance without receiving an invitation. Group Policy's Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance setting lets you set the same options that you can set on the Remote tab of the System Properties dialog box. The wording and method of selecting view-only or remote control mode differ slightly from that on the Remote tab, but the results are identical.

The Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance setting presents functionality that's available only through Group Policy. The Offer Remote Assistance setting lets you authorize users to initiate a session without having received an invitation. When setting the Offer Remote Assistance properties, which Figure 2 shows, you should specify Allow helpers to remotely control the computer unless you want to allow view-only mode. You also need to specify who within your organization can initiate Remote Assistance offers. To specify those users, first click Show, then use the Domain\User or Domain\Group syntax to add entries to the list of helpers. You won't get a chance to verify that the information you entered is accurate, so double-check each name before you add it to the helpers list.

Offering Remote Assistance

After support professionals are added to the helpers list on designated computers, they can initiate a Remote Assistance session provided that both their system and the end user's system are running XP and that both the support professional and the end user are members of the same domain or of domains that have a trust relationship. The typical method of offering a Remote Assistance session is as follows:

  1. Click Start, Help and Support.
  2. Click the Tools link, then select the Offer Remote Assistance tool in the left-hand pane.
  3. In the right-hand pane, click Connect, select the name of the user you want to assist from the drop-down list, then click Start Remote Assistance.

The session will proceed just as if it were initiated by a user invitation.

If you expect to offer Remote Assistance frequently, you might want to use a more streamlined method of creating the offer. Create a shortcut that has as its target the URL hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/unsolicited/unsolicitedrcui.htm. Clicking this shortcut launches the Help and Support Center and displays the pane that lets you specify the machine to connect to. You can distribute this shortcut to support professionals in your organization.

Firewalls and Remote Assistance

Because Terminal Services technology uses RDP for communication between systems, port 3389 must be open on your firewall. You can provide an extra measure of security by blocking outbound traffic on port 3389 so that users won't be able to use Remote Assistance to communicate with systems outside the firewall.

Using Network Address Translation (NAT) with Remote Assistance is a complex topic that's outside the scope of this article. For information about the behavior of Remote Assistance in various firewall and NAT environments, see the Microsoft article "Supported Connection Scenarios for Remote Assistance."

Working Around Limitations

If you're using Remote Assistance in a corporate scenario, you'd ideally like to limit or disable users' ability to solicit Remote Assistance help from unauthorized people. Unfortunately, disabling Solicited Remote Assistance also disables the ability to accept offered Remote Assistance. Until Microsoft addresses this inconsistency, the only way to work around this problem is through user training. After you create an infrastructure through which your support professionals can initiate Remote Assistance, train end users to use that infrastructure rather than sending invitations for Assistance. If you must rely on the invitation model, require your users to use strong passwords with reasonable expiration times on invitations and establish a consistent method for everyone in your organization to use for invitation delivery.
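If you do rely on the invitation model, a mail gateway or Help desk intake script can check each .MsRcIncident file for a password and a short lifetime before it is passed on. The following Python sketch is an added example, not Microsoft code or part of the original article; the element and attribute names (UPLOADINFO, UPLOADDATA, RCTICKETENCRYPTED, DtStart, DtLength) are assumptions about the XP invitation layout, the 60-minute ceiling is an assumed local policy, and both sample invitations are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample invitations; attribute names are the assumed XP layout.
GOOD = ('<UPLOADINFO TYPE="Escalated"><UPLOADDATA USERNAME="jdoe" '
        'RCTICKET="(ticket elided)" RCTICKETENCRYPTED="1" '
        'DtStart="1000000000" DtLength="60" L="0"/></UPLOADINFO>')
WEAK = ('<UPLOADINFO TYPE="Escalated"><UPLOADDATA USERNAME="jdoe" '
        'RCTICKET="(ticket elided)" RCTICKETENCRYPTED="0" '
        'DtStart="1000000000" DtLength="43200" L="0"/></UPLOADINFO>')

MAX_LIFETIME_MIN = 60  # assumed local policy ceiling, in minutes


def audit_invitation(xml_text, now, max_lifetime_min=MAX_LIFETIME_MIN):
    """Return policy findings for one invitation; an empty list means it passes."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["unparseable XML"]
    data = root.find("UPLOADDATA") if root.tag == "UPLOADINFO" else None
    if data is None:
        return ["not a Remote Assistance invitation"]

    findings = []
    # Assumption: "1" marks a ticket protected by a user-chosen password.
    if data.get("RCTICKETENCRYPTED") != "1":
        findings.append("no password set")
    try:
        start = int(data.get("DtStart", ""))      # assumed: seconds since epoch
        lifetime = int(data.get("DtLength", ""))  # assumed: minutes
    except ValueError:
        return findings + ["missing or malformed validity window"]
    if lifetime > max_lifetime_min:
        findings.append(f"lifetime {lifetime} min exceeds {max_lifetime_min} min limit")
    if now > start + lifetime * 60:
        findings.append("expired")
    return findings


if __name__ == "__main__":
    check_time = 1000000000 + 600  # ten minutes after both samples were issued
    for name, text in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_invitation(text, check_time) or "ok")
```

The check confirms only that a password was set, not that it is strong, so password quality still depends on user training.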