Don't be scared of Remote Desktop—you can make it secure
If you're like many of your overburdened desktop administration and support peers, you've probably kept some of Windows XP's user-centric features on the distant edge of the radar screen while you focus on more important concerns. Remote Desktop is one such feature that's a low priority for many IT shops--for several reasons. Perhaps foremost, the notion of letting users connect to their desktop computers from home or other locations conjures up images of worst-case security scenarios.
If you work for an organization that doesn't permit such connectivity, you can enjoy the benefits of being able to cite company policy when you deny users' requests to connect from a remote location. The rest of us, however, will have to accommodate the ever-present fringe users whose demands flow down through upper management and force us to implement features that scare us. In this article, I'll try to allay your fears about remote connectivity by explaining what makes Remote Desktop tick and how you configure its security features. You might even find a silver lining in Remote Desktop's capabilities for remote support of user systems.
What Remote Desktop Is
Remote Desktop is essentially a single-user Terminal Services session that uses RDP to communicate with a host that runs Windows XP Professional Edition. Applications that a Remote Desktop user accesses run on the host system; only keyboard and mouse input and video output are transmitted between the host and client systems. The limited amount of transmitted data lets Remote Desktop use bandwidth efficiently and lets a session occur in a variety of connection scenarios, such as a dial-up or slow WAN link. The Remote Desktop client software--Remote Desktop Connection--runs on various Windows platforms, including XP, Windows 2000, Windows Me, Windows NT, and Windows 9x.
You can use any supported Terminal Services client to connect to a remote XP Pro host, then run productivity applications or perform support operations from the client as if you were sitting at the host system. During a Remote Desktop session, you can redirect client resources--such as file system objects, printers, ports, audio devices, and the Clipboard--as needed. For example, for a Remote Desktop connection from Computer A (your office computer) to Computer B (your home computer), assuming that redirection is enabled for all possible local resources, Computer A can access Computer B's Clipboard, disk drives, ports, and printers from within the Remote Desktop session. You can also hear on Computer B's speakers sounds that emanate from Computer A. I discuss how to enable and disable redirection of objects a bit later.
A Few Limitations
Remote Desktop has some powerful capabilities, but you need to be aware of its limitations before you dive in. First, Remote Desktop allows only one user session at a time. Thus, when you establish a Remote Desktop connection to a PC, the PC's console is locked and no one can work locally at that computer. If a local user presses Ctrl+Alt+Del to unlock the PC, your Remote Desktop session is disconnected. To establish a Remote Desktop session to a computer to which a user is currently logged on, you must either log on with that user's account or with an account that belongs to the local Administrator group on the remote host. If you use the latter account, you'll see a message notifying you that the user who is currently logged on will be logged off.
One other user-sessionrelated gotcha is that, depending on how logoff options are configured on the remote host system's Start menu, a logoff option might not be available to the Remote Desktop user. Selecting the Disconnect option from the Start menu on the host system leaves the current session open in a locked state, which isn't desirable if you're using an administrative account to perform maintenance on an end user's system. To end the session, you need to type
at a command prompt or click Start, Run and enter the Logoff command.
Establishing a Remote Desktop connection from a system that isn't on a corporate network, such as a home system, to one that's on the network requires a secure VPN connection between the two systems. If you want to allow Remote Desktop connections to external systems from those inside your corporate firewall, you'll most likely need an appropriately configured proxy server--such as Microsoft Internet Security and Acceleration Server (ISA) Server 2000--through which the system within the network can communicate with the external system.
Setting Up Remote Desktop
To use Remote Desktop in its most basic form, you must first allow access from the host system, then connect to that system from a client computer on which a supported Terminal Services client is installed. To configure the host, open the System Properties window by running the command
at a command prompt or by right-clicking the My Computer icon and choosing Properties. Click the Remote tab and enable the Allow users to connect remotely to this computer check box. Click Select Remote Users to specify which accounts you want to let establish a Remote Desktop session to this computer. Use the syntax domainname\username to enter domain accounts. Selecting users at this point effectively adds them to the local Remote Desktop Users group; alternatively, you could add user accounts individually to the group. By default, any account that's a member of a computer's local Administrators group will have Remote Desktop access to that system after the Allow users to connect remotely to this computer check box is selected.
XP Pro has a built-in Remote Desktop client called Remote Desktop Connection (mstsc.exe). To access the shortcut to the client, click Start, Programs, Accessories, Communications, Remote Desktop Connection. You can install the Remote Desktop Connection software on supported platforms other than XP from the XP Pro CD-ROM. The Remote Desktop Connection setup executable--msrdpcli.exe--is in the \Support\Tools folder on the XP Pro CD-ROM. Remote Desktop Connection configuration is straightforward and lets you tailor the client to suit your needs by selecting options related to performance, security, and resource redirection. (I discuss configuring the Remote Desktop security options in more detail a bit later.) To access the Remote Desktop options, click the Options button in the Remote Desktop Connection dialog box. You'll see five settings tabs, which Figure 1 shows.
After you've configured the Remote Desktop settings, click the General tab and, in the Connection settings section, click Save As to save the configuration settings. Remote Desktop saves the settings to an .rdp file that's associated with mstsc.exe. You can launch a session with your specified configuration by double-clicking the .rdp file. After you launch the client, you can log on to the host computer as if you were on a local system and operate the host as if you were at its console. You can use the session in full-screen mode, scale its window, or minimize it while you work on your local computer.
Microsoft provides a Web-enabled version of the Remote Desktop client called Remote Desktop Web Connection, which lets you connect to remote computers through a Web browser. The Web version of the client can simplify deployment of Remote Desktop for organizations with diverse client platforms and provides a simple solution for roaming users and users of extranet applications. For information about configuring Remote Desktop Web Connection on a Windows Server 2003 or XP Pro system, see the Microsoft documentation, "Installing Remote Desktop Web Connection," at http://www.microsoft.com/resources/documentation/windows/xp/all/reskit/en-us/default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/pree_rem_bgek.asp. You can download the Remote Desktop Web Connection ActiveX control and sample pages for hosting Terminal Services client connections from a Windows system running Microsoft Internet Information Server (IIS) 4.0 or later at http://www.microsoft.com/downloads/details.aspx?familyid=e2ff8fb5-97ff-47bc-bacc-92283b52b310&displaylang=en.
Given the ease with which Remote Desktop lets you access systems, you might wonder how you can tighten the security of remote connections. You can configure settings through local or domain Group Policy that provide a more secure Remote Desktop implementation by enabling these security practices:
- Require the maximum allowable encryption level.
- Require password authentication at logon.
- Disable file redirection.
- Disable printer redirection.
- Disable Clipboard sharing.
Current Remote Desktop clients, such as the one included in XP Pro, let you encrypt session data by using a 128-bit encryption scheme, but some legacy Windows clients don't support 128-bit encryption. To control the encryption level, open Group Policy Editor (GPE); navigate to Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Encryption and Security; and select Set client connection encryption level. You can choose one of two settings: Client Compatible, which forces the highest level of encryption that's compatible with your clients, or High Level, which disallows connections for devices that don't support 128-bit encryption. In GPE's Encryption and Security branch, you'll also find the setting to require password authentication at logon--Always prompt client for password upon connection. When it's enabled, this setting nullifies the use of saved passwords on the client side, which plugs an obvious security hole.
You can also disable file and printer redirection and Clipboard sharing through the Group Policy settings for Do not allow drive redirection (which disables file redirection), Do not allow client printer redirection, and Do not allow clipboard redirection. To do so, open GPE, and navigate to Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Client/Server data redirection. You'll see a window similar to the one that Figure 2 shows. Settings that you configure through Group Policy override any options that are configured in the Remote Desktop Connection dialog box.
A poorly documented Group Policy setting, Do not allow new client connections, lets you enable or disable Remote Desktop hosting capabilities on multiple computers. To find this setting, open GPE and navigate to Computer Configuration, Administrative Templates, Windows Components, Terminal Services. Although the setting's name seems to imply that it lets you enable or disable multiple concurrent client connections, setting the value to Disabled actually enables Remote Desktop. Conversely, setting the value to Enabled disables Remote Desktop on machines to which the setting is applied.
If You Allow Remote Desktop, Secure It
Remote Desktop can be a useful tool in the hands of knowledgeable users. It can also be a security threat if you don't take the proper security precautions. To ensure that Remote Desktop doesn't create security vulnerabilities, use Group Policy when you configure the feature to control what your users can and can't do through a remote connection. Additionally, ensure that systems that are configured to allow Remote Desktop are behind a firewall, and enforce strong passwords for user accounts that have Remote Desktop access.
|Project Snapshot: How to|
| PROBLEM: Set up Remote Desktop and ensure that it's secure.|
WHAT YOU NEED: Host PC that runs Windows XP Professional Edition, remote client that runs Windows XP/2000/Me/NT/9x
DIFFICULTY: 2.5 of 5
1.Configure the Remote Desktop host.
2.Install Remote Desktop Connection on the client; save client configuration settings.
3.Secure Remote Desktop by using local or domain Group Policy settings.
| WINDOWS IT PRO RESOURCES|
For an introduction to Windows 2000 Server Terminal Services:
"Getting Started: Remote Administration," InstantDoc ID 39962
To disable Remote Desktop (for security purposes):
"Access Denied: Protecting Workstations from Remote Access,"
For more information about Remote Desktop:
"Frequently Asked Questions About Remote Desktop"
To optimize Remote Desktop for your connection type:
"Tuning Windows XP Remote Desktop for Network Bandwidth"
To learn more about Remote Desktop Web Connection:
"Installing Remote Desktop Web Connection"
Remote Desktop Web Connection ActiveX control