Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


October 2004

Open Up Your Remote Connections

Don't be scared of Remote Desktop—you can make it secure
From the October 2004 Edition
of Windows IT Pro
Ed Roth
Solutions +
InstantDoc #43877
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

If you're like many of your overburdened desktop administration and support peers, you've probably kept some of Windows XP's user-centric features on the distant edge of the radar screen while you focus on more important concerns. Remote Desktop is one such feature that's a low priority for many IT shops--for several reasons. Perhaps foremost, the notion of letting users connect to their desktop computers from home or other locations conjures up images of worst-case security scenarios.

If you work for an organization that doesn't permit such connectivity, you can enjoy the benefits of being able to cite company policy when you deny users' requests to connect from a remote location. The rest of us, however, will have to accommodate the ever-present fringe users whose demands flow down through upper management and force us to implement features that scare us. In this article, I'll try to allay your fears about remote connectivity by explaining what makes Remote Desktop tick and how you configure its security features. You might even find a silver lining in Remote Desktop's capabilities for remote support of user systems.

What Remote Desktop Is
Remote Desktop is essentially a single-user Terminal Services session that uses RDP to communicate with a host that runs Windows XP Professional Edition. Applications that a Remote Desktop user accesses run on the host system; only keyboard and mouse input and video output are transmitted between the host and client systems. The limited amount of transmitted data lets Remote Desktop use bandwidth efficiently and lets a session occur in a variety of connection scenarios, such as a dial-up or slow WAN link. The Remote Desktop client software--Remote Desktop Connection--runs on various Windows platforms, including XP, Windows 2000, Windows Me, Windows NT, and Windows 9x.

You can use any supported Terminal Services client to connect to a remote XP Pro host, then run productivity applications or perform support operations from the client as if you were sitting at the host system. During a Remote Desktop session, you can redirect client resources--such as file system objects, printers, ports, audio devices, and the Clipboard--as needed. For example, for a Remote Desktop connection from Computer A (your office computer) to Computer B (your home computer), assuming that redirection is enabled for all possible local resources, Computer A can access Computer B's Clipboard, disk drives, ports, and printers from within the Remote Desktop session. You can also hear on Computer B's speakers sounds that emanate from Computer A. I discuss how to enable and disable redirection of objects a bit later.

A Few Limitations
Remote Desktop has some powerful capabilities, but you need to be aware of its limitations before you dive in. First, Remote Desktop allows only one user session at a time. Thus, when you establish a Remote Desktop connection to a PC, the PC's console is locked and no one can work locally at that computer. If a local user presses Ctrl+Alt+Del to unlock the PC, your Remote Desktop session is disconnected. To establish a Remote Desktop session to a computer to which a user is currently logged on, you must either log on with that user's account or with an account that belongs to the local Administrator group on the remote host. If you use the latter account, you'll see a message notifying you that the user who is currently logged on will be logged off.

One other user-session­related gotcha is that, depending on how logoff options are configured on the remote host system's Start menu, a logoff option might not be available to the Remote Desktop user. Selecting the Disconnect option from the Start menu on the host system leaves the current session open in a locked state, which isn't desirable if you're using an administrative account to perform maintenance on an end user's system. To end the session, you need to type

logoff

at a command prompt or click Start, Run and enter the Logoff command.

Establishing a Remote Desktop connection from a system that isn't on a corporate network, such as a home system, to one that's on the network requires a secure VPN connection between the two systems. If you want to allow Remote Desktop connections to external systems from those inside your corporate firewall, you'll most likely need an appropriately configured proxy server--such as Microsoft Internet Security and Acceleration Server (ISA) Server 2000--through which the system within the network can communicate with the external system.

Setting Up Remote Desktop
To use Remote Desktop in its most basic form, you must first allow access from the host system, then connect to that system from a client computer on which a supported Terminal Services client is installed. To configure the host, open the System Properties window by running the command

sysdm.cpl

at a command prompt or by right-clicking the My Computer icon and choosing Properties. Click the Remote tab and enable the Allow users to connect remotely to this computer check box. Click Select Remote Users to specify which accounts you want to let establish a Remote Desktop session to this computer. Use the syntax domainname\username to enter domain accounts. Selecting users at this point effectively adds them to the local Remote Desktop Users group; alternatively, you could add user accounts individually to the group. By default, any account that's a member of a computer's local Administrators group will have Remote Desktop access to that system after the Allow users to connect remotely to this computer check box is selected.

   Previous  [1]  2  Next 


Reader Comments
Summary indicated it covered security - there is no mention of how to secure behind the firewall, other than allowing direct access via a public IP. Expected much more.

fil@pobox.com October 26, 2004 (Article Rating: )

I must agree that there is a lot more out there before i would feel i have a secure Terminal services / remote desktop connections.

At a minimum i would have expected a mention of changing the default port in key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\"PORT > 3389"

and the security policy
computer configuration > windows settings>security settings > local policies > security options > "Interactive logon: do not display last user name"

If you don't disable this any happy passer connecting to RDP will have half the entrance key to your system as your ar happely giving it to him.

Remote desktop is a great feature but just enabeling security during communication just is not enough.

cheerz,

Tom Decaluwé


brantano November 19, 2004 (Article Rating: )

Hi,

I came across thissite while i was looking out for a solution to my problem on Remote desktop sharing. I'm able to connect Remote Machine operating on Windows XP through my server (Windows 2000 Server). But if i try to connect to another machine running on windows 2000 professional or server i am getting an error. It says that the remote desktop sharing would not have been enabled on the machine or there could be some network problem. I have been looking out for a solution since this morning and in almost every site i see i find a solution for machines based on windows xp. ie right click my computer -> properties -> Remote and then enabled allow remote access. But in windows 2000 based Operating Systems we do not have this. Does this mean that we cannot access Windows 2000 based systems with Remote Desktop connections. Has any of you come across such a problem. If so what corrective measures did u take.

It would be greatful if any of you could give your suggestions. You may mail me at ragesh_ks@yahoo.co.in

Regards

Ragesh

Anonymous User March 30, 2005 (Article Rating: )

how can unlock session remote desktop connection
in windows xp pro
when connection unlock my user form other system
and remote to other system whit no unlock active user in remote system

Anonymous User June 11, 2005 (Article Rating: )

I got your magazine because a friend recommend me to read it. He lend me some of your numbers related to security. After reading your article I have found it here in your website. I think that the configuration and tips you give are good but not enough for companies willing to rely this software.
Anyway I was wondering if it's possible to activate the remote desktop allowing external users using msdos commands and if it is possible how to avoid them or block them in case a hacker gets access to your computer shell.
Sorry for my English, but it's my second language.

Regards

Anonymous User August 03, 2005 (Article Rating: )

You must log on before posting a comment.

If you don't have a username & password, please register now.




Learning Path For an introduction to Windows 2000 Server Terminal Services:
"“Getting Started: Remote Administration”"


To disable Remote Desktop (for security purposes):
"“Access Denied: Protecting Workstations from Remote Access”"


For more information about Remote Desktop:
"“Frequently Asked Questions About Remote Desktop”"


To learn more about Remote Desktop Web Connection:
"“Installing Remote Desktop Web Connection”"

"Remote Desktop Web Connection ActiveX control"


To optimize Remote Desktop for your connection type:
"“Tuning Windows XP Remote Desktop for Network Bandwidth”"
Top Viewed ArticlesView all articles
WinInfo Short Takes: Week of November 24, 2008

An often irreverent look at some of the week's other news, including a Vista Capable dismissal request, Zune price reductions, Morrow musings, Novell and Microsoft sitting in a tree ... two years later, Yahoo!, IE 6 on Windows Mobile, and so much more ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

PsExec

This freeware utility lets you execute processes on a remote system and redirect output to the local system. ...
Security Whitepapers The Impact of Messaging and Web Threats

Why SaaS is the Right Solution for Log Management

Protecting (You and) Your Data with Exchange Server 2007
Related Events Top 10 Email Security Challenges and Solutions

Introduction to Identity Lifecycle Manager "2"

SQL Server Security: How to Secure, Monitor & Audit Your Databases

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Free Download –VS 2008 Training
Experts Ken Getz & Robert Green plus labs, code, courseware

Is Your Approach to VMware Server Recovery Outdated?
Is your data protected from server failure? Download this white paper to find the best way to back up, recover, and restore your VMware ESX Server 3.x.

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

Register for SolarWinds VM Monitor
Get X-Ray Vision into Your ESX Servers with SolarWinds FREE VM Monitor

GoGrid Offers FREE Trial for Windows Cloud Servers
Deploy Windows Server 2003 and 2008 with free load balancing through GoGrid’s award winning web-based GUI – all in less than 5 minutes

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.

How healthy is your Exchange Server? Find out Now!
Automatic Exchange Server Maintenance helps prevent disasters and improves performance. Download a FREE Exchange Server analysis tool.
You've Deployed SharePoint...Now What?
This one-day free online conference delivers the technical knowledge needed to kick MOSS up a notch. In one information-packed day, independent SharePoint experts will present practical, real-world information and provide take-away, ready-to-use solutions

Ease Your Scripting Pains with the Flexibility of PowerShell!
Paul Robichaux equips you with PowerShell basics in 3 introductory lessons, each followed by live Q&A—all on your own computer! Register today!

What Would You Do If You Ran Microsoft?
ITTV's 2008 inaugural video contest, "If I Ran Microsoft..." is your chance to tell it like it is. Be goofy or be serious, but don"t miss this chance to have fun, win prizes, and go viral in a major way.

Maximize Your SharePoint Investment
This web seminar discusses how true bi-directional replication of SharePoint content from one server to another enables branch offices to maintain access to current SharePoint content.

Rock Your Knowledge, and Compete with Friends and Colleagues!
Are you the Web Application Performance Guru in your office? It's time to have fun! Download now to access the crossword puzzle. Challenge yourself and complete this fun activity!
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing