If you're like many of your overburdened desktop administration and support peers, you've probably kept some of Windows XP's user-centric features on the distant edge of the radar screen while you focus on more important concerns. Remote Desktop is one such feature that's a low priority for many IT shops--for several reasons. Perhaps foremost, the notion of letting users connect to their desktop computers from home or other locations conjures up images of worst-case security scenarios.
If you work for an organization that doesn't permit such connectivity, you can enjoy the benefits of being able to cite company policy when you deny users' requests to connect from a remote location. The rest of us, however, will have to accommodate the ever-present fringe users whose demands flow down through upper management and force us to implement features that scare us. In this article, I'll try to allay your fears about remote connectivity by explaining what makes Remote Desktop tick and how you configure its security features. You might even find a silver lining in Remote Desktop's capabilities for remote support of user systems.
What Remote Desktop Is
Remote Desktop is essentially a single-user Terminal Services session that uses RDP to communicate with a host that runs Windows XP Professional Edition. Applications that a Remote Desktop user accesses run on the host system; only keyboard and mouse input and video output are transmitted between the host and client systems. The limited amount of transmitted data lets Remote Desktop use bandwidth efficiently and lets a session occur in a variety of connection scenarios, such as a dial-up or slow WAN link. The Remote Desktop client software--Remote Desktop Connection--runs on various Windows platforms, including XP, Windows 2000, Windows Me, Windows NT, and Windows 9x.
You can use any supported Terminal Services client to connect to a remote XP Pro host, then run productivity applications or perform support operations from the client as if you were sitting at the host system. During a Remote Desktop session, you can redirect client resources--such as file system objects, printers, ports, audio devices, and the Clipboard--as needed. For example, for a Remote Desktop connection from Computer A (your office computer) to Computer B (your home computer), assuming that redirection is enabled for all possible local resources, Computer A can access Computer B's Clipboard, disk drives, ports, and printers from within the Remote Desktop session. You can also hear on Computer B's speakers sounds that emanate from Computer A. I discuss how to enable and disable redirection of objects a bit later.
A Few Limitations
Remote Desktop has some powerful capabilities, but you need to be aware of its limitations before you dive in. First, Remote Desktop allows only one user session at a time. Thus, when you establish a Remote Desktop connection to a PC, the PC's console is locked and no one can work locally at that computer. If a local user presses Ctrl+Alt+Del to unlock the PC, your Remote Desktop session is disconnected. To establish a Remote Desktop session to a computer to which a user is currently logged on, you must either log on with that user's account or with an account that belongs to the local Administrator group on the remote host. If you use the latter account, you'll see a message notifying you that the user who is currently logged on will be logged off.
One other user-sessionrelated gotcha is that, depending on how logoff options are configured on the remote host system's Start menu, a logoff option might not be available to the Remote Desktop user. Selecting the Disconnect option from the Start menu on the host system leaves the current session open in a locked state, which isn't desirable if you're using an administrative account to perform maintenance on an end user's system. To end the session, you need to type
logoff
at a command prompt or click Start, Run and enter the Logoff command.
Establishing a Remote Desktop connection from a system that isn't on a corporate network, such as a home system, to one that's on the network requires a secure VPN connection between the two systems. If you want to allow Remote Desktop connections to external systems from those inside your corporate firewall, you'll most likely need an appropriately configured proxy server--such as Microsoft Internet Security and Acceleration Server (ISA) Server 2000--through which the system within the network can communicate with the external system.
Setting Up Remote Desktop
To use Remote Desktop in its most basic form, you must first allow access from the host system, then connect to that system from a client computer on which a supported Terminal Services client is installed. To configure the host, open the System Properties window by running the command
sysdm.cpl
at a command prompt or by right-clicking the My Computer icon and choosing Properties. Click the Remote tab and enable the Allow users to connect remotely to this computer check box. Click Select Remote Users to specify which accounts you want to let establish a Remote Desktop session to this computer. Use the syntax domainname\username to enter domain accounts. Selecting users at this point effectively adds them to the local Remote Desktop Users group; alternatively, you could add user accounts individually to the group. By default, any account that's a member of a computer's local Administrators group will have Remote Desktop access to that system after the Allow users to connect remotely to this computer check box is selected.