Subscribe to Windows IT Pro
September 28, 2004 12:00 AM

Open Up Your Remote Connections

Don't be scared of Remote Desktop—you can make it secure
Ed Roth
Windows IT Pro
InstantDoc ID #43877
Rating: (6)

XP Pro has a built-in Remote Desktop client called Remote Desktop Connection (mstsc.exe). To access the shortcut to the client, click Start, Programs, Accessories, Communications, Remote Desktop Connection. You can install the Remote Desktop Connection software on supported platforms other than XP from the XP Pro CD-ROM. The Remote Desktop Connection setup executable--msrdpcli.exe--is in the \Support\Tools folder on the XP Pro CD-ROM. Remote Desktop Connection configuration is straightforward and lets you tailor the client to suit your needs by selecting options related to performance, security, and resource redirection. (I discuss configuring the Remote Desktop security options in more detail a bit later.) To access the Remote Desktop options, click the Options button in the Remote Desktop Connection dialog box. You'll see five settings tabs, which Figure 1 shows.

After you've configured the Remote Desktop settings, click the General tab and, in the Connection settings section, click Save As to save the configuration settings. Remote Desktop saves the settings to an .rdp file that's associated with mstsc.exe. You can launch a session with your specified configuration by double-clicking the .rdp file. After you launch the client, you can log on to the host computer as if you were on a local system and operate the host as if you were at its console. You can use the session in full-screen mode, scale its window, or minimize it while you work on your local computer.

Microsoft provides a Web-enabled version of the Remote Desktop client called Remote Desktop Web Connection, which lets you connect to remote computers through a Web browser. The Web version of the client can simplify deployment of Remote Desktop for organizations with diverse client platforms and provides a simple solution for roaming users and users of extranet applications. For information about configuring Remote Desktop Web Connection on a Windows Server 2003 or XP Pro system, see the Microsoft documentation, "Installing Remote Desktop Web Connection," at http://www.microsoft.com/resources/documentation/windows/xp/all/reskit/en-us/default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/pree_rem_bgek.asp. You can download the Remote Desktop Web Connection ActiveX control and sample pages for hosting Terminal Services client connections from a Windows system running Microsoft Internet Information Server (IIS) 4.0 or later at http://www.microsoft.com/downloads/details.aspx?familyid=e2ff8fb5-97ff-47bc-bacc-92283b52b310&displaylang=en.

Security Measures
Given the ease with which Remote Desktop lets you access systems, you might wonder how you can tighten the security of remote connections. You can configure settings through local or domain Group Policy that provide a more secure Remote Desktop implementation by enabling these security practices:

  • Require the maximum allowable encryption level.
  • Require password authentication at logon.
  • Disable file redirection.
  • Disable printer redirection.
  • Disable Clipboard sharing.

Current Remote Desktop clients, such as the one included in XP Pro, let you encrypt session data by using a 128-bit encryption scheme, but some legacy Windows clients don't support 128-bit encryption. To control the encryption level, open Group Policy Editor (GPE); navigate to Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Encryption and Security; and select Set client connection encryption level. You can choose one of two settings: Client Compatible, which forces the highest level of encryption that's compatible with your clients, or High Level, which disallows connections for devices that don't support 128-bit encryption. In GPE's Encryption and Security branch, you'll also find the setting to require password authentication at logon--Always prompt client for password upon connection. When it's enabled, this setting nullifies the use of saved passwords on the client side, which plugs an obvious security hole.

You can also disable file and printer redirection and Clipboard sharing through the Group Policy settings for Do not allow drive redirection (which disables file redirection), Do not allow client printer redirection, and Do not allow clipboard redirection. To do so, open GPE, and navigate to Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Client/Server data redirection. You'll see a window similar to the one that Figure 2 shows. Settings that you configure through Group Policy override any options that are configured in the Remote Desktop Connection dialog box.

A poorly documented Group Policy setting, Do not allow new client connections, lets you enable or disable Remote Desktop hosting capabilities on multiple computers. To find this setting, open GPE and navigate to Computer Configuration, Administrative Templates, Windows Components, Terminal Services. Although the setting's name seems to imply that it lets you enable or disable multiple concurrent client connections, setting the value to Disabled actually enables Remote Desktop. Conversely, setting the value to Enabled disables Remote Desktop on machines to which the setting is applied.

If You Allow Remote Desktop, Secure It
Remote Desktop can be a useful tool in the hands of knowledgeable users. It can also be a security threat if you don't take the proper security precautions. To ensure that Remote Desktop doesn't create security vulnerabilities, use Group Policy when you configure the feature to control what your users can and can't do through a remote connection. Additionally, ensure that systems that are configured to allow Remote Desktop are behind a firewall, and enforce strong passwords for user accounts that have Remote Desktop access.

Project Snapshot: How to
PROBLEM: Set up Remote Desktop and ensure that it's secure.
WHAT YOU NEED: Host PC that runs Windows XP Professional Edition, remote client that runs Windows XP/2000/Me/NT/9x
DIFFICULTY: 2.5 of 5
PROJECT STEPS:
1.Configure the Remote Desktop host.
2.Install Remote Desktop Connection on the client; save client configuration settings.
3.Secure Remote Desktop by using local or domain Group Policy settings.

Learning Path
WINDOWS IT PRO RESOURCES
For an introduction to Windows 2000 Server Terminal Services:
"Getting Started: Remote Administration," InstantDoc ID 39962

To disable Remote Desktop (for security purposes):
"Access Denied: Protecting Workstations from Remote Access,"
http://www.windowsitpro.com/articles/index.cfm?articleid=27379

MICROSOFT RESOURCES
For more information about Remote Desktop:
"Frequently Asked Questions About Remote Desktop"
http://www.microsoft.com/windowsxp/remotedesktop/faq.asp

To optimize Remote Desktop for your connection type:
"Tuning Windows XP Remote Desktop for Network Bandwidth"
http://www.microsoft.com/windowsxp/expertzone/columns/russel/august27.asp

To learn more about Remote Desktop Web Connection:
"Installing Remote Desktop Web Connection"
http://www.microsoft.com/resources/documentation/windows/xp/all/reskit/en-us/default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/pree_rem_bgek.asp

Remote Desktop Web Connection ActiveX control
http://www.microsoft.com/downloads/details.aspx?familyid=e2ff8fb5-97ff-47bc-bacc-92283b52b310&displaylang=en

Related Content:

ARTICLE TOOLS

Comments
Add A Comment
  • Anonymous User
    7 years ago
    Aug 03, 2005

    I got your magazine because a friend recommend me to read it. He lend me some of your numbers related to security. After reading your article I have found it here in your website. I think that the configuration and tips you give are good but not enough for companies willing to rely this software.
    Anyway I was wondering if it's possible to activate the remote desktop allowing external users using msdos commands and if it is possible how to avoid them or block them in case a hacker gets access to your computer shell.
    Sorry for my English, but it's my second language.

    Regards

  • Anonymous User
    7 years ago
    Jun 11, 2005

    how can unlock session remote desktop connection
    in windows xp pro
    when connection unlock my user form other system
    and remote to other system whit no unlock active user in remote system

  • Anonymous User
    7 years ago
    Mar 30, 2005

    Hi,

    I came across thissite while i was looking out for a solution to my problem on Remote desktop sharing. I'm able to connect Remote Machine operating on Windows XP through my server (Windows 2000 Server). But if i try to connect to another machine running on windows 2000 professional or server i am getting an error. It says that the remote desktop sharing would not have been enabled on the machine or there could be some network problem. I have been looking out for a solution since this morning and in almost every site i see i find a solution for machines based on windows xp. ie right click my computer -> properties -> Remote and then enabled allow remote access. But in windows 2000 based Operating Systems we do not have this. Does this mean that we cannot access Windows 2000 based systems with Remote Desktop connections. Has any of you come across such a problem. If so what corrective measures did u take.

    It would be greatful if any of you could give your suggestions. You may mail me at ragesh_ks@yahoo.co.in

    Regards

    Ragesh

  • Kris
    8 years ago
    Nov 19, 2004

    I must agree that there is a lot more out there before i would feel i have a secure Terminal services / remote desktop connections.

    At a minimum i would have expected a mention of changing the default port in key: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\"PORT > 3389"

    and the security policy
    computer configuration > windows settings>security settings > local policies > security options > "Interactive logon: do not display last user name"

    If you don't disable this any happy passer connecting to RDP will have half the entrance key to your system as your ar happely giving it to him.

    Remote desktop is a great feature but just enabeling security during communication just is not enough.

    cheerz,

    Tom Decaluwé

  • fil@pobox.com
    8 years ago
    Oct 26, 2004

    Summary indicated it covered security - there is no mention of how to secure behind the firewall, other than allowing direct access via a public IP. Expected much more.

You must log on before posting a comment.

Are you a new visitor? Register Here

advertisement

advertisement

Dev Pro Left-Brain SharePoint Pro SQL Server Pro SuperSite for Windows Windows IT Pro

© 2012 Penton Media, Inc.

Home About Us Advertise Customer Service Privacy Statement Subscribe/Renew Terms Of Use

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.