XP Pro has a built-in Remote Desktop client called Remote Desktop Connection (mstsc.exe). To access the shortcut to the client, click Start, Programs, Accessories, Communications, Remote Desktop Connection. You can install the Remote Desktop Connection software on supported platforms other than XP from the XP Pro CD-ROM. The Remote Desktop Connection setup executable--msrdpcli.exe--is in the \Support\Tools folder on the XP Pro CD-ROM. Remote Desktop Connection configuration is straightforward and lets you tailor the client to suit your needs by selecting options related to performance, security, and resource redirection. (I discuss configuring the Remote Desktop security options in more detail a bit later.) To access the Remote Desktop options, click the Options button in the Remote Desktop Connection dialog box. You'll see five settings tabs, which Figure 1 shows.
After you've configured the Remote Desktop settings, click the General tab and, in the Connection settings section, click Save As to save the configuration settings. Remote Desktop saves the settings to an .rdp file that's associated with mstsc.exe. You can launch a session with your specified configuration by double-clicking the .rdp file. After you launch the client, you can log on to the host computer as if you were on a local system and operate the host as if you were at its console. You can use the session in full-screen mode, scale its window, or minimize it while you work on your local computer.
Microsoft provides a Web-enabled version of the Remote Desktop client called Remote Desktop Web Connection, which lets you connect to remote computers through a Web browser. The Web version of the client can simplify deployment of Remote Desktop for organizations with diverse client platforms and provides a simple solution for roaming users and users of extranet applications. For information about configuring Remote Desktop Web Connection on a Windows Server 2003 or XP Pro system, see the Microsoft documentation, "Installing Remote Desktop Web Connection," at http://www.microsoft.com/resources/documentation/windows/xp/all/reskit/en-us/default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/pree_rem_bgek.asp. You can download the Remote Desktop Web Connection ActiveX control and sample pages for hosting Terminal Services client connections from a Windows system running Microsoft Internet Information Server (IIS) 4.0 or later at http://www.microsoft.com/downloads/details.aspx?familyid=e2ff8fb5-97ff-47bc-bacc-92283b52b310&displaylang=en.
Security Measures
Given the ease with which Remote Desktop lets you access systems, you might wonder how you can tighten the security of remote connections. You can configure settings through local or domain Group Policy that provide a more secure Remote Desktop implementation by enabling these security practices:
- Require the maximum allowable encryption level.
- Require password authentication at logon.
- Disable file redirection.
- Disable printer redirection.
- Disable Clipboard sharing.
Current Remote Desktop clients, such as the one included in XP Pro, let you encrypt session data by using a 128-bit encryption scheme, but some legacy Windows clients don't support 128-bit encryption. To control the encryption level, open Group Policy Editor (GPE); navigate to Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Encryption and Security; and select Set client connection encryption level. You can choose one of two settings: Client Compatible, which forces the highest level of encryption that's compatible with your clients, or High Level, which disallows connections for devices that don't support 128-bit encryption. In GPE's Encryption and Security branch, you'll also find the setting to require password authentication at logon--Always prompt client for password upon connection. When it's enabled, this setting nullifies the use of saved passwords on the client side, which plugs an obvious security hole.
You can also disable file and printer redirection and Clipboard sharing through the Group Policy settings for Do not allow drive redirection (which disables file redirection), Do not allow client printer redirection, and Do not allow clipboard redirection. To do so, open GPE, and navigate to Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Client/Server data redirection. You'll see a window similar to the one that Figure 2 shows. Settings that you configure through Group Policy override any options that are configured in the Remote Desktop Connection dialog box.
A poorly documented Group Policy setting, Do not allow new client connections, lets you enable or disable Remote Desktop hosting capabilities on multiple computers. To find this setting, open GPE and navigate to Computer Configuration, Administrative Templates, Windows Components, Terminal Services. Although the setting's name seems to imply that it lets you enable or disable multiple concurrent client connections, setting the value to Disabled actually enables Remote Desktop. Conversely, setting the value to Enabled disables Remote Desktop on machines to which the setting is applied.
If You Allow Remote Desktop, Secure It
Remote Desktop can be a useful tool in the hands of knowledgeable users. It can also be a security threat if you don't take the proper security precautions. To ensure that Remote Desktop doesn't create security vulnerabilities, use Group Policy when you configure the feature to control what your users can and can't do through a remote connection. Additionally, ensure that systems that are configured to allow Remote Desktop are behind a firewall, and enforce strong passwords for user accounts that have Remote Desktop access.
End of Article
)
)
)
)
Register
fil@pobox.com October 26, 2004 (Article Rating: