Using Remote Desktop Access

Windows NT Server 4.0 introduced the Terminal Services capability that allows Windows Server to host multiple virtual terminal sessions, accessed by remote clients able to run on downlevel (earlier) versions of the Windows operating system. Applications running within each virtual terminal session operate on the server system; the mouse and keyboard of the client system provides input to the server while the video output is routed back to the client.

Starting with Windows Server 2000, Terminal Services was implemented in two versions: application mode could be configured to allow multiple client systems to access a virtual terminal running under a licensed Terminal Services session, whereas a limited-access version of the Terminal Services connectivity could be used by up to two concurrent users for the purposes of remote administration. This administrative mode did not require a Terminal Services Licensing server to function, and was loaded within the Add/Remove Programs wizard after server setup.

In Windows XP, Microsoft introduced a client-accessible version called the Remote Desktop. This is a single-user modified version of the Terminal Services capability, enabling a user to connect to an existing console session on a remote Windows XP system.

Windows Server 2003 introduces a more refined version of the Remote Desktop capability, merging enhancements from the Windows XP Remote Desktop Protocol (version 5.1) into the multiple-terminal capability of the full Terminal Services server. The new implementation of the Remote Desktop Protocol (version 5.2) adds a number of new options, such as

• Color depth ” The ability to control the color depth of the video output to optimize operation based on available bandwidth

• Audio redirection ” The ability to bring audio output from the RDP session on the server to the client system

• Console connection ” The ability to connect to the current console session, rather than a Terminal Services virtual session

• Local resource access ” The ability of an RDP user to access local client-system resources, such as printers and drives from within the Remote Desktop session, as shown in Figure 3.20

  Figure 3.20. An example of local drives from the client system (TANTALUS) being made accessible to an existing Remote Desktop connection.

  

Terminal Services

Microsoft makes use of several components running on the Terminal Services host server to manage remote access, including

• Remote Desktop for Administration ” This replaces Terminal Services running in Remote Administration mode. It's installed by default on all Windows Server 2003 products, although connections cannot be established until Remote Access has been enabled.

• Terminal Server ” This service provides virtual terminal access for Windows-based and non “Windows-based clients using the Remote Desktop Protocol (RDP). This mode is not available on Windows Server 2003, Web Edition.

• Terminal Server Session Directory ” This service enables a client to reconnect to a disconnected session running within a Terminal Services server farm. In previous versions of Microsoft Terminal Services, clients who experienced a loss of connectivity with a server farm would most often connect to an entirely new TS session when reconnecting, losing access to pending work from the previously established session and in some configurations, tying up a new connection license.

Terminal Services connections are accomplished using the standard RDP port (3389) and are created using an encrypted session to avoid passing clear text information across an unsecured network. This improves security of all proper communications, while also creating a potential reduction in security due to the encrypted console connectivity. Someone seeking unauthorized access can create Remote Desktop/Terminal Server “encrypted connections and use brute-force hacking techniques over the encrypted connection, preventing intrusion detection services (IDSs) from noticing the attack. If you're going to use these services, it's important to enact strong password and account lockout policies to maintain security and prevent this type of attack from being successful.

Microsoft has also included many new remote access options within the MMC snap-in utilities, as well as many policy settings. One security policy setting you might have noticed in Chapter 2 is Allow Login to Terminal Services Only, which restricts users to Remote Desktop connections only, rather than the Log on Locally permission that was mandated in Windows Server 2000 implementations .

Remote Desktop Connections

Clients can connect to a Microsoft Windows Server 2003 Terminal Server or Remote Desktop for Administration connection using the Remote Desktop client, shown in Figure 3.21, which is familiar to anyone who has used the interface between Windows XP systems.

By expanding the Options button on the RDC, it's possible to configure the connection's settings and then save the RDC settings as a shortcut that can be easily used by clients to open the preconfigured session, as shown in Figure 3.22.

In addition to the single-console RDC ( mstsc.exe ), Windows Server 2003 also includes the multi-connection Remote Desktops MMC snap-in utility (refer to Figure 3.1), as well as an ActiveX Web-based connection utility that can be used to open a Terminal Services connection using Internet Explorer, as shown in Figure 3.23.

The Remote Desktop Web Connection component is not installed by default, but can be added through the Add/Remove Programs Wizard, where it is a subcomponent of the IIS installation option. After it's installed, the client can be accessed at http:// <ServerName> /TSWeb/ .

Microsoft has also provided an add-in to the Active Directory Users and Computers MMC snap-in that extends the Remote Control functionality to this administration utility, as shown in Figure 3.24. This additional component can be downloaded at the following Web site: http://www.microsoft.com/downloads/details.aspx?FamilyID=0a91d2e7-7594-4abb-8239-7a7eca6a6cb1&DisplayLang=en.

Allowing Remote Connections

Before any remote terminal sessions can be created, it's first necessary to allow users to connect remotely to your computer, which is accomplished on the Remote tab of a server's System Properties dialog box, as shown in Figure 3.25.

User accounts must be granted the proper permissions to connect via Remote Access, which can be accomplished by inheritance from membership in the Remote Desktop Users group. Additional Terminal Server settings can be configured within the Active Directory Users and Computers MMC snap-in for a user or group, through the RDP's advanced options (see Figure 3.26), through Group Policy settings (see Figure 3.27), and within the Terminal Server Configuration MMC snap-in (see Figure 3.28).

Data encryption options for each connection can be configured at the client as well as at the host server, with the server's settings winning in case of conflict. The FIPS Compliant option provides connection encryption using the Federal Information Processing Standard (FIPS).

Configuring Terminal Services

When Terminal Services will be used in Application mode, it is necessary to install the Terminal Services Configuration utility (see Figure 3.29) from within the Add/Remove Programs Wizard. The Terminal Services Licensing service (see Figure 3.30) can also be installed here if this server will be used to provide licensing for servers running the Terminal Services service within your enterprise, forest, or domain.

After installation of the Terminal Services Configuration MMC snap-in, you can configure the properties of each connection available on a host server running the Terminal Server service. To utilize the licensing capability of a Terminal Services Licensing server, the server must first be activated within the Terminal Services Licensing MMC snap-in by right-clicking the target server and selecting Activate Server. Activation can be accomplished automatically, via HTTP connection, or by telephone.

Connections that are not associated with Terminal Server licenses, such as those used for remote administration, will be displayed within the Temporary Licensing node of the Terminal Server Licensing MMC snap-in. When licenses are added, the type and quantity of each set of licenses must be provided (see Figure 3.31) along with the appropriate licensing key.

When Terminal Server Licensing problems arise, it is possible to easily diagnose the current license allocation within this MMC snap-in as well.