Enable users to connect to the remote computer running Windows XP Professional.
Set up your client computer.
Install Remote Desktop Connection software on your client computer.
Install Remote Desktop Web Connection (if your Windows-based client is not running Windows XP Professional).
Enabling Remote Desktop in Windows XP Professional
When you install Windows XP Professional, Remote Desktop is disabled by default. You need to enable Remote Desktop before you can use it to connect to the computer remotely.
To enable Remote Desktop
Log on to your Windows XP Professional based computer as an Administrator.
Click Start, right-click My Computer, and then click Properties.
In the System Properties sheet, click the Remote tab.
Select the Allow users to connect remotely to this computer check box.
Note
You must be logged on as an Administrator (or be a member of an Administrators group) to enable Remote Desktop.
Enabling Users to Connect to the Computer Running Windows XP Professional
To remotely access your Windows XP Professional based computer by means of Remote Desktop, you need to be a member of the Administrators group or of the Remote Desktop Users group. At your Windows XP Professional based computer, you can add users to the Remote Desktop Users group.
To add users to the Remote Desktop Users group
Log on to your Windows XP Professional based computer as an Administrator.
Click Start, right-click My Computer, and then click Properties.
In the System Properties sheet, click the Remote tab.
Click Select Remote Users.
In the Remote Desktop Users dialog box, click Add.
In the Select Users dialog box (shown in Figure 8-2), type the user name(s) you want to add, or click Advanced to search for objects.
Figure 8-2: Adding users to the Remote Desktop Users group
Click OK.
The names of the selected users appear in the Remote Desktop Users dialog box.
Installing Client Software
To set up your computer as a Remote Desktop client, you need to install Remote Desktop Connection (or Terminal Services Client). A web-based version of the client software, Remote Desktop Web Connection, may also be installed on the client computer. Also, your computer must be able to connect to the remote computer by means of a local area network (LAN), wide area network (WAN), dial-up, or Internet connection.
Note
Terminal Services clients use TCP port 3389 to communicate with the remote computer.
Table 8-1 lists Windows operating systems and the corresponding client software that is required for deploying Remote Desktop.
Table 8-1: Client Software Versions for Various Operating Systems
Install from the Windows XP Professional operating system CD.
Microsoft Windows 2000 Server
Terminal Services Client
(installed by default if Terminal Services is installed.)
Start/Programs/Terminal Services Client
Recommended: Install the latest version of Remote Desktop Connection from the Windows XP Professional operating system CD.
Windows 95 and Windows 98
Remote Desktop Connection
(installed by the user)
Install from the Windows XP Professional operating system CD.
Windows NT 4.0
Remote Desktop Connection
(installed by the user)
Install from the Windows XP Professional operating system CD.
Installing Remote Desktop Connection
For a client computer that is running Windows 95, Windows 98, Windows NT 4.0, or Windows 2000 Professional, you need to install Remote Desktop Connection from your Windows XP Professional operating system CD.
To install Remote Desktop Connection on computers running Windows 95, Windows 98, Windows NT 4.0, Windows 2000 Server or Windows 2000 Professional
Insert the Windows XP Professional operating system CD into your CD ROM drive.
From the Start page, click Perform Additional Tasks, and then click Set up Remote Desktop Connection.
In the Remote Desktop Connection-InstallShield Wizard, follow instructions until installation is complete.
Installing Remote Desktop Web Connection
Remote Desktop Web Connection is a Web application that consists of an ActiveX control, sample ASP pages, and HTML pages. When Remote Desktop Web Connection is deployed on a Web server, it allows users to connect to a Windows XP Professional based computer by using Internet Explorer, even if Remote Desktop Connection or Terminal Services Client software is not installed on the computer from which the user is connecting.
Remote Desktop Web Connection is an optional World Wide Web service component of Internet Information Services (IIS), which is included in Windows XP Professional. Remote Desktop Web Connection must be installed by using Add or Remove Programs. For more information about installing Remote Desktop Web Connection on a Web server, see Remote Desktop in Windows XP Professional Help and Support Center.
When you install Remote Desktop Web Connection, the files are copied by default to the %systemroot%\Web\Tsweb directory of your Web server. You can use the included sample (Default.htm and Connect.asp) pages, or modify them to meet the needs of your application.
Remote Desktop Web Connection requires that the client computer have a TCP/IP connection to the Internet or a network, and run Microsoft Internet Explorer version 4.0 or later.
Note
Terminal Services clients use TCP port 3389 to communicate with the remote computer.
When a user accesses a Web page on the IIS server that contains the embedded Remote Desktop Web Connection ActiveX Client control, this control is downloaded to the client computer, and is stored in the default location for downloaded controls in Internet Explorer. The default connection page appears on the client computer, asking the user for server (name or IP address of the remote computer) and user information. The Remote Desktop session opens in the Web page. Depending on the parameters passed and the settings of the remote computer, the Windows logon screen might appear.
Figure 8-3 illustrates the processes for downloading and using the Remote Desktop Web Connection client.
Figure 8-3: Downloading and using Remote Desktop Web Connection client
Note
Although the IIS server must download the ActiveX control to the client computer, the IIS server does not connect to the Windows XP Professional-based remote computer at any time when you use Remote Desktop Web Connection. The client computer must connect to the remote computer over a TCP/IP connection.
Establishing a Remote Desktop Session
After installing the appropriate client software on the client computer, you can connect to the remote computer. The following discussion includes tips for using Remote Desktop components, keyboard shortcuts you can use during a Remote Desktop session, information about security enhancement using encryption levels, and configuring of Remote Desktop using group policies.
You can establish a session with the Windows XP Professional based computer by using one of the following:
Remote Desktop Connection
Remote Desktop Web Connection
Using Remote Desktop Connection
To create a new connection by using Remote Desktop Connection
Click Start, point to Programs, point to Accessories, and then point to Communications.
Click Remote Desktop Connection.
In the Remote Desktop Connection dialog box, in the Computer box, type the name or IP address of a computer running Windows XP Professional for which you have Remote Desktop permissions.
Click Connect.
In the Log On to Windows dialog box, type your user name, password, and domain (if required), and then click OK.
In Remote Desktop Connection, you can pre-configure your Remote Desktop sessions.
If you want all of your Remote Desktop sessions to respond exactly the same each time you establish a session, click the Options button, pre-configure the desired settings and click Save As under Connection Settings as seen in Figure 8.4. Enter filename and click Save. Each time you want to open that session, click Open, and then double-click filename.
If your video adapter does not support higher resolutions, you can set the display size of the Remote Desktop session to fit your display configuration. On the Display tab, move the Remote desktop size slider. Select the resolution that best fits your needs, and then click Connect.
If you need to print information or check disk status from your Remote Desktop session, you can have the remote computer automatically connect to your computer s disk drives or printers. On the Local Resources tab, in Local devices, click Disk drives or Printers, and then click and Connect.
Figure 8-4 illustrates the client logon interface and Table 8-2 lists the features for the interface.
Figure 8-4: Remote Desktop Connection interface
Note
Configurations on the client logon interface are local policy settings; they can be overridden by Group Policy settings.
Table 8-2: Features Available on the Remote Desktop Connection Logon Interface
Tab
Settings to Configure
Notes
General
Enter or change logon and connection settings
Enter remote computer name, network user name, and network domain.
Selecting I ll provide my password at connection time allows you to enter the password at connection time and stores it on the local computer. You must also enter your network password to access the session.
Saving connection settings allows you to use a configuration throughout an enterprise.
Display
Change Remote desktop size (resolution) and colors
Selectable session resolution and color depth allow you to adjust for specific needs.
Local Resources
Control sound, keyboard, and local devices
Enabling sounds at the client computer enhances the session.
Applying Windows key combinations within the Remote Desktop session enhances the session.
Allowing the session to control local devices automatically boosts productivity.
Programs
Start a program and change an icon
Setting the session to start a specific program upon connection can improve efficiency (available only for terminal server sessions).
Experience
Set bitmap caching and compression
Allowing certain features in this tab will provide a richer visual experience at higher bandwidths.
Using Remote Desktop Web Connection
In order to use Remote Desktop Web Connection, you need to ensure that it is installed and running on the Web server. Your client computer must also have an active network connection and Internet Explorer version 4.0 or later installed.
To connect to a remote computer by using Remote Desktop Web Connection
On your client computer, open Internet Explorer.
In the Address box, type the Uniform Resource Locator (URL) for the home directory of the Web server hosting Remote Desktop Web Connection. The URL is http:// followed by the Windows Networking name of your server, followed by the path of the directory containing the Remote Desktop Web Connection files (default = /Tsweb/. Note the forward slash marks). For example, if your Web site is registered with the DNS server as Admin1 , in the Address box you type: http://admin1//tsweb/, and then pressENTER.
From the Remote Desktop Web Connection page, in the Server box, type the name of the remote computer to which you want to connect.
You can specify the screen size and logon information for your connection.
Click Connect.
Keyboard Shortcuts in a Remote Desktop Session
You can apply Windows key combinations to your Remote Desktop sessions, or you can use the following Remote Desktop keyboard shortcuts (shown in Table 8.3) to perform many of the same functions.
Table 8-3: Keyboard Shortcuts in a Remote Desktop Session
Windows Key Combinations for Client Computer
Equivalent Keys for Remote Desktop Session
Description
ALT+TAB
ALT+PAGE UP
Switches between programs from left to right.
ALT+SHIFT+TAB
ALT+PAGE DOWN
Switches between programs from right to left.
ALT+ESC
ALT+INSERT
Cycles through the programs in the order they were started.
CTRL+ESC
Switches the client between a window and full screen.
CTRL+ESC
ALT+HOME
Displays the Start menu.
ALT+DELETE
Displays the Windows menu.
PRINT SCREEN
CTRL+ALT+MINU S ( ) symbol on the numeric keypad
Places a snapshot of the active window in the Remote Desktop session on the clipboard.
CTRL+ALT+DEL
CTRL+ALT+END
Displays the Task Manager or Windows Security dialog box. (Only use CTRL+ALT+END to issue this command. CTRL+ALT+DEL is always interpreted by the client computer.)
ALT+PRINT SCREEN
CTRL+ALT+PLUS (+) symbol on the numeric keypad
Places a snapshot of the entire Remote Desktop session window on the clipboard.
Security and Encryption in Remote Desktop
You can enhance the security of a Remote Desktop session by using any or all of these methods:
Setting encryption levels to secure data communications between client and remote computer host.
Enabling password authentication of users at logon time.
Disabling clipboard sharing for Web-based clients.
Disabling printer redirection for Web-based clients.
Disabling file redirection for Web-based clients.
These five security-enhancing methods, discussed in the following sections, use Group Policy settings. For more information about using Group Policy with Remote Desktop, see Using Group Policy with Remote Desktop later in this chapter.
Setting Encryption Levels
Data encryption can protect your data by encrypting it on the communications link between the client and the Windows XP Professional based computer. Encryption protects against the risk of unauthorized interception of transmitted data. By default, Remote Desktop sessions are encrypted at the highest level of security available (128-bit). However, some older versions of Terminal Services client software do not support this high level of encryption. If your network contains such legacy clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.
There are two levels of encryption available.
High. The High level encrypts data sent from client to remote computer and from remote computer to client, by using strong 128-bit encryption. Use this level only if you are sure that your client computer supports 128-bit encryption (for example, if it is running Windows XP Professional). Clients that do not support this level of encryption will not be able to connect.
Client Compatible. The Client Compatible level encrypts data sent between the client and the remote computer at the maximum key strength supported by the client. Use this level if your client computer does not support 128-bit encryption.
You can set the encryption level of the connection between the client and the remote computer by enabling the Set client connection encryption level Properties Terminal Services Group Policy setting.
Enabling Password Authentication at Logon Time
In order to enhance security of a Remote Desktop session over the Internet, you might want to prevent automatic password passing. To do this, you can enable the Always prompt client for password Terminal Services Group Policy setting. When this setting is enabled, you must supply your password in the Windows Logon dialog box whenever you start a Remote Desktop session.
Disabling Clipboard Redirection
For enhanced security, you might choose to disable Remote Desktop clipboard redirection for clients that connect via the Remote Desktop Web Client. You can disable clipboard redirection by using the Do not allow clipboard redirection Terminal Services Group Policy.
Disabling Printer Redirection
For enhanced security, you might choose to disable the printer redirection feature for clients that connect via the Remote Desktop Web Connection Client Control. You can disable printer redirection by using the Do not allow printer redirection Terminal Services Group Policy.
Disabling File Redirection
For enhanced security, you might choose to disable the file redirection feature for clients that connect via the Remote Desktop Web Connection Client Control. You can disable file redirection using the Do not allow drive redirection Terminal Services Group Policy.
Using Group Policy with Remote Desktop
In Windows XP Professional, you can use Group Policy to configure Remote Desktop connection settings, set user policy, and manage Remote Desktop sessions. You can enable Group Policy for users of a computer, for individual computers, or for groups of computers belonging to an organizational unit of a domain. To set policy for users of a particular computer, you must be an Administrator for that computer or have equivalent rights. To set policies for an organizational unit in a domain, you must be an Administrator for that domain or have equivalent rights.
Enabling Group Policy on an Individual Computer
To set Terminal Services policies settings for a particular computer or for users of that computer, open the Group Policy snap-in to edit the Local Group Policy snap-in.
The Terminal Services group policies are not configured by default. You can configure each Group Policy to be either disabled or enabled.
To access Terminal Services Group Policy
From the Start menu, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, click Group Policy, click Add, and then click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
In the console pane, double-click Computer Configuration, click Administrative Templates, click Windows Components and then click Terminal Services.
Terminal Services Group Policies are organized individually and in folders. Table 8-4 lists Terminal Services folders, group policies, and functions.
Table 8-4: Group Policy Settings That Affect Remote Desktop
Folder
Group Policy
Function
Terminal Services
Allow Screen Saver
Allows display of a screen saver in a Remote Desktop session.
Set maximum color depth
Sets a limit on the color depth of any connection to a terminal server or Remote Desktop.
Client/Server data redirection
Do not allow clipboard redirection
Disables sharing of clipboard contents.
Do not allow audio redirection
Prevents users from playing the remote computer audio at the local computer during a Remote Desktop session.
Do not allow drive redirection
Disables mapping of client drives in Remote Desktop sessions.
Do not allow COM port redirection
Disables redirection of data from the remote computer to client COM ports during the Remote Desktop session.
Do not allow client printer redirection
Disables mapping of client printers in Remote Desktop sessions.
Do not allow LPT port redirection
Disables redirection of data from the remote computer to client LPT ports during the Remote Desktop session.
Map client printers
Directs Terminal Services to map client printers and display them in the user s printer list during Remote Desktop sessions.
Set default client printer to be default printer in a session
Directs Terminal Services to automatically specify the client printer as the default printer in the Remote Desktop session.
Encryption and Security
Always prompt client for password upon connection
Directs Terminal Services to always prompt users for passwords at logon.
Set client connection encryption level
Directs Terminal Services to enforce the specified encryption level for all data sent between the client and the remote computer during Terminal Services connections.
