Planning Secure Remote Administration Methods


One of the features that Microsoft has been slowly developing since Windows 2000 first appeared is built-in remote administrative capability. No longer do you have to purchase and install a costly third-party application to provide remote administrative access to your servers and workstations; Windows XP and Windows Server 2003 support it natively, as does the Windows 2000 Server line after you install Terminal Services in Remote Administration mode. Better yet, Windows XP and Windows Server 2003 also include Remote Desktop, which uses the Remote Desktop Protocol (RDP) to let users connect to a computer remotely as if they were sitting at it.

In this section, we examine two key parts of the Terminal Services/Remote Desktop Protocol combination: Remote Assistance and Remote Desktop for Administration. Both are installed by default with Windows Server 2003; however, both are off by default and must be manually enabled and configured before use.

Remote Assistance

Plan secure network administration methods.

  • Create a plan to offer Remote Assistance to client computers.

Remote Assistance, first introduced in Windows XP, provides a built-in mechanism allowing an "Expert" to lend assistance to a "Novice," whether by request or not. The Expert can be located on the same internal network or even somewhere else on the Internet. Remote Assistance allows the Expert to create a connection to the Novice's computer, view the desktop, communicate with the Novice, and even take remote control of the Novice's computer if the Novice allows it. Remote Assistance can be performed only on computers running Windows XP or Windows Server 2003, a good reason to consider that desktop upgrade to Windows XP. Before a computer is eligible to receive Remote Assistance, however, it must be enabled either locally or by Group Policy.

Assuming that Group Policy has not been configured from its default setting for Remote Assistance, you can enable it on the local computer by selecting the Allow Remote Assistance Invitations to Be Sent from This Computer option on the Remote tab of the System Properties applet (located in the Control Panel), as shown in Figure 7.1.

Figure 7.1. Remote Assistance must be enabled and configured before it can be used.

Clicking the Advanced button opens the Remote Assistance Settings dialog box, which allows you to further configure Remote Assistance settings. From this dialog box, you have the option to allow the computer to be remotely controlled during the Remote Assistance session; to do so, select the Allow This Computer to Be Controlled Remotely option. You can also configure the length of time that the Remote Assistance requests are valid.

EXAM TIP

Enabling Remote Assistance Be sure that you know and understand the two different ways that Remote Assistance can be enabled and configured.


Alternatively, you can configure Group Policy to control the Remote Assistance settings for your entire domain or for specific sites, domains, or organizational units. The settings you need to configure are located in the Computer Configuration, Administrative Templates, System, Remote Assistance node, as shown in Figure 7.2. If settings are configured via Group Policy, the option to configure them locally using the System Properties applet is grayed out. Recall that Group Policy is applied in the following order: local, site, domain, Organizational Unit, so an OU-linked GPO wins over a domain-linked one for the same setting.

Figure 7.2. Remote Assistance can be configured using Group Policy.

The Solicited Remote Assistance setting shown in Figure 7.2 allows Remote Assistance requests to be sent from the computers that the Group Policy Object (GPO) is applied to. The Offer Remote Assistance setting shown in Figure 7.2 allows Remote Assistance to be offered without a prior request to computers that the GPO is applied to. The user (Novice) still has the option to allow or disallow the Remote Assistance offer.

Configuring Remote Assistance Policies

To configure Remote Assistance policies using Group Policy (always the preferred method), perform the steps outlined in Step by Step 7.1.

STEP BY STEP

7.1 Configuring Remote Assistance via Group Policy

  1. Locate the Group Policy Object for which you want to configure the Remote Assistance settings.

  2. Expand the following nodes: Computer Configuration, Administrative Templates, System, Remote Assistance.

  3. Double-click the Solicited Remote Assistance setting to open its Properties dialog box, as shown in Figure 7.3.

    Figure 7.3. The Solicited Remote Assistance setting allows the computer's users to request Remote Assistance.

  4. Select the Enabled radio button.

  5. For the Permit Remote Control of This Computer option, select Allow Helpers to Remotely Control the Computer to ensure that your Experts can fully offer Remote Assistance as needed. The Expert can take control only if the Novice allows it.

  6. For the Maximum Ticket Time option, configure a reasonable lifetime for the Remote Assistance request, such as one hour. This setting gives the Expert a window in which to respond to the request without leaving a connectable ticket lying around any longer than necessary.

  7. For the Select the Method for Sending E-mail Invitations option, your selection depends on the messaging client in use on your network. The Mailto option configures the Remote Assistance request to be sent as an Internet link and works in virtually all situations. The SMAPI (Simple MAPI) option configures the request to be attached to the message.

  8. Click OK to close the Solicited Remote Assistance Properties dialog box.

  9. Double-click the Offer Remote Assistance setting to open its Properties dialog box, as shown in Figure 7.4.

    Figure 7.4. The Offer Remote Assistance setting allows Experts to offer unsolicited Remote Assistance to users.

  10. To allow Experts to offer unsolicited Remote Assistance to users, select the Enabled radio button.

  11. For the Permit Remote Control of This Computer option, select Allow Helpers to Remotely Control the Computer to ensure that your Experts can fully offer Remote Assistance as needed. The Expert can take control only if the Novice allows it.

  12. Click the Show button to open the Show Contents dialog box, as shown in Figure 7.5.

    Figure 7.5. You can allow users and groups to offer unsolicited Remote Assistance.

  13. To add users and/or groups, click the Add button. You can add only one object at a time, and you must use the following format:

      <Domain Name>\<User Name>  or  <Domain Name>\<Group Name>
  14. After you are done adding users and/or groups, click OK to close the Show Contents dialog box.

  15. Click OK to close the Offer Remote Assistance Properties dialog box.


Sending and Managing Remote Assistance Requests

Users can request Remote Assistance in three basic ways: Windows Messenger, email (sends a URL), or file (creates a Remote Assistance request file). Note that Windows Messenger (the client built into Windows XP) is not the same as the consumer MSN Messenger, although both use similar technologies. You can most easily send Remote Assistance requests by using the Help and Support Center, which you can access by clicking Start, Help and Support. On the main page, click the Remote Assistance link under the Support Tasks column. The Remote Assistance window is shown in Figure 7.6.

Figure 7.6. Remote Assistance requests can be easily sent and managed from within the Help and Support Center.

To send a Remote Assistance request, perform the steps outlined in Step by Step 7.2.

STEP BY STEP

7.2 Sending a Remote Assistance Request

  1. Open the Help and Support Center by clicking Start, Help and Support.

  2. Click the Remote Assistance link under the Support Tasks column.

  3. On the Remote Assistance window, shown in Figure 7.6, click the Invite Someone to Help You link.

  4. The most common way to ask for Remote Assistance is to use Windows Messenger because you can easily see who might be available to help you. Note that Windows Messenger is not installed in Windows Server 2003, and no Windows Server 2003 version exists at the time of this writing. You can download the Windows XP version (which works perfectly in Windows Server 2003) from microsoft.com/windows/messenger/download.asp.

  5. The Remote Assistance window changes, allowing you to pick how to contact the assistant (the Expert). As you can see, Windows Messenger, email, and file methods are available.

  6. Selecting a Windows Messenger user and clicking Invite This Person opens the Windows Messenger window on the Expert's computer with the Remote Assistance request, as shown in Figure 7.7. The Expert can then accept or decline the invitation; accepting begins the Remote Assistance session.

    Figure 7.7. The Expert receives the Remote Assistance request in his or her Windows Messenger window.

  7. Alternatively, you can opt to send an email request using a MAPI-compliant messaging application, such as Outlook or Outlook Express, by entering the Expert's first name and clicking Continue.

  8. On the next window, you can enter a password and duration for the request to remain valid. Click the Create E-mail Invitation button to proceed.

  9. A new email message opens. You need to enter the correct email address and add any other notes you want before sending the message. The Expert can initiate the Remote Assistance request by clicking the URL in the message and is then required to download and install an ActiveX applet from the Microsoft Web site as part of the process.

  10. Your last option is to create a Remote Assistance file and either give the file to the Expert or place it in a location where the Expert can access it, such as on a file share. You can create the Remote Assistance file by clicking Send Invitation as a File (Advanced). You can configure the name of the Expert, the duration the request should remain valid, and a password as well when creating the saved file. Remote Assistance request saved files have the *.msrcincident file extension.


You can view and manage Remote Assistance requests by clicking the View Invitation Status (x) link shown previously in Figure 7.6. The x represents the number of Remote Assistance requests you have to manage. Clicking this link changes the window to the one shown in Figure 7.8.

Figure 7.8. You can quickly and easily manage all your Remote Assistance requests.

For each Remote Assistance request, the following options are available:

  • Details Allows you to view details about the request, including to whom it was sent, when it was sent, when it will expire, what its current status is, and whether it is password protected.

  • Expire Allows you to force an open request to expire immediately, regardless of its configured duration.

  • Resend Allows you to resend an expired request. Resending expired requests allows you to easily send the same request again without needing to re-enter all the required details.

  • Delete Allows you to permanently delete the request.

Using Remote Assistance

Regardless of how the Remote Assistance request is sent, the results are all the same. After the Expert accepts the request, a direct connection is made between the Expert's computer and the Novice's computer. This allows the Expert to communicate directly with the Novice and to see the Novice's desktop in view-only mode, as shown in Figure 7.9.

Figure 7.9. The Expert is initially limited to having a view-only connection.

The following control buttons are available to the Expert:

  • Take Control Sends a request to the Novice to allow the Expert to take control of the Novice's computer.

  • Send a File Allows the Expert to transmit a file from the Expert's computer to the Novice's computer. This capability is useful for sending updates and such.

  • Start Talking Establishes an audio connection between the Expert and Novice similar to that offered in Windows Messenger or NetMeeting.

  • Settings Allows the Expert to configure the Remote Assistance settings for his or her computer.

  • Disconnect Terminates the Remote Assistance session and closes the direct connection between the two computers.

  • Help Displays Remote Assistance help.

The following control buttons are available to the Novice:

  • Stop Control Terminates the Expert's ability to remotely control the computer.

  • Send a File Allows the Novice to transmit a file from the Novice's computer to the Expert's computer.

  • Start Talking Establishes an audio connection between the Expert and Novice similar to that offered in Windows Messenger or NetMeeting.

  • Settings Allows the Novice to configure the Remote Assistance settings for his or her computer.

  • Disconnect Terminates the Remote Assistance session and closes the direct connection between the two computers.

  • Help Displays Remote Assistance help.

Remote Assistance Security Concerns

Remote Assistance, like all the Terminal Services and Remote Desktop Protocol-based applications, requires that TCP port 3389 be reachable to make a connection. Note the direction: in Remote Assistance, the Expert connects to the Novice's computer, so it is the Novice's port 3389 that must be open, and the invitation ticket tells the Expert which addresses to try. This raises the question of whether you want to leave this port open on your external firewalls. Logic says no. By closing this port on your external firewalls, you can instantly prevent the largest security risk associated with Remote Assistance: compromise by unauthorized external entities. In most cases, there is no reason why any person physically located outside your protected, private internal network should be tasked with providing Remote Assistance. Should this situation arise, consider implementing leased WAN links directly between sites or using permanent VPN connections so that port 3389 is never exposed to the Internet itself.

EXAM TIP

Remote Desktop Protocol Don't forget that all RDP-based applications, including Remote Assistance and Remote Desktop, use TCP port 3389. This may be an important fact on your exam.


But what do you do about the Remote Assistance request itself? The email is sent by default as a standard, unencrypted message and is therefore subject to capture in transit or on a mail server. The Remote Assistance files are simply XML files that are easily taken apart once captured: an invitation saved without a password carries the Novice's user name, computer name and addresses, the port to connect to, and the ticket's start time and lifetime, so anyone holding the file can attempt the connection until it expires. Always set a password on invitations and keep the ticket lifetime short. Email messages can be, and should be, digitally signed and encrypted. If you are using Exchange 2000 or later with Outlook 2000 or later on your network, the fix is easy. If you are not, consider acquiring a personal email certificate or using Pretty Good Privacy (PGP) or some other message encryption and signing utility. The Remote Assistance files should be protected by whatever means are available, including NTFS permissions, EFS encryption, or other third-party methods. Recall that Windows XP and Windows Server 2003 allow multiple EFS users to have access to the same file.
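The following Python script is an added example, not code from the book, that shows concretely how much an attacker learns from a captured invitation file and flags the things a reviewer would object to (no password, an overly long lifetime, a non-internal address that implies port 3389 is reachable from outside). Both invitation files are constructed; the attribute names (UPLOADDATA, USERNAME, RCTICKET, RCTICKETENCRYPTED, DtStart, DtLength, PassStub) and the layout of the address list inside RCTICKET follow the Windows XP invitation format as I remember it and should be treated as assumptions to check against a real file.

```python
"""Inspect a captured Remote Assistance invitation (*.msrcincident).

Added example, not part of the book. The invitation files below are
constructed, and the attribute names and RCTICKET layout are assumptions
drawn from memory of the Windows XP format; check them against a real file.
"""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample 1: an invitation saved without a password, valid 8 hours.
UNPROTECTED_INVITATION = """<?xml version="1.0"?>
<UPLOADINFO TYPE="Escalated">
<UPLOADDATA USERNAME="novice1"
 RCTICKET="65538,1,192.168.10.25:3389;203.0.113.7:3389;wkstn25:3389,*,AAAA,*,*,BBBB"
 RCTICKETENCRYPTED="0" DtStart="1063987200" DtLength="480" PassStub="" L="0"/>
</UPLOADINFO>
"""

# Constructed sample 2: the same request saved with a password. The ticket
# body is now ciphertext (a placeholder here), so the address list cannot be
# read from the file alone; the Expert must also know the password.
PROTECTED_INVITATION = """<?xml version="1.0"?>
<UPLOADINFO TYPE="Escalated">
<UPLOADDATA USERNAME="novice1" RCTICKET="QUJDREVGR0hJSktMTU5PUA=="
 RCTICKETENCRYPTED="1" DtStart="1063987200" DtLength="60" PassStub="c3R1Yg==" L="0"/>
</UPLOADINFO>
"""

# Address ranges the book calls the "protected, private internal network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_invitation(xml_text):
    """Return the fields an Expert (or an attacker) gets from the file."""
    data = ET.fromstring(xml_text).find("UPLOADDATA")
    if data is None:
        raise ValueError("no UPLOADDATA element: not a Remote Assistance invitation")
    encrypted = data.get("RCTICKETENCRYPTED") == "1"
    start = datetime.fromtimestamp(int(data.get("DtStart")), tz=timezone.utc)
    minutes = int(data.get("DtLength"))
    endpoints = []
    if not encrypted:
        # Assumed layout: the third comma-separated field is "host:port;host:port;..."
        fields = data.get("RCTICKET").split(",")
        for hostport in fields[2].split(";"):
            host, _, port = hostport.rpartition(":")
            endpoints.append((host, int(port)))
    return {
        "username": data.get("USERNAME"),
        "encrypted": encrypted,
        "endpoints": endpoints,
        "start": start,
        "length_minutes": minutes,
        "expires": start + timedelta(minutes=minutes),
    }


def assess(inv, now, max_minutes=60):
    """Flag what a security reviewer would object to in this invitation."""
    findings = []
    if not inv["encrypted"]:
        findings.append("no password: whoever holds the file can connect")
    if inv["length_minutes"] > max_minutes:
        findings.append(f"lifetime {inv['length_minutes']} min exceeds "
                        f"the {max_minutes} min policy maximum")
    if now >= inv["expires"]:
        findings.append("ticket expired")
    for host, port in inv["endpoints"]:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a NetBIOS/DNS name, not an address literal
        if not any(ip in net for net in INTERNAL_NETS):
            findings.append(f"advertises non-internal address {host}:{port}; "
                            f"TCP {port} must be reachable from outside")
    return findings


if __name__ == "__main__":
    for text in (UNPROTECTED_INVITATION, PROTECTED_INVITATION):
        inv = parse_invitation(text)
        print(inv["username"], "encrypted" if inv["encrypted"] else "clear", inv["endpoints"])
        for finding in assess(inv, now=inv["start"]):
            print("  -", finding)
```

Run it against a real saved invitation by replacing the constructed text with the file's contents; the unprotected sample produces three findings, the password-protected one none, which is the practical argument for always setting a password on invitations.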

GUIDED PRACTICE EXERCISE 7.1

In this exercise, you configure the Group Policy options for Remote Assistance. This Guided Practice helps reinforce the preceding discussion. You want to allow your users to solicit Remote Assistance. You also want to allow the Expert user to take control of the Novice's computer. However, you do not want to allow for unsolicited Remote Assistance. You want all settings to be applied to your entire domain.

You should try completing this exercise on your own first. If you get stuck, or you would like to see one possible solution, follow these steps:

  1. Open the Active Directory Users and Computers console.

  2. Right-click the domain node and select Properties. Create a new Group Policy Object from the Group Policy tab.

  3. Expand the GPO to locate the Remote Assistance node by expanding these nodes: Computer Configuration, Administrative Templates, System.

  4. Open the Solicited Remote Assistance Properties dialog box and enable solicited Remote Assistance.

  5. Select the Allow Helpers to Remotely Control the Computer option to ensure that your Experts can fully offer Remote Assistance as needed. (The Expert can take control only if the Novice allows it.)

  6. Configure the Maximum Ticket Time option with a reasonable lifetime, such as one hour.

  7. In the Select the Method for Sending E-mail Invitations area, select the method that best suits the messaging client on your network. The Mailto option configures the Remote Assistance request to be sent as an Internet link and works in virtually all situations. The SMAPI (Simple MAPI) option configures the request to be attached to the message.

  8. Close the Solicited Remote Assistance Properties dialog box.

  9. Open the Offer Remote Assistance Properties dialog box and disable the ability to offer unsolicited Remote Assistance.

  10. Close the Offer Remote Assistance Properties dialog box.


Remote Desktop for Administration (RDA)

Plan secure network administration methods.

  • Plan for remote administration by using Terminal Services.

Remote Desktop for Administration, previously referred to as Remote Administration mode in Windows 2000, provides a built-in method to remotely administer and control servers. Provided you have the correct credentials, you can even remotely restart or shut down a server. Of course, you probably ought to warn any users who might be connected to it before doing such!

You can use Remote Desktop for Administration in one of two ways. The first and simplest (although less feature-rich) method is to use the Remote Desktop Connection utility, which you can find by clicking Start, Programs, Accessories, Communications, Remote Desktop Connection. After you click the Options button, the Remote Desktop Connection dialog box opens, as shown in Figure 7.10.

Figure 7.10. The Remote Desktop Connection utility allows you to quickly and easily create a connection to a remote computer.

By entering the computer's name or IP address and clicking Connect, you can make a Remote Desktop for Administration connection. You may be required to supply your network credentials to complete the connection and logon process. Figure 7.11 shows what the Remote Desktop connection looks like when not in full-screen mode.

Figure 7.11. The Remote Desktop for Administration window can be full screen or smaller if you like.

The second method for creating Remote Desktop for Administration connections is to use the new Remote Desktops console. This method offers two features that Windows administrators have been clamoring for since the introduction of Terminal Services:

  • Multiple connection profiles can be created. You can configure multiple connections in the Remote Desktops console and then switch through them quickly and easily, all within the confines of a single window. The multiple windows required when using the Remote Desktop Connection utility or the Terminal Services client are not required.

  • Connections are made directly to the console session. In the past, Terminal Services connections could not be made to the console session, preventing many administrators from using Terminal Services for remote administration or prompting the use of third-party applications such as PC Anywhere or VNC. Windows Server 2003, using the Remote Desktops console, now creates connections to the console session, allowing administrators to view messages and pop-ups that are not redirected to any other session. You can also use the /console switch on the Remote Desktop Client to create a console connection.

EXAM TIP

Connecting to the console The ability to connect to the console session using the Remote Desktop Client or the Remote Desktops console is an important new feature to remember. You should keep in mind what the console session allows you that other remote connections do not, namely the ability to receive messages and pop-ups that are displayed only on the console session.

Remote Desktop Web Connection utility It's important to note that the Windows 2000 Terminal Services Web Client is still around in Windows Server 2003, although with a new name and many improvements. It is now known as the Remote Desktop Web Connection utility.


The Remote Desktops console is shown in Figure 7.12, with a connection in progress.

Figure 7.12. The Remote Desktops console is the best way to manage multiple servers remotely.

RDA Security and Management Issues

Remote Desktop for Administration, like Terminal Services Administration mode before it, is fairly restrictive in who can use it and how it can be used:

  • Only administrators can create Remote Desktop for Administration connections by default; this is a good thing. You want the number of users with this power to be as small as possible to minimize the risk of an attacker gaining complete control over your network. Access for non-administrators is granted through membership in the Remote Desktop Users group; administrators have the right to log on through Terminal Services by default.

  • Only two Remote Desktop sessions can exist on a computer, and both active and disconnected (but still running) sessions count toward this number. This restriction exists so that the number of concurrent changes being made to a computer is minimized to prevent configuration errors and conflicts. However, it does present the potential for a Denial of Service (DoS) attack against a computer, or at least against the Remote Desktop portion of it: two disconnected sessions left behind are enough to lock every other administrator out. In addition to these two connections, one additional connection can exist to the server's console session.

Because administrators have the ability to create Remote Desktop connections by default, the use of these accounts should be minimized. Administrators should use their administrative accounts only when absolutely required and, even then, should make judicious use of the Run As command. This just makes for good network security sense and is part of the principle of least privilege. Using the principle of least privilege, a compromised user account has a smaller impact on the overall security of the network than if you were to blanket-assign to users permissions that they did not need. Ideally, all normal user operations should be carried out in the context of a User account. If additional privileges are required for a specific reason, the administrator can either log in to the network with a special account for the purpose of performing those actions or use the Run As command to perform those actions within the context of the account that has the additional privileges. You also should enforce strong password and account lockout policies on all accounts that have the ability to connect using Remote Desktop, because an exposed port 3389 turns every such account into a password-guessing target; Chapter 8, "Planning, Implementing, and Maintaining Security Infrastructure," discusses this topic in more detail.

EXAM TIP

Limited connections Remember that you can establish only two regular Remote Desktop connections to a server. You can establish one additional session to the console. Additional sessions cannot be created once these limits have been reached; this can lead to problems if administrators disconnect from their Remote Desktop sessions instead of logging off.


Although the Remote Desktop Connection utility offers the ability to create and save connection configurations on a local computer, this practice should be avoided if at all possible. Connection configurations are saved to a plain-text file with the extension *.RDP that contains all the Remote Desktop Connection settings, including the server address, user name, and domain. The password, if you chose to save it, is stored as a blob protected with the Data Protection API (DPAPI) under the saving user's profile; it is not portable to another user or machine, but anyone who can run code as that user on that computer (or who obtains the user's DPAPI master key) can recover it. Even if an attacker does not recover the password, all the other information needed to establish the Remote Desktop connection and begin wreaking havoc on your network is sitting in the file in clear text.
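As an added example (not code from the book), the following Python script parses a saved *.RDP file, lists what an attacker reads from it in the order it matters, and writes back a copy with the credential fields stripped. The file content is constructed; the name:type:value line format and the "password 51:b:" field are the real mstsc conventions, but the hex blob is a placeholder rather than a genuine DPAPI ciphertext.

```python
"""Show what a saved Remote Desktop Connection (*.rdp) file leaks, and strip it.

Added example, not part of the book. The .rdp content is constructed; the
"name:type:value" line format and the "password 51:b:" field are the real
mstsc conventions, but the hex blob is a placeholder, not real DPAPI output.
"""

# Constructed sample: what mstsc writes after Save As with "Save my password".
SAVED_RDP = """screen mode id:i:2
full address:s:srv-dc01.corp.example:3389
username:s:CORP\\jsmith-adm
domain:s:CORP
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB0100000000AABBCC
redirectdrives:i:1
redirectclipboard:i:1
"""

# Fields that identify or authenticate the administrator.
SENSITIVE = ("password 51", "password", "username", "domain")
# Client resources the remote server gets access to when set to 1.
REDIRECTS = ("redirectdrives", "redirectclipboard", "redirectprinters",
             "redirectsmartcards", "redirectcomports")


def parse_rdp(text):
    """Parse name:type:value lines into {name: (type, value)}."""
    settings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, kind, value = line.split(":", 2)   # the value may itself contain ':'
        settings[name] = (kind, value)
    return settings


def review_rdp(settings):
    """List what an attacker gets from the file, most damaging first."""
    findings = []
    if "password 51" in settings:
        findings.append("saved password: a DPAPI blob that decrypts for anyone "
                        "running code as this user on this machine")
    for key in ("full address", "username", "domain"):
        if key in settings:
            findings.append(f"{key} in clear text: {settings[key][1]}")
    for key in REDIRECTS:
        if settings.get(key, ("i", "0"))[1] == "1":
            findings.append(f"{key}=1: the remote server can reach this client resource")
    return findings


def sanitize_rdp(text):
    """Return the file with credential fields removed; the address is kept."""
    kept = []
    for line in text.splitlines():
        name = line.split(":", 1)[0]
        if name not in SENSITIVE:
            kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    settings = parse_rdp(SAVED_RDP)
    for finding in review_rdp(settings):
        print("-", finding)
    print(sanitize_rdp(SAVED_RDP))
```

The sanitized output still connects (mstsc prompts for credentials), so it is the form worth keeping if you need saved profiles at all; the drive and clipboard redirection findings are a reminder that a saved profile also decides what a compromised server can pull back from the administrator's workstation.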

Questions that often arise with Remote Desktop are "What do we do about disconnected sessions?" and "How long should the timeout value be for these disconnected sessions?" There are no hard and fast answers for these questions. Consider the situation in which an administrator has made a Remote Desktop connection to a server and begun the process of applying a service pack. After starting the installation, the administrator disconnects from the server and begins working on another server. Would you really want to impose a timeout limit on this session or manually terminate the session? You must spend some time considering the requirements of your network and the ways you will meet them to avoid problems down the road.

Session timeout values can be configured per user (on the Sessions tab of the user's properties in Active Directory Users and Computers) or for the whole server through Terminal Services Configuration, so per-user settings are one option you may want to use. A special shared administrative account that has no timeout values configured on it can be used; when this account is used to create a Remote Desktop connection, all operations can proceed without danger of automatically timing out. This also allows individual administrators to make connections to the server as required to perform other tasks, provided that they log off the server when they are finished. Bear in mind that a shared account sacrifices per-administrator accountability in the security log, so keep its password tightly controlled and reserve it for long-running jobs. Remember that shutting down or restarting a server from a Remote Desktop session results in that action occurring on the server if the user has the required permissions, so be careful when using the Shut Down Windows dialog box.
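To make the session-limit and timeout trade-off concrete, here is an added example (not from the book, and not Windows code) that simulates the rules the text states: two regular sessions plus one console session, disconnected sessions still counting toward the limit, and a disconnect timeout that spares a designated long-running account. The account names and timings are constructed; on a real server you would check the same state with Terminal Services Manager or the query session command.

```python
"""Simulate Remote Desktop for Administration session limits and timeouts.

Added example, not part of the book. It models the rules the text states
(two regular sessions plus one console session, disconnected sessions still
counting, a disconnect timeout with an exempt account); it is not Windows
code, and the account names and minute counts are constructed.
"""
from dataclasses import dataclass
from typing import Optional

MAX_REGULAR = 2   # regular Remote Desktop for Administration sessions
MAX_CONSOLE = 1   # the /console session


@dataclass
class Session:
    user: str
    console: bool
    connected: bool = True
    disconnected_at: Optional[float] = None   # minutes on a constructed clock


class RdaHost:
    def __init__(self):
        self.sessions = []

    def _count(self, console):
        return sum(1 for s in self.sessions if s.console == console)

    def connect(self, user, console=False):
        """Open a session, or refuse it: disconnected sessions still count."""
        limit = MAX_CONSOLE if console else MAX_REGULAR
        if self._count(console) >= limit:
            kind = "console" if console else "regular"
            raise RuntimeError(f"{user}: {kind} session limit ({limit}) reached; "
                               "disconnected sessions still count")
        session = Session(user, console)
        self.sessions.append(session)
        return session

    def disconnect(self, session, now):
        """Close the window but leave the session running (what most admins do)."""
        session.connected = False
        session.disconnected_at = now

    def logoff(self, session):
        """End the session and free its slot (what admins should do)."""
        self.sessions.remove(session)

    def reap_disconnected(self, now, timeout_minutes, exempt=frozenset()):
        """Apply an 'end a disconnected session' timeout, sparing exempt accounts."""
        ended = []
        for s in list(self.sessions):
            if (not s.connected and s.user not in exempt
                    and now - s.disconnected_at >= timeout_minutes):
                self.logoff(s)
                ended.append(s.user)
        return ended


def demo():
    """Two admins disconnect instead of logging off; a third is locked out
    until the timeout reclaims a slot, while the patching account survives."""
    host = RdaHost()
    patch = host.connect("CORP\\svc-patch")    # service pack install in progress
    alice = host.connect("CORP\\alice-adm")
    host.disconnect(patch, now=0)
    host.disconnect(alice, now=5)               # both walked away without logging off
    blocked = None
    try:
        host.connect("CORP\\bob-adm")           # third regular session: refused
    except RuntimeError as exc:
        blocked = str(exc)
    host.connect("CORP\\bob-adm", console=True)  # the console slot is still free
    ended = host.reap_disconnected(now=40, timeout_minutes=30,
                                   exempt={"CORP\\svc-patch"})
    host.connect("CORP\\bob-adm")               # alice's slot has been reclaimed
    return blocked, ended, [s.user for s in host.sessions]


if __name__ == "__main__":
    blocked, ended, users = demo()
    print("refused:", blocked)
    print("ended by timeout:", ended)
    print("sessions now:", users)
```

The simulation shows the two halves of the policy question: without a timeout, the two abandoned sessions lock out bob-adm entirely (the console slot is the only way in), while a 30-minute disconnect timeout with a single exempt account restores availability without killing the service pack installation.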



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied
