Planning Secure Remote Administration Methods

One of the features that Microsoft has been steadily developing since Windows 2000 first appeared is built-in remote administration. You no longer have to purchase and install a costly third-party application to provide remote administrative access to your servers and workstations: Windows XP and Windows Server 2003 support it natively, as does the Windows 2000 Server line once you install Terminal Services in Remote Administration mode. Better yet, Windows XP and Windows Server 2003 also include Remote Desktop, built on the Remote Desktop Protocol (RDP), which lets a user work on a computer remotely as if sitting at it locally. In this section, we examine two key parts of the Terminal Services/Remote Desktop Protocol combination: Remote Assistance and Remote Desktop for Administration. Both are installed by default with Windows Server 2003; however, both are disabled by default and must be enabled and configured before use.

Remote Assistance
Remote Assistance, first introduced in Windows XP, provides a built-in mechanism that allows an "Expert" to help a "Novice", either at the Novice's request or, if policy permits, unsolicited. The Expert can be on the same internal network or somewhere else on the Internet. Remote Assistance allows the Expert to connect to the Novice's computer, view the desktop, chat with the Novice, and even take remote control of the Novice's computer if the Novice allows it. Remote Assistance works only on computers running Windows XP or Windows Server 2003, which is one more reason to consider that desktop upgrade to Windows XP. Before a computer can receive Remote Assistance, however, the feature must be enabled either locally or by Group Policy. Assuming that the Group Policy settings for Remote Assistance have been left in their default (Not Configured) state, you can enable it on the local computer by selecting the Allow Remote Assistance Invitations to Be Sent from This Computer option on the Remote tab of the System Properties applet (in the Control Panel), as shown in Figure 7.1.

Figure 7.1. Remote Assistance must be enabled and configured before it can be used.
Clicking the Advanced button opens the Remote Assistance Settings dialog box, where you can configure Remote Assistance further. From this dialog box, you can allow the computer to be remotely controlled during a Remote Assistance session by selecting the Allow This Computer to Be Controlled Remotely option; leave it cleared unless remote control is genuinely needed, because view-only access is enough for most troubleshooting. You can also configure how long Remote Assistance invitations remain valid; keep this window as short as practical, since a captured invitation is useful to an attacker only until it expires.

EXAM TIP: Enabling Remote Assistance. Be sure that you know and understand the two different ways that Remote Assistance can be enabled and configured.

Alternatively, you can configure Group Policy to control the Remote Assistance settings for an entire domain or for specific Organizational Units. The settings you need are located in the Computer Configuration, Administrative Templates, System, Remote Assistance node, as shown in Figure 7.2. If the settings are configured via Group Policy, the corresponding controls in the System Properties applet are unavailable on the affected computers. Recall that Group Policy is applied in the following order: local, site, domain, Organizational Unit, so a setting applied at the OU level wins over one applied at the domain level.

Figure 7.2. Remote Assistance can be configured using Group Policy.
The Solicited Remote Assistance setting shown in Figure 7.2 allows Remote Assistance invitations to be sent from the computers to which the Group Policy Object (GPO) applies. The Offer Remote Assistance setting shown in Figure 7.2 allows Remote Assistance to be offered, without a prior request, to the computers to which the GPO applies; it also lets you specify which users or groups are permitted to make such offers. The user (Novice) still has the option to accept or decline the offer.

Configuring Remote Assistance Policies

To configure Remote Assistance policies using Group Policy, which is always the preferred method, perform the steps outlined in Step by Step 7.1.
Sending and Managing Remote Assistance Requests

Users can request Remote Assistance in three basic ways: through Windows Messenger, by email (the message carries a URL), or by saving a Remote Assistance invitation file. Note that Windows Messenger, the client built into Windows XP, is not the same product as MSN Messenger, although both use similar technologies. The easiest way to send a Remote Assistance request is through the Help and Support Center, which you open by clicking Start, Help and Support. On the main page, click the Remote Assistance link under the Support Tasks column. The Remote Assistance window is shown in Figure 7.6.

Figure 7.6. Remote Assistance requests can be easily sent and managed from within the Help and Support Center.
To send a Remote Assistance request, perform the steps outlined in Step by Step 7.2.
You can view and manage outstanding Remote Assistance requests by clicking the View Invitation Status (x) link shown previously in Figure 7.6; x is the number of requests you have to manage. Clicking this link changes the window to the one shown in Figure 7.8.

Figure 7.8. You can quickly and easily manage all your Remote Assistance requests.
For each Remote Assistance request, the following options are available:
Using Remote Assistance

Regardless of how the Remote Assistance request is sent, the result is the same. After the Expert accepts the request, the Expert's computer opens a direct RDP connection to the Novice's computer. This allows the Expert to communicate directly with the Novice and to see the Novice's desktop in view-only mode, as shown in Figure 7.9.

Figure 7.9. The Expert is initially limited to having a view-only connection.
The following control buttons are available to the Expert:
The following control buttons are available to the Novice:
Remote Assistance Security Concerns

Remote Assistance, like all Terminal Services and Remote Desktop Protocol based applications, requires that TCP port 3389 on the Novice's computer be reachable by the Expert. This raises the question of whether you want to allow this port through your external firewalls. The answer should be no. Blocking inbound 3389 at the perimeter removes the largest security risk associated with Remote Assistance: an unauthorized external party reaching the RDP listener directly. In most cases, there is no reason why anyone physically located outside your protected, private internal network should be tasked with providing Remote Assistance. Should this situation arise, consider leased WAN links between sites or permanent VPN connections, so that the RDP traffic never crosses the Internet unprotected.

EXAM TIP: Remote Desktop Protocol. Don't forget that all RDP-based applications, including Remote Assistance and Remote Desktop, use TCP port 3389. This may be an important fact on your exam.

But what do you do about the Remote Assistance request itself? An emailed invitation is sent by default as an ordinary, unprotected email message and is therefore subject to interception. A saved invitation is simply an XML file, and anyone who obtains it can read out the Novice's address and the time window during which the invitation is valid. Email messages can be, and should be, digitally signed and encrypted. If you are using Exchange 2000 or later with Outlook 2000 or later on your network, S/MIME signing and encryption makes this easy. If you are not, consider acquiring a personal email certificate or using Pretty Good Privacy (PGP) or some other message encryption and signing utility. Invitation files should be protected by whatever means are available, including NTFS permissions, EFS encryption, or third-party methods, and they should be given a short expiry and a password that is conveyed to the Expert out of band. Recall that Windows XP and Windows Server 2003 allow multiple EFS users to have access to the same file.
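To make the "easily taken apart" point concrete, here is a small parser that pulls the connection details and validity window out of a captured invitation file. This is an added example written for this page, not code from the book; the sample invitation is constructed, and the element and attribute names (UPLOADINFO, UPLOADDATA, RCTICKET, DtStart, DtLength, PassStub) follow the Windows XP era invitation layout as I recall it, so check them against a real invitation before relying on them.

```python
"""Extract what an interceptor learns from a Remote Assistance invitation.

Added example, not from the original chapter.  The element/attribute names
below are assumptions based on the XP-era invitation layout; verify them
against a real .msrcincident file.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an XP/2003 invitation.  RCTICKET is a
# comma-separated ticket whose third field lists every address the Expert's
# client may try (ip:port or host:port pairs separated by ';'); the later
# fields are opaque session tokens.  DtStart is epoch seconds, DtLength
# minutes.  An empty PassStub means no invitation password was set.
SAMPLE_INVITATION = (
    '<UPLOADINFO TYPE="Escalated">'
    '<UPLOADDATA USERNAME="jsmith" '
    'RCTICKET="65538,1,192.0.2.25:3389;NOVICE-PC:3389,*,'
    'AAAAAAAAAAAAAAAAAAAAAA==,*,*,BBBBBBBBBBBBBBBBBBBBBB==" '
    'RCTICKETENCRYPTED="1" DtStart="1073000000" DtLength="60" '
    'PassStub="" L="0" />'
    "</UPLOADINFO>"
)

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def decode_invitation_bytes(raw):
    """Real invitations are saved as UTF-16 with a BOM; decode accordingly.

    The XML declaration is dropped because the file's encoding label is not
    one the XML parser understands, and we have already decoded the text.
    """
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8")
    return _XML_DECL.sub("", text, count=1)


def parse_invitation(xml_text):
    """Return the fields that matter for a security review."""
    root = ET.fromstring(xml_text)
    data = root.find("UPLOADDATA")
    if data is None:
        raise ValueError("no UPLOADDATA element: not an invitation file")
    fields = data.get("RCTICKET", "").split(",")
    endpoints = fields[2].split(";") if len(fields) > 2 else []
    endpoints = [e for e in endpoints if ":" in e]
    start = int(data.get("DtStart", "0"))
    minutes = int(data.get("DtLength", "0"))
    return {
        "user": data.get("USERNAME", ""),
        "endpoints": endpoints,
        "ports": sorted({int(e.rsplit(":", 1)[1]) for e in endpoints}),
        "valid_from": start,
        "valid_until": start + minutes * 60,
        "password_protected": data.get("PassStub", "") != "",
    }


def is_expired(invitation, now):
    """True once the validity window configured on the Novice has passed."""
    return now > invitation["valid_until"]


def uses_port(invitation, port=3389):
    """Does the ticket direct the Expert at the given port (3389 by default)?"""
    return port in invitation["ports"]


if __name__ == "__main__":
    inv = parse_invitation(SAMPLE_INVITATION)
    print("target endpoints:", inv["endpoints"])
    print("valid for", (inv["valid_until"] - inv["valid_from"]) // 60, "minutes")
    print("password protected:", inv["password_protected"])
```

Run over a real invitation (decode_invitation_bytes(open(path, "rb").read())) the output shows exactly why the file needs the protection described above: the Novice's reachable addresses, the port the firewall must block, and how long the ticket stays usable are all in the clear, and only a non-empty PassStub indicates that an attacker holding the file would also need the out-of-band password.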
Remote Desktop for Administration (RDA)
Remote Desktop for Administration, previously referred to as Remote Administration mode in Windows 2000, provides a built-in method to remotely administer and control servers. Provided you have the correct credentials, you can even remotely restart or shut down a server. Of course, you should warn any users who might be connected to it before doing so! You can use Remote Desktop for Administration in one of two ways. The first and simplest (although less feature-rich) method is the Remote Desktop Connection utility, which you can find by clicking Start, Programs, Accessories, Communications, Remote Desktop Connection. After you click the Options button, the Remote Desktop Connection dialog box expands to show its full set of tabs, as shown in Figure 7.10.

Figure 7.10. The Remote Desktop Connection utility allows you to quickly and easily create a connection to a remote computer.
By entering the computer's name or IP address and clicking Connect, you can make a Remote Desktop for Administration connection. You may be required to supply your network credentials to complete the connection and logon process. Figure 7.11 shows what the Remote Desktop connection looks like when not in full-screen mode.

Figure 7.11. The Remote Desktop for Administration window can be full screen or smaller if you like.
The second method for creating Remote Desktop for Administration connections is the new Remote Desktops console, an MMC snap-in. This method offers two features that Windows administrators have been clamoring for since the introduction of Terminal Services:
EXAM TIP: Connecting to the console. The ability to connect to the console session using the Remote Desktop Connection client or the Remote Desktops console is an important new feature to remember. Keep in mind what the console session allows you that other remote sessions do not, namely the ability to see messages and pop-ups that are displayed only on the console session.

Remote Desktop Web Connection. It's important to note that the Windows 2000 Terminal Services Web Client is still around in Windows Server 2003, although with a new name and many improvements. It is now known as Remote Desktop Web Connection.

The Remote Desktops console is shown in Figure 7.12, with a connection in progress.

Figure 7.12. The Remote Desktops console is the best way to manage multiple servers remotely.
RDA Security and Management Issues

Remote Desktop for Administration, like Terminal Services Remote Administration mode before it, is fairly restrictive in who can use it and how it can be used:
Because members of the Administrators group can create Remote Desktop connections by default, the use of these accounts should be minimized. Administrators should use their administrative accounts only when absolutely required and, even then, should make judicious use of the Run As command. This is simply good network security sense and is part of the principle of least privilege. Under least privilege, a compromised user account has a smaller impact on the overall security of the network than it would if you blanket-assigned users permissions they did not need. Ideally, all normal user operations should be carried out in the context of an ordinary user account. If additional privileges are required for a specific reason, the administrator can either log on to the network with a separate account for the purpose of performing those actions or use the Run As command to perform them in the context of the account that has the additional privileges. Staff who need Remote Desktop access but not administrative rights should be added to the Remote Desktop Users group rather than to Administrators. You also should enforce strong password and account lockout policies on every account that is able to connect using Remote Desktop; Chapter 8, "Planning, Implementing, and Maintaining Security Infrastructure," discusses this topic in more detail.

EXAM TIP: Limited connections. Remember that you can establish only two regular Remote Desktop connections to a server, plus one additional session to the console. Further sessions cannot be created while these limits are reached, which leads to problems if administrators do not properly end their Remote Desktop sessions.

Although the Remote Desktop Connection utility offers the ability to save connection configurations on the local computer, this practice should be avoided if at all possible. A saved configuration is a plain-text file with the extension *.RDP that contains all the Remote Desktop Connection settings, including the target server, user name and domain.
Although the password, if saved, is stored in an obfuscated form rather than in the clear, you should treat it as recoverable by anyone who obtains the file. Even if an attacker never recovers the password, everything else required to establish the Remote Desktop connection and begin wreaking havoc on your network is right there in the file.

Questions that often arise with Remote Desktop are "What do we do about disconnected sessions?" and "How long should the timeout value be for these disconnected sessions?" There are no hard and fast answers. Consider the situation in which an administrator makes a Remote Desktop connection to a server and begins applying a service pack. After starting the installation, the administrator disconnects from the server and begins working on another server. Would you really want to impose a timeout limit on that session, or terminate it manually? You must spend some time considering the requirements of your network and how you will meet them to avoid problems down the road. Timeout values can be configured per user, on the Sessions tab of the user's account properties, which is more granular than a single server-wide setting. One approach is a dedicated administrative account with no timeout values configured; when this account is used to create a Remote Desktop connection, long-running operations proceed without danger of timing out, while individual administrators connect under their own accounts for everyday tasks, provided they log off the server when finished. Note that such a shared account costs you individual accountability in the audit logs, so restrict its use to long-running jobs and review its logons. Remember that shutting down or restarting a server from a Remote Desktop session really does shut down or restart the server if the user has the required permissions, so be careful when using the Shut Down Windows dialog box.
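The following added example (written for this page, not from the book) shows what the saved *.RDP file discussed above gives away. It parses the client's name:type:value line format, flags stored credentials and console targeting, and can walk a profile directory looking for offending files. The sample file contents are constructed; the "password 51:b:" setting name is the one the Remote Desktop Connection client writes when a password is saved.

```python
"""Audit saved Remote Desktop Connection (.rdp) files for stored secrets.

Added example, not from the original chapter.  An .rdp file is a list of
'name:type:value' lines where the type is 's' (string), 'i' (integer) or
'b' (binary blob).  A saved password appears as 'password 51:b:<hex>'.
"""
import os

# Constructed sample of a saved connection.  The password blob is fake.
SAMPLE_RDP = """screen mode id:i:2
desktopwidth:i:1024
desktopheight:i:768
full address:s:fileserver01.corp.example
username:s:Administrator
domain:s:CORP
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB
connect to console:i:1
"""


def decode_rdp_bytes(raw):
    """Newer clients save UTF-16 with a BOM; older ones save ANSI text."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def parse_rdp(text):
    """Parse the file into {setting name: (type, value)}.

    Values may themselves contain ':' (e.g. 'full address:s:host:3389'),
    so split on at most two separators.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, typ, value = parts
        if typ == "i":
            try:
                value = int(value)
            except ValueError:
                pass
        settings[name] = (typ, value)
    return settings


def assess_rdp(text):
    """Report what an attacker holding this file would learn."""
    settings = parse_rdp(text)

    def get(name):
        return settings[name][1] if name in settings else None

    findings = []
    if get("password 51"):
        findings.append("stored password present")
    if get("username"):
        findings.append("stored username")
    if get("connect to console") == 1:
        findings.append("targets the console session")
    return {
        "target": get("full address"),
        "user": get("username"),
        "domain": get("domain"),
        "findings": findings,
    }


def scan_directory(root):
    """Return (path, assessment) for every .rdp file that stores a password."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".rdp"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                report = assess_rdp(decode_rdp_bytes(fh.read()))
            if "stored password present" in report["findings"]:
                hits.append((path, report))
    return hits


if __name__ == "__main__":
    print(assess_rdp(SAMPLE_RDP))
```

Pointing scan_directory at a mounted user-profile share (My Documents is where the client saves by default) gives you an inventory of machines whose administrators ignored the advice above; each hit names the server that the file, and the password blob, will open.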
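For the disconnected-session question, here is an added example (mine, not the book's) of the policy described above expressed as code: parse the output of the quser command, log off sessions that have been disconnected longer than a threshold, and exempt the dedicated long-running administrative account. The quser output is constructed to match that command's column layout; the exempt account name and threshold are assumptions for the example.

```python
"""Find disconnected Remote Desktop sessions that should be logged off.

Added example, not from the original chapter.  The sample output is
constructed in the layout printed by 'quser' on Windows XP/2003; the
account name svc-patchadmin is a hypothetical long-running admin account.
"""
import re

SAMPLE_QUSER = """ USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#1           1  Active       none  1/5/2004 10:15 AM
 jsmith                                    2  Disc         1:23  1/5/2004 8:30 AM
 svc-patchadmin                            3  Disc      2+03:15  1/3/2004 6:00 PM
 rthomas               rdp-tcp#2           4  Disc           25  1/5/2004 9:50 AM
"""

# A disconnected session has no SESSIONNAME, so that column is optional.
# The first character is '>' for the session running the command.
LINE_RE = re.compile(
    r"^[ >](?P<user>\S+)\s+(?:(?P<session>\S+)\s+)?(?P<id>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<idle>\S+)\s+(?P<logon>.+?)\s*$"
)


def parse_idle(text):
    """Convert quser's idle column ('none', '.', '25', '1:23', '2+03:15') to minutes."""
    if text in ("none", "."):
        return 0
    days = 0
    if "+" in text:
        day_part, text = text.split("+", 1)
        days = int(day_part)
    if ":" in text:
        hours, minutes = text.split(":")
        return days * 1440 + int(hours) * 60 + int(minutes)
    return days * 1440 + int(text)


def parse_quser(output):
    """Return one dict per session line; the header does not match LINE_RE."""
    sessions = []
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        sessions.append({
            "user": match["user"],
            "id": int(match["id"]),
            "state": match["state"],
            "idle_minutes": parse_idle(match["idle"]),
            "logon": match["logon"],
        })
    return sessions


def stale_sessions(sessions, max_disconnected_minutes, exempt_users=()):
    """Disconnected sessions past the threshold, excluding exempt accounts."""
    exempt = {u.lower() for u in exempt_users}
    return [
        s for s in sessions
        if s["state"].lower() == "disc"
        and s["idle_minutes"] > max_disconnected_minutes
        and s["user"].lower() not in exempt
    ]


def logoff_commands(stale, server):
    """Build the 'logoff <id> /server:<name>' commands an admin would run."""
    return ["logoff %d /server:%s" % (s["id"], server) for s in stale]


if __name__ == "__main__":
    found = parse_quser(SAMPLE_QUSER)
    stale = stale_sessions(found, 60, exempt_users=["svc-patchadmin"])
    for cmd in logoff_commands(stale, "SRV01"):
        print(cmd)
```

The commands are generated rather than executed so the output can be reviewed first; jsmith's session, disconnected for 83 minutes, is the only candidate under a 60-minute threshold, while the patching account is protected by the exemption and rthomas is still inside the window.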