Using Remote Desktop Access
Windows NT Server 4.0 introduced the Terminal Services capability that allows Windows Server to host multiple virtual terminal sessions, accessed by remote clients able to run on downlevel (earlier) versions of the Windows operating system. Applications running within each virtual terminal session operate on the server system; the mouse and keyboard of the client system provides input to the server while the video output is routed back to the client.
Starting with Windows Server 2000, Terminal Services was implemented in two versions: application mode could be configured to allow multiple client systems to access a virtual terminal running under a licensed Terminal Services session, whereas a limited-access version of the Terminal Services connectivity could be used by up to two concurrent users for the purposes of remote administration. This administrative mode did not require a Terminal Services Licensing server to function, and was loaded within the Add/Remove Programs wizard after server setup.
In Windows XP, Microsoft introduced a client-accessible version called the Remote Desktop. This is a single-user modified version of the Terminal Services capability, enabling a user to connect to an existing console session on a remote Windows XP system.
Windows Server 2003 introduces a more refined version of the Remote Desktop capability, merging enhancements from the Windows XP Remote Desktop Protocol (version 5.1) into the multiple-terminal capability of the full Terminal Services server. The new implementation of the Remote Desktop Protocol (version 5.2) adds a number of new options, such as
Color depthThe ability to control the color depth of the video output to optimize operation based on available bandwidth
Audio redirectionThe ability to bring audio output from the RDP session on the server to the client system
Console connectionThe ability to connect to the current console session, rather than a Terminal Services virtual session
Local resource accessThe ability of an RDP user to access local client-system resources, such as printers and drives from within the Remote Desktop session, as shown in Figure 3.20
Figure 3.20 An example of local drives from the client system (TANTALUS) being made accessible to an existing Remote Desktop connection.
Microsoft makes use of several components running on the Terminal Services host server to manage remote access, including
Remote Desktop for AdministrationThis replaces Terminal Services running in Remote Administration mode. It's installed by default on all Windows Server 2003 products, although connections cannot be established until Remote Access has been enabled.
Terminal ServerThis service provides virtual terminal access for Windows-based and nonWindows-based clients using the Remote Desktop Protocol (RDP). This mode is not available on Windows Server 2003, Web Edition.
Terminal Server Session DirectoryThis service enables a client to reconnect to a disconnected session running within a Terminal Services server farm. In previous versions of Microsoft Terminal Services, clients who experienced a loss of connectivity with a server farm would most often connect to an entirely new TS session when reconnecting, losing access to pending work from the previously established session and in some configurations, tying up a new connection license.
Terminal Services connections are accomplished using the standard RDP port (3389) and are created using an encrypted session to avoid passing clear text information across an unsecured network. This improves security of all proper communications, while also creating a potential reduction in security due to the encrypted console connectivity.
Someone seeking unauthorized access can create Remote Desktop/Terminal Serverencrypted connections and use brute-force hacking techniques over the encrypted connection, preventing intrusion detection services (IDSs) from noticing the attack. If you're going to use these services, it's important to enact strong password and account lockout policies to maintain security and prevent this type of attack from being successful.
Microsoft has also included many new remote access options within the MMC snap-in utilities, as well as many policy settings. One security policy setting you might have noticed in Chapter 2 is Allow Login to Terminal Services Only, which restricts users to Remote Desktop connections only, rather than the Log on Locally permission that was mandated in Windows Server 2000 implementations.
Remote Desktop Connections
Clients can connect to a Microsoft Windows Server 2003 Terminal Server or Remote Desktop for Administration connection using the Remote Desktop client, shown in Figure 3.21, which is familiar to anyone who has used the interface between Windows XP systems.
Figure 3.21 The Remote Desktop client in its basic form.
By expanding the Options button on the RDC, it's possible to configure the connection's settings and then save the RDC settings as a shortcut that can be easily used by clients to open the preconfigured session, as shown in Figure 3.22.
Figure 3.22 A Remote Desktop session to MyServer displaying the Terminal Services Configuration MMC snap-in showing this connection.
In addition to the single-console RDC (mstsc.exe), Windows Server 2003 also includes the multi-connection Remote Desktops MMC snap-in utility (refer to Figure 3.1), as well as an ActiveX Web-based connection utility that can be used to open a Terminal Services connection using Internet Explorer, as shown in Figure 3.23.
The Remote Desktop Web Connection component is not installed by default, but can be added through the Add/Remove Programs Wizard, where it is a subcomponent of the IIS installation option. After it's installed, the client can be accessed at http://<ServerName>/TSWeb/.
Microsoft has also provided an add-in to the Active Directory Users and Computers MMC snap-in that extends the Remote Control functionality to this administration utility, as shown in Figure 3.24. This additional component can be downloaded at the following Web site: http://www.microsoft.com/downloads/details.aspx?FamilyID=0a91d2e7-7594-4abb-8239-7a7eca6a6cb1&DisplayLang=en.
Figure 3.23 A Remote Desktop session to MyServer using the Remote Desktop Web Connection ActiveX component.
Figure 3.24 The Remote Control option added to the Active Directory Users and Computers MMC snap-in.
Allowing Remote Connections
Before any remote terminal sessions can be created, it's first necessary to allow users to connect remotely to your computer, which is accomplished on the Remote tab of a server's System Properties dialog box, as shown in Figure 3.25.
Figure 3.25 The Remote tab of the System Properties dialog box.
User accounts must be granted the proper permissions to connect via Remote Access, which can be accomplished by inheritance from membership in the Remote Desktop Users group. Additional Terminal Server settings can be configured within the Active Directory Users and Computers MMC snap-in for a user or group, through the RDP's advanced options (see Figure 3.26), through Group Policy settings (see Figure 3.27), and within the Terminal Server Configuration MMC snap-in (see Figure 3.28).
Data encryption options for each connection can be configured at the client as well as at the host server, with the server's settings winning in case of conflict. The FIPS Compliant option provides connection encryption using the Federal Information Processing Standard (FIPS).
Figure 3.26 Remote Desktop client environment options.
Figure 3.27 Terminal Services GPO settings node within the Group Policy Object Editor.
Configuring Terminal Services
When Terminal Services will be used in Application mode, it is necessary to install the Terminal Services Configuration utility (see Figure 3.29) from within the Add/Remove Programs Wizard. The Terminal Services Licensing service (see Figure 3.30) can also be installed here if this server will be used to provide licensing for servers running the Terminal Services service within your enterprise, forest, or domain.
Figure 3.28 Terminal Server configuration within the Terminal Server Configuration MMC snap-in.
Figure 3.29 The Terminal Services Configuration MMC snap-in.
Figure 3.30 The Terminal Services Licensing MMC snap-in.
After installation of the Terminal Services Configuration MMC snap-in, you can configure the properties of each connection available on a host server running the Terminal Server service. To utilize the licensing capability of a Terminal Services Licensing server, the server must first be activated within the Terminal Services Licensing MMC snap-in by right-clicking the target server and selecting Activate Server. Activation can be accomplished automatically, via HTTP connection, or by telephone.
Connections that are not associated with Terminal Server licenses, such as those used for remote administration, will be displayed within the Temporary Licensing node of the Terminal Server Licensing MMC snap-in. When licenses are added, the type and quantity of each set of licenses must be provided (see Figure 3.31) along with the appropriate licensing key.
Figure 3.31 The Terminal Server CAL Installation Wizard showing the installation of 50 licenses for Windows Server 2003 per-user licensing.
When Terminal Server Licensing problems arise, it is possible to easily diagnose the current license allocation within this MMC snap-in as well.