■ The request can be saved to a file.
To create an invitation, open Help and Support from the Windows Start menu. On the right side of the Help and Support Center utility, click Remote Assistance under the Support heading. In the next screen, click the Invite someone to help you link. You will then be able to select the method that you want to use in asking for assistance, as shown in Figure 27.1. A request using Windows Messenger requires that Windows Messenger be installed and configured. A request using e-mail requires that an e-mail client be installed and configured, though most users already have an e-mail client installed.
Managing Open Invitations
Sometimes you might want to know the names of users with whom you have active RA invitations open. You might want to cancel an invitation because you’ve solved the problem or because you want someone else to help you. Help and Support Center provides a number of options for managing open invitations.
To manage your active invitations, follow these steps:
1 Open the Help and Support utility from the Windows Start menu.
2 On the right side of the Help and Support Center screen, click Remote Assistance under the Support heading.
3 On the following screen, click the View Invitation Status (X) link. The (X) will be replaced on your screen by the number of invitations you have outstanding.
4 The next screen will show you a list of the invitations that are outstanding. The list consists of three columns: Sent To, Expiration Time, and Status. The Sent To column contains the name of the person to whom you sent the Windows Message or e-mail. If you saved the request to a file, this column will display the word “Saved.” The Expiration Time column will show the date and time that the invitation will expire. The Status column will show whether the invitation’s status is Open or Expired. Now you can view or modify any of these invitations.
Figure 27.1 The “Pick how you want to contact your assistant” Screen in Remote Assistance
Each invitation will have a radio button next to it, as shown in Figure 27.2. You can click a radio button to select one of the invitations, and then choose an action to perform using the buttons under the list box.
Remote Assistance Security Issues
RA is a valuable tool, but it also contains serious security risks that must be planned for and managed. RA makes it easy for any user to ask virtually anyone using a Windows XP or Server 2003 computer to connect to his or her desktop. This person can be inside your company or a friend outside of it. Although an outside person may be qualified to assist the user, in doing so they will likely receive full control of a client in your network.
This, of course, is unacceptable, because they could place malicious software on the system while in control of it, view sensitive company information that normally isn’t allowed outside of the organization, etc. The best way to prevent this is to use your company’s firewalls to prevent connection to RA from outside the company’s network. RA uses the same port that all Terminal Services components do: 3389. Simply blocking this port on your external firewalls prevents this type of unauthorized access and protects from malicious external port scanning.
Several other key security concerns should be addressed in your company’s remote assistance policies. E-mail and file-based invitations enable you to specify passwords. An invitation without password protection can be used by anyone that receives it by accident or intercepts it illegitimately. Because of this, always mandate the use of these passwords.
Your company may also want to protect traffic that contains RA requests. E-mail is normally sent in unencrypted form on the network. This means that the URL that is sent in the e-mail invitation is available for easy interception while it is in transit on the network. Likewise, a simple XML format is used for the invitation file. A simple pattern match could be used when monitoring the network to detect and automatically save this information to an unauthorized system while it is being sent across the network. If the e-mail or file invitations do not have passwords, they can be used immediately when they are captured in this way. Even if a password is specified, there is no limit to the number of times requests like these can be used for connection. A brute force attack could be used to attempt to break the password and successfully establish a session. For this reason, it is important that your remote assistance policy also specify a short expiration time for the invitation. Once expired, no connections are possible with it. A shorter time reduces the chances of success using a brute force attack. And, if no password is specified, at least the open window for misuse of the invitation is shorter.
Figure 27.2 The “View or change your invitation settings” Screen in Remote Assistance
You should also educate your users on when it is appropriate to accept RA requests. As mentioned previously, a request saved to a file is stored in a standard XML file. These can easily be modified to perform malicious actions when run by a user on a local system. The e-mail request contains a URL to click and can also be altered. In this case it may take the user to a page that performs malicious actions on their local system, or requires the download and installation of an unauthorized ActiveX control that is designed to appear legitimate to the user. Even an unsolicited request received through Windows messaging has security worries.
The best option is to maintain a tight policy that asks users to reject RA invitations in all but a few instances. What is acceptable will relate specifically to your company. Some organizations allow acceptance only from immediate co-workers and known help desk staff. Others are more liberal and allow invitations to be accepted from any verifiable employee within the company. The most important rule is to not allow connections from outside of the organization.
Installing and Configuring the Terminal Server Role
Unlike the remote administration components in Windows 2003, the terminal server role requires separate installation by an administrator. In addition, it requires the terminal server licensing component to be added to a Windows 2003 server on the network. If the license server component is not added, or if it is added but valid client licenses are not installed on it, no remote connections to the terminal server will be allowed 120 days after the first client connects.
Install the Terminal Server Role
The terminal server role can be installed from the Manage Your Server utility, which is opened from the Windows Start | Administrative Tools menu. Open the utility and follow these steps:
1 Click the Add or remove a role link. This will display the Configure Your Server Wizard with its first page displayed.
2 Read the recommendations and click the Next button.
3 A Configure Your Server Wizard dialog box will pop up, informing you that the underlying network settings are being detected. When detection is complete, you will see the Configuration Options screen in the wizard.
4 Select the radio button next to Custom configuration and click the Next button.
5 On the Server Role screen, click Terminal server to highlight the role in the list (it should say No under the Configured column if the terminal server role has not already been installed). Click the Next button.
6 The Summary of Selections screen should read Install Terminal Server. Ensure that it does, and then click Next.
7 At this point, another Configure Your Server pop-up dialog box will appear to inform you that the server will reboot automatically as part of the installation process. Click the OK button in this dialog box.
8 The wizard will switch to the Applying Selections screen, launch the Windows Component Wizard, finish the installation based on your selections, and reboot.
9 When the reboot has completed, log on as an administrator. When your logon is completed, the Configure Your Server Wizard will appear to let you know that your server is now a terminal server. Click the Finish button.
10 The Manage Your Server utility will reappear in the background. A help window also opens when you log on with the terminal server help topic displayed.
Install Terminal Server Licensing
After you have installed the Terminal Server role on one of your servers, it’s time to install terminal server licensing. If you fail to do so, all terminal server connections will be rejected 120 days after the first client logs on. Microsoft recommends that you install terminal server licensing on a server that does not host the terminal server role. So, it will take at least two Windows 2003 servers to properly implement a terminal server environment.
The terminal server licensing component is not available from the Configure Your Server Wizard and must be added using Add or Remove Programs from Control Panel in the Windows Start menu. To install it, follow these steps:
1 In the Add or Remove Programs utility, click the Add/Remove Windows Components button on the left side of the screen. A Windows Setup pop-up dialog box will briefly appear, followed by the Windows Components Wizard.
2 In the Components: list, scroll down to select the check box next to Terminal Server Licensing and click the Next button.
3 On the Terminal Server Licensing Setup page of the wizard, select the way you will use this license server on your network.
4 You can also specify where you would like to place the license database. The default location, C:\WINDOWS\System32\LServer, is displayed in the Install license server database at this location: text box. When you have made your selections, click the Next button.
5 The wizard will switch to the Configuring Components screen and will begin the installation. Unlike the terminal server role installation, the license component requires the Windows 2003 installation CD. If it is not in the CD-ROM drive, you will be prompted for it.
6 The final screen in the wizard is entitled Completing the Windows Component Wizard. Review the information it contains and click the Finish button.
7 When the wizard disappears, if you do not wish to add additional components, close the Add or Remove Programs utility.
It is important to note that you can also install the Terminal Server role and most other Windows components from the Add or Remove Programs utility in Control Panel.
After you have installed the licensing component, you must complete the licensing process by adding client licenses. Refer to Microsoft’s Web site for additional details on how to complete this process. While it is also covered in Windows 2003’s help materials, this can be a complex process and it is best to ensure that you have the latest information and fixes from Microsoft.
Using Terminal Services Client Tools
There are three primary tools you can use to connect from a client system to Terminal Services. These tools include:
■ The Remote Desktop Connection (RDC) utility
■ The Remote Desktops MMC snap-in
■ The Remote Desktop Web Connection utility
Each is designed to fill a very specific role, and it is important for you to be familiar with the capabilities and uses of each. In the following sections, we examine how to install and use these utilities.
Installing and Using the Remote Desktop Connection (RDC) Utility
The Remote Desktop Connection (RDC) utility (formerly the Terminal Services Client Connection Manager) is the standard client for connecting to Terminal Services, via RDA on a server or Terminal Services on a terminal server. It can be used for remote administration or full terminal server client use. It enables a user to connect to a single server running Terminal Services using the RDP protocol over TCP/IP. The utility is installed with the operating system in Windows XP and Server 2003. It is accessed via the Start | Programs | Accessories | Communications menu in those operating systems. The RDC utility can also be installed and used on a number of older Windows operating systems, including Windows 2000, NT, ME, 98, and 95.
The older Terminal Services Client Connection Manager can still be used to connect to a terminal server from a Windows 3.11 computer with the 32-bit TCP/IP stack installed. There is also a 16-bit version of the Windows 2000 TS client for Windows for Workgroups 3.11 and a Macintosh client. If you need to connect MS-DOS, Linux, or other client operating systems, you will need third-party RDP or ICA client software. The Remote Desktop Connection utility is backward compatible and capable of communicating with Terminal Services in Windows XP, Windows 2000, and Windows NT 4.0, Terminal Server Edition.
Installing the Remote Desktop Connection Utility
If you want to use the Remote Desktop Connection utility on systems older than Windows XP, you’ll need to install it first. This means you’ll need the installation files. You can get them from the Microsoft Web site, or if you have installed Windows Server 2003, you can share the client setup folder located at %SystemRoot%\system32\clients\tsclient. After you share this folder, computers on the network can connect to the share and run the Setup.exe utility in the Win32 folder. If you want to deploy the client using Group Policy, Microsoft also includes an MSI installation file, Msrdpcli.msi, in this directory.
Perform the following steps to install the RDC client:
1 When you double-click the Setup.exe file, the installation wizard will launch. Read the initial welcome screen, and then click the Next button.
2 Review the license agreement, and then click the radio button next to I accept the terms of the license agreement, followed by the Next button.
3 On the Customer Information screen, enter your name for licensing purposes in the User Name: text box, and your company for licensing purposes in the Organization: text box.
4 In the Install this application for: section, select the radio button next to Anyone who uses this computer (all users) if you want the utility to be available on the Windows Start menu for every user that logs on to the system. Select the radio button next to Only for me (-) if you want the utility to appear only in your Windows Start menu. When you’ve finished making your selection, click the Next button.
5 On the next screen, click the Install button to proceed with the installation or the Back button to review your choices. The application will remove any previously installed similar applications, and then complete its own installation.
6 Click the Finish button to close the wizard.
Launching and Using the Remote Desktop Connection Utility
After the application is installed, open the Windows Start menu and click Remote Desktop Connection in the Programs | Accessories | Communications menu. This will open the utility, with most of its configuration options hidden. To proceed with the connection at this point, simply type the name or IP address of the terminal server, Windows Server 2003 computer, or Windows XP Professional computer to which you want to connect in the Computer: drop-down box, or select it from the drop-down list if you have previously established a session to it. By default, the name or IP address of the last computer to which you connected will be displayed. Finally, click on the Connect button.
A Remote Desktop window will open. If the user name and password with which you are logged on to your current system are valid for connection to Terminal Services on the server, you will be automatically logged on and a session will appear. If not, you will be prompted to enter a valid user name and password. When you are connected, the remote desktop will appear in a window on your system by default. You can move your cursor over it, click, and use any item in the remote desktop just as you would if you were using your local system. You can also copy and paste between the remote and local computers, using the standard methods of doing this.
Connecting is a simple process; however, terminating your session requires a bit more explanation. There are two methods that you can use to end your session:
■ Logging off
■ Disconnecting
To log off, simply click the Windows Start menu on the remote desktop, and then click the Log Off button. When you do this, it will completely log you out of the remote system in much the same way as if you logged out on your local system. Registry entries are properly written, programs are elegantly closed, etc. The session is completely removed from the Terminal Services computer, freeing up any system resources that were being used by your session. Make sure that you select Log Off, rather than Shut Down. If you select Shut Down, and you are logged onto the remote session with rights that enable your account to shut down the server, it will power down or reboot the server. This will affect everyone who is currently using the server.
The second method of terminating your session is to use the process known as disconnection. When you disconnect from Terminal Services, your session remains on the server and is not removed. It continues to consume resources, although the video stream coming to your local computer and input stream going from your local computer to the Terminal Services system are terminated. When you launch the RDC utility again and connect to the same computer running Terminal Services, your session will still be there, exactly as you left it, and you can take up where you left off. This can be helpful in cases where you are running an application that requires lengthy processing. You do not have to remain connected for the application to run and you can check back in later and obtain the result.
In general, it is best to properly log off and free up the resources being used by a session you no longer need. As we’ll see a bit later, an administrator can cause a disconnected session to be reset if you don’t return to it for a specified period of time. If you’ve left unsaved documents or other files open in your session, resetting will cause you to lose all work. Thus, it is usually safest to save your work and disconnect. You can disconnect from your session by clicking the close button (the X) in the top right corner of the Remote Desktop window.
You can also log off or disconnect using the Windows Security dialog box. This can be accessed by opening the Windows Start menu and selecting Windows Security, or by using the CTRL + ALT + END key combination from within the session (this has the same effect as CTRL + ALT + DEL on the local machine). Once in the dialog, you can log off by clicking the Log Off… button, or by selecting Log Off from the drop-down box that appears if you click the Shut Down… button. This same drop-down box also contains the option to Disconnect.
Configuring the Remote Desktop Connection Utility
In the previous section, we simply launched the Remote Desktop Connection utility and established a connection. When you initially launch the utility, most of its configuration information is hidden. To display it before you use it to establish a connection, click the Options button. This will reveal a series of tabs and many additional settings that can be configured. Let’s take a look at each in the following sections.
The General Tab
The General tab contains the Computer: drop-down box, which contains names and IP addresses of computers to which you have previously connected, along with an option to browse the network for computers not listed. It also contains User name:, Password:, and Domain: text boxes. Remember, by default the credentials with which you are logged on locally are used to establish your remote session. If you always want to ensure that a specific set of credentials is used to log on to Terminal Services, you can type the account information into these text boxes.
You might be using an earlier Windows operating system that does not require you to log on. These boxes can be used in this instance if you want to avoid being prompted for a user name and password when you connect with the utility.
This tab also enables you to save your connection settings. You might have several different systems to which you connect using Terminal Services. If so, it is helpful to not have to configure the utility each time you open it. When you click the Save As… button, a Save As dialog box opens, asking you where you’d like to save the file that contains your configuration information. You can save the file with an RDP extension and can double-click it later to establish a terminal session. You can also use the Open… button on this tab to specify that the settings from a previously saved RDP file be loaded into the utility.
The Display Tab
The Display tab controls how the remote desktop appears on your client computer. The top portion of the screen contains a slider that controls the size of the remote desktop that will be displayed on your screen. The slider has four possible positions: 640x480, 800x600, 1024x768, and Full Screen. The default is 800x600.
The next portion of this tab controls the color depth (in bits) of the remote desktop when it is displayed on your local computer. The drop-down list box contains the following options: 256 colors, High Color (15 bit), High Color (16 bit), and True Color (24 bit). Higher color depths require more resources. Note that the settings on the server itself may override your selection.
Finally, the bottom of the tab contains a check box entitled Display the connection bar when in full screen mode. When selected, this setting places a small bar, shown in Figure 27.3, at the top of a full screen remote desktop, which makes it easier to size, minimize or maximize (to full screen), or close the Remote Desktop window.
Figure 27.3 The Full Screen Connection Bar
The Local Resources Tab
The Local Resources tab enables you to control whether or not client resources are accessible in your remote session. Remember that when you are working in a session, you are actually working on the remote computer. This means that when you open Windows Explorer, the disk drives you see are the ones that are physically located on the Terminal Services computer, not the ones installed on your local computer. Selections on the Local Resources tab can be used to make your local drives, client-attached printers, and similar client-side resources available for use within your remote desktop session.
The first setting on the tab deals with whether audio will be used in the session. The default setting, Bring to this Computer, enables you to transfer any sounds played in the session from the Terminal Services computer to the client. Audio transfer can be bandwidth intensive in a thin client environment, so Microsoft also gives you the opportunity to not transfer this audio. The Leave at Remote Computer setting plays the audio in the session on the Terminal Services computer but does not transfer the audio to the client. The Do not play setting prevents audio in the session altogether.
The next setting on the Local Resources tab relates to whether keyboard shortcut combinations are used by the local operating system or the Remote Desktop window. There are three possible settings for keyboard shortcut combinations:
■ In full screen mode only. In this mode (which is the default), when you use a shortcut combination, the system applies it to the local operating system, unless there is a full screen Remote Desktop window open.
■ On the local computer. This setting applies all shortcut combinations to the local operating system.
■ On the remote computer. This setting applies all shortcut combinations to the Remote Desktop window.
It is important to note that you cannot redirect the CTRL + ALT + DEL keyboard combination. This combination works only on the local operating system. An equivalent that can be used in the Remote Desktop window (mentioned earlier in the chapter) is CTRL + ALT + END.
The final section of the tab contains a series of check boxes that can be selected to determine which devices from the client system are automatically made available to the user within the remote desktop session. By default, the following are selected: Disk drives, Printers, and Smart cards (if installed). An additional one, Serial ports, is not selected by default. When Disk drives, Serial ports, or Smart cards are selected, you may see a Remote Desktop Connection Security Warning box pop up when you begin the connection process. This happens because opening up devices that enable input or may relate to the underlying security of your local machine can be risky. You should consider carefully whether these settings are actually needed, and configure the utility appropriately.
The Programs Tab
By default, when you connect to a Terminal Services session, you will receive a Windows 2003 desktop. The selections on this tab enable you to receive only a specified application instead. If Terminal Services is being used to provide only a single application for each user, this setting can increase security by ensuring that users do not receive a full desktop upon connection. This will prevent them from performing tasks on the server other than running the specified application. If the check box next to Start the following program on connection is selected, only that application will be available in the session.
Selecting the box enables the Program path and file name: text box. If the path to the application is already contained in one of the Windows path variables on the Terminal Services computer, you can just type the name of the application’s executable file in this box. If not, you must include the full path and file name of the executable. The check box also enables the Start in the following folder: text box. If the application requires the specification of a working directory, enter it here. This is often the same directory in which the application itself is installed.
After the connection is made with a specified program starting, the traditional methods of ending your session (discussed earlier) will not always be possible. Most programs have an Exit command on a menu, embedded in a button or contained in a link. When you have specified an initial program, the Exit command is the equivalent of logging out. To disconnect, simply close the Remote Desktop Connection utility.
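The choices made on the General tab (Save As… and Open… of an .rdp file), the Local Resources tab (the security warning for Disk drives, Serial ports and Smart cards) and the Programs tab (starting a single program) all end up as plain-text lines in the saved .rdp file, so a help desk can check such files before handing them out. What follows is an added example, not code from this book or from Microsoft: a small Python audit that parses an .rdp file, flags the redirections the Local Resources tab warns about and any saved credential, reports whether the Programs tab confined the session to one application, and writes back a hardened copy. The key names used (full address, redirectdrives, redirectcomports, redirectsmartcards, redirectprinters, alternate shell, password 51) are the ones mstsc writes in .rdp files; the sample file and the audit policy itself are constructed for this example.

```python
"""Audit a saved Remote Desktop Connection (.rdp) file for risky settings.

Added example, not code from the book. An .rdp file is plain text with one
"name:type:value" setting per line (type i = integer, s = string, b = binary
hex). The key names used here are the ones mstsc writes; the policy in
audit_rdp() is an assumption made for this example, not a Microsoft default.
"""

# Constructed sample of what RDC's Save As... produces, with every
# client-side device redirection switched on.
SAMPLE_RDP = """\
screen mode id:i:2
desktopwidth:i:1024
desktopheight:i:768
session bpp:i:16
full address:s:ts01.example.internal
username:s:helpdesk
domain:s:EXAMPLE
audiomode:i:0
redirectdrives:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
keyboardhook:i:2
displayconnectionbar:i:1
alternate shell:s:
shell working directory:s:
"""

# The redirections behind the Local Resources tab's security warning: each
# gives the remote session a path back into the client machine.
RISKY_REDIRECTIONS = {
    "redirectdrives": "local disk drives are exposed to the remote session",
    "redirectcomports": "local serial ports are exposed to the remote session",
    "redirectsmartcards": "local smart cards are exposed to the remote session",
}


def parse_rdp(text):
    """Return {name: (type, value)}; integer values are converted, strings kept."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Only the first two colons delimit; an 's' value may itself contain
        # colons (for example "full address:s:host:3389").
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            raise ValueError(f"line {lineno}: not a name:type:value setting: {raw!r}")
        name, typ, value = parts
        settings[name] = (typ, int(value) if typ == "i" else value)
    return settings


def serialize_rdp(settings):
    """Write settings back in the same one-setting-per-line format."""
    return "".join(f"{name}:{typ}:{value}\n" for name, (typ, value) in settings.items())


def audit_rdp(settings):
    """Return a list of findings; an empty list means the file passes the policy."""
    findings = []
    for key, why in RISKY_REDIRECTIONS.items():
        if settings.get(key, ("i", 0))[1] == 1:
            findings.append(f"{key}=1: {why}")
    if "password 51" in settings:
        findings.append("password 51 present: a saved credential travels with the file")
    if not settings.get("full address", ("s", ""))[1]:
        findings.append("full address empty: the file does not name the server")
    return findings


def harden_rdp(settings):
    """Copy of settings with the risky redirections off and any saved password dropped."""
    fixed = dict(settings)
    for key in RISKY_REDIRECTIONS:
        fixed[key] = ("i", 0)
    fixed.pop("password 51", None)
    return fixed


def starts_single_program(settings):
    """True when the Programs tab confined the session to one application."""
    return bool(settings.get("alternate shell", ("s", ""))[1])


if __name__ == "__main__":
    parsed = parse_rdp(SAMPLE_RDP)
    for finding in audit_rdp(parsed):
        print("FINDING:", finding)
    print("single program only:", starts_single_program(parsed))
    print(serialize_rdp(harden_rdp(parsed)))
```

Run against the constructed sample, the audit reports the three redirections (drives, serial ports, smart cards) and leaves printer redirection alone, and the hardened copy passes cleanly. The client file only expresses what the client asks for; what the terminal server actually grants is still governed by the server-side Terminal Services configuration.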
The Experience Tab
The Experience tab enables you to customize several performance features that control the overall feel of your session. All of these settings except Bitmap Caching can generate substantial amounts of additional bandwidth and should be used sparingly in low bandwidth environments. The check boxes on this page include the following:
■ Desktop background. Enables the background image of the desktop (wallpaper) in the remote session to be transferred to and displayed on the client.
■ Show contents of window while dragging. Rapidly refreshes a window so that its contents are visible as the user moves it around the screen in his or her Remote Desktop window.
■ Menu and window animation. Enables some sophisticated effects, such as the Windows Start menu fading in and out, to be displayed in the Remote Desktop window on the client computer.
■ Themes. Enables any themes used in the remote session to be enabled and transferred to the Remote Desktop window on the client.
■ Bitmap Caching. Enables bitmaps to be stored locally on the client system and called up from cache, rather than being transmitted multiple times across the network. Examples of bitmaps include desktop icons and icons on application toolbars. This setting improves performance, but not all thin client systems have a hard drive or other storage mechanism in which to store the bitmaps.
At the top of this tabbed page, there is a drop-down box that contains several predefined combinations of these settings that Microsoft has optimized for different levels of available bandwidth. Table 27.1 shows which bandwidth level corresponds to which settings: