Lesson 2: Windows 7 Remote Management CHAPTER 7 403

connect to that client remotely and resume the session over Remote Desktop. It is also possible for the user to disconnect from that session and resume it when they log back on directly. If another user is logged on when an incoming Remote Desktop session is initiated, she will receive a message indicating that another user wants to log on remotely, as shown in Figure 7-16. The logged-on user has the ability to deny the remote user access, even when the remote user has administrative privileges and the logged-on user does not. If a user is logged on remotely and another user attempts a local logon, the remote user will be prompted in the same way. A currently logged-on user, whether that logon is remote or local, is able to deny another user's logon request. If a user is disconnected, her session remains in memory and she can reconnect at any time, similar to the way a user's session remains in memory when you use the Switch User option from the Shutdown menu.

FIGURE 7-16 The logged-on user can deny the Remote Desktop connection.

You can make Remote Desktop connections through NAT devices to hosts on the Internet. A technology available in Windows Server 2008 called Terminal Services Gateway allows users to make Remote Desktop connections from hosts that have Internet connectivity to hosts on an internal protected network. It is possible to make Remote Desktop connections over modem and VPN links. Remote Desktop connections can use both the IPv4 and IPv6 protocols, and it is possible to make a Remote Desktop connection when a computer connects to the network using DirectAccess.

Configuring Remote Desktop

You can make Remote Desktop connections only to computers running the Professional, Enterprise, and Ultimate editions of Windows 7. Other editions of Windows 7 do not support incoming Remote Desktop connections, but all editions include the Remote Desktop client software.
Remote Desktop is not enabled by default on computers running Windows 7. You can enable it on the Remote tab of the System Properties dialog box, which is shown in Figure 7-17. When you enable Remote Desktop, you need to choose whether to allow connections from computers running any version of Remote Desktop or to restrict connections to computers running Remote Desktop with Network Level Authentication. Only clients running Windows Vista and Windows 7 support Network Level Authentication by default. It is possible to configure computers running Windows XP with SP3 to support Network Level Authentication, but this feature is not enabled by default. If you need to connect to a client running Windows 7 from a client running Windows XP that does not have SP3 applied, it is necessary to configure the option that allows connections from computers running any version of Remote Desktop.

FIGURE 7-17 Enable Remote Desktop

When you enable Remote Desktop, Windows Firewall automatically updates its rules to allow Remote Desktop connections to be made to the computer. If you reset Windows Firewall to its default settings, you need to re-enable the Remote Desktop firewall rules manually. You can also re-enable these rules by disabling and then re-enabling Remote Desktop. If you want to allow a standard user to connect remotely using Remote Desktop, you must add her account to the local Remote Desktop Users group. Only members of the Administrators and Remote Desktop Users local groups are able to make connections to a client running Windows 7 using Remote Desktop. When you click the Select Users button on the Remote tab of the System Properties dialog box, it opens the Remote Desktop Users dialog box, as shown in Figure 7-18.
Any user you add using this dialog box is added automatically to the Remote Desktop Users group, and the list displays all current members of that group, no matter what method was used to add the user accounts. You will configure Remote Desktop in the practice at the end of this lesson.

FIGURE 7-18 Remote Desktop Users

Remote Assistance

Both Remote Assistance and Remote Desktop allow the user at the management computer to see the desktop and applications that are present on the remote computer. The difference between Windows Remote Assistance and Remote Desktop is that, with Remote Assistance, a user is logged on to the remote computer and initiates the session, whereas a Remote Desktop session is initiated from the management computer. Remote Assistance is a support tool used by help-desk staff to allow them to view the screen of the person to whom they are providing assistance. Remote Assistance reduces the need for nontechnical users to accurately describe the problem that they are having with their computers because support personnel can see the desktop directly. Unlike the version of Remote Assistance that shipped with Windows XP, the version of Remote Assistance that is included with Windows 7 does not include a voice client. If you are going to talk to the person whom you are helping using Remote Assistance, you have to use another method, such as the telephone.

Remote Assistance can be used only with the permission of the person who is logged on to the remote computer. Remote Assistance invitations can be used for only a limited time, and once the Remote Assistance application is closed, it is not possible to connect to the remote computer through a Remote Assistance session. The person logged on to the remote computer can terminate the Remote Assistance session at any time.
The default connection setting for Remote Assistance allows the person providing assistance only to view, but not interact with, the desktop on the remote computer. The person providing assistance can request control, as shown in Figure 7-19, which allows him to interact directly. This is useful if the person providing assistance needs to respond to a User Account Control prompt. The person receiving the assistance can return the session to view only by clicking the Stop Sharing button on the Windows Remote Assistance control. They can also temporarily block the person helping them from viewing their desktop by pausing the Remote Assistance session.

FIGURE 7-19 Permission to share control

Like Remote Desktop, Remote Assistance connections can occur only when there is connectivity between the management computer and the remote computer. This means that you cannot resolve a network connectivity problem using Remote Assistance, because that connectivity problem blocks a Remote Assistance connection. The Windows Remote Assistance rule is enabled in Windows Firewall when Windows Remote Assistance is enabled on a computer. You enable Windows Remote Assistance on the Remote tab of the System Properties dialog box. Windows Remote Assistance is enabled by default on computers running Windows 7. The advanced Remote Assistance settings, which can be accessed by clicking the Advanced button on the Remote tab of the System Properties dialog box, allow you to configure a maximum time that an invitation can remain open and to limit Remote Assistance so that connections can be made only from computers that are running Windows Vista or later. This dialog box is shown in Figure 7-20.

FIGURE 7-20 Advanced Remote Assistance settings

When you start Windows Remote Assistance, you are presented with the option of configuring an invitation or responding to an invitation, as shown in Figure 7-21.
When a user requesting assistance selects the Invite Someone You Trust To Help You option, she is able to choose among three options: saving the invitation as a file, using e-mail to send the invitation, or using Easy Connect. It is possible to use the e-mail option only if a compatible e-mail program is installed on the client running Windows 7. It is important to remember that, unlike previous versions of Windows, Windows 7 does not ship with a built-in e-mail application, so you cannot assume that one is automatically present. You can use the Easy Connect connection method on a local network only if the Peer Name Resolution Protocol is present on a local server running Windows Server 2008, and you can use it to solicit assistance over the Internet only if your router supports this protocol. Easy Connect allows you to send an assistance request without having to forward an invitation.

FIGURE 7-21 Asking for or offering remote assistance

Not only must the person providing remote assistance receive an invitation, but she also needs to provide a password that can be given to her only by the person requesting assistance, as shown in Figure 7-22. For security reasons, this password should be provided using a different method from the one used to transmit the invitation file. If the user requesting remote assistance closes the Windows Remote Assistance dialog box, it is not possible for the remote user to make a connection, even if the invitation period has not expired. Once this dialog box is closed, Windows Remote Assistance needs to be restarted and a new remote assistance invitation issued, because the previous one is no longer valid.
FIGURE 7-22 Waiting for a connection

When the remotely connecting user makes the connection with the password forwarded to them, the person requesting assistance is given a warning that the remotely connecting user will be able to see whatever is on the desktop, as shown in Figure 7-23. Once the connection is accepted, the Windows Remote Assistance session starts. The session can be terminated by either party at any time.

FIGURE 7-23 The allow assistance connection

Quick Check

1. What setting do you need to configure to allow Remote Desktop connections from computers running Windows XP Professional SP2?
2. What protocol must be present on local computers running Windows Server 2008 if you are going to forward Windows Remote Assistance invitations using Easy Connect in a LAN environment?

Quick Check Answers

1. You must configure Remote Desktop to allow connections from computers running any version of Remote Desktop, rather than only allowing connections from computers running Remote Desktop with Network Level Authentication.
2. The Peer Name Resolution Protocol feature must be installed on Windows Server 2008 for clients running Windows 7 on a LAN to be able to use Easy Connect.

Windows Remote Management Service

The Windows Remote Management service allows you to execute commands on a remote computer, either from the command prompt using WinRS or from Windows PowerShell. Before you can use WinRS or Windows PowerShell for remote management tasks, it is necessary to configure the target computer using the WinRM command. To configure the target computer, you must run the command WinRM quickconfig from an elevated command prompt.
Executing WinRM quickconfig does the following:

• Starts the WinRM service
• Configures the WinRM service startup type to delayed automatic start
• Configures the LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users
• Configures the WinRM listener on http://* to accept WS-Man requests
• Configures the WinRM firewall exception

If you are attempting to manage a computer remotely that is not a member of the same AD DS domain as the management computer, you may need to configure the management computer to trust the remote computer. This is necessary only when you do not use Hypertext Transfer Protocol Secure (HTTPS) or Kerberos to authenticate the remote computer's identity. You need to configure this trust because of the bidirectional nature of remote management traffic and the fact that authentication credentials will be forwarded to the remote computer. You can configure this trust using the following command:

winrm set winrm/config/client @{TrustedHosts="remote computer name or IP address"}

It is also possible to configure Windows Remote Management through Group Policy. The relevant policies are located in the Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management node and are split between WinRM Client and WinRM Service policies. These policies relate to authentication settings and TrustedHosts.

Windows Remote Shell for Remote Management

You can use WinRS to execute command-line utilities or scripts on a remote computer. To use WinRS, open a command prompt and prefix the command that you want to run on the remote computer with the WinRS -r:RemoteComputerName command. For example, to execute the Ipconfig command on a computer named Aberdeen, issue the command:

WinRS -r:Aberdeen ipconfig

If the computer is on the local network, you can use its NetBIOS name. If the computer is on a remote network, you may need to specify its fully qualified domain name (FQDN).
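The following script is an added example, not part of the training kit: it checks each setting the list above says WinRM quickconfig changes, plus the client-side TrustedHosts value, so that an administrator can confirm or audit a Windows 7 host's state without re-running quickconfig. It assumes an elevated Windows PowerShell V2 prompt; the registry value names (DelayedAutostart, LocalAccountTokenFilterPolicy) and the firewall rule name are assumed Windows 7 defaults, not values given in the lesson.

```powershell
# Added example (not from the training kit). Reports the state of everything
# "WinRM quickconfig" is described as configuring. Assumes PowerShell V2, elevated.
function Test-WinRMQuickConfigState {
    $result = New-Object PSObject

    # 1. WinRM service started and set to delayed automatic start
    #    (DelayedAutostart value name is an assumption about the service key layout)
    $svc    = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    $svcKey = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinRM' -ErrorAction SilentlyContinue
    $result | Add-Member NoteProperty ServiceState $svc.State
    $result | Add-Member NoteProperty StartMode    $svc.StartMode
    $result | Add-Member NoteProperty DelayedStart ($svcKey.DelayedAutostart -eq 1)

    # 2. LocalAccountTokenFilterPolicy = 1 lets local administrators keep a full token
    #    over the network. It is what makes remote management with local accounts work,
    #    and it is also why the local administrator password on such a host deserves the
    #    same care as a domain one. Value location is an assumption (standard policy key).
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $result | Add-Member NoteProperty TokenFilterPolicy $pol.LocalAccountTokenFilterPolicy

    # 3. An HTTP listener exists (winrm.cmd prints text; match "Transport = HTTP", not HTTPS)
    $listeners = & winrm enumerate winrm/config/listener 2>$null
    $http = @($listeners | Where-Object { $_ -match 'Transport\s*=\s*HTTP$' })
    $result | Add-Member NoteProperty HttpListener ($http.Count -gt 0)

    # 4. The firewall exception is enabled (rule name assumed; it is locale dependent)
    $fw = & netsh advfirewall firewall show rule name="Windows Remote Management (HTTP-In)" 2>$null
    $enabled = @($fw | Where-Object { $_ -match '^Enabled:\s+Yes' })
    $result | Add-Member NoteProperty FirewallRuleEnabled ($enabled.Count -gt 0)

    # 5. Client-side TrustedHosts. A bare "*" means this computer will forward credentials
    #    to any host name it is asked to manage, which is the exposure the lesson's trust
    #    step exists to limit when HTTPS or Kerberos is not in use.
    $client = & winrm get winrm/config/client 2>$null
    $line = @($client | Where-Object { $_ -match 'TrustedHosts' })
    $th = if ($line.Count -gt 0) { ($line[0] -replace '.*TrustedHosts\s*=\s*', '').Trim() } else { '' }
    $result | Add-Member NoteProperty TrustedHosts $th
    $result | Add-Member NoteProperty TrustedHostsWildcard ($th -eq '*')

    return $result
}

Test-WinRMQuickConfigState | Format-List
```

A host that shows TrustedHostsWildcard as True should have the value narrowed to the specific computer names or addresses it actually manages, using the winrm set command shown above.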
It is also possible to specify credentials to be used on the remote computer. For example, to run the command net accounts, which displays information about a computer's password policy, on a computer named Aberdeen.contoso.internal using the Kim_Akers user account, issue the command:

WinRS -r:http://aberdeen.contoso.internal -u:Kim_Akers net accounts

If you do not specify a password using the -p:password option, you are prompted to enter a password after you execute the command. You can configure WinRS options through Group Policy in the Computer Configuration\Administrative Templates\Windows Components\Windows Remote Shell node. The policies are shown in Figure 7-24 and can be used to configure settings such as idle timeouts, maximum concurrent remote shells, and whether remote shell access is allowed. You will configure and use Windows Remote Shell in a practice exercise at the end of this lesson.

FIGURE 7-24 WinRS policies

Windows PowerShell Remote Management

Windows PowerShell V2 supports remote management of computers. Windows PowerShell V2 is the version of Windows PowerShell that is included with Windows 7. If you want to use a computer running an earlier version of Windows to manage Windows 7 using Windows PowerShell, it is necessary to update it to Windows PowerShell V2 or later. You can use Windows PowerShell to manage a computer remotely only if you have configured the Windows Remote Management service as outlined earlier in this lesson. The syntax of remote Windows PowerShell commands is straightforward:

Icm hostname {powershell-command}

You will use Windows PowerShell remotely in one of the practice exercises at the end of this lesson.

More Info REMOTE WINDOWS POWERSHELL
To learn more about using Windows PowerShell to manage other computers remotely, consult the following post on the Windows PowerShell Blog: http://blogs.msdn.com/powershell/archive/2008/05/10/remoting-with-powershell-quickstart.aspx.
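The script below is an added example, not code from the training kit: it uses the Invoke-Command (Icm) form described above, with explicit credentials rather than a password on the command line, to collect the Remote Desktop and Remote Assistance state from one or more Windows 7 computers without disturbing a logged-on user. It assumes WinRM has been configured on each target as the lesson describes and, for targets outside the domain, that they are listed in the management computer's TrustedHosts; Aberdeen and Kim_Akers are the lesson's sample names, and the registry value names are assumed standard Terminal Server settings rather than values the lesson gives.

```powershell
# Added example (not from the training kit). Remote audit over PowerShell V2 remoting.
$targets    = 'Aberdeen'                           # one name, or an array of names / FQDNs
$credential = Get-Credential 'Aberdeen\Kim_Akers'  # prompts; avoids -p:password on the command line

$audit = {
    # Registry value names assumed: fDenyTSConnections, UserAuthentication, fAllowToGetHelp
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    # "net localgroup" prints members between a dashed line and "The command completed".
    $members = & net localgroup 'Remote Desktop Users' |
        Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|-+|The command)' }
    New-Object PSObject -Property @{
        Computer           = $env:COMPUTERNAME
        RemoteDesktopOn    = ($ts.fDenyTSConnections -eq 0)   # 1 (the default) refuses incoming RDP
        NLARequired        = ($rdp.UserAuthentication -eq 1)  # the "More Secure" option on the Remote tab
        RemoteAssistanceOn = ($ts.fAllowToGetHelp -eq 1)      # enabled by default on Windows 7
        RemoteDesktopUsers = ($members -join ', ')
        LoggedOnUsers      = ((& query user 2>$null | Select-Object -Skip 1) -join '; ')
    }
}

# The lesson's shorthand is "Icm Aberdeen { ... }"; the long form adds explicit credentials.
# If the call fails because the Microsoft.PowerShell session configuration is missing on the
# target, run Enable-PSRemoting there once from an elevated prompt.
$results = Invoke-Command -ComputerName $targets -Credential $credential -ScriptBlock $audit

$results | Select-Object Computer, RemoteDesktopOn, NLARequired, RemoteAssistanceOn,
                         RemoteDesktopUsers, LoggedOnUsers | Format-Table -AutoSize

# Flag the combination the lesson describes as less secure: RDP on, NLA not required.
$results | Where-Object { $_.RemoteDesktopOn -and -not $_.NLARequired } | ForEach-Object {
    Write-Warning "$($_.Computer): Remote Desktop enabled without Network Level Authentication"
}
```

The same registry reads could be issued through WinRS with reg query, but Invoke-Command returns objects, which is what makes the per-host comparison at the end straightforward.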
Exam Tip

Remember what command you need to execute on a computer if you want to configure the Remote Management Service to allow remote management through Windows PowerShell or WinRS.

Practice: Windows 7 Remote Management Options

In this practice, you explore two different remote management technologies that you can use to configure and maintain computers running Windows 7. These technologies are complementary, and there will be situations where you choose to employ one over another. For example, you might use a remote Windows PowerShell session to gather information about a computer while a user is still logged on, or you might use a Remote Desktop session to update a device driver.

Exercise 1: Using Remote Desktop for Remote Management

In this exercise, you configure a client running Windows 7 so that it is possible to make a connection to that client using Remote Desktop. You then connect to that client using Remote Desktop to verify that the configuration is correct.

1. Ensure that computer Canberra is turned on.
2. Turn on computer Aberdeen and log on to it using the Kim_Akers user account.
3. Open an elevated command prompt. Verify that network connectivity exists between computer Canberra and computer Aberdeen by issuing the command ping Canberra, as shown in Figure 7-25. If you are unable to obtain connectivity, enter the following commands from an elevated command prompt on both hosts:

   netsh advfirewall firewall add rule name="ICMPv4" protocol=icmpv4:any,any dir=in action=allow
   netsh advfirewall firewall add rule name="ICMPv6" protocol=icmpv6:any,any dir=in action=allow

FIGURE 7-25 Verifying connectivity

4. Open the Control Panel and click Add Or Remove User Accounts. Click Create A New Account. Enter the user account name Cassie_Hicks as a Standard user and click Create Account.
5. On the Choose The Account You Would Like To Change page, click Cassie_Hicks.
6. On the Make Changes To Cassie_Hicks's Account page, click Create A Password. Enter the password P@ssw0rd twice and then, in the Hint box, type the page number of this page. Click Create Password. Close the Change An Account dialog box.
7. Click Start, right-click Computer, and then choose Properties. In the Control Panel Home pane, click Remote Settings.
8. On the Remote tab of the System Properties dialog box, select Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication (More Secure), as shown in Figure 7-26, and then click Select Users.

FIGURE 7-26 Remote Desktop Properties

9. In the Remote Desktop Users dialog box, click Add. In the Select Users dialog box, enter the name Cassie_Hicks and then click OK. Click OK twice to close both the Remote Desktop Users dialog box and the System Properties dialog box.
10. Log off of Aberdeen while keeping the computer turned on. Log on to computer Canberra using the Kim_Akers user account.
11. Click Start. In the Search Programs And Files text box, type Remote Desktop Connection. Click the Remote Desktop Connection item.
12. In the Remote Desktop Connection dialog box, click Options. In the Computer text area, type Aberdeen and in the User Name area, type Cassie_Hicks, as shown in Figure 7-27. Click Connect.
13. In the Windows Security, Enter Your Credentials dialog box, enter the password P@ssw0rd for the Cassie_Hicks user account and click OK.
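The script below is an added example, not part of the training kit: it is the command-line equivalent of steps 3 to 9 of Exercise 1, run on Aberdeen, for repeating the same configuration on many clients. It assumes an elevated Windows PowerShell V2 prompt; Cassie_Hicks is the exercise's account name, while the registry value names and the firewall rule group name are assumed Windows 7 defaults, not values the lesson gives.

```powershell
# Added example (not from the training kit): scripted form of Exercise 1, steps 3 to 9.

# Step 3: allow ICMP echo so "ping Canberra" can succeed (the lesson's own netsh commands).
netsh advfirewall firewall add rule name="ICMPv4" protocol=icmpv4:any,any dir=in action=allow | Out-Null
netsh advfirewall firewall add rule name="ICMPv6" protocol=icmpv6:any,any dir=in action=allow | Out-Null

# Steps 4 to 6: create Cassie_Hicks as a standard user (net user creates non-administrators
# by default). "net user ... *" prompts for the password, so it never sits in this script.
& net user Cassie_Hicks 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    net user Cassie_Hicks * /add /comment:"Remote Desktop practice account"
}

# Steps 7 and 8: enable Remote Desktop and require Network Level Authentication, the
# "More Secure" option. fDenyTSConnections=1 is the shipped default, i.e. RDP off.
# (Value names are assumed standard Terminal Server settings, not from the lesson.)
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"
Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord

# The Remote tab enables the firewall rules for you; a script must do it explicitly.
# This is also the repair step after a Windows Firewall reset that the lesson mentions.
# (Group name assumed; it is locale dependent.)
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes | Out-Null

# Step 9: a standard user can connect only as a member of Remote Desktop Users.
net localgroup "Remote Desktop Users" Cassie_Hicks /add

# Check the result before testing the connection from Canberra (steps 10 to 13).
Get-ItemProperty -Path $ts  -Name fDenyTSConnections | Select-Object fDenyTSConnections
Get-ItemProperty -Path $rdp -Name UserAuthentication | Select-Object UserAuthentication
net localgroup "Remote Desktop Users"
```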