■ The request can be saved to a file.

To create an invitation, open Help and Support from the Windows Start menu. On the right side of the Help and Support Center utility, click Remote Assistance under the Support heading. In the next screen, click the Invite someone to help you link. You will then be able to select the method that you want to use in asking for assistance, as shown in Figure 27.1. A request using Windows Messenger requires that Windows Messenger be installed and configured. A request using e-mail requires that an e-mail client be installed and configured, though most users already have one.

Managing Open Invitations

Sometimes you might want to know the names of users with whom you have active RA invitations open. You might want to cancel an invitation because you've solved the problem or because you want someone else to help you. Help and Support Center provides a number of options for managing open invitations. To manage your active invitations, follow these steps:

1. Open the Help and Support utility from the Windows Start menu.
2. On the right side of the Help and Support Center screen, click Remote Assistance under the Support heading.
3. On the following screen, click the View Invitation Status (X) link. The (X) will be replaced on your screen by the number of invitations you have outstanding.
4. The next screen will show you a list of the invitations that are outstanding. The list consists of three columns: Sent To, Expiration Time, and Status. The Sent To column contains the name of the person to whom you sent the Windows Messenger message or e-mail.
If you saved the request to a file, this column will display the word "Saved." The Expiration Time column will show the date and time that the invitation will expire. The Status column will show whether the invitation's status is Open or Expired.

Chapter 27 • Managing and Troubleshooting Terminal Services

Figure 27.1 The "Pick how you want to contact your assistant" Screen in Remote Assistance

Now you can view or modify any of these invitations. Each invitation will have a radio button next to it, as shown in Figure 27.2. You can click a radio button to select one of the invitations, and then choose an action to perform using the buttons under the list box.

Remote Assistance Security Issues

RA is a valuable tool, but it also carries serious security risks that must be planned for and managed. RA makes it easy for any user to ask virtually anyone using a Windows XP or Server 2003 computer to connect to his or her desktop. This person can be inside the company or a friend outside it. Although an outside person may be qualified to assist the user, in doing so they will likely receive full control of a client in your network. This is unacceptable, because while in control they could place malicious software on the system, view sensitive company information that normally isn't allowed outside the organization, and so on. The best way to prevent this is to use your company's firewalls to block connections to RA from outside the company's network. RA uses the same port that all Terminal Services components do: TCP 3389. Simply blocking this port on your external firewalls prevents this type of unauthorized access and keeps the port from showing up in external port scans.

Several other key security concerns should be addressed in your company's remote assistance policies. E-mail and file-based invitations enable you to specify passwords.
An invitation without password protection can be used by anyone who receives it by accident or intercepts it illegitimately. Because of this, always mandate the use of these passwords.

Your company may also want to protect traffic that contains RA requests. E-mail is normally sent in unencrypted form on the network. This means that the URL sent in the e-mail invitation is available for easy interception while it is in transit on the network. Likewise, a simple XML format is used for the invitation file. A simple pattern match could be used when monitoring the network to detect this information and automatically save it to an unauthorized system while it is being sent across the network. If the e-mail or file invitations do not have passwords, they can be used immediately when they are captured in this way. Even if a password is specified, there is no limit to the number of times a captured invitation can be used to attempt a connection, so a brute force attack could be used to try to break the password and establish a session. For this reason, it is important that your remote assistance policy also specify a short expiration time for the invitation. Once expired, no connections are possible with it. A shorter time reduces the chances of success using a brute force attack. And, if no password is specified, at least the open window for misuse of the invitation is shorter.

Figure 27.2 The "View or change your invitation settings" Screen in Remote Assistance

You should also educate your users on when it is appropriate to accept RA requests. As mentioned previously, a request saved to a file is stored in a standard XML file. These can easily be modified to perform malicious actions when run by a user on a local system. The e-mail request contains a URL to click and can also be altered.
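As an added example, not code from this book or from Microsoft, the following Python script reads a saved invitation file and checks it against the policy just described: a password must be set, the lifetime must be short, and the host:port pairs the helper is told to connect to must be on TCP 3389 inside the company network. The UPLOADDATA attribute names and the meaning of DtStart (seconds since 1970), DtLength (minutes), RCTICKETENCRYPTED and PassStub are the author's reading of the .msrcincident format and should be confirmed against an invitation from your own environment; the INTERNAL_NETS and MAX_LIFETIME values, the EXAMPLE_NOW clock and the three sample invitations are constructed for the example.

```python
"""Audit Remote Assistance invitation files (.msrcincident) against the
policy points made in this chapter.  Added example; assumptions are marked."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Policy knobs: assumptions for the example, not values from the chapter.
MAX_LIFETIME = timedelta(hours=1)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
RDP_PORT = 3389  # the Terminal Services port the chapter says to block at the perimeter

# host:port tokens inside the RCTICKET attribute, e.g. "10.0.0.5:3389;WKS01:3389".
_ENDPOINT = re.compile(r"([A-Za-z0-9][A-Za-z0-9_.-]*):(\d{1,5})")


def _decode(raw):
    """Invitations are saved as UTF-16 (encoding="Unicode"); UTF-8 copies are
    accepted too.  expat rejects that encoding name, so drop the declaration."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1)


def parse_invitation(raw):
    """Extract the fields the audit needs.  Assumption: UPLOADDATA carries
    DtStart (seconds since 1970, UTC), DtLength (minutes), RCTICKET (the ticket
    with the novice's host:port list), and RCTICKETENCRYPTED="1" plus a
    PassStub when a password was set."""
    root = ET.fromstring(_decode(raw))
    data = root if root.tag == "UPLOADDATA" else root.find("UPLOADDATA")
    if data is None:
        raise ValueError("no UPLOADDATA element in invitation")
    a = data.attrib
    start = datetime.fromtimestamp(int(a["DtStart"]), tz=timezone.utc)
    lifetime = timedelta(minutes=int(a["DtLength"]))
    return {
        "user": a.get("USERNAME", "?"),
        "password_protected": a.get("RCTICKETENCRYPTED") == "1" and bool(a.get("PassStub")),
        "start": start,
        "expires": start + lifetime,
        "lifetime": lifetime,
        "endpoints": [(h, int(p)) for h, p in _ENDPOINT.findall(a.get("RCTICKET", ""))],
    }


def audit_invitation(raw, now=None):
    """Return a list of findings; empty means the invitation satisfies the
    assumed policy.  `now` is injectable so the check is reproducible."""
    inv = parse_invitation(raw)
    now = now or datetime.now(timezone.utc)
    findings = []
    if not inv["password_protected"]:
        findings.append("no password: anyone who intercepts the invitation can connect")
    if inv["lifetime"] > MAX_LIFETIME:
        findings.append("lifetime %s exceeds policy maximum %s" % (inv["lifetime"], MAX_LIFETIME))
    if now >= inv["expires"]:
        findings.append("expired: the ticket can no longer be used")
    if not inv["endpoints"]:
        findings.append("no host:port endpoints in RCTICKET (altered or truncated file?)")
    for host, port in inv["endpoints"]:
        if port != RDP_PORT:
            findings.append("%s:%d is not the Terminal Services port %d" % (host, port, RDP_PORT))
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a host name is resolved by the helper's client; not classifiable here
        if not any(addr in net for net in INTERNAL_NETS):
            findings.append("%s is outside the internal networks: possible altered invitation" % host)
    return findings


def _invitation(user, ticket, encrypted, passstub, start, minutes):
    """Build a constructed sample file (BOM + UTF-16, as Windows saves them)."""
    xml = ('<UPLOADINFO TYPE="Escalated"><UPLOADDATA USERNAME="%s" RCTICKET="%s" '
           'RCTICKETENCRYPTED="%s"%s DtStart="%d" DtLength="%d" L="0"/></UPLOADINFO>'
           % (user, ticket, encrypted, ' PassStub="%s"' % passstub if passstub else "",
              start, minutes))
    return b"\xff\xfe" + xml.encode("utf-16-le")


# Constructed samples; DtStart 1084579200 is 2004-05-15 00:00:00 UTC.
SAFE = _invitation("alice", "65538,1,10.20.30.40:3389;WKS01:3389,*,x,*,*,y", 1, "stub", 1084579200, 30)
UNSAFE = _invitation("bob", "65538,1,203.0.113.9:3389;WKS02:3389,*,x,*,*,y", 0, "", 1084579200, 43200)
EXPIRED = _invitation("carol", "65538,1,192.168.5.6:3389,*,x,*,*,y", 1, "stub", 1084492800, 30)
EXAMPLE_NOW = datetime(2004, 5, 15, 0, 10, tzinfo=timezone.utc)  # fixed clock for the demo

if __name__ == "__main__":
    for name, raw in (("SAFE", SAFE), ("UNSAFE", UNSAFE), ("EXPIRED", EXPIRED)):
        print(name, audit_invitation(raw, now=EXAMPLE_NOW) or ["ok"])
```

Run against a real file with `audit_invitation(open("invite.msrcincident", "rb").read())`; the same parser can sit behind a mail-gateway or file-share scan to find invitations that are missing a password or live longer than your policy allows.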
An altered e-mail invitation may take the user to a page that performs malicious actions on their local system, or one that requires the download and installation of an unauthorized ActiveX control designed to appear legitimate to the user. Even an unsolicited request received through Windows Messenger has security worries.

The best option is to maintain a tight policy that asks users to reject RA invitations in all but a few instances. What is acceptable will relate specifically to your company. Some organizations allow acceptance only from immediate co-workers and known help desk staff. Others are more liberal and allow invitations to be accepted from any verifiable employee within the company. The most important rule is to not allow connections from outside of the organization.

Installing and Configuring the Terminal Server Role

Unlike the remote administration components in Windows 2003, the terminal server role requires separate installation by an administrator. In addition, it requires the terminal server licensing component to be added to a Windows 2003 server on the network. If the license server component is not added, or if it is added but valid client licenses are not installed on it, no remote connections to the terminal server will be allowed 120 days after the first client connects.

Install the Terminal Server Role

The terminal server role can be installed from the Manage Your Server utility, which is opened from the Windows Start | Administrative Tools menu. Open the utility and follow these steps:

1. Click the Add or remove a role link. This will display the Configure Your Server Wizard with its first page displayed.
2. Read the recommendations and click the Next button.
3. A Configure Your Server Wizard dialog box will pop up, informing you that the underlying network settings are being detected. When detection is complete, you will see the Configuration Options screen in the wizard.
4.
Select the radio button next to Custom configuration and click the Next button.
5. On the Server Role screen, click Terminal server to highlight the role in the list (it should say No under the Configured column if the terminal server role has not already been installed). Click the Next button.
6. The Summary of Selections screen should read Install Terminal Server. Ensure that it does, and then click Next.
7. At this point, another Configure Your Server pop-up dialog box will appear to inform you that the server will reboot automatically as part of the installation process. Click the OK button in this dialog box.
8. The wizard will switch to the Applying Selections screen, launch the Windows Component Wizard, finish the installation based on your selections, and reboot.
9. When the reboot has completed, log on as an administrator. When your logon is completed, the Configure Your Server Wizard will appear to let you know that your server is now a terminal server. Click the Finish button.
10. The Manage Your Server utility will reappear in the background. A help window also opens when you log on, with the terminal server help topic displayed.

Install Terminal Server Licensing

After you have installed the Terminal Server role on one of your servers, it's time to install terminal server licensing. If you fail to do so, all terminal server connections will be rejected 120 days after the first client logs on. Microsoft recommends that you install terminal server licensing on a server that does not host the terminal server role, so it will take at least two Windows 2003 servers to properly implement a terminal server environment. The terminal server licensing component is not available from the Configure Your Server Wizard and must be added using Add or Remove Programs from Control Panel in the Windows Start menu. To install it, follow these steps:

1.
In the Add or Remove Programs utility, click the Add/Remove Windows Components button on the left side of the screen. A Windows Setup pop-up dialog box will briefly appear, followed by the Windows Components Wizard.
2. In the Components: list, scroll down to select the check box next to Terminal Server Licensing and click the Next button.
3. On the Terminal Server Licensing Setup page of the wizard, select the way you will use this license server on your network.
4. You can also specify where you would like to place the license database. The default location, C:\WINDOWS\System32\LServer, is displayed in the Install license server database at this location: text box. When you have made your selections, click the Next button.
5. The wizard will switch to the Configuring Components screen and will begin the installation. Unlike the terminal server role installation, the license component requires the Windows 2003 installation CD. If it is not in the CD-ROM drive, you will be prompted for it.
6. The final screen in the wizard is entitled Completing the Windows Component Wizard. Review the information it contains and click the Finish button.
7. When the wizard disappears, if you do not wish to add additional components, close the Add or Remove Programs utility.

It is important to note that you can also install the Terminal Server role and most other Windows components from the Add or Remove Programs utility in Control Panel.

After you have installed the licensing component, you must complete the licensing process by adding client licenses. Refer to Microsoft's Web site for additional details on how to complete this process. While it is also covered in Windows 2003's help materials, this can be a complex process and it is best to ensure that you have the latest information and fixes from Microsoft.
Using Terminal Services Client Tools

There are three primary tools you can use to connect from a client system to Terminal Services:

■ The Remote Desktop Connection (RDC) utility
■ The Remote Desktops MMC snap-in
■ The Remote Desktop Web Connection utility

Each is designed to fill a very specific role, and it is important for you to be familiar with the capabilities and uses of each. In the following sections, we examine how to install and use these utilities.

Installing and Using the Remote Desktop Connection (RDC) Utility

The Remote Desktop Connection (RDC) utility (formerly the Terminal Services Client Connection Manager) is the standard client for connecting to Terminal Services, whether via Remote Desktop for Administration (RDA) on a server or the Terminal Server role on a terminal server. It can be used for remote administration or full terminal server client use. It enables a user to connect to a single server running Terminal Services using the RDP protocol over TCP/IP. The utility is installed with the operating system in Windows XP and Server 2003, where it is accessed via the Start | Programs | Accessories | Communications menu. The RDC utility can also be installed and used on a number of older Windows operating systems, including Windows 2000, NT, ME, 98, and 95.

The older Terminal Services Client Connection Manager can still be used to connect to a terminal server from a Windows 3.11 computer with the 32-bit TCP/IP stack installed. There is also a 16-bit version of the Windows 2000 TS client for Windows for Workgroups 3.11, and a Macintosh client. If you need to connect MS-DOS, Linux, or other client operating systems, you will need third-party RDP or ICA client software. The Remote Desktop Connection utility is backward compatible and capable of communicating with Terminal Services in Windows XP, Windows 2000, and Windows NT 4.0, Terminal Server Edition.
Installing the Remote Desktop Connection Utility

If you want to use the Remote Desktop Connection utility on systems older than Windows XP, you'll need to install it first, which means you'll need the installation files. You can get them from the Microsoft Web site, or if you have installed Windows Server 2003, you can share the client setup folder located at %SystemRoot%\system32\clients\tsclient. After you share this folder, computers on the network can connect to the share and run the Setup.exe utility in the Win32 folder. If you want to deploy the client using Group Policy, Microsoft also includes an MSI installation file, Msrdpcli.msi, in this directory. Perform the following steps to install the RDC client:

1. When you double-click the Setup.exe file, the installation wizard will launch. Read the initial welcome screen, and then click the Next button.
2. Review the license agreement, and then click the radio button next to I accept the terms of the license agreement, followed by the Next button.
3. On the Customer Information screen, enter your name for licensing purposes in the User Name: text box, and your company for licensing purposes in the Organization: text box.
4. In the Install this application for: section, select the radio button next to Anyone who uses this computer (all users) if you want the utility to be available on the Windows Start menu for every user that logs on to the system. Select the radio button next to Only for me (-) if you want the utility to appear only in your Windows Start menu. When you've finished making your selection, click the Next button.
5. On the next screen, click the Install button to proceed with the installation or the Back button to review your choices. The application will remove any previously installed similar applications, and then complete its own installation.
6. Click the Finish button to close the wizard.
Launching and Using the Remote Desktop Connection Utility

After the application is installed, open the Windows Start menu and click Remote Desktop Connection in the Programs | Accessories | Communications menu. This will open the utility, with most of its configuration options hidden. To proceed with the connection at this point, simply type the name or IP address of the terminal server, Windows Server 2003 computer, or Windows XP Professional computer to which you want to connect in the Computer: drop-down box, or select it from the drop-down list if you have previously established a session to it. By default, the name or IP address of the last computer to which you connected will be displayed. Finally, click the Connect button.

A Remote Desktop window will open. If the user name and password with which you are logged on to your current system are valid for connection to Terminal Services on the server, you will be automatically logged on and a session will appear. If not, you will be prompted to enter a valid user name and password. When you are connected, the remote desktop will appear in a window on your system by default. You can move your cursor over it, click, and use any item in the remote desktop just as you would if you were using your local system. You can also copy and paste between the remote and local computers, using the standard methods of doing this.

Connecting is a simple process; however, terminating your session requires a bit more explanation. There are two methods that you can use to end your session:

■ Logging off
■ Disconnecting

To log off, simply click the Windows Start menu on the remote desktop, and then click the Log Off button. When you do this, it will completely log you out of the remote system in much the same way as if you logged out on your local system.
Registry entries are properly written, programs are cleanly closed, and so on. The session is completely removed from the Terminal Services computer, freeing up any system resources that were being used by your session. Make sure that you select Log Off, rather than Shut Down. If you select Shut Down, and you are logged on to the remote session with rights that enable your account to shut down the server, it will power down or reboot the server. This will affect everyone who is currently using the server.

The second method of terminating your session is to use the process known as disconnection. When you disconnect from Terminal Services, your session remains on the server and is not removed. It continues to consume resources, although the video stream coming to your local computer and the input stream going from your local computer to the Terminal Services system are terminated. When you launch the RDC utility again and connect to the same computer running Terminal Services, your session will still be there, exactly as you left it, and you can take up where you left off. This can be helpful in cases where you are running an application that requires lengthy processing. You do not have to remain connected for the application to run, and you can check back in later and obtain the result.

In general, it is best to properly log off and free up the resources being used by a session you no longer need. As we'll see a bit later, an administrator can cause a disconnected session to be reset if you don't return to it for a specified period of time. If you've left unsaved documents or other files open in your session, resetting will cause you to lose all that work. Thus, it is usually safest to save your work before you disconnect. You can disconnect from your session by clicking the close button (the X) in the top right corner of the Remote Desktop window.
You can also log off or disconnect using the Windows Security dialog box. This can be accessed by opening the Windows Start menu and selecting Windows Security, or by using the CTRL + ALT + END key combination from within the session (this has the same effect as CTRL + ALT + DEL on the local machine). Once in the dialog, you can log off by clicking the Log Off… button, or by selecting Log Off from the drop-down box that appears if you click the Shut Down… button. This same drop-down box also contains the option to Disconnect.

Configuring the Remote Desktop Connection Utility

In the previous section, we simply launched the Remote Desktop Connection utility and established a connection. When you initially launch the utility, most of its configuration information is hidden. To display it before you use it to establish a connection, click the Options button. This will reveal a series of tabs and many additional settings that can be configured. Let's take a look at each in the following sections.

The General Tab

The General tab contains the Computer: drop-down box, which contains names and IP addresses of computers to which you have previously connected, along with an option to browse the network for computers not listed. It also contains User name:, Password:, and Domain: text boxes. Remember, by default the credentials with which you are logged on locally are used to establish your remote session. If you always want to ensure that a specific set of credentials is used to log on to Terminal Services, you can type the account information into these text boxes. You might be using an earlier Windows operating system that does not require you to log on; these boxes can be used in this instance if you want to avoid being prompted for a user name and password when you connect with the utility.
This tab also enables you to save your connection settings. You might have several different systems to which you connect using Terminal Services. If so, it is helpful not to have to configure the utility each time you open it. When you click the Save As… button, a Save As dialog box opens, asking you where you'd like to save the file that contains your configuration information. You can save the file with an RDP extension and double-click it later to establish a terminal session. You can also use the Open… button on this tab to specify that the settings from a previously saved RDP file be loaded into the utility. Note that a saved RDP file is a plain text file listing the settings on these tabs; if you choose to save the password along with them, it is written into the file in protected form, so treat saved connection files as you would any other stored credential.

The Display Tab

The Display tab controls how the remote desktop appears on your client computer. The top portion of the screen contains a slider that controls the size of the remote desktop that will be displayed on your screen. The slider has four possible positions: 640x480, 800x600, 1024x768, and Full Screen. The default is 800x600.

The next portion of this tab controls the color depth (in bits) of the remote desktop when it is displayed on your local computer. The drop-down list box contains the following options: 256 colors, High Color (15 bit), High Color (16 bit), and True Color (24 bit). Higher color depths require more resources. Note that the settings on the server itself may override your selection.

Finally, the bottom of the tab contains a check box entitled Display the connection bar when in full screen mode. When selected, this setting places a small bar, shown in Figure 27.3, at the top of a full screen remote desktop, which makes it easier to size, minimize or maximize (to full screen), or close the Remote Desktop window.

Figure 27.3 The Full Screen Connection Bar

The Local Resources Tab

The Local Resources tab enables you to control whether or not client resources are accessible in your remote session.
Remember that when you are working in a session, you are actually working on the remote computer. This means that when you open Windows Explorer, the disk drives you see are the ones that are physically located on the Terminal Services computer, not the ones installed on your local computer. Selections on the Local Resources tab can be used to make your local drives, client-attached printers, and similar client-side resources available for use within your remote desktop session.

The first setting on the tab deals with whether audio will be used in the session. The default setting, Bring to this Computer, transfers any sounds played in the session from the Terminal Services computer to the client. Audio transfer can be bandwidth intensive in a thin client environment, so Microsoft also gives you the opportunity not to transfer this audio. The Leave at Remote Computer setting plays the audio in the session on the Terminal Services computer but does not transfer it to the client. The Do not play setting prevents audio in the session altogether.

The next setting on the Local Resources tab relates to whether keyboard shortcut combinations are applied to the local operating system or to the Remote Desktop window. There are three possible settings:

■ In full screen mode only. In this mode (which is the default), when you use a shortcut combination, the system applies it to the local operating system, unless there is a full screen Remote Desktop window open.
■ On the local computer. This setting applies all shortcut combinations to the local operating system.
■ On the remote computer. This setting applies all shortcut combinations to the Remote Desktop window.

It is important to note that you cannot redirect the CTRL + ALT + DEL keyboard combination. This combination works only on the local operating system. An equivalent that can be used in the Remote Desktop window (mentioned earlier in the chapter) is CTRL + ALT + END.
The final section of the tab contains a series of check boxes that determine which devices from the client system are automatically made available to the user within the remote desktop session. By default, the following are selected: Disk drives, Printers, and Smart cards (if installed). An additional one, Serial ports, is not selected by default. When Disk drives, Serial ports, or Smart cards are selected, you may see a Remote Desktop Connection Security Warning box pop up when you begin the connection process. This happens because opening up devices that accept input, or that relate to the underlying security of your local machine, can be risky: a redirected drive can be read and written by whatever runs in the remote session, and a redirected smart card can be used to authenticate on your behalf from that session. You should consider carefully whether these settings are actually needed, and configure the utility appropriately.

The Programs Tab

By default, when you connect to a Terminal Services session, you will receive a Windows 2003 desktop. The selections on this tab enable you to receive only a specified application instead. If Terminal Services is being used to provide only a single application for each user, this setting can increase security by ensuring that users do not receive a full desktop upon connection. This will prevent them from performing tasks on the server other than running the specified application. Bear in mind that this is a client-side setting; a user who clears the check box or edits the saved RDP file gets the full desktop back, so an initial program that must be enforced should be set on the server side (in Terminal Services Configuration or on the user account), where the client cannot override it.

If the check box next to Start the following program on connection is selected, only that application will be available in the session. Selecting the box enables the Program path and file name: text box. If the path to the application is already contained in one of the Windows path variables on the Terminal Services computer, you can just type the name of the application's executable file in this box. If not, you must include the full path and file name of the executable. The check box also enables the Start in the following folder: text box.
If the application requires the specification of a working directory, enter it here. This is often the same directory in which the application itself is installed.

After the connection is made with a specified program starting, the traditional methods of ending your session (discussed earlier) will not always be possible. Most programs have an Exit command on a menu, embedded in a button, or contained in a link. When you have specified an initial program, the Exit command is the equivalent of logging off. To disconnect, simply close the Remote Desktop Connection window.

The Experience Tab

The Experience tab enables you to customize several performance features that control the overall feel of your session. All of these settings except Bitmap Caching can generate substantial amounts of additional bandwidth and should be used sparingly in low bandwidth environments. The check boxes on this page include the following:

■ Desktop background Enables the background image of the desktop (wallpaper) in the remote session to be transferred to and displayed on the client.
■ Show contents of window while dragging Rapidly refreshes a window so that its contents are visible as the user moves it around the screen in his or her Remote Desktop window.
■ Menu and window animation Enables effects such as the Windows Start menu fading in and out to be displayed in the Remote Desktop window on the client computer.
■ Themes Enables any themes used in the remote session to be transferred to and displayed in the Remote Desktop window on the client.
■ Bitmap Caching Enables bitmaps to be stored locally on the client system and called up from cache, rather than being transmitted multiple times across the network. Examples of bitmaps include desktop icons and icons on application toolbars. This setting improves performance, but not all thin client systems have a hard drive or other storage mechanism in which to store the bitmaps.
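The settings on the General, Display, Local Resources, Programs and Experience tabs described above are exactly what the General tab's Save As… button writes into an RDP file, one `name:type:value` line per setting. The following Python script is an added example, not code from this chapter or from Microsoft: `build_rdp` writes a connection file with the least-privilege, low-bandwidth choices discussed above (no drive, serial-port or smart-card redirection, audio left at the remote computer, a single initial program, experience features off except bitmap caching), and `audit_rdp` checks an existing file for the redirections that trigger the Security Warning, for a saved password, and optionally for a missing initial program. The key names (full address, redirectdrives, audiomode, keyboardhook, alternate shell, disable wallpaper and so on) are those the Remote Desktop Connection client writes; the defaults applied when a key is absent follow the chapter's description of the check boxes. The PERMISSIVE sample file, the host name and the policy choices in `audit_rdp` are constructed for the example.

```python
"""Write and audit Remote Desktop Connection (.rdp) files.
Added example, not from the chapter; key names are those the RDC client writes."""


def parse_rdp(text):
    """Each line is  name:type:value  (type s = string, i = integer, b = binary).
    Values may themselves contain colons (e.g. host:port), so split only twice."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.count(":") < 2:
            continue
        name, kind, value = line.split(":", 2)
        settings[name] = int(value) if kind == "i" else value
    return settings


def build_rdp(host, username="", domain="", initial_program="", working_dir=""):
    """Least-privilege, low-bandwidth equivalent of the tab settings in the text."""
    settings = [
        ("full address", "s", host),                     # General tab
        ("username", "s", username),
        ("domain", "s", domain),
        ("screen mode id", "i", 2),                      # Display: full screen
        ("desktopwidth", "i", 1024),
        ("desktopheight", "i", 768),
        ("session bpp", "i", 16),                        # Display: High Color (16 bit)
        ("displayconnectionbar", "i", 1),
        ("audiomode", "i", 1),                           # Local Resources: leave at remote computer
        ("keyboardhook", "i", 2),                        # Local Resources: shortcuts remote in full screen only
        ("redirectdrives", "i", 0),                      # Local Resources: no local drives in the session
        ("redirectprinters", "i", 1),
        ("redirectcomports", "i", 0),
        ("redirectsmartcards", "i", 0),
        ("alternate shell", "s", initial_program),       # Programs: start this program only
        ("shell working directory", "s", working_dir),
        ("disable wallpaper", "i", 1),                   # Experience: all off except bitmap caching
        ("disable full window drag", "i", 1),
        ("disable menu anims", "i", 1),
        ("disable themes", "i", 1),
        ("bitmapcachepersistenable", "i", 1),
    ]
    return "".join("%s:%s:%s\r\n" % s for s in settings)


# Redirections that make the RDC client show its Security Warning.  The number
# is the client default the chapter describes when the key is absent from the file
# (drives and smart cards on, serial ports off).
RISKY_REDIRECTIONS = {
    "redirectdrives": (1, "local disk drives are readable and writable from the remote session"),
    "redirectsmartcards": (1, "the local smart card can authenticate on the user's behalf from the session"),
    "redirectcomports": (0, "local serial ports are exposed to the remote session"),
}


def audit_rdp(text, require_initial_program=False):
    """Return findings for the settings a security reviewer would object to."""
    s = parse_rdp(text)
    findings = []
    for key, (default, why) in RISKY_REDIRECTIONS.items():
        if s.get(key, default) == 1:
            state = "=1" if key in s else " not set (client default is on)"
            findings.append("%s%s: %s" % (key, state, why))
    # RDC stores a saved password under a key beginning with "password" (e.g. "password 51:b:...");
    # the blob is protected, but whoever holds the file on the same account can still use it.
    if any(k.startswith("password") for k in s):
        findings.append("saved password: anyone who obtains this file can log on as the stored user")
    if require_initial_program and not s.get("alternate shell"):
        findings.append("no 'alternate shell': the user receives a full desktop")
    return findings


# Constructed sample of a permissive file a user might save (not a real file).
PERMISSIVE = """screen mode id:i:1
desktopwidth:i:800
desktopheight:i:600
session bpp:i:24
full address:s:ts01.corp.example
username:s:helpdesk
domain:s:CORP
password 51:b:01000000d08c9ddf
audiomode:i:0
redirectdrives:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
"""

if __name__ == "__main__":
    hardened = build_rdp("ts01.corp.example", "alice", "CORP", r"C:\App\app.exe", r"C:\App")
    print(hardened)
    print("hardened:", audit_rdp(hardened, require_initial_program=True) or ["ok"])
    print("permissive:", audit_rdp(PERMISSIVE, require_initial_program=True))
```

The audit treats an absent redirection key the way the client does, as the default from the check boxes, which is why a file that says nothing about drives is reported rather than passed; a file that is meant to be deployed to users should state every redirection explicitly.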
At the top of this tabbed page, there is a dropdown box that contains several predefined combinations of these settings that Microsoft has optimized for different levels of available bandwidth. Table 27.1 shows which bandwidth level corresponds to which settings: