CHAPTER 27 Connecting Remote Users and Networks
Using Remote Desktop

When enabling Remote Desktop on a computer, you must also authorize which users will be allowed to remotely connect to that computer using RDC. By default, only administrators are authorized to remotely connect to the host computer. Authorize additional users by following these steps:

1. Click the Select Users button to open the Remote Desktop Users dialog box.
2. Click Add and then either specify or find user accounts in AD DS (or on the local computer on stand-alone host computers) and add them to the list of Remote Desktop Users authorized to access the host computer using Remote Desktop. This adds the selected users to the Remote Desktop Users local group on the host computer.

Enabling Remote Desktop Using Group Policy

You can also use Group Policy to enable Remote Desktop on host computers. To enable Remote Desktop on all computers in a specified organizational unit (OU), open the Group Policy object (GPO) linked to the OU using Group Policy Object Editor, enable the following policy setting and add users to the Remote Desktop Users group:

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow Users To Connect Remotely Using Remote Desktop Services

Enabling Remote Desktop on computers using Group Policy also enables the Allow Connections From Computers Running Any Version Of Remote Desktop (Less Secure) option on the computers targeted by the GPO.

To enable Remote Desktop using the Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication (More Secure) option instead, you must enable the following policy setting in addition to the preceding one:

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require User Authentication For Remote Connections By Using Network Level Authentication

Note: By default, when the first policy setting is enabled but the second setting is not configured, local administrators on the targeted computers have the ability to change the Remote Desktop security level on their computers to Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication (More Secure) if desired. When the second policy setting is enabled, the option Allow Connections From Computers Running Any Version Of Remote Desktop (Less Secure) on the Remote tab is unavailable and appears dimmed.

Configuring and Deploying Remote Desktop Connection

After you have enabled Remote Desktop on the host computer, you must configure the RDC client software on the client computer. You can configure RDC in several ways:

- Click Start, click All Programs, click Accessories, and then click Remote Desktop Connection. This opens the Remote Desktop Connection UI, shown in Figure 27-10.
- Type mstsc at a command prompt or in the Search box to open the Remote Desktop Connection UI, or type mstsc followed by various parameters to customize how the RDC client software will run. For help with Mstsc.exe parameters, type mstsc /? at a command prompt.
- Use Notepad to manually edit an *.rdp file previously saved from the Remote Desktop Connection UI.
  For more information, read the section titled “Configuring Remote Desktop Connection Using Notepad” later in this chapter.
- Configure those Remote Desktop Services Group Policy settings that apply to Remote Desktop.

FIGURE 27-10 The Remote Desktop Connection client UI shows configuration options both hidden and displayed.

Table 27-9 summarizes the configuration options available on the different tabs of the Remote Desktop Connection client UI.

TABLE 27-9 Configuration Options for Remote Desktop Connection Client

| TAB | SETTING | NOTES |
|---|---|---|
| General | Logon Settings: Computer | Specifies the FQDN or IP address (can be IPv4 or IPv6) of the host computer. |
| General | Logon Settings: User Name | Specifies the user account to be used to establish the Remote Desktop session. This is displayed only when credentials from previous Remote Desktop sessions have been saved. |
| General | Logon Settings: Always Ask For Credentials | Select this check box to require the user to always supply credentials. This is displayed only when credentials from previous Remote Desktop sessions have been saved. |
| General | Connection Settings | Saves the current configuration of RDC client as an *.rdp file or opens a previously saved *.rdp file. |
| Display | Display Configuration | Changes the size of your remote desktop. |
| Display | Use All My Monitors For The Remote Session | Configures the Remote Desktop session monitor layout to match the current client-side configuration. |
| Display | Colors | Specifies color depth for your remote desktop. |
| Display | Display The Connection Bar When In Full-Screen Mode | Makes it easier to use Remote Desktop in full-screen mode without needing to remember keyboard shortcuts. |
| Local Resources | Remote Audio | Controls where remote audio is played back and whether it should be recorded. |
| Local Resources | Keyboard | Specifies how Windows key combinations, such as Alt+Tab, behave when used from within a Remote Desktop session. |
| Local Resources | Local Devices And Resources: Printers | Prints to network computers connected to the host computer from within the Remote Desktop session without having to install additional drivers. |
| Local Resources | Local Devices And Resources: Clipboard | Shares a clipboard between the client and host computers. |
| Local Resources | Local Devices And Resources: More | Redirects additional devices local to the host computer to the remote client including serial ports, smart cards, disk drives, and supported PnP devices such as media players and digital cameras. |
| Programs | Start A Program | Specifies a program that should automatically start when your Remote Desktop session is established. |
| Experience | Performance: Choose Your Connection Speed To Optimize Performance | Specifies the connection speed closest to actual available network bandwidth to obtain the optimal mix of functionality and performance for your Remote Desktop session. |
| Experience | Desktop Background; Font Smoothing; Desktop Composition; Show Window Contents While Dragging; Menu And Window Animation; Visual Styles; Persistent Bitmap Caching | Enables or disables each desktop user interface feature that is indicated. |
| Experience | Reconnect If Connection Is Dropped | Specifies that the RDC client should attempt to re-establish a connection with the remote host if the connection between them is unexpectedly terminated. |
| Advanced | Server Authentication: Authentication Options | Specifies whether unauthenticated Remote Desktop sessions should be allowed; if they are allowed, specify whether a warning message should be displayed. For more information, see the sidebar titled “Remote Desktop Connection Server Authentication” later in this chapter. |
| Advanced | Connect From Anywhere: Settings | Configures Remote Desktop Gateway (RD Gateway) settings to allow RDC clients to connect to remote computers behind corporate firewalls. |
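
The options in Table 27-9 are stored in a saved *.rdp file as name:type:value lines (the format shown under “Configuring Remote Desktop Connection Using Notepad” later in this chapter), so a preconfigured file can be checked before it is handed to users. The following Python code is an added example, not from the book: the sample file is constructed, the severity labels are this example's own choice, and the setting names authentication level, redirectclipboard, redirectprinters, redirectcomports, redirectsmartcards, drivestoredirect and password 51 are .rdp settings that this chapter does not list.

```python
"""Audit *.rdp files before deployment (added example, not from the book)."""

# Constructed sample of a preconfigured connection file (placeholder values).
SAMPLE_RDP = """\
full address:s:[2001:db8::10]
desktopwidth:i:1680
desktopheight:i:1050
span:i:1
authentication level:i:0
redirectclipboard:i:1
redirectsmartcards:i:0
drivestoredirect:s:*
password 51:b:0000
"""

# 'authentication level' values -> Server Authentication option on the Advanced tab.
AUTH_LEVELS = {
    0: "Connect And Don't Warn Me (Least Secure)",
    1: "Do Not Connect (Most Secure)",
    2: "Warn Me (More Secure)",
}
# Redirection switches (Local Resources tab) worth reviewing when set to 1.
REDIRECTS = {
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectcomports": "serial ports",
    "redirectsmartcards": "smart cards",
}


def decode_rdp(data):
    """Files saved by the RDC UI are typically UTF-16 with a BOM; others may be UTF-8."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_rdp(text):
    """Parse name:type:value lines; type is i (integer), s (string) or b (binary)."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.strip().split(":", 2)  # the value itself may contain ':' (IPv6)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            raise ValueError(f"line {lineno}: expected name:type:value, got {raw!r}")
        name, kind, value = parts[0].lower(), parts[1], parts[2]
        settings[name] = int(value) if kind == "i" else value
    return settings


def audit_rdp(settings):
    """Return (severity, setting, message) findings, highest severity first."""
    findings = []
    level = settings.get("authentication level")
    if level == 0:
        findings.append(("high", "authentication level",
                         "server identity is not verified: " + AUTH_LEVELS[0]))
    elif level == 2:
        findings.append(("medium", "authentication level",
                         "user may continue past the warning: " + AUTH_LEVELS[2]))
    if "password 51" in settings:
        findings.append(("high", "password 51", "saved password blob embedded in file"))
    drives = settings.get("drivestoredirect", "")
    if drives:
        scope = "all drives" if drives.strip() == "*" else drives
        findings.append(("medium", "drivestoredirect", f"local drives redirected: {scope}"))
    for name, label in REDIRECTS.items():
        if settings.get(name) == 1:
            findings.append(("low", name, f"{label} redirected into the session"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, name, message in audit_rdp(parse_rdp(SAMPLE_RDP)):
        print(f"{severity:6} {name}: {message}")
```
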
Note: In enterprise environments, administrators can also preconfigure RDC client configurations and save them as Remote Desktop files (*.rdp files). These *.rdp files can then be deployed to users as e-mail attachments or copied from a network share using a logon script.

Remote Desktop Connection Server Authentication

RDC includes a Server Authentication setting that ensures that you are connecting to the remote computer or server that you intend to connect to. To configure Server Authentication for an RDC, open the Properties dialog box of your connection, click the Advanced tab, and click Settings. Then select one of the following three options:

- Connect And Don’t Warn Me (Least Secure): Lets you connect even if RDC can’t verify the identity of the remote computer.
- Warn Me (More Secure): Lets you choose whether to continue with the connection when RDC can’t verify the identity of the remote computer.
- Do Not Connect (Most Secure): Prevents you from connecting to the remote computer when RDC can’t verify the remote computer’s identity.

The default setting for Server Authentication is Warn Me.

Configuring Remote Desktop Connection from the Command Line

To use the RDC client from the command line or custom shortcut, type mstsc followed by the appropriate command-line switches. For example, to initiate a Remote Desktop session using a custom display resolution of 1680 × 1050, type mstsc /w:1680 /h:1050 at a command prompt.

You can use the /span switch to initiate a Remote Desktop session that spans across multiple monitors. Note that when both the /span and /h: /w: switches are present, the /span switch takes precedence. In addition, when the /span option is selected, the slider for adjusting remote desktop size is unavailable on the Display tab so that users cannot change their initial settings, which can cause confusion.
New in Windows 7 is the /multimon switch, which configures the Remote Desktop session monitor layout to match the current client-side configuration.

Using the /public switch runs Remote Desktop in public mode. When an RDC client is running in public mode, it does not persist any private user data (such as user name, password, domain, and so on) either to disk or to the registry on the computer on which the client is running, nor does the client make use of any saved private data that may exist on the computer (a trusted sites list, the persistent bitmap cache, and so on). This means that the client essentially functions as if there were no registry or secondary storage present for storing private data. A client running in public mode still honors Group Policy settings, however.

Finally, the /console switch used in previous versions of Mstsc.exe was removed in Windows Vista SP1 and has been replaced with the /admin switch. For more information about this, see the following sidebar, titled “Direct from the Source: Replacement of /console by /admin.”

Note: For more help with Mstsc.exe parameters, type mstsc /? at a command prompt.

Direct from the Source: Replacement of /console by /admin
Mahesh Lotlikar, SDE II, Remote Desktop Services Team

In Windows Server 2003, the /console option for Mstsc.exe was used for several purposes. With the introduction of the /admin option in Windows Vista SP1 and Windows Server 2008, the /console option has now been deprecated. The following examples illustrate the /console switch’s significance in previous versions of Windows and why the scenario does not apply for Windows 7, Windows Vista SP1 or later versions, Windows Server 2008, and Windows Server 2008 R2.

First, in earlier versions of Windows such as Windows XP and Windows Server 2003, the /console option was used to connect to the session on the physical console (session 0), because some applications could not install and run in any session other than session 0. In Windows Vista and Windows Server 2008, the Windows features are re-architected, so that only services run in session 0 and applications do not need to run in session 0. Therefore, the administrator does not need the /console option for this purpose.

Second, in earlier versions of Windows, the /console option was also used for the purpose of reconnecting to and resuming work in the user session on the physical console. In Windows Vista and Windows Server 2008, this option is not required to reconnect to the existing session on the physical console. (The blog post referenced at the end of this sidebar includes details on console behavior differences.)

Third, in Windows Server 2003, the /console option was used for administering the Remote Desktop Session Host remotely without consuming a client access license (CAL). In Windows Server 2008, /admin option serves this purpose.

Thus, you do not need the /console option while connecting to Windows Vista or Windows Server 2008, and you can now use the /admin switch to connect to the physical console of Windows Vista or Windows Server 2003. For more information, see the following post on the Remote Desktop Services Team Blog: http://blogs.msdn.com/ts/archive/2007/12/17/changes-to-remote-administration-in-windows-server-2008.aspx.

Configuring Remote Desktop Connection Using Notepad

You can also configure a saved RDC client by opening its *.rdp file in Notepad and editing it. For example, to configure a saved RDC client to use a custom display resolution of 1680 × 1050, change the lines specifying screen resolution to read as follows.
    desktopwidth:i:1680
    desktopheight:i:1050

As a second example, to configure a saved RDC client to span a Remote Desktop session across multiple monitors, add or change the following line:

    span:i:0

to

    span:i:1

Configuring Remote Desktop Using Group Policy

You can also use Group Policy to manage some aspects of how Remote Desktop works. You can find the policy settings for managing Remote Desktop in two locations:

- Per-computer policy settings can be found under Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services
- Per-user policy settings can be found under User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services

Table 27-10 lists Group Policy settings that affect Remote Desktop. Policies that were introduced earlier in Windows Vista are marked with an asterisk (*), and policies that are new in Windows 7 are marked with two asterisks (**). (Additional policy settings found in these locations apply only to Remote Desktop Session Hosts or only when an RDC client is used to connect to a Remote Desktop Session Host.) If a computer and user policy setting are identical, the computer setting takes precedence if configured.

To use the Group Policy settings in this table, configure them in a GPO linked to an OU where the host computers (the computers that have Remote Desktop enabled) are located. For additional Group Policy settings that affect Remote Desktop, see the section titled “Enabling Remote Desktop Using Group Policy” earlier in this chapter.

Note: The folder layout of the Group Policy settings for Remote Desktop Services—under Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services and User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services—has been reorganized in Windows 7 for ease of discoverability, but the registry keys are still the same.
All policy settings common to both Windows Vista and Windows XP, even if located under different folders, will still be applied to all computers in the targeted OU.

TABLE 27-10 Group Policy Settings That Affect Remote Desktop

| FOLDER | POLICY SETTING | NOTES |
|---|---|---|
| Remote Desktop Connection Client | Do Not Allow Passwords To Be Saved | Prevents users from saving their credentials in the RDC client. Windows Vista saves the password using Credential Manager instead of saving it within the *.rdp file as in earlier versions of Windows. |
| Remote Desktop Session Host\Connections | Automatic Reconnection | Enables RDC clients to attempt to automatically reconnect when underlying network connectivity is lost. |
| Remote Desktop Session Host\Connections | Allow Users To Connect Remotely Using Remote Desktop Services | Enables Remote Desktop on the targeted computer. |
| Remote Desktop Session Host\Connections | Deny Logoff Of An Administrator Logged In To The Console Session | Prevents an administrator on the client computer from bumping an administrator off of the host computer. |
| Remote Desktop Session Host\Device and Resource Redirection | Allow Audio And Video Playback Redirection | Enables redirection of the remote computer’s audio and video output in a Remote Desktop session. (This policy was named Allow Audio Redirection in Windows Vista and earlier versions.) |
| Remote Desktop Session Host\Device and Resource Redirection | Allow Audio Recording Redirection | Enables recording of audio to the remote computer during a Remote Desktop session. |
| Remote Desktop Session Host\Device and Resource Redirection | **Limit Audio Playback Quality | Enables limiting of audio quality to improve the performance of a Remote Desktop session over a slow link. |
| Remote Desktop Session Host\Device and Resource Redirection | Do Not Allow Clipboard Redirection | Prevents sharing of a clipboard. |
| Remote Desktop Session Host\Device and Resource Redirection | Do Not Allow COM Port Redirection | Prevents redirection of serial port devices. |
| Remote Desktop Session Host\Device and Resource Redirection | Do Not Allow Drive Redirection | Prevents redirection of disk drive resources. |
| Remote Desktop Session Host\Device and Resource Redirection | Do Not Allow LPT Port Redirection | Prevents redirection of parallel port devices. |
| Remote Desktop Session Host\Device and Resource Redirection | *Do Not Allow Supported Plug And Play Device Redirection | Prevents redirection of supported PnP media players and digital cameras. |
| Remote Desktop Session Host\Device and Resource Redirection | Do Not Allow Smart Card Device Redirection | Prevents redirection of smart card readers. |
| Remote Desktop Session Host\Printer Redirection | Do Not Set Default Client Printer To Be Default Printer In A Session | Prevents users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. |
| Remote Desktop Session Host\Printer Redirection | Do Not Allow Client Printer Redirection | Prevents the client default printer from automatically being set as the default printer for the Remote Desktop session. |
| Remote Desktop Session Host\Remote Session Environment | Limit Maximum Color Depth | Enables specifying a maximum color depth to improve performance of a Remote Desktop session over a slow link. |
| Remote Desktop Session Host\Remote Session Environment | **Limit Maximum Display Resolution | Enables specifying a maximum display resolution to improve performance of a Remote Desktop session over a slow link. |
| Remote Desktop Session Host\Remote Session Environment | **Limit Maximum Number Of Monitors | Enables specifying a maximum number of monitors to improve performance of a Remote Desktop session over a slow link. |
| Remote Desktop Session Host\Remote Session Environment | **Optimize Visual Experience For Remote Desktop Services Sessions | Enables optimizing the Remote Desktop session for either multimedia or text. |
| Remote Desktop Session Host\Remote Session Environment | Enforce Removal Of Remote Desktop Wallpaper | Prevents wallpaper from being displayed in the Remote Desktop session. |
| Remote Desktop Session Host\Remote Session Environment | Remove “Disconnect” Option From Shut Down Dialog | Removes the Disconnect button from the Start menu but doesn’t prevent the remote user from disconnecting the session using other methods. |
| Remote Desktop Session Host\Security | Set Client Connection Encryption Level | Specifies the level of encryption used to protect RDP traffic between the client and host computers. The options available are High (128-bit), Low (56-bit), and Client Compatible (highest encryption level supported by the client). When this policy setting is Not Configured, the default encryption level used is Client Compatible. |
| Remote Desktop Session Host\Security | Always Prompt For Password Upon Connection | Requires remote users to always enter a password to establish a Remote Desktop session with the targeted computer. |
| Remote Desktop Session Host\Security | *Require Use Of Specific Security Layer For Remote (RDP) Connections | Specifies whether the client should attempt to authenticate the host computer during establishment of the Remote Desktop session. The options available are: RDP, which means that no computer-level authentication is required; SSL (TLS 1.0), which means that the client tries to use Kerberos or certificates to authenticate the host computer, and if this fails, the session is not established; Negotiate, which first attempts to authenticate the host using Kerberos or certificates, and if this fails, the session is still established. When this policy setting is Not Configured, the default authentication method used is Negotiate. |
| Remote Desktop Session Host\Security | *Require User Authentication For Remote Connections By Using Network Level Authentication | Requires client computers to be running Windows Vista or Windows XP SP2 with the downloadable RDC 6.0 client installed. (This policy was named Require User Authentication Using RDP 6.0 For Remote Connections in Windows Vista and earlier versions.) |
| Remote Desktop Session Host\Security | *Server Authentication Certificate Template | Lets you specify a certificate template to be used for authenticating the host computer. |
| Remote Desktop Session Host\Session Time Limits | Terminate Session When Time Limits Are Reached | Forcibly logs the remote user off of the Remote Desktop session when the session time limit has been reached. |
| Remote Desktop Session Host\Session Time Limits | Set Time Limit For Disconnected Sessions | Forcibly logs the remote user off of the Remote Desktop session when the session time limit for disconnected sessions has been reached. |
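
Several Security settings in Table 27-10 fall back to a weaker default when left Not Configured (Negotiate, Client Compatible, no Network Level Authentication requirement), so what a host actually enforces depends on which values the GPO wrote. The following Python code is an added example, not from the book, that resolves those defaults from `reg query` output and lists the gaps. The sample output is constructed, the strict baseline is this example's own choice, and the registry value names are not given in the chapter; they are the ones these policies write under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services.

```python
"""Review Remote Desktop host policy values against Table 27-10 (added example)."""
import re

# Assumption: the value names used below do not appear in the chapter.
# Constructed `reg query` output from a host where Remote Desktop was enabled
# by policy but most Security folder settings were left Not Configured.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    fDenyTSConnections    REG_DWORD    0x0
    MinEncryptionLevel    REG_DWORD    0x1
    fDisableCdm    REG_DWORD    0x1
"""

# Only the options listed in Table 27-10; other values are reported as unknown.
SECURITY_LAYER = {0: "RDP", 1: "Negotiate", 2: "SSL (TLS 1.0)"}
ENCRYPTION = {1: "Low (56-bit)", 2: "Client Compatible", 3: "High (128-bit)"}
DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_reg_query(output):
    """Return {value_name: int} for every REG_DWORD line in reg query output."""
    values = {}
    for line in output.splitlines():
        match = DWORD_LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values


def effective_settings(values):
    """Resolve each setting, using the chapter's defaults when Not Configured."""
    layer = values.get("SecurityLayer", 1)        # default: Negotiate
    level = values.get("MinEncryptionLevel", 2)   # default: Client Compatible
    return {
        "enabled_by_policy": values.get("fDenyTSConnections") == 0,
        "nla_required": values.get("UserAuthentication") == 1,
        "security_layer": SECURITY_LAYER.get(layer, f"unknown ({layer})"),
        "encryption": ENCRYPTION.get(level, f"unknown ({level})"),
        "always_prompt": values.get("fPromptForPassword") == 1,
        "clipboard_blocked": values.get("fDisableClip") == 1,
        "drives_blocked": values.get("fDisableCdm") == 1,
    }


def review(values):
    """Return deviations from a strict baseline (the baseline is an assumption)."""
    s = effective_settings(values)
    issues = []
    if s["enabled_by_policy"] and not s["nla_required"]:
        issues.append("NLA not required: connections from any RDC version are allowed")
    if s["security_layer"] != "SSL (TLS 1.0)":
        issues.append(f"security layer {s['security_layer']}: "
                      "host authentication is not enforced")
    if s["encryption"] != "High (128-bit)":
        issues.append(f"encryption level {s['encryption']}")
    if not s["always_prompt"]:
        issues.append("Always Prompt For Password Upon Connection is not enabled")
    if not s["clipboard_blocked"]:
        issues.append("clipboard redirection allowed")
    if not s["drives_blocked"]:
        issues.append("drive redirection allowed")
    return issues


if __name__ == "__main__":
    for issue in review(parse_reg_query(SAMPLE_REG_QUERY)):
        print("-", issue)
```
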