How to ensure security when using Windows XP remote control

Like other remote control technologies, Remote Assistance and Remote Desktop raise security questions that should be considered before they are used. Where the security requirements are highest, remote control technology is not recommended in practice at all, but it is understood that the technology is convenient for users. This chapter describes how to stay secure when using remote control technology.

Remote Assistance

Remote Assistance (RA) lets a user (the inviter) invite another person (the invitee) over the network to help solve a problem the inviter has run into. The invitee can see the inviter's screen and exchange messages with the inviter, and, if the inviter allows it, can also operate the inviter's computer over the network to solve the problem directly. The inviter decides whether the invitee may only view the screen or may also take control. Both parties must be running Windows XP. Remote assistance can be initiated by the inviter, which is called requested remote assistance, or by the invitee, which is called offered remote assistance.

The HelpAssistant account exists for remote assistance operations. It is created during installation of the system, assigned a random complex password and then disabled. When a Remote Assistance invitation is opened, an invitation ticket is created on the inviter's computer, port 3389 is opened to accept Terminal Services connections, and the HelpAssistant account is enabled automatically. Once the account is enabled, an invitee can use it together with the created ticket to access the inviter's computer. When all tickets have been closed or have expired, the HelpAssistant account is disabled again and port 3389 is closed at the same time.
Note: Remote Desktop also uses Terminal Services, so if Remote Desktop is enabled, port 3389 may remain open.

Requested remote assistance

A user can request remote assistance via e-mail or Windows Messenger, or save the request as a file. There is currently no way to restrict whom a novice may invite: anyone who can connect to the novice's computer can accept the invitation. When a request is answered, the novice sees the expert's user name, but the only way to be sure that the connecting user is the intended one is to use a password. The novice can choose to protect the request with a password when creating it. The password is not included in the request file; the invitee must enter the correct password to establish the connection, and the password should be passed to the invitee by some other channel. Note, however, that password complexity requirements, password policies and account lockout policies do not apply to this password or to this account.

Invitations sent via Windows Messenger are transmitted as plain-text XML. Invitation files sent by e-mail or saved to disk use the MsRcIncident format, which is also plain-text XML. Anyone who obtains the invitation can therefore read its contents, including the machine's IP address, the port number used and whether the inviter has set a password. For these reasons, remote assistance is not recommended on networks with strict security requirements.

Offered remote assistance

Offered remote assistance is generally considered the safer way to give an inviter remote assistance. It is only available between two computers in the same domain or in trusted domains, and Group Policy must be configured to permit specific users to offer assistance. With this feature the expert cannot connect to the user's computer without the user being notified, and cannot control the computer without the user's permission.
At the same time, the user can allow or deny the other party's connection. To use this type of remote assistance, the User Rights Assignment section of the security configuration template must be modified as follows:

User right: Allow log on through Terminal Services
Description: Determines which users or groups may log on as Terminal Services clients. Remote Desktop users need this right. If Remote Assistance is used as well, only the administrators who use it should hold this right. Note: for offered remote assistance, no users or groups need to be added to this setting.
Recommended setting: <Nobody>

User right: Deny log on through Terminal Services
Description: Determines which users or groups are prohibited from logging on as Terminal Services clients. This right is relevant for Remote Desktop users.
Recommended setting: <Nobody>

In addition, to allow users to use offered remote assistance, the following Group Policy settings are required:

1. Open the GPO in the MMC Group Policy snap-in, or open the container's Properties and use the Group Policy tab to reach the linked GPO. If you go through the Group Policy tab, highlight the target GPO and click Edit to open the Group Policy snap-in.
2. Locate the Computer Configuration\Administrative Templates\System\Remote Assistance node.
3. In the right-hand pane, double-click Solicited Remote Assistance (the policy for requested remote assistance). Click Enabled, select "Allow helpers to only view the computer" in the drop-down menu, set Maximum ticket time (value) to 0 and Maximum ticket time (units) to Minutes, apply the settings and close the dialog.
   Note: offered remote assistance requires the Solicited Remote Assistance policy to be enabled; setting the maximum ticket time to 0, however, prevents users from using requested remote assistance.
4. Double-click Offer Remote Assistance in the right-hand pane. If you plan to allow experts to offer remote assistance to this computer, click Enabled and select "Allow helpers to only view the computer" in the drop-down menu.
   Warning: I suggest you never allow users to give other people remote control of the computer. Although the user can watch the other party's actions and withdraw control at any time, it only takes a few seconds to destroy a system.
5. Click the Helpers: Show … button and add all users who are allowed to offer remote assistance to this computer, such as administrators and desktop support staff. It is recommended to limit this feature to the users who really need it.
Users can be listed in the format <domain name>\<user name> or <domain name>\<group name>.

Remote Desktop Connection

Remote Desktop (RD) is another Terminal Services-based feature of Windows XP Professional. It lets a user connect to the machine remotely and use its resources as if sitting at it. Remote Desktop is disabled by default in Windows XP Professional. Connections are made with the Remote Desktop Connection client, which is installed by default on XP; client software for Microsoft Windows 2000, NT, Windows 98 and Windows 95 also ships with Windows XP. There is also an ActiveX-based client, Remote Desktop Web Connection (RDWC), which can be installed on an IIS server. With RDWC, any computer with an ActiveX-capable browser can open the appropriate web page, download the ActiveX client and then open a Remote Desktop connection. When IIS is installed on XP Professional, RDWC is installed by default.

When Remote Desktop is enabled, port 3389 is opened to accept Terminal Services connections. All administrators (local and domain) and the users and groups listed in the Remote Desktop Users group can access the computer remotely. When a remote connection is made, the connected computer is locked automatically. If a user is already logged on at the target computer, the remote user is offered the option to log off the locally logged-on user and then log on remotely, but only if the remote user has authenticated successfully and has administrator privileges. Remote Desktop uses the standard Windows authentication mechanism, so password policies and account lockout policies apply to Remote Desktop as well, and every account used for Remote Desktop must have a password.
Note: It is recommended to lock the default Administrator account while Remote Desktop is in use and to prevent that account from logging on remotely; local logon is not subject to this restriction. To use the Remote Desktop feature, the User Rights Assignment section of the security template must be changed as follows:

User right: Allow log on through Terminal Services
Description: Determines which users or groups may log on through the Terminal Services client. Remote Desktop users need this right. If Remote Assistance is used at the same time, only the administrators who use it should hold this right.
Recommended setting: Administrators, Remote Desktop Users

User right: Deny log on through Terminal Services
Description: Determines which users or groups may not log on through the Terminal Services client. This right is relevant for Remote Desktop users.
Recommended setting: <Nobody>
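The two user-rights tables above (the one for offered remote assistance and the one for Remote Desktop) describe a setting in a security template. The following checker is an added example, not code from the original article: it parses the [Privilege Rights] section of a secedit-style template export and compares the two Terminal Services logon rights with the recommended values. The template text is constructed; the privilege names (SeRemoteInteractiveLogonRight for "Allow log on through Terminal Services", SeDenyRemoteInteractiveLogonRight for "Deny log on through Terminal Services") and the well-known SIDs for Administrators (S-1-5-32-544) and Remote Desktop Users (S-1-5-32-555) are the standard ones Windows writes into such templates.

```python
"""Check the User Rights Assignment of a secedit security template (.inf)
against the Remote Desktop recommendations in the article.

Added example, not part of the original article. SAMPLE_TEMPLATE is
constructed; the privilege names and SIDs are the standard ones:
  SeRemoteInteractiveLogonRight     = Allow log on through Terminal Services
  SeDenyRemoteInteractiveLogonRight = Deny log on through Terminal Services
  *S-1-5-32-544 = Administrators, *S-1-5-32-555 = Remote Desktop Users
"""
import re

ADMINISTRATORS = "*S-1-5-32-544"
REMOTE_DESKTOP_USERS = "*S-1-5-32-555"

# Constructed sample: a template export after the recommended changes.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight =
SeNetworkLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(template_text):
    """Return {privilege: [principals]} from the [Privilege Rights] section.

    Templates are INI-like; principals are comma-separated and well-known
    accounts appear as *SID. An empty value means the right is held by nobody.
    """
    rights = {}
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def check_terminal_services_rights(rights, remote_assistance_in_use=False):
    """Compare the two Terminal Services logon rights with the recommendation.

    Returns a list of findings; an empty list means the template complies.
    When Remote Assistance is also in use the article limits the allow right
    to administrators, so Remote Desktop Users is flagged in that case.
    """
    findings = []
    allow = set(rights.get("SeRemoteInteractiveLogonRight", []))
    deny = rights.get("SeDenyRemoteInteractiveLogonRight", [])

    expected = {ADMINISTRATORS} if remote_assistance_in_use else {ADMINISTRATORS, REMOTE_DESKTOP_USERS}
    extra = allow - expected
    missing = expected - allow
    if extra:
        findings.append("Allow log on through Terminal Services granted to unexpected principals: "
                        + ", ".join(sorted(extra)))
    if missing:
        findings.append("Allow log on through Terminal Services missing: " + ", ".join(sorted(missing)))
    # Recommended Deny setting is <Nobody>: any entry is a deviation to review,
    # because a deny entry silently overrides the allow right for that account.
    if deny:
        findings.append("Deny log on through Terminal Services is not empty: " + ", ".join(deny))
    return findings


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_TEMPLATE)
    for finding in check_terminal_services_rights(parsed) or ["template complies"]:
        print(finding)
```

Export a template with secedit or the Security Templates snap-in, pass its text to parse_privilege_rights, and call the checker with remote_assistance_in_use=True on machines that also use Remote Assistance; the finding list is what a deployment check would report.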

To allow your computer to accept Remote Desktop connections:

1. Right-click My Computer and select Properties to open the System Properties dialog box.
2. Open the Remote tab and select the "Allow users to connect remotely to this computer" check box.
3. Click the Select Remote Users … button to open the Remote Desktop Users dialog box and add the appropriate users or user groups.

Note: This adds the selected users and groups to the local Remote Desktop Users group; the group's membership can also be edited directly with the local Computer Management tool.

Group Policy - Administrative Templates - Terminal Services

In addition to the settings noted above, the following Terminal Services settings are also recommended; they can be applied to the computer as part of a GPO or through the local computer configuration. These settings are located under the GPO's Computer Configuration\Administrative Templates\Windows Components\Terminal Services node and can be reached through the MMC Group Policy snap-in. Terminal Services settings also exist under the User Configuration node, but those are overridden by the settings under Computer Configuration.
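Both the Remote Assistance Group Policy procedure and the Remote tab procedure above end up as registry values, which makes the configured state easy to audit from a registry export. The script below is an added example, not code from the original article: it parses a .reg export and reports where the Remote Assistance policy or the Remote Desktop switch differs from the recommendations (solicited assistance enabled but view-only with a 0-minute ticket, offered assistance view-only, Remote Desktop off unless intended). The .reg text is constructed. The value names (fAllowToGetHelp, fAllowFullControl, MaxTicketExpiry, MaxTicketExpiryUnits, fAllowUnsolicited, fAllowUnsolicitedFullControl under the Terminal Services policy key, and fDenyTSConnections under the Terminal Server key) are the ones these policies and the Remote tab write; the reading of MaxTicketExpiryUnits == 0 as "minutes", and the assumption that an absent full-control value should be treated as permitting control, are assumptions to confirm against an export from your own systems.

```python
"""Audit a .reg export of the Remote Assistance policy and the Remote Desktop
switch against the recommendations in the article.

Added example, not part of the original article. SAMPLE_REG is constructed.
Assumptions (verify against your own export): MaxTicketExpiryUnits 0 means
minutes; a missing fAllowFullControl / fAllowUnsolicitedFullControl is
treated as "control permitted", the conservative reading.
"""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

# Constructed export: solicited assistance allows control and Remote Desktop is on.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowToGetHelp"=dword:00000001
"fAllowFullControl"=dword:00000001
"MaxTicketExpiry"=dword:00000000
"MaxTicketExpiryUnits"=dword:00000000
"fAllowUnsolicited"=dword:00000001
"fAllowUnsolicitedFullControl"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"""


def parse_reg(text):
    """Return {key path: {value name: value}} for dword and string values."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.lower().startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
        elif value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1]
    return keys


def audit(keys, remote_desktop_intended=False):
    """Return a list of findings; empty means the export matches the advice."""
    findings = []
    pol = keys.get(POLICY_KEY, {})
    ts = keys.get(TS_KEY, {})

    # Offered assistance depends on the Solicited Remote Assistance policy being enabled.
    if pol.get("fAllowToGetHelp") != 1:
        findings.append("Solicited Remote Assistance is not enabled; offered assistance depends on it")
    if pol.get("fAllowFullControl", 1) != 0:
        findings.append("Solicited Remote Assistance permits remote control; recommended: view only")
    # Ticket time 0 minutes stops requested invitations from being usable.
    if pol.get("MaxTicketExpiry") != 0 or pol.get("MaxTicketExpiryUnits") != 0:
        findings.append("Maximum ticket time is not 0 minutes; requested invitations stay usable")
    if pol.get("fAllowUnsolicited") == 1 and pol.get("fAllowUnsolicitedFullControl", 1) != 0:
        findings.append("Offer Remote Assistance permits remote control; recommended: view only")
    # fDenyTSConnections 0 means the Remote tab check box is selected and 3389 is listening.
    if ts.get("fDenyTSConnections", 1) == 0 and not remote_desktop_intended:
        findings.append("Remote Desktop is enabled (fDenyTSConnections=0), so port 3389 stays open")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)) or ["export matches the recommendations"]:
        print(finding)
```

Run it against an export of the two keys taken with the Registry Editor; on machines where Remote Desktop is deliberately in use, pass remote_desktop_intended=True so only the Remote Assistance deviations are reported.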

Table 16 Terminal Services Policy Options

Network Configuration Recommendations

Both Remote Assistance and Remote Desktop rely on Terminal Services to let users access local computers remotely. In Windows XP, Terminal Services uses port 3389. It is strongly recommended to allow remote connections only from the local area network and to block port 3389 on the external firewall or router. Both inbound and outbound connections on this port must be blocked to prevent unauthorized access: if only inbound connections are blocked, Remote Assistance can still be used from outside the LAN via Windows Messenger, so traffic in both directions must be blocked. If Remote Assistance or Remote Desktop Connection must be used from outside the local area network, it is recommended to configure filtering on the firewall or router so that only specific IP addresses can reach systems inside the LAN, and to block all other addresses from port 3389. If a higher level of protection is needed, install a VPN server with a very strong authentication method so that a small number of users can dial in to the VPN server. It is also a good idea to allow only specific IP addresses to connect to the VPN server.
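The perimeter rules above (block 3389 in both directions, and if outside access is unavoidable admit only listed source addresses to LAN systems) can be checked against what the firewall actually let through. The following is an added example, not code from the original article: it reads firewall log lines, applies the article's rule set to each record and lists the connections that were allowed but should have been blocked. The log excerpt, the LAN range and the support address in the allowlist are constructed (the line layout is loosely modelled on a W3C-style firewall log with a RECEIVE/SEND direction field), so adapt the parser to your own log format.

```python
"""Check firewall log records against the port 3389 perimeter rules in the
article: block 3389 in both directions at the external firewall or router
and, where remote use from outside the LAN is unavoidable, admit only an
explicit list of source addresses to LAN systems on that port.

Added example, not part of the original article. SAMPLE_LOG, LAN and the
allowlist are constructed; the decision function encodes the article's rules.
"""
import ipaddress

TS_PORT = 3389
LAN = ipaddress.ip_network("192.168.10.0/24")  # constructed internal range

# Constructed log excerpt. path RECEIVE = inbound to the LAN, SEND = outbound.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port path
2004-09-01 09:00:01 OPEN TCP 192.168.10.5 192.168.10.20 50100 3389 RECEIVE
2004-09-01 09:00:07 OPEN TCP 198.51.100.23 192.168.10.20 52311 3389 RECEIVE
2004-09-01 09:00:09 DROP TCP 198.51.100.24 192.168.10.20 52312 3389 RECEIVE
2004-09-01 09:01:15 OPEN TCP 203.0.113.7 192.168.10.20 40123 3389 RECEIVE
2004-09-01 09:02:30 OPEN TCP 192.168.10.20 198.51.100.9 50221 3389 SEND
2004-09-01 09:02:31 OPEN TCP 192.168.10.20 198.51.100.9 50222 443 SEND
"""


def parse_log(text):
    """Return one dict per data line; the #Fields header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, action, proto, src, dst, sport, dport, path = line.split()
        records.append({
            "time": "%s %s" % (date, time), "action": action, "proto": proto,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "direction": "inbound" if path == "RECEIVE" else "outbound",
        })
    return records


def policy_decision(rec, allowed_external=()):
    """Return "allow", "block" or "pass" (not a port 3389 record) for one record.

    allowed_external: iterable of CIDR strings permitted to reach LAN hosts
    on 3389 from outside (the filtering the article suggests when outside
    access cannot be avoided).
    """
    if rec["dport"] != TS_PORT:
        return "pass"
    src, dst = rec["src"], rec["dst"]
    if src in LAN and dst in LAN:
        return "allow"  # remote control inside the LAN is what the article permits
    if rec["direction"] == "outbound":
        return "block"  # outbound too: a Messenger-brokered session must not leave the LAN
    if dst in LAN and any(src in ipaddress.ip_network(net) for net in allowed_external):
        return "allow"  # explicitly filtered external source
    return "block"


def find_violations(records, allowed_external=()):
    """Records the firewall let through (OPEN) that the policy says to block."""
    return [rec for rec in records
            if rec["action"] == "OPEN" and policy_decision(rec, allowed_external) == "block"]


if __name__ == "__main__":
    support_host = ["203.0.113.7/32"]  # constructed allowlist of one outside support address
    for v in find_violations(parse_log(SAMPLE_LOG), support_host):
        print(v["time"], v["direction"], v["src"], "->", v["dst"], "port", v["dport"])
```

With the constructed allowlist the script reports two problems: an inbound session from an address that is not on the list, and an outbound connection to port 3389 that left the LAN, which is exactly the case where blocking only inbound traffic is not enough.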

Copyright © Windows knowledge All Rights Reserved