How to ensure security when using Win XP remote control

  
Like other remote control technologies, Remote Assistance and Remote Desktop raise security issues that should be considered before use. Where the highest level of security is required, remote control technology is not recommended in practice, but it also brings real convenience to users. This chapter describes how to ensure security when using remote control technology.

Remote Assistance

Remote Assistance (RA) allows a user (the inviter) to invite someone else (the invitee) over the network to help solve a practical problem on the inviter's computer. The invitee can view the inviter's screen and the two can exchange messages; if the inviter allows it, the invitee can also operate the inviter's computer over the network and fix the problem directly. The inviter decides whether the invitee gets view-only access or control. Both parties must be running the Windows XP operating system to use Remote Assistance.

Remote Assistance can be initiated by the inviter, which is called requesting Remote Assistance, or the invitee can offer Remote Assistance to the inviter, which is called offering (providing) Remote Assistance. The HelpAssistant account exists for Remote Assistance sessions. It is created during installation of the system, assigned a random complex password, and then disabled. When a Remote Assistance invitation is opened, an invitation ticket is created on the inviter's computer, port 3389 is opened and access to Terminal Services is allowed, and the HelpAssistant account is enabled automatically. Once it is enabled, invitees can use this account together with the ticket to access the inviter's computer. When all tickets have been closed or have expired, the HelpAssistant account is automatically disabled again and port 3389 is closed.

Note: The Remote Desktop feature also uses Terminal Services, so if Remote Desktop is enabled, port 3389 may remain open.

Requesting Remote Assistance

Users can request Remote Assistance by e-mail or Windows Messenger, or save a Remote Assistance request as a file. There is currently no way to limit whom a novice can invite: anyone who can connect to the novice's computer can accept the invitation. When a Remote Assistance request is answered, the novice can see the expert's user name; however, the only way to be sure that the connected user is the intended person is to use a password. The novice can choose to protect the request with a password when creating it. The password is not included in the request file, and the invitee must enter the correct password to establish the connection; the password must be sent to the invitee by some other means. Note, however, that password complexity, password policies and account lockout policies do not apply to this password or to this account.

An invitation sent via Windows Messenger is transmitted as plain-text XML. An invitation sent by e-mail or saved to a file uses the MsRcIncident format, which is also plain-text XML. Anyone who obtains the invitation can therefore read its contents, such as the machine's IP address, the port number used and whether the inviter has set a password.

For these reasons, Remote Assistance is not recommended on networks with strict security requirements.

Providing Remote Assistance

Providing (offering) Remote Assistance is generally considered the safer way to give remote help to a user. It is only available between two computers in the same domain or in trusted domains, and a policy setting must allow the expert's account to offer Remote Assistance. With this method the expert cannot connect to the user's computer without the user being notified, and cannot control the computer without the user's permission; the user can allow or refuse the other party's connection.

To use this method of Remote Assistance, the User Rights section of the security configuration template must be modified as follows:

User right: Allow log on through Terminal Services
Description: Determines which users or groups can log on as a Terminal Services client. Remote Desktop users need this right. If the Remote Assistance feature is also used, only the administrators who use it should hold this right. Note: to use offered Remote Assistance, no users or groups need to be added to this setting.
Recommended setting: <Nobody>

User right: Deny log on through Terminal Services
Description: Determines which users or groups are prevented from logging on as a Terminal Services client. This right is relevant to Remote Desktop users.
Recommended setting: <Nobody>

In addition, to allow users to use offered Remote Assistance, the following Group Policy settings must be configured:
Open the GPO in the Group Policy snap-in of the MMC, or reach the GPO links through the Group Policy tab of the container's Properties dialog
If you are accessing through the Group Policy tab, highlight the target GPO and click Edit to open the Group Policy snap-in
Locate the Computer Configuration\Administrative Templates\System\Remote Assistance node
Double-click Request Remote Assistance in the right-hand pane
Click the Enabled button to allow users to request Remote Assistance
Select "Allow helpers to only view this computer" from the drop-down menu
Set the maximum ticket time (value) to 0 and the maximum ticket time (units) to minutes

Apply the settings and close the dialog box

Note: Offered Remote Assistance requires the Request Remote Assistance policy to be enabled; setting the maximum ticket time to 0, however, prevents users from actually using the request feature.

Double-click Offer Remote Assistance in the right-hand pane.

If you plan to allow experts to offer Remote Assistance to this computer, click the Enabled button

Select "Allow helpers to only view this computer" from the drop-down menu

Warning: It is recommended never to allow users to hand remote control of the computer to others, even though the user can see the other party's actions and can withdraw control at any time, because it takes only a few seconds to destroy a system.

Click the Helpers: Show... button and add all users who are allowed to offer Remote Assistance to this computer, such as administrators or desktop support staff. It is recommended to limit this feature to only those users who really need it. Users are entered in the following format:
<Domain Name>\<User Name> or <Domain Name>\<Group Name>

Remote Desktop Connection

Remote Desktop (RD) is another Terminal Services based feature of Windows XP Professional that allows a user to connect to the computer remotely and use its resources as if sitting in front of it. Remote Desktop is disabled by default in Windows XP Professional.

Remote Desktop Connection uses the Remote Desktop client software, which is installed by default on XP; client software for Microsoft Windows 2000, NT, Windows 98 and Windows 95 is also supplied with Windows XP. Remote Desktop also has an ActiveX-based client called Remote Desktop Web Connection (RDWC) that can be installed on an IIS server. With RDWC, any computer with an ActiveX-capable browser can connect to the corresponding web page, download the ActiveX client and then open a Remote Desktop connection. When IIS is installed on XP Professional, RDWC is installed by default.

When Remote Desktop is enabled, port 3389 is opened for access to Terminal Services. All administrators (both local and domain) and the users and groups listed in Remote Desktop Users can access the computer remotely. When a connection is established, the connected computer is locked automatically. If a user is already logged on to the target computer, the remote user is offered the option to log off the locally logged-on user and then log on remotely, but this requires the remote user to have authenticated successfully and to have administrator privileges. Remote Desktop uses the standard Windows authentication mechanism, so password policies and account lockout policies also apply to Remote Desktop, and all accounts used for Remote Desktop must have passwords.

Note: It is recommended to lock down the default Administrator account when using Remote Desktop and to prohibit it from logging on remotely; local logon is not affected by this restriction.

To use the Remote Desktop feature, the User Rights section of the security template must be changed as follows:

User right: Allow log on through Terminal Services
Description: Determines which users or groups have the right to log on through the Terminal Services client. Remote Desktop users need this right. If Remote Assistance is used at the same time, only the administrators who use that feature should hold this right.
Recommended setting: Administrators and Remote Desktop Users

User right: Deny log on through Terminal Services
Description: Determines which users or groups are not permitted to log on through the Terminal Services client. This right is relevant to Remote Desktop users.
Recommended setting: <No one>

To allow your computer to accept Remote Desktop connections, do the following:

Right-click My Computer and select Properties to open the System Properties dialog box

Open the Remote tab in the dialog box

Select the "Allow users to connect remotely to this computer" check box

Click the Select Remote Users... button to open the Remote Desktop Users dialog box

Add the corresponding users or user groups

Note: This operation adds the selected users and groups to the local Remote Desktop Users group. The membership of this group can also be edited directly with the local Computer Management tool.
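
The following audit script is an added example, not part of this article: it reads back, on the XP host itself, the Remote Desktop and Remote Assistance settings described above (the Terminal Services state, the Remote Assistance policies, the two Terminal Services logon user rights, the HelpAssistant account and whether port 3389 is listening), so that a security template or GPO can be verified after it is applied. It assumes an administrator cmd prompt, and the policy value names are assumed to be the registry values the Remote Assistance policies write (fAllowToGetHelp, fAllowUnsolicited, fAllowFullControl, MaxTicketExpiry).

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added audit script (not from the article). Registry value names below are
rem assumed to be the ones the Terminal Services / Remote Assistance policies write.
set "TS=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
set "POL=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

echo == Terminal Services state ==
call :show "%TS%"  fDenyTSConnections "Remote Desktop disabled (1=yes)"
call :show "%TS%"  fAllowToGetHelp    "Remote Assistance requests allowed (1=yes)"

echo == Remote Assistance policy (not set = policy not configured) ==
call :show "%POL%" fAllowToGetHelp    "Request Remote Assistance (1=enabled)"
call :show "%POL%" fAllowUnsolicited  "Offer Remote Assistance (1=enabled)"
call :show "%POL%" fAllowFullControl  "Helpers may take control (1=yes)"
call :show "%POL%" MaxTicketExpiry    "Max ticket time (0 blocks requests)"

echo == User rights: Allow/Deny log on through Terminal Services ==
rem secedit exports the effective user rights; only the two TS logon rights are shown.
secedit /export /cfg "%TEMP%\secpol.inf" /areas USER_RIGHTS
find /i "RemoteInteractiveLogonRight" "%TEMP%\secpol.inf"
del "%TEMP%\secpol.inf"

echo == HelpAssistant account (should be "No" outside an RA session) ==
net user HelpAssistant | find /i "Account active"

echo == Listeners on the Terminal Services port (3389) ==
netstat -an | find ":3389 " | find "LISTENING"
if errorlevel 1 echo (none - port 3389 is closed)
goto :eof

:show
rem %1 = registry key, %2 = value name, %3 = label. Prints the REG_DWORD as reported
rem by reg query (e.g. 0x1), or <not set> when the value does not exist.
set "val=<not set>"
for /f "tokens=3" %%v in ('reg query %1 /v %2 2^>nul ^| find /i "%~2"') do set "val=%%v"
echo %~3: !val!
goto :eof
```

Run it once before and once after applying the template or GPO; a host that should not accept remote connections must show fDenyTSConnections = 0x1, HelpAssistant "Account active No" and no listener on 3389.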

Group Policy - Administrative Templates

Terminal Services

In addition to the settings noted above, the following Terminal Services settings are also recommended; they can be applied as part of a GPO or through the local computer policy.

These recommended Terminal Services settings are located under the GPO's Computer Configuration\Administrative Templates\Windows Components\Terminal Services node and can be accessed through the MMC Group Policy snap-in. Terminal Services settings can also be found under the User Configuration node, but the settings there are overridden by the settings under Computer Configuration.

Table 16 Terminal Services Policy Options

Network Configuration Suggestions

Both Remote Assistance and Remote Desktop use Terminal Services to let users access local computers remotely. When these features are used in Windows XP, Terminal Services uses port 3389. It is strongly recommended to allow remote connections only from the local area network and to block port 3389 on the external firewall or router. Both inbound and outbound connections on this port must be blocked to prevent unauthorized access: if only inbound connections are blocked, Remote Assistance can still be used from outside the LAN via Windows Messenger, so traffic in both directions must be blocked.

If you need to use Remote Assistance or Remote Desktop Connection over the local area network, it is recommended to set up filtering on the firewall or router so that only specific IP addresses can reach the systems on the LAN; all other addresses should be blocked from port 3389. If a higher level of protection is needed, a VPN server can be installed with a very strong authentication method so that only a small number of users can dial in to the VPN server. It is also a good idea to allow only specific IP addresses to connect to the VPN server.
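
As an added example that is not part of this article, the same LAN-only rule can also be enforced on the XP host itself with the Windows Firewall that ships with XP SP2, using netsh; it assumes the LAN is 192.168.1.0/255.255.255.0 (a constructed placeholder). The host firewall only filters inbound traffic, so the perimeter router or firewall must still block port 3389 in both directions as described above.

```batch
@echo off
rem Added example (not from the article): scope the Terminal Services port to the LAN
rem with the Windows XP SP2 firewall. Requires an administrator cmd prompt.
rem The subnet below is a constructed placeholder; replace it with your own LAN.
set "LAN=192.168.1.0/255.255.255.0"

rem 1. Firewall on for every profile; unsolicited inbound traffic is dropped unless
rem    an exception allows it.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 2. The Remote tab adds a Remote Desktop exception open to any address. Turn that
rem    broad exception off ...
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL

rem 3. ... and replace it with a TCP 3389 exception limited to the LAN subnet.
netsh firewall set portopening protocol=TCP port=3389 name="Terminal Services (LAN only)" mode=ENABLE scope=CUSTOM addresses=%LAN% profile=ALL

rem 4. Verify: the 3389 entry must list the custom scope rather than "*" (any address).
netsh firewall show portopening
netsh firewall show state
```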

Copyright © Windows knowledge All Rights Reserved