S 2.327 Secure remote access under Windows XP, Windows Vista and Windows 7
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
In Windows XP, two new mechanisms for remotely controlling a computer have been introduced: the Remote Desktop and the Remote Assistance. The Remote Desktop is based on the terminal services technology (RDP protocol) and allows users to log in to the system over a network. Remote Assistance extends the Remote Desktop functionality by adding an option for accessing the screen contents of a remote computer during an active session and, if necessary, taking over control of the computer. Windows Vista and Windows 7 also support these remote control mechanisms.
The Remote Desktop is used primarily to perform maintenance on Windows XP, Windows Vista and Windows 7 computers over a network. A number of third-party tools can also be used for this purpose. Special consideration should be given to the use of Remote Assistance in companies and government agencies in scenarios where the employees of an internal or external support centre are tasked with providing users with the necessary assistance. If remote access via MMC tools (mmc.exe), telnet or command line tools is activated, a timeout must always be set. The timeout ensures that the user is logged out of the remote access session automatically after a defined period of inactivity.
When using the Remote Desktop, it must be noted that only one user at a time can be logged in to the target computer. The Remote Desktop should not be understood as a replacement for terminal services.
The Remote Desktop is activated by default. In general, this setting should be disabled. The Remote Desktop and Remote Assistance can be enabled and disabled using the following group policy objects: Computer Configuration | Administrative Templates | Windows Components | Terminal Services, or User Configuration | Administrative Templates | Windows Components | Terminal Services and Computer Configuration | Administrative Templates | System | Remote Assistance, or locally via the Control Panel (in Windows XP under System | Remote and in Windows Vista under System | Advanced System Settings | Remote). In Windows 7, the path is System and Security | System | Remote Settings.
The following must be considered when using these two technologies:
- Strong encryption must be used (128-bit, High Level setting). This must be enabled in the policy Set client connection encryption level (in Windows XP, this is specified under Computer Configuration | Windows Settings | Administrative Templates | Terminal Services | Encryption and Security and in Windows Vista under Computer Configuration | Administrative Templates | Windows Components | Terminal Services | Terminal Server | Security). In Windows 7, this setting can be found under Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security. Under Set Client Connection Encryption Level, the Highest Level must be selected.
- Automatic password logins should not be used. This must be disabled in Windows XP by enabling the policy Always prompt client for password upon connection under Computer Configuration | Windows Settings | Administrative Templates | Terminal Services | Encryption and Security. The same applies to the XP mode in Windows 7. In Windows Vista, the setting must be enabled under Computer Configuration | Administrative Templates | Windows Components | Terminal Services | Terminal Server | Security. In Windows 7, the setting must be enabled under Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security.
- The redirection of clipboards, printers, file repositories and smart card connections, which is enabled and disabled in Windows XP under Computer Configuration | Windows Settings | Administrative Templates | Terminal Services | Client/Server Data Redirection, should be avoided if possible. In Windows Vista, the corresponding settings are located under Computer Configuration | Administrative Templates | Windows Components | Terminal Services | Terminal Server in the subfolders Printer Redirection, Device and Resource Redirection and Temporary Folders. In Windows 7, the options can be found under Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host in the subfolders Device and Resource Redirection and Temporary Folders.
The group of users authorised for Remote Desktop access is specified by assigning the corresponding user rights in the policies (Allow logon through Terminal Services, Deny logon through Terminal Services) or via the Control Panel. By default, remote access is possible for members of the group of administrators and of the group of Remote Desktop Users, which is empty by default after installation.
A remote assistance session can be initiated in one of the two following ways:
- "Inviting a trustworthy person for assistance"
- "Offering assistance to a user who invited you"
The user currently logged on must explicitly agree to start a session. Because the user name of the helper is not authenticated when a remote assistance connection is established, such connections pose a security risk. For this reason, the Remote Assistance mechanism should be used with care.
A remote session can be started in two possible ways. The first option is dialling in using an invitation file. To initiate a remote session using this option, the communication partner must authenticate with a corresponding password for each new session. This password must be requested from the other communication partner via a separate channel.
The second option is to use EasyConnect. In this case, the communication partner must authenticate himself once by means of a password. Since the communication partners do not need to authenticate themselves in future sessions of the same communication partners, EasyConnect should generally not be used in the company. The option of dialling in by means of an invitation file should be preferred.
The following must be guaranteed when using Remote Assistance by defining the corresponding policies:
- A session should only be initiated when explicitly invited. If helpers are to be allowed to offer Remote Assistance, then connections should only be possible for specific user groups (e.g. support employees). These are specified in one of the following forms:
  <domain name>\<user name>
  <domain name>\<group name>
  <user name>@<domain>.<top level domain>
  It is not possible to pick from the existing users or user groups.
- The maximum validity period of the invitation must be set to a value that is acceptable to the company or institution. The maximum validity period should not exceed five minutes.
- If the invitation for Remote Assistance is stored in a file, then a password should be assigned to reduce the threat of unauthorized use of the invitation.
- The control mode (Allow helpers to only view the computer or Allow helpers to remotely control the computer) should be set as restrictively as possible, i.e. to Allow helpers to only view the computer.
When using Remote Desktop and/or Remote Assistance, the effects on the configuration and administration of firewalls must be taken into account. It is recommended in general not to allow Remote Desktop or Remote Assistance connections from outside of the organisation's own network.
In summary, careful consideration must be given to the use of remote control mechanisms. In particular, due to the differences between the mechanisms in terms of user authentication, it is necessary to take the advantages and disadvantages of the particular mechanism into account. If Remote Desktop or Remote Assistance will not be used in a company or government agency, then they absolutely must be disabled.
Basic settings for GPOs
The following settings only apply when both remote control mechanisms are used. If only one of these two or neither of these mechanisms will be used, then the corresponding mechanism(s) must be disabled. It is necessary to change the policy settings specified below in this case.
The following table lists the group policy settings to be configured when using Remote Desktop and Remote Assistance on computers running Windows XP.
Policy | Status | Setting |
---|---|---|
Computer Configuration \| Administrative Templates \| Windows Components \| Terminal Services \| Encryption and Security \| Set Client Connection Encryption Level | enabled | highest level |
Computer Configuration \| Administrative Templates \| Windows Components \| Terminal Services \| Encryption and Security \| Always Prompt Client for Password upon Connection | enabled | |
Computer Configuration \| Administrative Templates \| Windows Components \| Terminal Services \| Client/Server Data Redirection \| * | enabled/disabled | |
Computer Configuration \| Administrative Templates \| System \| Remote Assistance \| Offer Remote Assistance | disabled | |
Computer Configuration \| Administrative Templates \| System \| Remote Assistance \| Solicited Remote Assistance | enabled | Helpers are allowed to remotely control the computer. Maximum validity period: 5 minutes |
Table: Group policy settings for computers (Windows XP)
The following table lists the group policy settings to be configured when using Remote Desktop and Remote Assistance on computers running Windows Vista and Windows 7.
Policy | Status | Setting |
---|---|---|
Windows Vista: Computer Configuration \| Administrative Templates \| Windows Components \| Terminal Services \| Terminal Server \| Security \| Always Prompt Client for Password upon Connection | enabled | |
Windows 7: Computer Configuration \| Administrative Templates \| Windows Components \| Remote Desktop Services \| Remote Desktop Session Host \| Security \| Always Prompt for Password upon Connection | enabled | |
Windows Vista: Computer Configuration \| Administrative Templates \| Windows Components \| Terminal Services \| Terminal Server \| Security \| Set Client Connection Encryption Level | enabled | highest level |
Windows 7: Computer Configuration \| Administrative Templates \| Windows Components \| Remote Desktop Services \| Remote Desktop Session Host \| Security \| Set Client Connection Encryption Level | enabled | highest level |
Windows Vista and Windows 7: Computer Configuration \| Administrative Templates \| System \| Remote Assistance \| Offer Remote Assistance | disabled | |
Windows Vista and Windows 7: Computer Configuration \| Administrative Templates \| System \| Remote Assistance \| Solicited Remote Assistance | enabled | Helpers are allowed to remotely control the computer. Maximum validity period: 5 minutes |
Table: Group policy settings for computers (Windows Vista and Windows 7)
The following table lists the group policy settings to be configured for Windows XP users who are allowed to use the Remote Desktop and Remote Assistance.
Policy | Status | Setting |
---|---|---|
User Configuration \| Administrative Templates \| Windows Components \| Terminal Services \| Set rules for remote control of Terminal Services user sessions | enabled | Full control with the permission of the user |
User Configuration \| Administrative Templates \| Windows Components \| Terminal Services \| Client \| Do not allow passwords to be saved | enabled | |
Table: Group policy settings for users (Windows XP)
The following table lists the group policy settings to be configured for Windows Vista and Windows 7 users who are allowed to use the Remote Desktop and Remote Assistance.
Policy | Status | Setting |
---|---|---|
Windows Vista: User Configuration \| Administrative Templates \| Windows Components \| Terminal Services \| Remote Desktop Connection Client \| Do not allow passwords to be saved | enabled | |
Windows 7: User Configuration \| Administrative Templates \| Windows Components \| Remote Desktop Services \| Remote Desktop Connection Client \| Do not allow passwords to be saved | enabled | |
Windows Vista: User Configuration \| Administrative Templates \| Windows Components \| Terminal Services \| Terminal Server \| Connections \| Set rules for remote control of Terminal Services user sessions | enabled | Full control with the permission of the user |
Windows 7: User Configuration \| Administrative Templates \| Windows Components \| Remote Desktop Services \| Remote Desktop Session Host \| Connections \| Set rules for remote control of Remote Desktop Services user sessions | enabled | Full control with the permission of the user |
Table: Group policy settings for users (Windows Vista and Windows 7)
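As an added audit example (not part of the safeguard text), the following PowerShell reads the registry values that the policies in the tables above write and reports whether each one matches the required setting. The value names are the standard policy-to-registry mappings for these Terminal Services / Remote Assistance policies; the expected values (highest encryption level, password prompt, no unsolicited offers, 5-minute validity, full control with permission, no saved passwords) are those required by the tables.

```powershell
# Added example, not part of the BSI safeguard: audits the registry values behind
# the group policies in the tables above and reports deviations per setting.
# Value names are the standard policy-to-registry mappings; expected values are
# taken from the tables (highest level = MinEncryptionLevel 3 High or 4 FIPS,
# MaxTicketExpiryUnits 0 = minutes, Shadow 1 = full control with permission).
$machinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$userPolicy    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means "not configured", which the report treats as non-compliant.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# One entry per required setting: registry location and the test it must pass.
$checks = @(
    @{ Policy = 'Set client connection encryption level: highest level'
       Path = $machinePolicy; Name = 'MinEncryptionLevel'; Test = { param($v) $v -ge 3 } },
    @{ Policy = 'Always prompt client for password upon connection'
       Path = $machinePolicy; Name = 'fPromptForPassword'; Test = { param($v) $v -eq 1 } },
    @{ Policy = 'Offer Remote Assistance: disabled'
       Path = $machinePolicy; Name = 'fAllowUnsolicited'; Test = { param($v) $v -eq 0 } },
    @{ Policy = 'Solicited Remote Assistance: enabled'
       Path = $machinePolicy; Name = 'fAllowToGetHelp'; Test = { param($v) $v -eq 1 } },
    @{ Policy = 'Solicited Remote Assistance: helpers may remotely control the computer'
       Path = $machinePolicy; Name = 'fAllowFullControl'; Test = { param($v) $v -eq 1 } },
    @{ Policy = 'Solicited Remote Assistance: maximum validity period <= 5'
       Path = $machinePolicy; Name = 'MaxTicketExpiry'; Test = { param($v) $v -le 5 } },
    @{ Policy = 'Solicited Remote Assistance: validity period unit is minutes'
       Path = $machinePolicy; Name = 'MaxTicketExpiryUnits'; Test = { param($v) $v -eq 0 } },
    @{ Policy = 'Do not allow passwords to be saved (current user)'
       Path = $userPolicy; Name = 'DisablePasswordSaving'; Test = { param($v) $v -eq 1 } },
    @{ Policy = 'Remote control of user sessions: full control with user permission'
       Path = $userPolicy; Name = 'Shadow'; Test = { param($v) $v -eq 1 } }
)

$results = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    $ok = ($null -ne $value) -and (& $c.Test $value)   # empty Value = not configured
    [pscustomobject]@{ Policy = $c.Policy; Value = $value; Compliant = $ok }
}
$results | Format-Table -AutoSize

# Remote Desktop itself: fDenyTSConnections = 1 refuses connections, which the
# safeguard requires wherever Remote Desktop is not actually used.
$deny = Get-PolicyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections'
"Remote Desktop connections denied: $($deny -eq 1)"
```

Run it in an elevated session on the target computer after a gpupdate, since the HKCU checks reflect the user-configuration policies of the account running the script.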
Review questions:
- Is the automatic password login option in Windows XP, Windows Vista and Windows 7 disabled?
- Is the group of users authorised for Remote Desktop access specified by assigning the corresponding user rights or is it specified in the policies?
- Are the group policies configured securely while still meeting all needs?
- Can Remote Assistance only be provided after explicit invitation via EasyConnect or an invitation file?
- Has the maximum validity period of the invitation been set to an acceptable value?
- When an invitation is stored in a file, is a password assigned to the file?
- Were the effects on the configuration of the firewall taken into account when planning the remote assistance procedures?
- Have the remote control mechanisms been completely disabled if they will not be used?