Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - نسخه متنی

Roberta Bragg

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Windows Server 2003 Security: A Technical Reference

By Table of Contents | Index

If you''''re a working Windows administrator, security is your #1 challenge. Now there''''s a single-source reference you can rely on for authoritative, independent help with every Windows Server security feature, tool, and option: Windows Server 2003 SecurityRenowned Windows security expert Roberta Bragg has brought together information that was formerly scattered through dozens of books and hundreds of online sources. She goes beyond facts and procedures, sharing powerful insights drawn from decades in IT administration and security. You''''ll find expert implementation tips and realistic best practices for every Windows environment, from workgroup servers to global domain architectures. Learn how to: Reflect the core principles of information security throughout your plans and processes Establish effective authentication and passwords Restrict access to servers, application software, and data Make the most of the Encrypting File System (EFS) Use Active Directory''''s security features and secure Active Directory itself Develop, implement, and troubleshoot group policies Deploy a secure Public Key Infrastructure (PKI) Secure remote access using VPNs via IPSec, SSL, SMB signing, LDAP signing, and more Audit and monitor your systems, detect intrusions, and respond appropriately Maintain security and protect business continuity on an ongoing basis"Once again, Roberta Bragg proves why she is a leading authority in the security field! It''''s clear that Roberta has had a great deal of experience in real-world security design and implementation. I''''m grateful that this book provides clarity on what is often a baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical Hacker James@accusource.net"Full of relevant and insightful information. Certain to be a staple reference book for anyone dealing with Windows Server 2003 security. Roberta Bragg''''s Windows Server 2003 Security is a MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation phil.cox@systemexperts.com"Few people in the security world understand and appreciate every aspect of network security like Roberta Bragg. She is as formidable a security mind as I have ever met, and this is augmented by her ability to communicate the concepts clearly, concisely, and with a rapier wit. I have enjoyed working with Roberta more than I have on any of the other 20 some odd books to which I have contributed. She is a giant in the field of network security."Bob Reinsch bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do things and then tells you how to do it! It is a comprehensive guide to Windows security that provides the information you need to secure your systems. Read it and apply the information."Richard Siddaway, MCSE rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically accurate. It will be a valuable resource for network administrators and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg writes and I have ''''always'''' found her writing to be perfectly focused on issues I ''''need'''' to know in my workplace when dealing with my users. Her concise writing style and simple solutions bring me back to her columns time after time. When I heard she had written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding common pitfalls, and her easy to follow guidelines on how to lock down my network and user environments (those darned users!) has me (and my clients) much more comfortable with our Win2k3 Server deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra Vista AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows Security Information Technology Consultant harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more than just lucid coverage of how things work, but also offers sound advice on how to make them work better."Chris Quirk; MVP Windows shell/user cquirke@mvps.org"This book is an invaluable resource for anyone concerned about the security of Windows Server 2003. Despite the amount and complexity of the material presented, Roberta delivers very readable and clear coverage on most of the security-related aspects of Microsoft''''s flagship operative system. Highly recommended reading!"Valery Pryamikov, Security MVP, Harper Security Consulting valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel Corp. bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized, with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron CPCU, CCP, AAI Microsoft MVPWindows Security Information Technology Consultant
توضیحات
افزودن یادداشت جدید







Management Practices


Administrative practices are also important to security. One example, change management, was introduced earlier in this chapter. This section introduces the best practices for securing administrative practices, including the use of administrative tools.

Adopt Secure Administration Practices


Administrators are entrusted with the security of the network, and yet few controls are placed on administration activity. Although administrators must have elevated privileges to do their job, many controls can be used to limit them to "just" the activities they need to do. There are ways to monitor their activity and to protect the process and lessen the possibility of account compromise. Monitoring administrative practice is discussed in Chapters 18 and 19. The other controls are described in this section.

Limiting Administrative Power

The security principles of separation of duties and limiting user rights and permissions to those needed to do their job also apply to Administrators. The first step is to realize that not every administrator needs to be able to do everything. To do so, examine default Windows Server 2003 administrative roles and create new roles where it is practical.

Default Administrative roles in Windows Server 2003 are described in Table 16-4.

Table 16-4. Windows Server 2003 Administrative Roles

Role

Description

Tip

Enterprise Admins

Have administrative rights in entire forest.

Should have few members. Some activities require membership in this group, and limiting its membership controls inadvertent or unauthorized activity.

Domain Admins

Have administrative rights in the domain.

Should have limited membership. Some activities require membership in this group, and limiting membership restricts access to these activities.

Schema Admins

Can modify schema.

Should have no members when schema modification activity is not necessary. Membership can be added when schema modification is necessary. By requiring a membership addition before schema changes are made, you prevent many inadvertent, unauthorized, or otherwise rash modifications to schema.

Local Administrators

Administrative rights are only available on the local computer.

Limit membership. The Domain Admins group is automatically a member if the server is joined to the domain. If necessary, remove the Domain Admins group and replace it with a limited number of administrators. Add accounts to this list if users require the ability to administer the server but do not need and should not have domain administrative rights. A good example is a database administrator who may need local server administrative authority.

Account Operators

Can manage accounts, except administrators.

Many individuals given membership in Domain Admins have the management of users as a primary responsibility. If they should manage users throughout the domain, membership in Account Operators is a better choice. If, however, they should manage accounts in some subset of accounts, an OU should be and may already be created to host these accounts, and users who should administer these accounts should be given privileges on the OU, not at the domain level.

Server Operators

Can manage servers.

Manage this group like you do Account Operators. That is, if users should manage all servers in the domain, grant them membership in this group; otherwise, delegate privileges within a specific OU or OUs.

Backup Operators

Can back up data.

Manage this group by assigning it membership in selective local Backup Operator groups.

Custom groups can be used as administrative groups. These groups obtain their administrative rights via delegation, using the Delegation of Control Wizard or by assigning the group specific user rights. By using these methods, you can ensure that users only have the administrative rights they need over the user and computer accounts that they are authorized to manage. For example, a sound recommendation is to leave the membership of the Backup Operators group empty and create two groups, a Backup group and a Restore group, then give them the Backup or Restore privilege, respectively. This provides a way to separate those functions, thus fulfilling the separation of duties security principle.

In addition to limiting administrative users by assignment of rights and permissions, separation of duties is partially obtainable, if not completely enforceable, by technical controls. Two types of administrators should be defined: service administrators and data administrators. Data administrators are responsible for managing users, computers, databases, printers, and so forth. Service administrators manage the infrastructure of the Active Directory network. Service administrators are members of Domain Admins, Schema Admins, Enterprise Admins, and other groups created to manage infrastructure. Data administrators are members of other groups restricted to specific data tasks or to limited administrative roles, such as local administrator.

Data administrators, because of the groups that they are members of, do not have service administrator rights. Do not provide them with these rights. Service administrators, however, by default do have data administrator rights, and must even use some of them in day-to-day operations. Service administrators, for example, should administer their own group membership and the accounts of service administrators. There would be more risk if data administrators were able to manage service administrator accounts and groups than can be gained by separating the privilege of user management. If data administrators could manage administrator accounts and groups, data administrators or others might be given elevated privileges. To assist in maintaining this separation, place administrative accounts in special OUs and, when giving user and group management duties to data administrators, either give data administrators membership in the Account Operators group or use delegation and only give them account management rights in OUs where no service administrator accounts or groups exist.

NOTE: FYI

For more information on service and data administrators, read the article "Design Considerations for Delegation of Administration in Active Directory" at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/addeladm.asp.

Protecting the Administrative Process


Securing the administrative process is a combination of securing administrative account, securing administration tools, securing the administrative workstations, and securing communications between administrative workstations and computers that are being remotely administered.

In addition to hardening the computer used as an administrative workstation, additional security can be gained by putting these computers on a separate, protected subnet and by providing additional physical security along with limiting the use of remote administration tools and connections to servers to the administrative workstations. Connections to servers can be limited by creating IPSec policies. Policies on servers should be configured to only accept remote administration tool connections from administrative workstations.

Protecting Administrative Accounts


All administrative activity, no matter how carefully assigned and limited, can be subverted if administrator accounts are compromised. Fortunately, when all administrative accounts are only given the admin rights necessary to perform required duties, the impact of an account compromise might be less of a disaster. However, administrative account access should be protected. Because many security breaches occur when an unauthorized individual gains control of an account by learning its password, passwords for administrative accounts should be stronger than the general domain account password policy. Although you cannot provide different technical controls (the same password policy is used throughout the domain), you can require that administrators use longer passwords or provide them with smart cards or other authentication devices. The actual use of long passwords can be verified by using a password cracker. Don't forget to obtain written management approval before using a password cracker even on your own network for this purpose.

Hardening Remote Administrative Tools


In addition to the administrative tools present on the console, native Windows Server 2003 tools exist that can be used for remote administration. These tools can also be used to administer Windows XP. Remote administration tools include the Remote Desktop Connection for Windows Server 2003 (known as Terminal Services in Administrative Mode in Windows 2000) and Remote Assistance.

Remote Desktop Connection for Windows Server 2003

The Remote Desktop Connection for Windows Server 2003 was called Terminal Server in Remote Administration Mode in Windows 2000. (Terminal services in application mode, the other terminal services mode that allows clients to connect and run applications, is simply called Terminal Server in Windows Server 2003.) Remote Desktop does not require the installation of a terminal server. However, terminal services, a Windows Server 2003 service, is enabled and started by default. The Remote Desktop application must be enabled in order to use the service. Remote Desktop is not meant to be used as an application provider. Its only purpose is to provide support for remote administration. Using Remote Desktop, an administrator can administer the server using the server's local administration tools. Like terminal services, screen displays and keystrokes are the only data transferred between the administrator's desktop and the remote computer. All data is encrypted by default. 128-bit encryption is the default; however, this can be reduced if legacy clients must be used for administrative purposes. There is no computer authentication; however, only authorized administrators can use the service. If further securityincluding mutual authenticationis desired, it can be added by using IPSec.

Additionally, Remote Desktop provides roaming disconnect supportthat is, an administrator can start a lengthy task and disconnect, and then come back later. The Remote Desktop client is part of Windows Server 2003 and Windows XP. It can be installed on Windows 98, Windows Me, and Windows 2000 SP2 and above.

NOTE: FYI

Download the Remote Desktop client for earlier versions of Windows from http://www.microsoft.com/downloads/details.aspx?FamilyID=a8255ffc-4b4a-40e7-a706-cde7e9b57e79&DisplayLang=en.

Configuration Options for the Client

The Remote Desktop client provides a console where connections can be defined. Once defined, the connection can simply be clicked to start the connection process. Multiple connections can be stored. Each connection is configured with connection information (user name and password, server address), and each connection can be set up to allow connection to the local drives during the session and to either connect to the console or start a specific program. The drive connection option is actually giving permission for the connected server to access the local drives and ports. Although this option makes it convenient, as files can easily be transferred, it also makes the local system more vulnerable to an attack that originates at the server.Figure 16-17. These properties can be configured on the server and in Group Policy. Settings in Group Policy override local server and Remote Desktop connection settings. Server settings override Remote Desktop connections.

To create a connection, follow these steps:


1.

Select the Start, All Programs, Accessories, Communications, Remote Desktop Connection program.

2.

Click the Options button.

3.

Enter the computer name that you want to access and your user name, password, and domain, as shown in Figure 16-20. Do not select Save my password.

Figure 16-20. Enter server and logon credentials for the connection.

4.

Use the Property pages to configure settings for this connection. Options are displayed in Table 16-5.

Table 16-5. Remote Desktop Connection Settings

Page

Setting

Description

Comment

Display

Remote Desktop Size

Set the default size of the desktop.

Configure for your convenience.

Display

Colors

Set requested settings for display colors. The remote computers settings may override.

Configure for your convenience.

Display

Display connection bar

Display or don't display connection bar.

The bar helps identify that the window is a remote connection and allows you to change the size of the Window.

Local Resources

Remote computer sound

Hear sounds, don't hear sounds, or don't play sounds that will be played on the remote computer when using this connection.

Sound played on the remote computer may help you in administration if redirected to your client.

Local Resources

Apply Windows key combinations

Determine if these key combinations will affect the remote computer or the local computer.

Use In full screen mode only setting. This makes it convenient; you can manipulate the remote computer. It also protects you from accidentally using something on the local system (such as Ctrl+Alt+Del and shutdown) during a remote administration session.

Local Resources

Connect automatically to these local devices when logged on to the remote computer

Have access to local drives, printers, and serial ports during a remote administration session.

Malicious code running on the remote computer might have access to local resources. Uncheck these resources to prevent possible successful attacks.

Programs

Enable and enter the name and path of program to run upon connecting

Start any program when connection is made.

Use to start up a custom MMC that contains the administration tools this user requires. This can help limit administrators, especially those who have been delegated limited administration privileges.

Experience

Choose connection speed

Set the connection to use the speed that matches the capability of theconnection hardware.

Configure for your environment.

Experience

Allow the following

Select options such as background, menu animation, etc.

Configure for your convenience. Appropriate configuration can aid performance when using slow links.

5.

Click the Save As button and name the connection. You will be able to select the connection and use it later.

6.

Click Connect. If the connection is successful, the desktop of the remote connection will be displayed on the local desktop, as shown in Figure 16-21. Note in the figure that the title bar tells you that this is a remote connection and which server it is located on.

Figure 16-21. The Remote Desktop is display on the local machine.

[View full size image]

7.

Select disconnect, Log Off. If you close the window, the connection remains open, and any software running will continue to run. You can connect to the session again; however, because there are limited remote connections when terminal services is used for administrative purposes, you should only do this when you need to continue some process.


Configuration Options on the Server 2003 Computer

Windows Server 2003 Remote Desktop connections can be controlled by

Configuring the Remote tab in the System applet in Control Panel

Enabling or disabling the Terminal Services service

Setting local server options in Terminal Services Configuration

Using the Terminal Services settings in Group Policy


You can effectively block all terminal services connections, including Remote Desktop connections from administrators, either by disabling the Terminal Services service or by deselecting the Remote Desktop Allow users to connect remotely to this computer check box, as shown in Figure 16-22. If your policy is to disallow connections via terminal services, do both.

Figure 16-22. Disable Remote Desktop connections by removing that option in the System applet.

Local Terminal Services Configuration settings are managed by opening the Terminal Services Configuration console, as shown in Figure 16-23, and setting properties for the RDP-TCP protocol. To access the properties, right-click the RDD-Tcp node in the detail pane and select Properties. There are four important security considerations.

Encryption level
The General tab, shown in Figure 16-24, provides the option to change the encryption strength in the Encryption level drop-down box. Set encryption to High or FIPS compatible. The object here is to ensure the best encryption. If clients cannot match the High or FIPS compatible encryption setting, a different client should be used for administrative purposes. Encryption settings are detailed in Table 16-6.

Table 16-6. Terminal Services Encryption Levels

Encryption Level

Description

High

128-bit encryption.

Low

56-bit encryption.

Client Compatible

Encryption is negotiated depending on what the client is capable of.

FIPS

Compliant United States federal standard encryption algorithms are used.

Figure 16-24. Leave encryption strength at High if possible.

Resource redirection
Override user settings by disabling resource redirection on the Client Settings tab, as shown in Figure 16-25. To disable any use of local resources during a Remote Desktop session, uncheck Use connection settings from user settings. To disable the use of a specific resource, use the Disable the following: section and check the resource.

Figure 16-25. Set server connection properties for program start or drive redirection.

Override User Program Requests
Use the Environment tab to override any user request to start a program on connection. It is important to control access to server resources.

Permissions
By default, Administrators have Full Control, and Remote Desktop Users (a configurable group that does not include all users) are given User Access and Guest Access, as shown in Figure 16-26. User Access only allows viewing (query, connect, logon). If this is not necessary (the only users who should be able to use the terminal services connection should be administrators), you may delete the Remote Desktop Users selection. You may also want to grant or restrict access to a subset of the Administrators group. You can create a unique group, add administrator or delegated administrators accounts to it, and then assign the new group appropriate permissions.

Figure 16-26. Manage permissions using the Permissions tab of the Properties page.


Figure 16-23. Remote Desktop Server controls are set in Terminal Services Configuration.

[View full size image]

Group Policy Configuration Options

Group Policy settings for Remote Desktop connections are configured in the Terminal Services section of Computer Configuration, Figure 16-27, and User Configuration, Figure 16-28, under the Administrative Tools, Windows Components sections. Use a GPO linked to an OU to manage different servers differently. For example, you may want to insist on 128-bit encryption when administering more sensitive servers, but modify that setting for others.

Figure 16-27. Most Remote Desktop restrictions can be made in the Computer Configuration section of Group Policy.

[View full size image]

Figure 16-28. Use the User Configuration section to configure basic session information.

[View full size image]

Allowing client compatibility for encryption settings when terminal services will be used for administrative purposes is a bad idea. Doing so would mean that you want administrators to be able to use Windows 98, for example, to remotely administer servers. Windows 98 cannot be secured, and you should secure administrative workstations. Always use the best security you can when performing remote administration.


Use Non-Standard TCP/IP Port for Remote Desktop


An additional security configuration for Remote Desktop connections is to change the TCP/IP port to a non-standard one. An attacker cannot connect without knowledge of the port and cannot determine the presence of terminal services by scanning for port 3389, which is the default port. To change the port, a registry edit is required. The PortNumber value can be changed from 3389 to any non-standard port number. The client must then connect to terminal services using the IP address followed by the port number, such as 192.168.5.150:3150 if 3150 is the new port specified. The registry key location for PortNumber is

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
\TerminalServer\WinStations\RDP-Tcp\PortNumber

Remote Assistance

Remote Assistance is different from Remote Desktop. Remote Assistance is designed to offer selected users, even users who do not have domain logons, to remotely control a Windows desktop. The Remote Assistance feature was introduced with Windows XP and can be used to offer repair, troubleshooting, and instruction to users of Windows XP and Windows Server 2003. Unlike Remote Desktop, connection with or without remote control is not possible unless a user is logged on to the remote computer. Like Remote Desktop, Terminal Services Configuration and Group Policy settings for terminal services can be used to prevent or manage Remote Assistance connections.

Although primarily a feature designed for use by help desk employees in their job as first-level response to user PC problems, Remote Assistance can be used to provide administrative assistance to those empowered to manage Windows Server 2003 servers. In large organizations, branch offices and other locations may require servers, but justification for a full-time staff of Windows experts may not be present. Instead, IT pros with less experience or personnel with other duties may be responsible for the operation of the servers. Remote Assistance may be the ideal way to offer these individuals expert assistance when they need it.

Group Policy settings can and should be configured to securely manage Remote Assistance. If it is not managed, it may be possible for unauthorized persons to obtain administrative access to XP or Windows Server 2003 computers. Users of Remote Assistance, both the novice requesting help and the expert providing help, should receive training in how to use Remote Assistance. Two strategies are outlined here: first, how to use Remote Assistance in a secure manner, and second, how to absolutely prevent its use. Your implementation of Remote Assistance may be a combination of both strategies, securing remotes assistance for some computers but not for others. You can manage Remote Assistance using Group Policy to provide this option.

Using Remote Assistance

To use Remote Assistance,

The novice must have available either Windows Messenger or a Messaging Applications Programming Interface (MAPI) compliant email program, such as Microsoft Outlook or Outlook Express.

Both the novice and expert computers must be connected to the Internet (or a TCP/IP network if email is used).

The Turn on Remote Assistance and allow invitation to be sent from this computer option in the System\Remote Property page in Control Panel must be checked.

The Allow this computer to be controlled remotely check box in the Advanced page of the Remote Property page in Control Panel must be checked if remote control is desired (see Figure 16-29).

Figure 16-29. Remote Assistance can be granted without granting remote control.

Any firewalls between the novice and expert computer must be configured to allow Remote Assistance traffic. Port 3389 is used by the novice's computer to accept Remote Assistance communications. Or, the Remote Desktop Web connection must be deployed.

Remote Assistance must be configured and not blocked by Control Panel settings or security settings in Group Policy. Do not rely on a firewall or the use of a NAT device to prevent a Remote Assistance connection. If you do not want to allow Remote Assistance, disable it. Using Remote Assistance through a NAT device is possible if the NAT device supports Universal Plug and Play (UPnP). For example, the Windows Internet Connection Firewall does support UPnP, and a Remote Assistance connection can be used as long as both novice and expert computers are not behind NAT devices.


In addition to using the Remote Desktop connection client, a Remote Desktop Web Connection option is available for use when the IIS Remote Desktop Web Connection subcomponent of IIS is installed. The client can then use Internet Explorer to download and install the ActiveX control. This control can then be used to use Remote Desktop services and Remote Assistance.

Remote Assistance is configured either directly in Control Panel or through Group Policy. By default, it is enabled. The Remote Assistance process can be divided into four parts:

First, the novice requests Remote Assistance by sending a Windows Messenger instant message or an email to another individual. (An option to create an invitation in a file and send it as part of an email message is also provided.)

Second, this individual accepts the request.

Third, the novice is asked to accept the expert's connection to their computer.

Finally, if novice authorizes it, the remote connection is established.


After the connection is established, the expert can then provide the following assistance:

View the desktop of the remote computer in real time.

Chat with the novice.

If given approval, take remote control of the novice's desktop by clicking the Take Control button. (This ability is disabled by default and must be approved by the novice.)

Send and receive files.


Requesting Remote Assistance

To use the Windows Messenger option, follow these steps:


1.

Connect to the Internet and sign into Windows Messenger.

2.

Check to see if the expert is online. If the expert is not online, the operation will not work (see step 7).

3.

Click Start, and then click Help and Support.

4.

Under Support Tasks, click Support.

5.

Click Get Remote Assistance.

6.

In the Detail pane, click Invite someone to help you.

7.

If Windows Messenger is running, any of your Windows Messenger contacts that are online will be displayed. Select the Windows Messenger contact to invite, select email, or select to save the invitation as a file.

8.

Wait for a response.

Windows Messenger will show the following message: "Inviting person-you-invited to connect to your computer. Please wait for a response." This message is followed by "Invitation Is Accepted."

9.

Click Yes to respond to the message: "person-you-invited has accepted your Remote Assistance Invitation and is ready to connect to your computer. Do you want to let this person view your screen and chat with you?"


To use email, follow thses steps:


1.

Click Start, and then click Help and Support.

2.

Under Support Tasks, click Support.

3.

Click Get Remote Assistance.

4.

In the Detail pane, click Invite someone to help you, as shown in Figure 16-30.

Figure 16-30. Use Help and Support to request assistance.

[View full size image]

5.

Scroll to the or prepare an e-mail invitation section and enter the name of the user you want to invite. Click Continue.

6.

Set the invitation expiration time. It is always a good idea to make sure an invitation will eventually expire. This limits the time an attacker may have to use the Remote Assistance connection if he discovers its existence.

7.

Check the box Require the recipient to use a password, enter and confirm the password to be used. Always do so because leaving an unprotected invitation provides an opening that an attacker can use to gain control of the server. Never include the password in the email invitation. Instead, communicate the password via telephone or other communication.

WARNING: Require a Password

If no password is required, anyone who can obtain the URL from the invitation can connect to the computer. Because the request to allow the connection will specify the name entered in the email message, the connection will probably be accepted by the user, as will a remote control request. This is a highly dangerous situation that can be prevented using Group Policy to prevent "buddy" connections. Buddy connections are those that do not require a user account on the computer and instead are approved by the simple use of a password. If buddy connections are not allowed, you can control Remote Assistance connections by including user accounts in the Remote Desktop Users group. (Administrators have the ability to connect without being added to this group.)

8.

Click Create Email Invitation.

9.

Enter the email address to send the message to, add any personal message, and click Send.

WARNING: Users Should Not Include the Password in the Invitation!

Warn users not to include the password for the session in the message. The password should be communicated via other means, such as a telephone call. If the password is included in the message, any person who can obtain the message can make the connection.

10.

Enter the name of the intended recipient in the To: box of the email message, as shown in Figure 16-31. Add an additional message if required and then click Send.

Figure 16-31. A Remote Assistance invitation, when answered, can be refused or accepted.

11.

Click Yes in response to the message in Figure 16-32 if the invitation was mailed or use the page to manually create an email.

Figure 16-32. Use the confirmation page to manually create a message if necessary.

[View full size image]

12.

If you receive the message "person-you-invited would like to share control of your computer to help solve the problem," and you want the expert to remotely control your computer, click Yes.


Offering Remote Assistance

Remote Assistance can also be offered without an invitation if the following is present:

The Administrative Templates, System, Remote Assistance, Offer Remote Assistance setting in Group Policy, as shown in Figure 16-33, must be enabled and configured on the user's computer.

Figure 16-33. Click the Show button to list user that may offer assistance.

The user offering assistance must be listed as a Helper in the Offer Remote Assistance policy or a member of the Administrators group on the computer. The Helper list is configured by clicking the Helpers: Show button.

The Solicited Remote Assistance Policy, as shown in Figure 16-34, must be enabled.

Figure 16-34. Configure the Solicited Remote Assistance Policy if you want administrators to offer assistance without an invitation.


The user must give permission before the assistance can see the user's desktop. The user must also give permission before remote control can proceed. To offer assistance, the expert should do the following:


1.

Click Start, Help and Support.

2.

Click Support Tasks, Tools.

3.

Click Tools, Help and Support Center Tools.

4.

Click Help and Support Center Tools, Offer Remote Assistance.

5.

Enter the IP address or the name of the computer to connect to and click Connect.

6.

The user on the remote server still has the option to accept or not accept the offer of assistance.


Configuring Remote Assistance for Security

Create a Remote Assistance policy that specifies who will classify computers that are allowed to request Remote Assistance, and who can actually offer assistance. Then, configure computers either directly or in Group Policy.

To control Remote Assistance locally, follow these steps:


1.

Open Control Panel, System.

2.

Click the Remote tab.

3.

Click Allow this computer to be controlled remotely or click to deselect this option to prevent Remote Assistance.

4.

To allow a Remote Assistance connection but to prevent remote control, click the Advanced button.

5.

Uncheck the box Allow this computer to be controlled remotely.

6.

To limit the time invitations are allowed to remain open (regardless of the user settings in the invitation), use the Invitations section of the Remote Assistance Settings page to indicate the number of hours or days allowed.

7.

Click OK twice to close the System Properties box.


To control Remote Assistance via Group Policy, follow these steps:


1.

Open the GPO in the Group Policy Editor.

2.

Navigate to the Computer Configuration, Administrative Templates, System, Remote Assistance node.

3.

In the Solicited Remote Assistance Group policy, if enabled, the following items should be configured:

Select the type of control that is permitted in the Permit remote control of this computer drop-down box. Choices are Allow helpers to remotely control this computer or Only allow helpers to view this computer. Permit remote control of this computer should not be checked for sensitive computers. It should be checked for computers for which a plan for Remote Assistance has been approved. For example, you may want to prevent remote control of the payroll database server and all domain controllers, but allow remote control of desktop systems and perhaps some file or print servers or servers at remote locations where no local assistance is available.

Maximum Ticket Time and Maximum Ticket Unit controls the time for which a request is valid and the number of times it can be used, respectively. To secure Remote Assistance, this time should be short, and the number of uses should be set very low. (This is not the time that an established connection can be maintained; rather, it is the time for which a request can be successfully answered.)

4.

If the Offer Remote Assistance policy will be enabled, use the Show button to add the user account names for those users who will be allowed to offer Remote Assistance.


Prevent Remote Assistance

To prevent employees from using Remote Assistance, especially to prevent Remote Assistance on servers, use the Group Policy Solicited Remote Assistance. This policy is located in the Computer Configuration, Administrative Templates, System, Remote Assistance area of Group Policy. If this policy is enabled, a user can request help and another user can connect to the computer. If the setting is disabled, no user can solicit help, and no user can assist using Remote Assistance. (If the setting is not configured, local requirements can be set.)

TIP: Terminal Services Setting

The Terminal Services service is installed and enabled by default. However, this does not make the Windows Server 2003 server a terminal server that can be used to allow users to run applications on the terminal server. Instead, this service is used to provide Remote Desktop and Remote Assistance tools. If this service is disabled, these tools cannot be used.


/ 194