Commentary
2/20/2003
05:26 PM
Fred Langa
Fred Langa
Commentary

Langa Letter: XP Professional's "Remote Control" Option

Fred Langa explains how this little-known feature of Windows can be a life-saver if used cautiously.



It's one of XP Pro's hidden gems: A simple way to control your PC from afar. It lets you do everything from basic file and data access up to fully taking over the keyboard and mouse of a distant PC, just as if you were sitting in front of it. What's more, XP extends this remote-control ability to any and all versions of Windows back to Win95, including Windows CE palm-top systems.

Here's an example of how it can work: Imagine you're away from the office, perhaps at home or on a business trip, and need a file you left on your PC at work. With XP running on your office PC, you can connect to that PC from afar and (with proper permissions) either transfer the file to yourself, or otherwise use your office PC just as if you were physically present at it.

Or, imagine that a distant co-worker or friend asks you for advice in solving some problem on his or her PC. Instead of having to try to talk them through a fix by phone, you can connect your PCs (via the Internet) so you can see exactly what they're doing wrong. You can then offer live guidance to them via a built-in text chat, or if that's still not enough, you can (with proper permissions) actually take over their PC and fix their problem for them.

While both those examples involve remote control at considerable distances, I find it handy even in closer surroundings. For example, I'll use my laptop to remotely control my desktop PC even if I'm just going to another part of the building: Instead of having to synch all my files and get everything onto the laptop before I change locations, I can just fire up the remote-control software, and use the laptop to access everything, live, on my main PC, just as if I'd never left my chair. When I return to my PC, nothing has to be transferred back from the laptop--I just pick up from where I left off. It's a real time-saver.

Three Flavors
XP's remote control has three major faces: Remote Desktop, Remote Desktop Web Connection, and Remote Assistance. They're all variations on the Windows Terminal Server that originally shipped in Windows 2000.

Remote Desktop is primarily meant to let a user at one PC access a Windows XP session running on another PC. Both the host and client software are built into XP Professional--any XP Pro setup can function as either a remote-control host or client with no additional software needed. But Win95, Win98, WinME, NT, Win2K, and WinCE all can function as client systems: All that's needed to access an XP host is proper permission and a small piece of software--the Remote Desktop client tool. This software is on the XP setup CD, and may be freely shared with other Windows systems. It's also available for free download from Microsoft http://www.microsoft.com/windowsxp/pro/downloads/rdclientdl.asp .

The Remote Desktop Web Connection functions in a similar way, but doesn't require any client software to be preinstalled. Instead, it relies on an ActiveX control inside a Web page. When that special Web page is accessed by a computer running Internet Explorer (or, theoretically, any browser that supports ActiveX controls), a user with proper permissions can then access the host computer. The Remote Desktop client software isn't needed.

The third variation, Remote Assistance, also works in a similar way, except that it's meant for two people--one local, one remote--to view the same desktop simultaneously. For example, imagine there are two users; a beginner and an expert. The beginner sends a message to the expert by E-mail or by Messenger, requesting Remote Assistance. The expert than views the beginner's computer in much the same way as with Remote Desktop, except that the expert can communicate in real-time with the beginner via a Messenger text chat box. If the expert can't guide the beginner through the problem, the expert can then take over the connection, in normal Remote Desktop fashion, and work the beginner's PC from afar.

Clearly, this is powerful stuff with an enormous range of positive uses. But there are also clear downsides and dangers.



Security Issues
Opening a system to outside control is a scary thing, a potentially huge security hole. (This isn't unique to Microsoft's implementation; it's true of all remote-control technologies and applications.) Thus, some thought must be given to how you set up and use remote access.

By default, XP restricts remote access only to Administrators of a given PC: Only members of the Administrators group can enable Remote Desktop, for example, and only they can add people to the list of users allowed to connect to that PC. Each user on the list of allowed remote connectors must also have a normal user account on the host system. In other words, accessing an XP box by remote control requires two levels of permissions: Someone wishing to access a PC must have a normal user account on that system, and that account must also specifically be in the subgroup of remote users.

But there's a catch: All Admin-level accounts are automatically included in the remote-access group. This is a potential problem--it's unwise to use an Admin-level account for remote access. It's much safer to use only less-privileged, non-Administrator accounts (such as those in the User or Power User group) because this will limit the potential damage that can be done to the host system if a remote-access account is compromised, hacked, or infected with a Trojan, worm, or virus.

This is actually one of the reasons why XP has Fast User Switching. The idea is that you set your primary account in the Power User or User group, and then employ Fast User Switching to jump to an Admin account only when needed. In fact, if this were done all the time, the risk of systemwide damage from all kinds of trouble, not just remote-access issues, would be reduced.

But in the real world, many people live inside an Admin-level account all the time, leaving the system more vulnerable to major problems than otherwise, especially as these Admin-level accounts are automatically included in the remote-access group.

For all these reasons, proper use of passwords is essential on any system used for remote access.

Passwords And Availability
Passwords may be the weakest link in any remote-access system: Without good passwords, a hacker may be able to guess his or her way into an admin-level account; or into a lower-level account, which then can be used as a base for a "privilege elevation" hack to boost the compromised account to Admin status.

Because of this, all the accounts, but most especially Admin-level accounts, need a very strong password. That's defined as one:

  • At least seven characters long
  • Containing at least one number and one symbol (e.g., punctuation) character
  • Significantly different from prior passwords
  • Not containing your name or user name or any simple variation thereof
  • Not a common word or name (nothing found in a dictionary)

Of course, managing obscure passwords is a hassle, which is why so many people use only weak passwords. A relatively weak password may not be a huge risk for a private PC, but becomes a major liability once that same PC can be taken over from afar. For any kind of remote access, a strong password is an absolute must.

The best passwords are totally random. There are many software tools that can help generate excellent passwords, and a few also can help you securely store your passwords. I particularly like "AI RoboForm" (http://www.roboform.com/) which is a secure form-filler, encrypted filer, and password generator: When I need a password, I can generate a random string like "Dx*SHeOAniy&ju" with one click. The software also can store the password in any of several secure ways for later retrieval, so you won't go nuts trying to remember it.



But software-based solutions don't help much at initial login, because you don't yet have access to the software that stores the password. Instead, you need a way to generate a password that's simultaneously hard-to-crack and easy to remember.

You might, for example, use the "warez" and cracker trick of simple but orderly substitution of numbers and punctuation for normal letters: You pick a word or phrase--the longer the better, up to the limits of your password system--and devise simple substitution rules. For example, a capital "I" might become a "!" while an "o" becomes a "0" (zero), "e" becomes a '3" and an "i" becomes a numeral "1." If you start with a random phrase--let's use "I read InformationWeek"--and then remove the spaces and perform the substitution, you get "!r3ad!nf0rmat10nW33k."

That's a trivial example, but you get the idea: With a properly obscure phrase-and-substitution system, you can develop passwords that are both resistant to casual cracking and yet easy to reproduce from memory.

But even an excellent password can eventually be broken if a cracker is given enough time, so it's also important both to change passwords regularly, and not to leave remote-access services running indefinitely: If you use strong passwords and change them often, and enable remote access only on an as-needed basis, and deactivate it when the need no longer exists, you can greatly reduce the odds of someone being able to hack in.

Setting Up Remote Access
Anyone with an Admin account on an XP Pro box can enable Remote Desktop in seconds--it's very easy: Right click on My Computer/Properties; click the Remote tab, and under Remote Desktop, check "Allow users to connect to this computer." That's it.

But as the foregoing discussion suggests, there's actually a lot to consider in getting remote access set up and working properly. The XP help system is actually a good place to start some in-depth reading: Begin with a search on "Remote Desktop" and you'll find many pages of relevant information, including good security advice.

That may be all you need, but if not, you can find additional information from Microsoft in "Using Remote Desktop." http://www.microsoft.com/windowsxp/pro/using/howto/gomobile/remotedesktop/ And again, the client software is also available for free download from Microsoft here. http://www.microsoft.com/windowsxp/ pro/downloads/rdclientdl.asp

The best third-party sites on the subject are J Helmig's "Remote Desktop Access" http://www.wown.com/j_helmig/wxprmdtp.htm and "Remote Assistance" http://www.wown.com/j_helmig/wxprmass.htm.

Doug Knox's "How To Use Remote Desktop Web Connection" http://www.dougknox.com/xp/tips/xp_rd_web.htm is sketchier, but still useful.



There's a brief tutorial called "Windows XP Remote Desktop (And Web Access)" available here http://www.serverwatch.com/tutorials/article.php/1474031, and a lengthy Microsoft support presentation, "Windows XP Professional: Remote Desktop" also is available in streaming video, PowerPoint, or transcript form here http://support.microsoft.com/default.aspx?scid=/ servicedesks/webcasts/ wc030502/wcblurb030502.asp .

And of course, there's lots more info via Google: http://www.google.com/search?q=remote+desktop+xp

Benefits And Risks
Putting it all together: If the remote-access service is only enabled for limited times and used only by non-Admin accounts, and if all accounts, especially the Admin accounts, on the host system are protected with strong passwords that change regularly, then services like Remote Desktop can be used without extreme risk.

There are other steps that can increase security, too. For example, on NT file system-based XP systems, you can enable per-user file privacy and encryption, so that even if one account is hacked, the files of other users on the system will be very difficult, perhaps all but impossible, to access from afar.

In my own case, I have no qualms about setting up remote access across my office LAN, especially because my firewall blocks inbound remote access queries from the Internet at large. Using Remote Desktop, I can move around the building with ease, yet remain just as productive as if I were still sitting at my desktop PC.

Remote Desktop also has made it easier for me to handle various IT chores (mine is a small business and I wear many hats): I can, for example, use Remote Desktop to trigger virus scans, defragmentation, backups, or other maintenance activities on various machines around the building without having to run back and forth to each machine several times during the maintenance cycle. It's very convenient; I use Remote Desktop almost every day across my LAN.

I also have no security concerns in responding to requests for long-distance help (Remote Assistance) from others. Reaching out from my machine to someone else's carries very little risk to me, as my connection in this case is primarily outbound, and involves lowering no security on my system.

I'm less casual about using remote access for inbound Internet-based access; it's inherently more risky, and requires that all the security steps mentioned above be carried out with great care.

In short: used improperly, remote access can be a major problem. But used properly, it can be a major asset.

What's your take? Are remote-access and remote-control tools worth the security risks? Have you ever benefited or been harmed by use of such a tool? How do XP's tools compare with other remote control products like NetOp, Radmin, LapLink, pcAnywhere, and GoToMyPC? Join in the discussion!

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Email This  | 
Print  | 
RSS
More Insights
Copyright © 2021 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service