Windows 7 offers greater remote management and assistance options than any prior Microsoft OS. Its layered security, however, regularly prevents help desk experts from easily accepting or offering assistance requests. Technical support sites tend to cloud the issue by offering solutions to single problems as reported, often missing the big picture. This article tries to rectify that by providing a comprehensive overview.
Remote Desktop and Remote Assistance are not the same program or feature. One does not have to enable Remote Desktop to support Remote Assistance, or vice versa. They both, however, have similarly layered controls that are found in near identical locations. As such, both will be discussed together in the context of control settings. You will want to consider and research all four control areas described below when enabling or debugging Remote Desktop and Remote Assistance issues.
This discussion does not include problem resolution associated with network connectivity, router configuration, edge or internal hardware firewalls, or other network troubleshooting. By default, Remote Desktop and Remote Assistance support host identity through standard DNS resolution or IP address visibility. Windows 7 also supports Peer-to-Peer (P2P) connection scenarios including Global Clouds using IPv6 and Link-Local Clouds that can utilize computer, user, device, group or service names for host identification. In a Windows 7 environment, Remote Desktop and Remote Assistance can be used across P2P technologies.
This article focuses on configuring Windows 7 to support Remote Desktop or Remote Assistance in a potentially mixed platform environment.
Microsoft documentation refers to the ‘novice’ as the system or user receiving the remote connection, and the ‘expert’ as the system or user providing assistance via the remote connection. The ‘expert’ is sometimes referred to as the ‘helper’. Remote Desktop connections are always established by the ‘expert’, and enable uni-directional system management. Remote Assistance sessions may be requested by the ‘novice’ or offered by the ‘expert’. Remote Assistance enables the ‘expert’ either to perform the work or to observe while the ‘novice’ performs the work, depending on pre-configured settings. With appropriate prior configuration and coordination, the ‘novice’ and ‘expert’ can hand off control during an active Remote Assistance session. In all cases the ‘novice’ may disconnect the session if they are physically present at the system console.
There are at least four components that should be enabled to some degree on both ends of a Remote Assistance session or on the receiving end of a Remote Desktop connection. The four components are:
- Allowing remote assistance and/or remote desktop as a system property, and configuring related connectivity options.
- Identifying the users/groups granted remote connectivity within local security or Group policy.
- Configuring and starting the requisite system services.
- Enabling firewall access for the relevant features or ports.
Group policy could be used to enable or block elements within each of the four components, and therefore must also be considered when debugging Remote Desktop and Remote Assistance within a domain environment.
The first three components must be set with administrative-level authority, which suggests presetting them in the deployment image or through Group Policy management, while the fourth may be controlled with standard user rights. Screenshots within this article represent the recommended settings for a mixed Windows XP, Vista and Windows 7 environment.
FIRST. “Allow Remote Assistance” and/or Remote Desktop must be enabled within the System Properties > Remote tab. Remote Assistance must be enabled on both machines.
Note under Remote Desktop configuration that inbound connections can be further limited by type. The bottom option requires the use of systems that support Network Level Authentication (NLA), which itself has several underlying criteria, including the Credential Security Support Provider (CredSSP) protocol. Windows Vista and 7 support NLA natively, while a mixed environment with Windows XP machines may not. (Windows XP SP3 and Windows Server 2008 or Windows Server 2008 R2 session host servers are additional requirements for NLA).
The Remote Assistance Advanced button allows for the selection of additional remote management filters. Without remote control, the ‘expert’ can only offer direction via remote chat, and potential audio/video feeds while viewing the ‘novice’ activity. In other words, mouse and keyboard control cannot be taken or transferred.
The checkbox at the bottom of the Remote Assistance Settings panel (and its corresponding policy setting) can limit Remote Assistance sessions to Vista and Windows 7 platforms. In a mixed environment supporting Windows XP, do NOT set this option.
Group Policy or Registry settings may also be used to block Remote Assistance via settings that appear to be Remote Desktop related.
Check to ensure that the following policy allows connectivity or is disabled (thereby allowing the local setting):
Computer configuration/Administrative Templates/Windows Components/Terminal Services/Allow users to connect remotely using Terminal Services
Check the registry key:
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services
If a value named fDenyTSConnections is present under this key, Remote Assistance is blocked.
If the policy is Not Configured, this registry value should not exist; if it does, it is residue from an earlier setting or was written by another security application.
SECOND. For Remote Desktop use, add user or group accounts to the Remote Desktop Users group (Local Users and Groups > Groups) for any ‘experts’ that require access or may be requested to assist the ‘novice’.
For the ‘expert’ to offer Remote Assistance, enable the Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance policy and add user or group accounts to the ‘Helpers’ list. Note that these settings need to be made well in advance of the need to request or offer a remote connection.
As indicated in the Group Policy text, unless the policy is both enabled and properly configured, Remote Assistance can only be requested by the ‘novice’, never offered by the ‘expert’. This becomes an important policy, and ‘helper’ group membership must be predefined for help desk and other support personnel to offer and take control of a remote desktop. This setting can be established in the local image or through Group Policy.
Remote Assistance ‘experts’ use the current UAC permissions of the active ‘novice’ by default. It is not possible for the ‘expert’ to elevate permissions through UAC. In such cases it will be useful to have previously added a user or group account with elevated permissions, and to set UAC to prompt for permissions at the application level per launch. This default cannot be changed; otherwise a standard-user ‘novice’ could disconnect the session once elevated rights were received from the ‘expert’ and retain the elevated rights.
THIRD. Confirm that Remote Desktop Services are configured for Automatic (or Automatic Delayed) Start. Standard users cannot start the services if they are not enabled.
Note that Remote Desktop should not need the Remote Procedure Call (RPC) service, though Remote Assistance may need the RPC service (on port 135) for DCOM to support the Offer Assistance option.
In my next blog article, I will discuss command line support for Windows Remote Management (WinRM) and Remote Assistance (MSRA). Each can be used to start, stop, and configure remote sessions, including service starts, the opening or bypass of firewall rules, remote function management, and offering remote assistance. Command line tools, however, are not designed to establish permanent service states for remote access tools. If Remote Desktop or Remote Assistance will be regularly used by support staff, then Automatic (Delayed Start) should be set for each desired service.
FOURTH. Enable the desired remote support programs or features through the Windows (or other) firewall applications. A standard user should be able to allow Remote Assistance and Remote Desktop features through the standard Windows firewall without a need to understand the firewall ports.
Windows 7 and Windows Vista use TCP/UDP ports 49152 to 65535 for Remote Assistance. Windows 7/Vista use port 3389 for Remote Assistance with Windows XP systems, and Offer Remote Assistance uses a DCOM scenario on port 135 (TCP). If you are supporting a mixed platform environment, you may need to configure your firewall settings for the port ranges above on both sides of the connection.
You may choose to block or allow Remote Assistance and Remote Desktop features through Windows Firewall with Advanced Security. Choosing this option would either leave the related ports open (using an allow rule) or closed (using a block rule). Changing these settings requires administrative-level rights, which the standard user would not likely have in the moment of need. Windows Firewall with Advanced Security can be controlled through Group Policy, although a policy change to open a port is not a timely solution when remote connectivity is needed immediately. For enhanced security, Windows Firewall with Advanced Security can be configured with connection security rules, tunneling, or advanced authentication in conjunction with remote connection filters.
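As an added example (not part of the original article), the following PowerShell script audits all four components on a Windows 7 host so a help desk can see at a glance which layer is blocking a session. It assumes an elevated prompt and English netsh output; the non-policy registry paths and the fAllowToGetHelp, fAllowUnsolicited and UserAuthentication value names are assumed from the Group Policy administrative templates rather than taken from the article.

```powershell
# Added audit script (not the article's own code). Run from an elevated
# PowerShell prompt on Windows 7. Paths under ...\Policies\... mirror the
# Group Policy settings described above; the other paths hold the local
# System Properties > Remote settings (assumed value names, see lead-in).

function Get-RegValue($path, $name) {
    # $null means the key or value is absent, i.e. the policy is Not Configured
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name } else { $null }
}

$polTS   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localTS = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$localRA = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

# FIRST: system property and policy gates
Write-Host '== 1. System properties / policy =='
$deny = Get-RegValue $polTS 'fDenyTSConnections'
if ($deny -ne $null) { Write-Host "Policy fDenyTSConnections present ($deny): remote connections are governed by policy" }
else                 { Write-Host 'Policy fDenyTSConnections absent: the local setting applies' }
Write-Host ('Local fDenyTSConnections (1 = Remote Desktop disabled): {0}' -f (Get-RegValue $localTS 'fDenyTSConnections'))
Write-Host ('Local fAllowToGetHelp (1 = Remote Assistance enabled): {0}' -f (Get-RegValue $localRA 'fAllowToGetHelp'))
Write-Host ('NLA required, UserAuthentication (1 = NLA only): {0}' -f (Get-RegValue "$localTS\WinStations\RDP-Tcp" 'UserAuthentication'))
Write-Host ('Policy fAllowUnsolicited, Offer Remote Assistance (1 = enabled): {0}' -f (Get-RegValue $polTS 'fAllowUnsolicited'))

# SECOND: accounts allowed to connect
Write-Host "`n== 2. Remote Desktop Users group =="
net localgroup 'Remote Desktop Users'

# THIRD: service state (WMI reports Automatic (Delayed Start) as "Auto")
Write-Host "`n== 3. Services =="
foreach ($svc in 'TermService', 'RpcSs') {
    $s    = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$svc'").StartMode
    Write-Host ('{0,-12} status={1,-8} start={2}' -f $svc, $s.Status, $mode)
}

# FOURTH: inbound firewall rules for both features (parses English netsh text)
Write-Host "`n== 4. Inbound firewall rules =="
$lines = netsh advfirewall firewall show rule name=all dir=in
$name  = $null
foreach ($line in $lines) {
    if ($line -match '^Rule Name:\s+(.+)$') { $name = $matches[1].Trim() }
    elseif ($line -match '^Enabled:\s+(\S+)' -and $name -match 'Remote (Desktop|Assistance)') {
        Write-Host ('{0,-50} enabled={1}' -f $name, $matches[1])
    }
}
```

Any component reporting a blocking value, a missing group member, a stopped or Manual service, or a disabled rule points to the layer that needs to be fixed before the session is retried.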
Once you have properly configured your settings, you can start a Remote Desktop session via Start > All Programs > Accessories > Remote Desktop Connection.
Don’t forget to select the Options button at the bottom of the panel and configure Display and Local Resources before you connect.
For better compatibility with a Windows XP box, you may want to download Remote Desktop Connection (version 6.0 or later) to your XP desktops.
To launch Windows Remote Assistance, type MSRA in the Start menu search box and press Enter (or right-click the result and select Run as administrator for elevated permissions).
Microsoft offers a step-by-step lesson for Offering Remote Assistance on the Vista platform, which is almost identical to the Windows 7 methodology.
Chapter 23 of the Windows 7 Resource Kit, focusing on Remote Assistance, is available from Microsoft here.