CCTV Technology News & Society

#1 (permalink)
Junior Member
Join Date: Apr 2004
Posts: 4
Over the last week I've been looking at Remote Administration of my work network, and discovered the wonders of Remote Desktop (previously known as Terminal Services in Windows 2000) as a tool for remotely administering my users' systems.

Without Windows XP installed on each client computer, this would prove most costly and difficult, but thankfully XP comes with Remote Desktop as standard. Each user on my network used to have to look after system updates, etc., which meant that they had to be set up as Local Administrators (of their own machine only), so that they could run Automatic Updates, Office Update, Anti-Virus updates, Anti-Spyware updates, etc. Of course, this meant that my users were running their system and connecting to the internet on their Admin accounts. This poses a threat, as anyone who somehow manages to gain access to my network (a difficult job as it is) would then have Administrator control over the compromised machine. Malformed webpages could also adversely affect the system too, as they would be given administrative privileges on the machine on which the page was executed.

So, the first job in further securing my network was to move all my users into Restricted User Accounts (locally and network-wide), which I discovered to be quick and easy, and it had no adverse effect on their day-to-day tasks. Enabling remote administration on each client to allow access to myself was a simple case of just adding my username and ticking the box. I have all the other remote services enabled too, which allows me to traverse the entire network's hard drive resources (there is always an administrative share on all drives (C$, D$, E$, etc.)), use Computer Management and connect to every other computer so I can fiddle with their innards, as well as Remote Registry, which is handy for when I need to manually remove entries that cannot be got rid of any other way.

System updates are now done on a daily basis: each user has a designated day of the week on which, at their lunchtime, they will log off their computer and inform me. Then I can easily remote in and do the following:

- Windows Update
- Office Update
- Anti-Virus Update
- Full Anti-Virus Scan
- AdAware Update
- Full AdAware Scan
- Spybot Update
- Full Spybot Scan

Admittedly this causes more work for myself, but it also gives me the control that I never had before. I have already moved everyone from Internet Explorer to Firefox, as it combats malformed webpages due to Firefox not being integrated with the system. Plus it can block popups very effectively, bonus!
__________________
receptive design

#2 (permalink)
Junior Member
Join Date: Apr 2004
Posts: 4
Further to this post, a little more in-depth information.

Once you have Remote Desktop working within your LAN (Local Area Network), it's time to start considering external access to the LAN for administration of the network from a remote location. This is specific to the way my network is set up, so yours may be more or less complex. The server on our network is Windows 2000 Small Business Server, installed using a domain name (rather than a Workgroup), with users, computers and printers set up with Active Directory (AD). I wouldn't advise using AD unless you need to use Exchange Server, etc., as the benefits over non-Active Directory installations are not great. Although admittedly, it does have its uses in a security sense.

First thing to do is to create a new user that you will connect with across a Virtual Private Network (VPN). It's not too wise to allow remote access on your standard user and administrator accounts (for obvious reasons), so creating a VPN-Only user is the sensible route. Make sure that the user has absolutely no rights to any resources whatsoever (other than remote access). In AD, a new user is automatically placed within the Domain Users Group, and you'll not be wanting that, so create a new User Group (call it My Remote Users or something, make sure it isn't a member of any other User Groups, and don't give the Group any rights). Then return to the VPN User you just created and make it a member of 'My Remote Users', set that as its default User Group, and remove the user's membership from Domain Users.

That should lock down your server and clients from any unauthorised person managing to get onto your system. But maybe not... Check all of your Shared Folders (and Printers) and make sure that the Everyone group isn't listed in their permissions. If it is, replace it with Authenticated Users instead (remember, your VPN user will not be a member of the Authenticated Users Group, but would automatically be a member of the Everyone Group).

Stop what you're doing at this point, relax, have a ciggie and a coffee (or whatever relaxes you). No point in rushing. And this is where I also stop. I will be continuing this little tutorial thingie later, maybe next week, maybe earlier. You'll just have to wait and see.
__________________
receptive design
Last edited by Iain Gill; 05-12-2004 at 09:35 AM.
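
The checks described in post #2 (no Everyone entries on shared folders, and a VPN-only account that belongs to nothing but its own group), as an added read-only audit script that is not part of the original post. It assumes the SmbShare and ActiveDirectory PowerShell modules of current Windows Server releases, which the Windows 2000 server in the post does not have; the account name `vpnonly` is hypothetical, and printer shares are not covered.

```powershell
# Added example: read-only audit, changes nothing.
# Assumptions: SmbShare and ActiveDirectory modules are installed;
# 'vpnonly' is a hypothetical account name.
param(
    [string]$VpnUser     = 'vpnonly',          # hypothetical VPN-only account
    [string]$RemoteGroup = 'My Remote Users'   # group name suggested in the post
)

# Resolve the well-known SID S-1-1-0 so the check also works on non-English systems.
$sid      = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value

# 1. File shares whose share-level or NTFS permissions allow Everyone.
#    Administrative shares (C$, D$, ...) are skipped via the Special flag.
$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    $shareAces = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq $everyone -and $_.AccessControlType -eq 'Allow' }
    foreach ($ace in $shareAces) {
        [pscustomobject]@{ Share = $share.Name; Layer = 'Share'; Right = $ace.AccessRight }
    }
    # The NTFS ACL on the shared folder is evaluated in addition to the share ACL.
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        $ntfsAces = (Get-Acl -LiteralPath $share.Path).Access |
            Where-Object { $_.IdentityReference.Value -eq $everyone -and
                           $_.AccessControlType -eq 'Allow' }
        foreach ($ace in $ntfsAces) {
            [pscustomobject]@{ Share = $share.Name; Layer = 'NTFS'; Right = $ace.FileSystemRights }
        }
    }
}

# 2. Group memberships of the VPN-only account; anything but $RemoteGroup is a finding.
$user    = Get-ADUser -Identity $VpnUser -Properties PrimaryGroup
$primary = (Get-ADGroup -Identity $user.PrimaryGroup).Name
$extra   = Get-ADPrincipalGroupMembership -Identity $user |
    Where-Object { $_.Name -ne $RemoteGroup }

# Report.
if ($findings) { $findings | Sort-Object Share, Layer | Format-Table -AutoSize }
else           { 'No share grants access to Everyone.' }
"Primary group of ${VpnUser}: $primary"
if ($extra) { 'Unexpected group memberships: ' + ($extra.Name -join ', ') }
```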

#4 (permalink)
Junior Member
Join Date: Aug 2005
Posts: 3
Hello Ian,
Remote desktop is a nifty tool, that's for sure. Don't really know if you are aware, but win2k shipped with a remote desktop tool that does just the same. All my desktops in my network Lab are win2k and all I did is to share a folder and install from there. Hope you don't mind me asking, do you use active directory at work?

#5 (permalink)
Member
Join Date: Apr 2007
Posts: 34
I've used Remote Desktop about 3 times in the entire time I had XP (note this was in 2002 or so)...therefore I don't use it every year...it's not a piece of software that I remember a lot but it is very useful...