Boy, sometimes I wish this was the Linux column. It would certainly be fun to write a Novell column for this week: a half billion dollars, a new desktop OS product in the same week that Microsoft attacks Intuit, and an announcement that it's trying to patent half the Internet technologies on the planet. It all makes my fingers tingle.
Alas, the Penguin is not our mascot here. So instead, let's examine RD (Remote Desktop), a Windows feature that's been maligned since Windows 2000.
Because of Microsoft's security disast- … er, catast- … er, troubles, many systems administrators simply have a default position of Disable for anything that has the words network and Microsoft in the same descriptive sentence and isn't absolutely critical to doing business. Don't need it? Don't use it. Don't worry. Certainly it's a mantra that has justification, but one that should be re-evaluated from time to time, and especially so in the case of RD.
Microsoft has been making improvements to Remote Desktop over the last year, and today it's actually a nifty utility -- and far more secure, too. For one thing, you can and should run it using 128-bit encryption as long as you're using the new RD client. It's fully manageable via AD (Active Directory) and, indeed, that's the way I'd recommend handling it for any AD-controlled domains.
Using AD means being able to enforce security rules for every RD session, including encryption and password authentication at every logon, as well as the ability to disable the use of saved passwords at logon. Yeah, I've seen folks do that in the field. You just learn to scratch your head and keep quiet, then change the settings when they're looking at something shiny.
To me, the niftiest feature of all is something I saw a much smarter tech set up at a client site recently: RDWC (Remote Desktop Web Connection). For administrators still running more than one version of Windows on the client side, or for those looking to enable easy RD for roaming users, RDWC is a boon -- and it's free. All you need is Windows 2003 Server or Windows XP Professional acting as a host box. RDWC is relatively easy to install, supports the same basic security as Remote Desktop, and now allows authenticated users to access a variety of machines no matter where they are.
But Remote Desktop still frightens some administrators. What scares them is that users have the ability to manipulate client resources during an RD session. Of course, that's a feature, but if the hacking boogeyman gets control, it can also be a huge liability. Fortunately, AD allows administrators to throttle RD capabilities on the client side. You can disable things like file or printer redirection and stop Clipboard sharing.
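As an added example (not from the column), here is a PowerShell audit of the Group Policy registry values that back the RD controls described above: the session encryption level, the password prompt at logon, saved-password use, and the drive, printer and Clipboard redirection switches. It assumes the policy has already been applied to the host being checked, so the values exist under the Policies hive; an absent value is reported as "not set" and counted as not hardened.

```powershell
# Added example, not the column's own code: report which Remote Desktop
# policy values on this host match the hardened settings the column describes.
# Group Policy writes these values under HKLM\SOFTWARE\Policies; a value that
# no policy sets is simply missing, which this audit treats as not hardened.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Value name, minimum acceptable setting, and what that setting enforces.
# MinEncryptionLevel: 3 = High (128-bit); 4 = FIPS-compliant, which also passes.
$checks = @(
    @{ Name = 'MinEncryptionLevel';    Want = 3; Note = 'High (128-bit) encryption for every session' },
    @{ Name = 'fPromptForPassword';    Want = 1; Note = 'Always prompt for a password at logon' },
    @{ Name = 'DisablePasswordSaving'; Want = 1; Note = 'Client may not use saved passwords' },
    @{ Name = 'fDisableCdm';           Want = 1; Note = 'Drive (file) redirection disabled' },
    @{ Name = 'fDisableCpm';           Want = 1; Note = 'Client printer redirection disabled' },
    @{ Name = 'fDisableClip';          Want = 1; Note = 'Clipboard redirection disabled' }
)

function Test-RdpPolicy {
    param([string]$Key, [object[]]$Checks)

    # Read the whole key once; $null if the key does not exist (no policy applied).
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($c in $Checks) {
        $actual = if ($null -ne $props) { $props.($c.Name) } else { $null }
        [pscustomobject]@{
            Setting  = $c.Name
            Expected = $c.Want
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            # A missing value never satisfies the check; otherwise compare numerically.
            Hardened = ($null -ne $actual) -and ([int]$actual -ge $c.Want)
            Note     = $c.Note
        }
    }
}

# Print the audit; any row with Hardened = False is a setting the policy
# does not yet enforce on this host.
Test-RdpPolicy -Key $policyKey -Checks $checks | Format-Table -AutoSize
```

Run it on a domain member after a `gpupdate` to confirm the AD policy actually landed; the same check run on a host outside the policy scope shows every value as "not set".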
Frankly, for most installations, secure passwords and encryption are enough. In my opinion, disabling the aforementioned features limits the use of RD, but then we only use it for remote help-desk scenarios. For that particular use, however, RD has two critical limitations. First, we can't easily use it as a remote help desk across multiple clients. It requires a blizzard of network documentation to make sure all settings are recorded. Second, RD forces the user who placed the call to the help desk to log off. Remote Desktop can't take control of an existing session; it can only knock off the current user and start its own session.
For this reason, we use RD mostly for server administration and the like. Help-desk remote control is reserved for third-party applications such as NetOp Remote Control (my favorite) or Radmin (a smaller and less expensive newcomer that we're currently testing). For administrators running a single network, however, Remote Desktop is a powerful utility that's both versatile and secure. Best of all, it allows creative IT administrators to enable new tools for users without spending any additional bucks from the software budget. If you've dismissed RD in your network, give it another look.