Boy, sometimes I wish this was the Linux column. It would certainly be fun to write a Novell column for this week: a half billion dollars, a new desktop OS product in the same week that Microsoft attacks Intuit, and an announcement that it's trying to patent half the Internet technologies on the planet. It all makes my fingers tingle.
Alas, the Penguin is not our mascot here. So instead, let's examine RD (Remote Desktop), a Windows feature that's been maligned since Windows 2000.
Because of Microsoft's security disast- … er, catast- … er, troubles, many systems administrators simply have a default position of Disable for anything that has the words network and Microsoft in the same descriptive sentence and isn't absolutely critical to doing business. Don't need it? Don't use it. Don't worry. Certainly it's a mantra that has justification, but one that should be re-evaluated from time to time, and especially so in the case of RD.
Microsoft has been making improvements to Remote Desktop over the last year, and today it's actually a nifty utility -- and far more secure, too. For one thing, you can and should run it using 128-bit encryption as long as you're using the new RD client. It's fully manageable via AD (Active Directory) and, indeed, that's the way I'd recommend handling it for any AD-controlled domains.
Using AD means being able to enforce security rules for every RD session, including encryption and password authentication at every logon, as well as the ability to disable the use of saved passwords at this stage. Yeah, I've seen folks do that in the field. You just learn to scratch your head and keep quiet, then change the settings when they're looking at something shiny.
To me, the niftiest feature of all is something I saw a much smarter tech set up at a client site recently: RDWC (Remote Desktop Web Connection). For administrators still running more than one version of Windows on the client side, or for those looking to enable easy RD for roaming users, RDWC is a boon -- and it's free. All you need is Windows 2003 Server or Windows XP Professional acting as a host box. RDWC is relatively easy to install, supports the same basic security as Remote Desktop, and it now allows authenticated users to access a variety of machines no matter where they are.
But Remote Desktop still frightens some administrators. What scares them is that users have the ability to manipulate client resources during an RD session. Of course, that's a feature, but if the hacking boogeyman gets control, it can also be a huge liability. Fortunately, AD allows administrators to throttle RD capabilities on the client side. You can disable things like file or printer redirection and stop Clipboard sharing.
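To check that the AD rules described above (encryption, password prompts, no saved passwords, no file, printer or Clipboard redirection) actually reached a machine, here is an added example that is not part of the original column. It assumes the registry value names that the Terminal Services Group Policy settings write under the policy key; those names do not appear in the column, and the function names are hypothetical.

```powershell
# Added example (not from the column): audit the RD policy values that the
# Group Policy settings described above write on an AD-managed machine.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Value name -> wanted value and the rule it enforces.
$Baseline = [ordered]@{
    MinEncryptionLevel    = @{ Want = 3; Rule = 'High (128-bit) encryption' }
    fPromptForPassword    = @{ Want = 1; Rule = 'Password prompt at every logon' }
    DisablePasswordSaving = @{ Want = 1; Rule = 'No saved passwords (RD client side)' }
    fDisableCdm           = @{ Want = 1; Rule = 'No drive (file) redirection' }
    fDisableCpm           = @{ Want = 1; Rule = 'No printer redirection' }
    fDisableClip          = @{ Want = 1; Rule = 'No Clipboard sharing' }
}

# Hypothetical helper: compare a name->value table with the baseline.
function Test-RdPolicy {
    param([hashtable]$Values)
    foreach ($name in $Baseline.Keys) {
        $want = $Baseline[$name].Want
        $have = $Values[$name]          # $null when the policy is not configured
        if ($null -eq $have) {
            $status = 'NOT SET'
        } elseif ($name -eq 'MinEncryptionLevel' -and $have -ge $want) {
            $status = 'OK'              # 4 (FIPS) is also acceptable
        } elseif ($have -eq $want) {
            $status = 'OK'
        } else {
            $status = 'WEAK'
        }
        [pscustomobject]@{ Setting = $name; Have = $have; Want = $want
                           Status = $status; Rule = $Baseline[$name].Rule }
    }
}

# Hypothetical helper: read the live policy key (empty table if absent).
function Get-RdPolicyValues {
    $values = @{}
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Baseline.Keys) {
        if ($props -and $null -ne $props.$name) { $values[$name] = $props.$name }
    }
    $values
}

# Constructed sample: a host with low encryption and Clipboard sharing left on.
$sample = @{ MinEncryptionLevel = 1; fPromptForPassword = 1; fDisableCdm = 1; fDisableClip = 0 }
Test-RdPolicy -Values $sample | Format-Table -AutoSize

# On a real machine, audit what Group Policy actually applied:
Test-RdPolicy -Values (Get-RdPolicyValues) | Format-Table -AutoSize
```

A NOT SET row means the policy is not configured, so the machine falls back to whatever its local default or the user's own choice allows.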