Microsoft Windows XP Professional Administrators Guide
Remote Assistance is a new feature for Windows operating systems. It provides the ability for one Windows XP user to remotely access and view another Windows XP computer's desktop and, if given permission, to share control of the other person's mouse and keyboard.
Note | Remote Assistance only works with Windows XP and .NET server. It cannot be used on older versions of Windows operating systems. |
Similar technologies, such as pcAnywhere (http://www.symentec.com), have been around for a number of years. However, Remote Assistance and another Windows XP feature called Remote Desktop negate the need to purchase such programs to support remote computers running Windows XP Professional.
Note | Remote Desktop is a Windows XP feature that allows a user or administrator to take remote control of another user's desktop. Unlike Remote Assistance it does not require interaction between the user and a helper. More information about Remote Desktop is available in "Allowing Remote Desktop Access" in Chapter 15, "Supporting Mobile Users." |
Remote Assistance operates using a subset of terminal service technology adapted from Microsoft Terminal Services. Remote Assistance is provided in the form of a service called the Remote Desktop Help Session Manager. This service can be viewed and managed using the Computer Management MMC and must be enabled on both computers in a Remote Assistance session in order for things to work.
Tip | To open the Computer Management MMC and view Windows XP services, right-click on the My Computer icon and select Manage. Then expand the Services and Applications node and select Services. More information about administering Windows XP services is available in "Services and Applications" in Chapter 10, "Microsoft Management Consoles." |
Remote Assistance provides a cost-effective alternative to maintaining an on-site technical staff at every remote site. Remote Assistance allows administrators to:
- Monitor a remote computer's desktop
- Take control of a remote computer's desktop
- Send a file to a remote computer
- Receive a file from a remote computer
- Chat with remote users
- Speak with remote users
Note | Windows XP Professional automatically creates a special local user account called HelpAssistant that is used by the helper during a Remote Assistance session. This account is disabled by default and is enabled whenever a Remote Assistance session is initialized. |
Remote Assistance supports two types of remote access:
- Solicited. A Windows XP user creates a Remote Assistance invitation and sends it to a helper, soliciting the helper's assistance.
- Unsolicited. A helper sends an offer of remote assistance without receiving a Remote Assistance invitation.
Remote Assistance Security Considerations
Remote Assistance is a very helpful tool and can be used by administrators to provide hands-on assistance to remote users. However, Remote Assistance also introduces a number of security concerns that need to be identified and addressed. Remote Assistance's default settings allow users to create and send Remote Assistance invitations. By default, users can send Remote Assistance invitations to anyone they wish on the corporate network or the Internet and have the ability to allow helpers to take remote control of their computer. This remote control capability includes access not only to the computer and its resources, but also to any network resources that the user has access to. Another default setting allows Remote Assistance invitations to be created that do not expire for up to 30 days.
There are a number of ways that administrators can manage Remote Assistance. Remote Assistance is based on Microsoft's Terminal Services and uses the same TCP communications port, port 3389. Remote Assistance uses the RDP (Remote Desktop Protocol) to create a Remote Assistance session through this port. By ensuring that port 3389 is closed at the corporate firewall, administrators can increase security by blocking the use of Remote Assistance with external helpers while still allowing its use internally.
Tip | Blocking port 3389 also disables Terminal Services and Windows XP's Remote Desktop. If blocking these services at the firewall is not an acceptable option, then Remote Assistance can be locked down from the Remote properties sheet on the System Properties dialog as described later in this section. In addition, domain or local group policy can be used to secure Remote Assistance. |
Note | Windows XP Professional's internal personal firewall, ICF (Internet Connection Firewall), automatically configures itself to open port 3389 when Remote Assistance is used. However, if a third-party software-based personal firewall is being used instead of ICF, you may have to explicitly configure the personal firewall to allow traffic over port 3389 to pass through. Otherwise, Remote Assistance will not work. Additional information about ICF can be found in "Personal Firewalls" in Chapter 17, "Supporting Internet Communication." |
Administrators can configure Remote Assistance from the Remote property sheet located on the System Properties dialog using the following procedure.
- Click on Start and then right-click on My Computer and select Properties. The System Properties dialog appears.
- Select the Remote properties sheet, as shown in Figure 3.6.
Figure 3.6: The Remote properties sheet on the System Properties dialog controls whether or not Remote Assistance is enabled
- To disable Remote Assistance, clear the Allow Remote Assistance invitations to be sent from this computer option.
- To configure specific Remote Access settings, click on Advanced. This opens the Remote Assistance Settings dialog, as shown in Figure 3.7.
Figure 3.7: Administering advanced Remote Assistance settings
Note | Using Group Policy, you can configure whether or not users can generate Remote Assistance requests, whether Remote Assistance is enabled, and whether the user is allowed to grant remote control access to helpers. You can also prevent helpers from offering unsolicited Remote Assistance. Remote Assistance is configured in Group Policy by configuring the following two policies:
  - Solicited Remote Assistance. Configures whether users can create Remote Assistance invitations, whether remote control is allowed, and how long the requests remain valid.
  - Offer Remote Assistance. Determines whether unsolicited Remote Assistance is allowed.
These two policies are located within Group Policy under \Computer Configuration\Administrative Templates\System\Remote Assistance. More information about Group Policy and its application is available in "Group Policy" in Chapter 9, "Security Administration." |
- To prevent the user from granting remote control of the computer, clear the Allow this computer to be controlled remotely option.
- To limit the maximum amount of time that a Remote Assistance invitation remains valid, configure the settings in the Invitations section. A value can be specified in units of minutes, hours, or days.
- Click on OK to close the Remote Assistance Settings dialog.
- Click on OK to close the System Properties dialog.
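An added example, not from the book: a Python check that reads `reg query` output collected from a workstation and flags the Remote Assistance settings this section says to review (remote control, invitation lifetime, unsolicited offers), with Group Policy values overriding local ones. The registry key paths, value names and unit codes are assumptions about where these settings are stored and should be confirmed on your own systems; both sample outputs are constructed.

```python
import re

# Key paths, value names and unit codes are assumptions, not taken from the page.
LOCAL_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server".upper()
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services".upper()
UNIT_MINUTES = {0: 1, 1: 60, 2: 1440}  # assumed MaxTicketExpiryUnits: minutes, hours, days
DWORD_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Parse `reg query` text into {KEY_PATH: {value_name: int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.strip().upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().upper(), {})
        else:
            m = DWORD_RE.match(line)
            if m and current is not None:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit(text, max_minutes=60):
    """Return findings for the effective settings (policy overrides local)."""
    keys = parse_reg_query(text)
    eff = dict(keys.get(LOCAL_KEY, {}))
    eff.update(keys.get(POLICY_KEY, {}))
    findings = []
    if eff.get("fAllowToGetHelp") == 1:  # users may create invitations
        if eff.get("fAllowFullControl") == 1:
            findings.append("helpers can be granted remote control")
        if "MaxTicketExpiry" not in eff:
            findings.append("invitation lifetime not set explicitly")
        else:
            # An unknown or missing unit is treated as days (the worst case).
            unit = UNIT_MINUTES.get(eff.get("MaxTicketExpiryUnits"), 1440)
            minutes = eff["MaxTicketExpiry"] * unit
            if minutes > max_minutes:
                findings.append("invitation lifetime %d min exceeds %d" % (minutes, max_minutes))
    if eff.get("fAllowUnsolicited") == 1:
        findings.append("unsolicited offers are enabled")
    return findings

# Constructed sample: the defaults the section describes (control allowed, 30-day invitations).
DEFAULT_HOST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fAllowToGetHelp    REG_DWORD    0x1
    fAllowFullControl    REG_DWORD    0x1
    MaxTicketExpiry    REG_DWORD    0x1e
    MaxTicketExpiryUnits    REG_DWORD    0x2
"""
# Constructed sample: the same local values, overridden by Group Policy.
LOCKED_HOST = DEFAULT_HOST + r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    fAllowToGetHelp    REG_DWORD    0x1
    fAllowFullControl    REG_DWORD    0x0
    MaxTicketExpiry    REG_DWORD    0x1
    MaxTicketExpiryUnits    REG_DWORD    0x1
    fAllowUnsolicited    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for name, sample in (("default", DEFAULT_HOST), ("locked", LOCKED_HOST)):
        print(name, audit(sample))
```

The `max_minutes` threshold of 60 is an illustrative baseline; set it to whatever invitation lifetime your own policy permits.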
Establishing a Remote Assistance Session
When the user initiates a Remote Assistance invitation, Windows XP encrypts an XML-based ticket, which is then passed on to the helper. When the helper opens the ticket, the invitation is displayed.
Tip | The performance of a Remote Assistance session can be improved by lowering the Color Quality setting on the user's computer. This reduces the amount of data that is transferred during the session. The Color Quality setting is changed on the Display Properties dialog. For information on how to access the Display Properties dialog and change this setting, refer to "Setting Resolution and Color" in Chapter 7, "Configuring Desktop Settings." |
Remote Assistance provides three means of soliciting Remote Assistance:
- Messenger Service. The user sends a Remote Assistance invitation to the helper using Windows Messenger.
- E-mail. The user sends a Remote Assistance invitation using e-mail.
- File. The user creates and saves a Remote Assistance invitation as a file and sends it to the helper via various means, such as FTP or a Web-based e-mail service like Yahoo mail.
Using Windows Messenger to Deliver a Remote Access Invitation
Use of Windows Messenger is prohibited in many environments in order to discourage employee abuse of the Internet and to cut off a possible avenue of attack from Internet hackers. In order to use Windows Messenger, the user must be able to connect to the Internet and port 3389 must be opened on any firewall that resides between the user and the Internet connection. Also, the e-mail address of the helper must be defined in the user's Buddies list within Windows Messenger, and the user must be logged on to Microsoft's MSN network. However, if both the user and the helper have access to an internal ILS (Internet Location Service) then a connection to the MSN network is not required.
Note | Windows Messenger requires that all users log in to an ILS. Once logged on, users can see if any of the individuals in their Buddies list are also logged on. The ILS is also responsible for coordinating communications between computers. Typically most users log in to the Microsoft MSN network when using Windows Messenger. Optionally, network administrators can install a local ILS inside the corporate network, allowing corporate users to log in to it and use it to manage all internal Windows Messenger communications. |
Using an instant messenger requires that both the sender and the helper use Windows Messenger and that both are logged on. The following procedure outlines the steps involved when using Windows Messenger to deliver a Remote Assistance invitation.
- Click on Start and then Help and Support Center.
- Click on Invite a friend to connect to your computer with Remote Assistance. The screen shown in Figure 3.8 appears.
Figure 3.8: Creating a Remote Assistance invitation
- Click on Invite someone to help you. The screen shown in Figure 3.9 appears.
Figure 3.9: There are three ways to deliver Remote Assistance invitations
- Click on the Windows Messenger Sign In button. The .NET Messenger Service dialog appears requesting an e-mail address and password.
- Type the e-mail address and password required to log in to Windows Messenger and click on OK.
- The Windows Messenger dialog appears as shown in Figure 3.10.
Figure 3.10: Remote Assistance invitations can be sent using Windows Messenger
- Within Windows Messenger select Tools/Ask for Remote Assistance and then click on the e-mail address of the person who is to receive the invitation.
- The Windows Messenger dialog changes appearance, as demonstrated in Figure 3.11. A message is displayed that states that the request has been sent to the helper. A similar dialog appears on the helper's screen, as shown in Figure 3.12.
Figure 3.11: Windows Messenger waits while the invitation is sent to the helper
Figure 3.12: The helper receives the Remote Assistance invitation and clicks on Accept to initiate a Remote Assistance session
- When the helper clicks on Accept, a message appears in the user's copy of Windows Messenger informing the user.
- The Remote Assistance Console appears on the helper's computer. The message Waiting for an answer appears in the left-hand pane.
- On the user's screen, a pop-up dialog appears, requiring the user to click on Yes to allow the helper to view the computer's desktop and chat.
- Next, the Remote Assistance dialog appears on the user's computer. At the same time the Remote Assistance console on the helper's computer displays the user's desktop.
Using E-mail to Deliver a Remote Access Invitation
E-mail provides an alternative means of delivering Remote Assistance invitations. This option requires that the user and helper both use MAPI (Messaging API) compliant e-mail applications such as Outlook Express. The following procedure outlines the steps involved when using e-mail to deliver a Remote Assistance invitation.
Note | In order to use e-mail to deliver Remote Assistance invitations, Outlook Express needs to be configured. If it is not, a wizard will appear to assist in its setup. |
- Click on Start and then Help and Support Center.
- Click on Invite someone to help you.
- Type an e-mail address in the Outlook Express e-mail field and click on Invite this person.
- The screen shown in Figure 3.13 appears. Type the name that should appear in the invitation and a brief message explaining the reason for the invitation in the From and Message fields and click on Continue.
Figure 3.13: Supply a contact name and message describing the reason for the invitation
- The screen shown in Figure 3.14 appears. Specify the invitation's expiration time and date. Select the Require the recipient to use a password option, type a password in the two password fields, and click on Send Invitation.
Figure 3.14: To provide additional security, instruct users to limit invitation expiration periods and to assign a password to every invitation
- A confirmation dialog appears to verify that the invitation should be sent. Click on Send to deliver the invitation.
- When the helper receives the e-mail, the invitation will be included as an attachment. When opened, the helper can accept the invitation, allowing the Remote Assistance session to be established.
Using a File to Deliver a Remote Access Invitation
Another alternative for creating Remote Assistance invitations is to create and save them as files. The invitations can then be sent to helpers in a variety of ways, such as uploading them to an FTP site or as attachments to e-mail generated by noncompliant MAPI e-mail applications.
The following procedure outlines the steps involved in creating an invitation and saving it as a file.
- Click on Start and then Help and Support Center.
- Click on Invite someone to help me.
- Click on the Save invitation as a file (Advanced) link.
- Type the name that should appear on the invitation and specify the invitation's expiration time limit. Click on Continue.
- Select the Require the recipient to use a password option and type a password in the two password fields. Click on Save Invitation.
- The Save As dialog appears. Type a name for the invitation file. A file extension of .msrincident will automatically be added. Specify the location where the file is to be saved and click on Save.
Once the file containing the invitation has been saved, arrange for it to be delivered to the helper. When the helper receives the file and opens it, the dialog shown in Figure 3.15 appears.
The helper will see the name of the person who sent the invitation as well as the invitation's expiration date. To start the Remote Assistance session, the helper must type the password assigned to the invitation and click on Yes when prompted to initiate the session.
Working with Remote Assistance
Once the user and helper have successfully established a Remote Assistance session, they can begin working together. During a Remote Assistance session, the user and helper see different Remote Assistance consoles. The user's console, shown in Figure 3.16, is smaller than the helper's console. It includes a chat area in the left pane for sending and receiving text messages and a collection of controls in the right pane. These controls include:
- Send a File. Sends a file to the other computer. In order for the transfer to complete, the helper's computer displays a prompt requesting permission to allow the file to be received.
- Start Talking. Enables voice communications if appropriate hardware is installed on the computer.
- Settings. Used to configure console size and audio settings.
- Disconnect. Terminates a Remote Assistance session.
- Help. Provides access to Remote Assistance help information.
The helper's console, shown in Figure 3.17, is larger than the user's console. It includes the same collection of controls as the user's console as well as a Take Control option. The controls are located at the top of the console in a toolbar. Underneath the toolbar, the rest of the screen is divided into two panes. The left pane provides a chat area for sending and receiving text messages. The right pane displays the user's desktop including the taskbar and the user's Remote Assistance console.
Taking Remote Control
By default Remote Assistance allows the helper to view the user's screen and observe the user's activities. However, the helper's Remote Assistance console also includes a Take Control option, which sends a request to the user asking for permission to take active control of the user's desktop. The user must click on Yes in order to grant the helper the ability to take remote control.
Even when granted permission by the user to take control of his or her computer, the helper never has complete control of the user's computer. Control is actually shared and the user can continue to use the mouse and keyboard (although this will make things difficult for the helper). In addition, the user can terminate the Remote Assistance session at any time by clicking on Disconnect or pressing the Esc key.
Exchanging Text and Speech
In addition to providing the ability to take remote control of the user's console, the user and helper can send and receive text messages by clicking the message entry area of their respective consoles, typing a message, and clicking on the green Send button.
If both the user's and helper's computers are equipped with the appropriate hardware (for example, microphone, speakers, and an audio card), they can click on the Start Talking option. This sends a message to the other computer informing it of the request to begin voice communications. Voice communications can be very helpful when the administrator needs to convey complex information to the user that would otherwise be difficult to explain using plain text messages.
Configuring Audio and Screen Settings
Once in a Remote Assistance session, the user and the helper can also click on their Settings icon to display the Remote Assistance Settings—Web Page Dialog. Using this dialog, they can configure audio quality and start the Audio Tuning Wizard.
In addition to the audio settings, the helper's dialog includes an option to configure the default screen view. The available options are Scale to windows and Actual size. These two options mirror the options displayed in the upper right-hand corner of the helper's Remote Assistance console. Selecting one of these settings specifies the default view of the user's screen. The helper can toggle between these two settings using the buttons on his or her Remote Assistance console.
Note | The Audio Tuning Wizard steps you through a process that verifies that a digital camera, speakers, or a microphone works correctly. |
Sending and Receiving Files
Sometimes when assisting a remote user with Remote Assistance, it is helpful to be able to send the user a file. This file may contain self-help documentation to assist the user should the problem reoccur. It may also contain a configuration file for an application or a script that the administrator wants executed. In addition, it may be just as helpful to collect files on the user's computer and send them to the helper for later analysis.
The following procedure outlines the steps involved in copying a file from the helper's computer to the user's computer.
- Start Remote Assistance and establish a session with the user's computer.
- Click on the Send a file icon.
- A dialog appears. Type the path and filename of the file to be copied or click on Browse to locate the file.
- Click on Send File.
- A pop-up dialog appears on the user's computer announcing that the helper is sending a file. Two options are available:
  - Save As. Allows the user to specify the location where the file should be stored.
  - Cancel. Stops the file transfer process.
- If the user elects to save the file, he or she is prompted to open the file. The user can click on Yes or No.
- A pop-up message is displayed on the helper's computer stating whether the user saved the file or terminated the transfer operation. Click on OK to acknowledge the prompt.
Disconnecting a Remote Assistance Session
The user or the helper can terminate a Remote Assistance session at any time. The helper terminates the session by clicking on the Disconnect icon on the toolbar at the top of the Remote Assistance console. The user can also terminate the session by clicking on the Disconnect icon. Once disconnected, the session between the helper's and the user's computers is closed and the helper is unable to reestablish the session without the user's consent.
To prevent the helper from attempting to reestablish the session, the user can revoke or delete the invitation, as described in the next section.
Managing Invitations
Remote Assistance invitations can be viewed and managed locally. This provides their creator with the ability to perform any of the following tasks:
- View invitation details. Displays additional information about invitations
- Expire invitations. Invalidates invitations and prevents them from being used
- Resend invitations. Resends e-mail–based invitations to their original recipients
- Delete invitations. Removes invitations from the Remote Assistance invitation list and prevents them from being used
The following procedure outlines the steps involved in viewing and managing Remote Assistance requests.
- Open the Help and Support Center.
- Click on Invite someone to help me.
- Click on View the status of all my invitations. Note that the number of outstanding invitations is listed just to the right of this link. The dialog shown in Figure 3.18 appears.
Figure 3.18: Viewing and managing Remote Assistance invitations
- To manage a Remote Assistance invitation, select it and click on the Details, Expire, Resend, or Delete button.
Remote Assistance invitations are listed in a table. The following data is displayed about each invitation:
- Sent To. The e-mail address or MSN address of the invitation recipient or the location where the invitation was saved.
- Expiration Time. The date and time that each invitation becomes invalid.
- Status. The current status of the invitation. Valid status options are open, expired, and closed.
Offering Unsolicited Remote Assistance
Administrators can also configure Windows XP to allow helpers to offer unsolicited Remote Assistance. Unsolicited Remote Assistance is only applicable to corporate networks. It requires that the user and helper belong to the same domain or to domains that trust one another. In order to provide unsolicited Remote Assistance, the Offer Remote Assistance policy must be enabled in Group Policy. Once enabled, helpers can use Remote Assistance to offer help to users who they know are experiencing problems, as outlined in the following procedure.
Note | In order to offer unsolicited Remote Assistance, the Offer Remote Assistance Group Policy setting must be enabled on the helper's computer. This policy is located within Group Policy under \Computer Configuration\Administrative Templates\System\Remote Assistance. More information about Group Policy and its application is available in "Group Policy" in Chapter 9, "Security Administration." |
- Open the Help and Support Center.
- Click on the Use Tools to view your computer information or diagnose problems option in the Pick a task section.
- Click on Offer Remote Assistance.
- The Offer Remote Assistance screen is displayed. Type the IP address or DNS name assigned to the computer to which Remote Assistance is being offered and click on Connect.
- A pop-up dialog appears on the user's computer indicating the offer of Remote Assistance. Wait for the user to accept the invitation.