Remote Assistance and Internet Communication
Applies To: Windows Server 2003 with SP1
This section provides information about:
The benefits of Remote Assistance
How Remote Assistance communicates with sites on the Internet
How to control Remote Assistance to prevent the flow of information to and from the Internet
Benefits and Purposes of Remote Assistance
With Microsoft Windows Server 2003, users and administrators in your organization can use Remote Assistance to get help from a member of your support staff. Users or administrators can also collaborate in other ways through screen sharing. Remote Assistance is a convenient way for support professionals to connect to a computer from another computer running a compatible operating system, such as Windows Server 2003 or Windows XP, and to show the users or administrators a solution to the problem.
Using Windows Messenger (instant messaging) or an e-mail program, such as Microsoft Outlook or Outlook Express, you can provide support to a user by connecting to the user’s computer. After you are connected, you can view the user’s computer screen, communicate in real time about what you both see on the user’s computer, send files, use voice communication, and use your mouse and keyboard to work on the user’s computer.
Overview: Using Remote Assistance in a Managed Environment
On Windows Server 2003, with or without Service Pack 1 (SP1), Remote Assistance is disabled by default. By opening Control Panel\System and clicking the Remote tab, you can enable Remote Assistance (unless it is disabled through Group Policy). Then you can open Help and Support Center, click Remote Assistance, and then click Invite someone to help you. When you do this, you can have someone inside or outside your network connect to your server.
Although a firewall on your organization’s network will likely prevent outsiders from connecting directly to a computer on your intranet, some firewall settings might permit users or administrators to connect remotely to someone within your intranet or outside your network through Remote Assistance. As an administrator in a highly managed environment, you might want to prevent the use of this feature. You can do this during your deployment of Windows Server 2003 with SP1, or post-deployment using Group Policy.
In a domain environment there is also the option of a support person or IT administrator offering unsolicited assistance. From Help and Support Center using Tools\Help and Support Center Tools\Offer Remote Assistance, an administrator in the domain may offer assistance to users in the same domain or trusted domains without being asked. However, users can decline the invitation. This capability can be strictly controlled with Group Policy. Controlling the use of unsolicited as well as solicited Remote Assistance is described further in the subsection "Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet."
How Remote Assistance Communicates with Sites on the Internet
When a user (referred to as the "novice") initiates a request for assistance through either the e-mail option or the Save invitation as a file option in Remote Assistance, the operating system starts Help and Support Center. Help and Support Center then passes the information to Remote Assistance.
When the person who is being contacted (the "expert") accepts the invitation from the novice, Remote Assistance calls Help and Support Center application programming interfaces (APIs) to initiate the session. Help and Support Center relies on Terminal Services to negotiate the session. Help and Support Center passes the Remote Assistance invitation (the "ticket") file to Terminal Services. The Remote Assistance session is established using RDP (Remote Desktop Protocol) and uses TCP port 3389 through Terminal Services on the novice computer; the expert connects inbound to that port.
There are safeguards built into the Remote Assistance feature. All sessions are encrypted and can be password-protected. The novice (user soliciting the assistance) sets the maximum time for the duration of the ticket. Also, firewalls on your organization’s network can be configured to prevent communication associated with Remote Assistance, for example, Remote Assistance connections that are inbound to computers behind the firewall.
The following information presents additional details on how information transfer over the Internet takes place when a connection is made:
Specific information sent or received: Information that is transmitted in a Remote Assistance ticket includes user name, IP address, and computer name. Because the ticket travels by e-mail, instant message, or as a saved file, anyone who can read it learns these values, so treat the ticket as sensitive. Information necessary to provide functionality for Remote Assistance (for example, screen sharing, file transfer, and voice) is sent in real time using point-to-point connections.
Default and recommended settings: Anyone with access to Help and Support Center can access the Remote Assistance feature. Users can prevent someone from connecting to their computer by declining an invitation. You can also prevent someone from remotely controlling a server running Windows Server 2003 SP1 by using Control Panel settings or Group Policy.
Triggers: A user or administrator establishes contact with the expert by sending an invitation through e-mail, instant messaging, or by saving an invitation as a file and transferring it manually, such as on a floppy disk, to the expert. Or, an expert offers unsolicited assistance to a user.
User notification: Whether assistance is solicited or unsolicited, the novice is notified of the offer of assistance from the expert. The novice must accept the connection before Remote Assistance begins.
Logging: Events such as a person initiating a connection or a user or administrator accepting or rejecting an invitation are recorded in the event logs. Windows Server 2003 Service Pack 1 (SP1) records more details than were recorded previously, including events such as taking and releasing control, sending and accepting files, and ticket creation and deletion. SP1 also records details such as whether assistance is solicited or unsolicited, as well as more detailed user name and IP address information.
Encryption: The RDP (Remote Desktop Protocol) encryption algorithm for the main Remote Assistance communication and the RTC (Real-Time Communication) encryption algorithm for voice are used. The RDP encryption algorithm is RC4 128-bit. RC4 is no longer considered a strong cipher, so do not rely on session encryption alone; restrict who can reach TCP port 3389 with the firewall and Group Policy controls described below.
Access: No information is stored at Microsoft.
Transmission protocol and port: The port is TCP 3389 and the transmission protocols are RDP and RTC. For Offer Remote Assistance, Distributed Component Object Model (DCOM) is also used.
Ability to disable: This component can be disabled by using Group Policy or locally through Control Panel.
Firewall protection: Any firewall that blocks inbound TCP port 3389 prevents experts outside the firewall from making Remote Assistance connections to computers behind it. This does not prevent users within the network protected by the firewall from connecting to each other. If you close port 3389, you will block all Remote Desktop and Terminal Services traffic through it as well. If you want to allow these services but want to limit Remote Assistance requests, use Group Policy. If the port is opened only for outbound traffic, a user can request Remote Assistance by using Windows Messenger.
Note
Windows Server 2003 with SP1 includes enhancements to the firewall component, now called Windows Firewall. To use Remote Assistance with Windows Firewall enabled, in Windows Firewall, on the Exceptions tab, select Remote Desktop. Alternatively, you can configure Windows Firewall through Group Policy with a setting at Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall, either in Domain Profile or in Standard Profile. The setting to configure is Windows Firewall: Allow Remote Desktop exception.
For more information about the Remote Assistance connection process, see article 300692, "Description of the Remote Assistance Connection Process" in the Microsoft Knowledge Base at:
https://go.microsoft.com/fwlink/?LinkId=29212
Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet
Administrators can control the use of Remote Assistance in the following ways:
Group Policy to prevent Remote Assistance from being solicited from this computer
Group Policy to prevent unsolicited Remote Assistance from being offered to this computer
Local control of Remote Assistance through Control Panel
Group Policy settings are described in detail in this subsection. Procedures for disabling Remote Assistance are presented in the next subsection.
Using Group Policy
There are two Group Policy settings you can configure to control the use of Remote Assistance:
Solicited Remote Assistance. Use this policy setting to determine whether Remote Assistance can be solicited from a given computer. In Solicited Remote Assistance the user of a computer explicitly requests help from another party.
Offer Remote Assistance. Use this policy setting to determine whether a support person or IT administrator (expert) can offer remote assistance to a computer without a user explicitly requesting it first through e-mail, a file, or instant messaging.
These policy settings are located in Computer Configuration\Administrative Templates\System\Remote Assistance. Configuration options for these policy settings are described in the following table.
Group Policy Settings for Controlling Remote Assistance
Policy Setting | Description |
---|---|
Solicited Remote Assistance (enabled) | When this policy setting is enabled, a user can create a Remote Assistance invitation that a person (“expert”) can use at another computer to connect to the user’s computer. If given permission, the expert can view the user’s screen and mouse and keyboard activity in real time. Additional configuration options are available when you enable this policy setting. |
Solicited Remote Assistance (disabled) | If the status is set to Disabled, users cannot request Remote Assistance and this computer cannot be controlled from another computer. |
Solicited Remote Assistance (not configured) | If the status is set to Not Configured, the configuration of solicited Remote Assistance is determined by the Control Panel settings. |
Offer Remote Assistance (enabled) | When this policy setting is enabled, a remote user or administrator can offer Remote Assistance to the computer. When you configure this policy setting, you have two choices: you can select either Allow helpers to only view the computer or Allow helpers to remotely control the computer. In addition to making this selection, when you configure this policy setting, you also specify the list of users or user groups that will be allowed to offer remote assistance. Administrators of this computer can offer remote assistance to it by default. They do not need to be added to the list. |
Offer Remote Assistance (disabled or not configured) | If you disable or do not configure this policy setting, users or groups cannot offer unsolicited remote assistance to this computer. |
For additional configuration options, see the Remote Assistance policy settings in Group Policy. To find more information about editing Group Policy, see Appendix B: Resources for Learning About Group Policy.
Procedures for Disabling Remote Assistance
This section presents procedures administrators can use for disabling Remote Assistance through Group Policy or Control Panel.
To Disable the Use of Remote Assistance Using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy, and then edit an appropriate GPO.
Click Computer Configuration, click Administrative Templates, click System, and then click Remote Assistance.
In the details pane, double-click Solicited Remote Assistance, click Disabled, and then click OK.
In the details pane, double-click Offer Remote Assistance, click Disabled, and then click OK.
To Disable the Use of Remote Assistance Through Control Panel
Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.
Double-click System.
In System Properties, click the Remote tab.
Under Remote Assistance, clear the check box labeled Turn on Remote Assistance and allow invitations to be sent from this computer.
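The following PowerShell script is an added example; it is not from the original page and is not Microsoft's own tooling. It serves both the policy table in "Using Group Policy" and the two disabling procedures above: it reports the effective Remote Assistance state on the server by reading the registry values behind the Solicited Remote Assistance and Offer Remote Assistance policies and the Remote tab check box, applies the precedence the table describes (a configured policy wins; Not Configured falls through to the Control Panel value; Offer is off unless explicitly Enabled), checks whether anything is listening on TCP port 3389, and with -Enforce writes the values that "Disabled" for both policies and a cleared check box produce. The registry paths and value names (fAllowToGetHelp, fAllowUnsolicited, and the WindowsFirewall RemoteDesktop policy key) are assumptions drawn from the policy templates, and PowerShell is not part of Windows Server 2003 itself; run the script from an elevated prompt on a system where PowerShell is installed.

```powershell
# Added example, not part of the original page. Assumed registry locations:
#   Policy (Group Policy "Solicited Remote Assistance" / "Offer Remote Assistance"):
#     HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
#       fAllowToGetHelp   1 = Solicited enabled, 0 = disabled, absent = Not Configured
#       fAllowUnsolicited 1 = Offer enabled,     0 = disabled, absent = Not Configured
#   Local (Control Panel, Remote tab, "Turn on Remote Assistance ..." check box):
#     HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp
#   Windows Firewall policy "Allow Remote Desktop exception" (Domain Profile):
#     HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop\Enabled
param([switch]$Enforce)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$FwKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null when the key or value does not exist; for a policy value that means Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-Port3389Listening {
    # Terminal Services must be listening on TCP 3389 for any RDP-based session,
    # Remote Assistance included. netstat exists on every Windows version.
    $hits = netstat -an -p tcp | Select-String -Pattern ':3389\s+\S+\s+LISTENING'
    return (@($hits).Count -gt 0)
}

function Get-RemoteAssistanceState {
    $solicitedPolicy = Get-RegDword $PolicyKey 'fAllowToGetHelp'
    $offerPolicy     = Get-RegDword $PolicyKey 'fAllowUnsolicited'
    $solicitedLocal  = Get-RegDword $LocalKey  'fAllowToGetHelp'
    $fwRdpException  = Get-RegDword $FwKey     'Enabled'

    # Precedence as in the policy table: a configured Solicited policy wins;
    # Not Configured falls through to the Control Panel (local) value.
    if ($null -ne $solicitedPolicy)    { $solicitedEffective = ($solicitedPolicy -eq 1) }
    elseif ($null -ne $solicitedLocal) { $solicitedEffective = ($solicitedLocal -eq 1) }
    else                               { $solicitedEffective = $false }   # Server 2003 default: off

    # Offer Remote Assistance is available only when the policy is explicitly Enabled.
    $offerEffective = ($offerPolicy -eq 1)

    [pscustomobject]@{
        SolicitedPolicy      = $solicitedPolicy
        SolicitedLocal       = $solicitedLocal
        SolicitedEffective   = $solicitedEffective
        OfferPolicy          = $offerPolicy
        OfferEffective       = $offerEffective
        FirewallRdpException = $fwRdpException   # $null: not set by policy; check the Exceptions tab
        Port3389Listening    = (Test-Port3389Listening)
    }
}

function Disable-RemoteAssistance {
    # Writes what "Disabled" for both policies plus a cleared Remote tab check box produce.
    # In a domain, set the policies in a GPO instead: domain policy overwrites these
    # local policy values at the next refresh.
    foreach ($key in @($PolicyKey, $LocalKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $PolicyKey -Name 'fAllowToGetHelp'   -Value 0 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'fAllowUnsolicited' -Value 0 -Type DWord
    Set-ItemProperty -Path $LocalKey  -Name 'fAllowToGetHelp'   -Value 0 -Type DWord
    # Server 2003 SP1-era Windows Firewall syntax that removes the Remote Desktop
    # exception from every profile; later Windows versions use "netsh advfirewall" instead.
    netsh firewall set service type=remotedesktop mode=disable profile=all | Out-Null
}

$before = Get-RemoteAssistanceState
$before | Format-List
if ($Enforce) {
    Disable-RemoteAssistance
    'After enforcement:'
    Get-RemoteAssistanceState | Format-List
}
```

Run it without parameters to audit; a server that should not accept Remote Assistance should report SolicitedEffective and OfferEffective as False. Note that disabling the Remote Desktop firewall exception also blocks Remote Desktop administration of the server, exactly as the firewall section above warns, so omit the netsh line if you need Remote Desktop but not Remote Assistance and rely on the two policies instead.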