========================================================================
ENTERPRISE WINDOWS: OLIVER RIST                 http://www.infoworld.com
========================================================================
Monday, November 15, 2004

REMOTE DESKTOP RETURNS WITH STYLE

By Oliver Rist

Posted November 12, 2004 3:00 PM Pacific Time

Boy, sometimes I wish this was the Linux column. It would certainly be
fun to write a Novell column for this week: a half billion dollars, a
new desktop OS product in the same week that Microsoft attacks Intuit,
and an announcement that it's trying to patent half the Internet
technologies on the planet. It all makes my fingers tingle.

Alas, the Penguin is not our mascot here. So instead, let's examine RD
(Remote Desktop), a Windows feature that's been maligned since Windows
2000.

Because of Microsoft's security disast- ... er, catast- ... er,
troubles, many systems administrators simply have a default position of
Disable for anything that has the words network and Microsoft in the
same descriptive sentence and isn't absolutely critical to doing
business. Don't need it? Don't use it. Don't worry. Certainly it's a
mantra that has justification, but one that should be re-evaluated from
time to time, and especially so in the case of RD.

Microsoft has been making improvements on Remote Desktop over the last
year, and today it's actually a nifty utility -- and far more secure,
too. For one thing, you can and should run it using 128-bit encryption
as long as you're using the new RD client. It's fully manageable via AD
(Active Directory) and, indeed, that's the way I'd recommend handling it
for any AD-controlled domains.

Using AD means being able to enforce security rules for every RD
session, including encryption and password authentication at every
logon, as well as the ability to disable the use of saved passwords at
this stage. Yeah, I've seen folks do that in the field. You just learn
to scratch your head and keep quiet, then change the settings when
they're looking at something shiny.

To me, the niftiest feature of all is something I saw a much smarter
tech set up at a client site recently: RDWC (Remote Desktop Web
Connection). For administrators still running more than one version of
Windows on the client side, or for those looking to enable easy RD for
roaming users, RDWC is a boon -- and it's free. All you need is Windows
2003 Server or Windows XP Professional acting as a host box. RDWC is
relatively easy to install, supports the same basic security as Remote
Desktop, and it now allows authenticated users to access a variety of
machines no matter where they are.

But Remote Desktop still frightens some administrators. What scares them
is that users have the ability to manipulate client resources during an
RD session. Of course, that's a feature, but if the hacking boogeyman
gets control, it can also be a huge liability. Fortunately, AD allows
administrators to throttle RD capabilities on the client side. You can
disable things like file or printer redirection and stop Clipboard
sharing.
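
The AD-enforced settings discussed above (encryption, password prompts,
saved passwords, and the redirection limits) land as registry values under
the Terminal Services policy key, so they can be audited per machine. The
PowerShell below is an added example, not part of the original column; the
baseline values, the core/lockdown tiers and the function names are
assumptions for illustration.

```powershell
# Added example: checks the Terminal Services policy values that Group Policy
# writes to the registry. Baseline, tiers and function names are assumptions.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$Baseline = @(
    @{ Name = 'MinEncryptionLevel';    Min = 3; Tier = 'core';     Setting = 'High (128-bit) encryption level' }
    @{ Name = 'fPromptForPassword';    Min = 1; Tier = 'core';     Setting = 'Prompt for password at every logon' }
    @{ Name = 'DisablePasswordSaving'; Min = 1; Tier = 'core';     Setting = 'Saved passwords disabled (client)' }
    @{ Name = 'fDisableCdm';           Min = 1; Tier = 'lockdown'; Setting = 'Drive (file) redirection disabled' }
    @{ Name = 'fDisableCpm';           Min = 1; Tier = 'lockdown'; Setting = 'Printer redirection disabled' }
    @{ Name = 'fDisableClip';          Min = 1; Tier = 'lockdown'; Setting = 'Clipboard sharing disabled' }
)

function Get-RdPolicyValues {
    # Reads the live policy key; a value that is absent means "Not configured".
    param([string]$Path = $PolicyKey)
    $found = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($rule in $Baseline) {
            $prop = $item.PSObject.Properties[$rule.Name]
            if ($prop) { $found[$rule.Name] = [int]$prop.Value }
        }
    }
    $found
}

function Test-RdPolicy {
    # Compares a name -> DWORD table against the baseline, one row per setting.
    param([Parameter(Mandatory)][hashtable]$Values)
    foreach ($rule in $Baseline) {
        $actual = $Values[$rule.Name]          # $null when not configured
        $shown  = if ($null -eq $actual) { 'not configured' } else { $actual }
        [pscustomobject]@{
            Tier      = $rule.Tier
            Setting   = $rule.Setting
            Value     = $rule.Name
            Actual    = $shown
            Compliant = ($null -ne $actual) -and ($actual -ge $rule.Min)
        }
    }
}

# Constructed sample (not from a real host): client-compatible encryption,
# saved passwords left enabled, clipboard disabled, the rest not configured.
$sample = @{ MinEncryptionLevel = 2; fPromptForPassword = 1; DisablePasswordSaving = 0; fDisableClip = 1 }
Test-RdPolicy -Values $sample | Format-Table -AutoSize
# On a domain member: Test-RdPolicy -Values (Get-RdPolicyValues)
```

A row reported as "not configured" means the policy does not enforce that
setting, so whatever is set locally on the machine applies.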

Frankly, for most installations, secure passwords and encryption are
enough. In my opinion, disabling the aforementioned features limits the
use of RD, but then we only use it for remote help-desk scenarios. For
that particular use, however, RD has two critical limitations. First, we
can't easily use it as a remote help desk across multiple clients. It
requires a blizzard of network documentation to make sure all settings
are recorded. Second, RD forces the user who placed the call to the help
desk to log off. Remote Desktop can't take control of an existing
session; it can only knock off the current user and start its own
session.

For this reason, we use RD mostly for server administration and the
like. Help-desk remote control is reserved for third-party applications
such as NetOp Remote Control (my favorite) or Radmin (a smaller and less
expensive newcomer that we're currently testing). For administrators
running a single network, however, Remote Desktop is a powerful utility
that's both versatile and secure. Best of all, it allows creative IT
administrators to enable new tools for users without spending any
additional bucks from the software budget. If you've dismissed RD in
your network, give it another look.

Oliver Rist is a senior contributing editor at InfoWorld.


Copyright (C) 2004 InfoWorld Media Group, 501 Second St., San Francisco,
CA 94107


