Lesson 3 Providing Secure Network Administration 13-29
Securing Remote Assistance
Because an expert offering remote assistance to another user can perform virtually any activity on the remote computer that the local user can, this feature can be a significant security hazard: the expert acts with the privileges of the user who is logged on. An unauthorized user who takes control of a computer using Remote Assistance can cause almost unlimited damage. However, Remote Assistance is designed to minimize the dangers. Some of the protective features of Remote Assistance are as follows:
■ Invitations No person can connect to another computer using Remote Assistance unless that person has received an invitation from the client. Clients can configure the effective lifespan of their invitations in minutes, hours, or days, so that an expert cannot reuse an old invitation to connect to the computer later.
■ Interactive connectivity When an expert accepts an invitation from a client and attempts to connect to the computer, a user must be present at the client console to grant the expert access. You cannot use Remote Assistance to connect to an unattended computer.
■ Client-side control The client always has ultimate control over a Remote Assistance connection. The client can terminate the connection at any time by pressing the Esc key or clicking Stop Control (ESC) in the client-side Remote Assistance page.
■ Remote control configuration Using the System Properties dialog box or the Remote Assistance group policies, users and administrators can specify whether experts are permitted to take control of client computers. An expert who has view-only (read-only) access can see the client's screen but cannot modify the computer's configuration in any way using Remote Assistance. The group policies also enable administrators to grant expert status to specific users, so that no one else can use Remote Assistance to connect to a client computer, even with the client's permission.
■ Firewalls Remote Assistance uses Transmission Control Protocol (TCP) port number 3389 for all its network communications. For networks that use Remote Assistance internally and are also connected to the Internet, it is recommended that network administrators block this port in their perimeter firewalls, to prevent users outside the network from taking control of computers that request remote assistance. Blocking the port at the perimeter does not affect Remote Assistance sessions between computers inside the network. However, it is also possible to provide remote assistance to clients over the Internet, which would require leaving port 3389 open; in that case the invitation lifespan, the interactive consent at the console, and the view-only setting are the only barriers between an Internet host and every computer on which Remote Assistance is enabled, so configure them deliberately.
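The following PowerShell script is an added example, not part of the training kit, that audits the Remote Assistance settings described above on a local computer and can write a hardened local policy. It assumes that the Remote Assistance group policies are stored, as the Remote Assistance administrative template writes them, under the Terminal Services policy key (fAllowToGetHelp, fAllowFullControl, MaxTicketExpiry, MaxTicketExpiryUnits with 0 = minutes, 1 = hours, 2 = days, fAllowUnsolicited, and the RAUnsolicit helper list), and that the System Properties check box writes fAllowToGetHelp under the Terminal Server control key. Those value names and locations are assumptions of this example, not something this page states.

```powershell
# Added example (not from the training kit). Assumed registry layout:
# policy values under the Terminal Services policy key, local switch under
# the Terminal Server control key. Run in an elevated PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value, or $null when the key or the value does not exist.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RemoteAssistanceConfig {
    # A defined policy value overrides the System Properties setting.
    $policySolicited = Get-RegValue $PolicyKey 'fAllowToGetHelp'
    $localSolicited  = Get-RegValue $LocalKey  'fAllowToGetHelp'
    $solicited = $localSolicited
    $source = 'NotSet'
    if ($null -ne $localSolicited)  { $source = 'SystemProperties' }
    if ($null -ne $policySolicited) { $source = 'GroupPolicy'; $solicited = $policySolicited }

    $units = Get-RegValue $PolicyKey 'MaxTicketExpiryUnits'
    $unitName = switch ($units) { 0 { 'minutes' } 1 { 'hours' } 2 { 'days' } default { 'not set' } }

    # "Offer Remote Assistance" helpers are stored as numbered string values
    # (assumed layout) whose data is DOMAIN\user or DOMAIN\group.
    $helpers = @()
    $helperKey = Join-Path $PolicyKey 'RAUnsolicit'
    if (Test-Path -Path $helperKey) {
        $helpers = @((Get-ItemProperty -Path $helperKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        SolicitedEnabled     = ($solicited -eq 1)
        SolicitedSource      = $source
        # The template default is full control, so only an explicit 0 means view-only.
        ExpertFullControl    = ((Get-RegValue $PolicyKey 'fAllowFullControl') -ne 0)
        MaxTicketExpiry      = Get-RegValue $PolicyKey 'MaxTicketExpiry'
        MaxTicketExpiryUnits = $unitName
        UnsolicitedEnabled   = ((Get-RegValue $PolicyKey 'fAllowUnsolicited') -eq 1)
        AuthorizedHelpers    = $helpers
    }
}

function Test-RemoteAssistancePortListening {
    # Remote Assistance listens on TCP 3389. netstat is parsed instead of
    # Get-NetTCPConnection so the check also works on older Windows versions.
    $listening = netstat -an | Where-Object { $_ -match '^\s*TCP\s+\S+:3389\s+\S+\s+LISTENING' }
    return [bool]$listening
}

function Set-RemoteAssistancePolicy {
    # Local-policy equivalent of: solicited assistance allowed, experts limited
    # to viewing, invitations valid for at most one hour, unsolicited offers off.
    # On a domain member, domain Group Policy overwrites these values at the
    # next refresh, so make the same settings in the GPO instead.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $values = @{
        fAllowToGetHelp      = 1
        fAllowFullControl    = 0   # view-only: the expert cannot change configuration
        MaxTicketExpiry      = 1
        MaxTicketExpiryUnits = 1   # hours (assumed encoding)
        fAllowUnsolicited    = 0
    }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$name", "set to $($values[$name])")) {
            Set-ItemProperty -Path $PolicyKey -Name $name -Value $values[$name] -Type DWord
        }
    }
}

# Audit the current state and list the findings an administrator would act on.
$cfg = Get-RemoteAssistanceConfig
$cfg | Format-List

$findings = @()
if ($cfg.SolicitedEnabled -and $cfg.ExpertFullControl) {
    $findings += 'Experts get full control; set Solicited Remote Assistance to view-only unless experts must change configuration.'
}
if ($cfg.SolicitedEnabled -and $null -eq $cfg.MaxTicketExpiry) {
    $findings += 'No policy-enforced maximum invitation lifetime; users choose their own.'
}
if ($cfg.UnsolicitedEnabled) {
    $findings += "Offer Remote Assistance is enabled for: $($cfg.AuthorizedHelpers -join ', '); confirm each entry is a current support group."
}
if (Test-RemoteAssistancePortListening) {
    $findings += 'TCP 3389 is listening; confirm the perimeter firewall blocks it unless assistance over the Internet is intended.'
}
if ($findings.Count -eq 0) { 'No Remote Assistance findings.' } else { $findings }
```

Run the script as-is to audit a computer; run `Set-RemoteAssistancePolicy -WhatIf` to see which policy values it would write, and without `-WhatIf` to apply them on a stand-alone computer. Because the settings live in the policy branch of the registry, a domain Group Policy object that configures Remote Assistance takes precedence, which is also why the audit reports whether the effective setting came from Group Policy or from the System Properties dialog box.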
Using Remote Desktop
While Remote Assistance is intended to enable users to obtain interactive help from other users, Remote Desktop is an administrative feature that enables users to access computers from remote locations, with no interaction required at the remote site.