Remote Desktop
Overview:
Terminal Services was first introduced in Windows NT 4.0 Terminal Server Edition. It was
significantly improved for Windows 2000 and Windows Server 2003. All versions
of Windows XP, except Home edition, also include a Remote Desktop server. Both the
underlying protocol and the service were again overhauled for Windows
Vista and Windows Server 2008.[3] Windows includes two client applications which utilize
terminal services: the first, Remote Assistance is available in all versions of Windows XP and
successors and allows one user to assist another user. The second, Remote Desktop, allows a
user to log in to a remote system and access the desktop, applications and data on the system
as well as control it remotely. However, this is only available in certain Windows editions.
These are Windows NT Terminal Server; subsequent Windows server editions, Windows XP
Professional, and Windows Vista Business, Enterprise and Ultimate. In the client versions of
Windows, Terminal Services supports only one logged in user at a time, whereas in the server
operating systems, concurrent remote sessions are allowed.
Microsoft provides the client software Remote Desktop Connection (formerly
called Terminal Services Client), available for most 32-bit versions of Windows,
including Windows Mobile, and Apple's Mac OS X, that allows a user to connect to a server
running Terminal Services. On Windows, both Terminal Services client and Remote Desktop
Protocol (RDP) use TCP port 3389 by default, which is editable[4] in the Windows registry. It
also includes an ActiveX control to embed the functionality in other applications or even a
web page.[5] A Windows CE version of the client software is also available.[1] Server versions
of Windows OSs also include the Remote Desktop for Administration client (a special mode
of the Remote Desktop Connection client), which allows remote connection to the
traditional session 0 console of the server. In Windows Vista and later this session is reserved
for services, and users always log on to a session numbered greater than 0. The server functionality is provided by
the Terminal Server component, which is able to handle Remote Assistance, Remote Desktop
as well as the Remote Administration clients.[1] Third-party developers have created client
software for other platforms, including the open source rdesktop client for
common Unix platforms.
Architecture:
The server component of Remote Desktop Services is Terminal Server (termdd.sys), which
listens on TCP port 3389. When an RDP client connects to this port, it is tagged with a
unique SessionID and associated with a freshly spawned console session (Session 0,
keyboard, mouse and character mode UI only). The login subsystem (winlogon.exe) and
the GDI graphics subsystem are then initiated, which handle the job of authenticating the user
and presenting the GUI. These executables are loaded in a new session, rather than the
console session. When creating the new session, the graphics and keyboard/mouse device
drivers are replaced with RDP-specific drivers: RdpDD.sys and RdpWD.sys.
RdpDD.sys is the display driver; it captures the UI rendering calls into a format that is
transmittable over RDP. RdpWD.sys acts as keyboard and mouse driver; it receives keyboard
and mouse input over the TCP connection and presents them as keyboard or mouse inputs. It
also allows creation of virtual channels, which allow other devices, such as disks, audio,
printers, and COM ports, to be redirected, i.e., the channels act as replacements for these
devices. The channels connect to the client over the TCP connection; as the channels are
accessed for data, the client is informed of the request, which is then transferred over the TCP
connection to the application. This entire procedure is done by the terminal server and the
client, with the RDP protocol mediating the correct transfer, and is entirely transparent to the
applications. By default, RDP communications are encrypted using 128-bit RC4. From Windows
Server 2003 onwards, a FIPS 140 compliant encryption scheme can be used instead.
Once a client initiates a connection and is informed of a successful invocation of the terminal
services stack at the server, it loads up the display driver as well as the keyboard/mouse drivers. The
UI data received over RDP is decoded and rendered as UI, whereas the keyboard and mouse
inputs to the window hosting the UI are intercepted by the drivers, and transmitted over RDP
to the server. It also creates the other virtual channels and sets up the redirection. RDP
communication can be encrypted using either low, medium or high encryption. With low
encryption, user input (outgoing data) is encrypted using a weak (40-bit RC4) cipher. With
medium encryption, UI packets (incoming data) are encrypted using this weak cipher as well.
With high encryption, the cipher is changed to 128-bit RC4. These three levels belong to the
legacy RDP security layer, which encrypts the stream but gives the client no way to verify
which server it is talking to; the TLS-based security introduced with RDP 5.2 and Network
Level Authentication from RDP 6.0 address that, and should be required wherever the clients
support them.
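As an added example (not part of the original page), the following PowerShell script audits the listener settings that the two preceding paragraphs describe: the port (the registry value the overview mentions as editable), the minimum encryption level, and whether the TLS security layer and Network Level Authentication are enforced. It reads the RDP-Tcp WinStation key on the local machine; the value names and their meanings are the documented ones for that key, and the -Fix switch is this example's own convention.

```powershell
param([switch]$Fix)   # -Fix applies the hardened values; run from an elevated prompt

# Listener configuration for the default RDP-Tcp WinStation. Value meanings:
#   PortNumber          TCP port the listener binds (3389 by default)
#   SecurityLayer       0 = legacy RDP Security Layer (RC4), 1 = negotiate, 2 = TLS required
#   UserAuthentication  0 = NLA off, 1 = Network Level Authentication required
#   MinEncryptionLevel  1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS 140
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Evaluate a hashtable of the four values and return one line per weakness found.
function Get-RdpListenerFindings {
    param([Parameter(Mandatory)][hashtable]$Cfg)
    $findings = @()
    if ($Cfg.PortNumber -ne 3389) {
        $findings += "PortNumber=$($Cfg.PortNumber): a non-default port hides nothing from a port scan"
    }
    if ($Cfg.SecurityLayer -lt 2) {
        $findings += "SecurityLayer=$($Cfg.SecurityLayer): legacy RDP security is allowed; the server identity is not authenticated"
    }
    if ($Cfg.UserAuthentication -ne 1) {
        $findings += "UserAuthentication=$($Cfg.UserAuthentication): NLA is off; unauthenticated clients reach the logon screen"
    }
    if ($Cfg.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($Cfg.MinEncryptionLevel): Low / Client Compatible permits 40- or 56-bit RC4"
    }
    return ,$findings
}

# Read the live values into a plain hashtable so the check is separable from the registry access.
$props = Get-ItemProperty -Path $key
$cfg = @{}
foreach ($name in 'PortNumber', 'SecurityLayer', 'UserAuthentication', 'MinEncryptionLevel') {
    $cfg[$name] = [int]$props.$name   # a missing value reads as 0 and is reported as weak
}

$findings = Get-RdpListenerFindings -Cfg $cfg
if ($findings.Count -eq 0) {
    Write-Output 'RDP-Tcp listener: TLS required, NLA required, High encryption.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

if ($Fix) {
    # TLS-only transport, NLA before the session is created, 128-bit minimum.
    Set-ItemProperty -Path $key -Name SecurityLayer      -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name MinEncryptionLevel -Value 3 -Type DWord
    # Existing sessions are dropped; new connections are accepted under the new policy.
    Restart-Service -Name TermService -Force
}
```

On a domain-joined host, Group Policy writes the same settings under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and those take precedence over the WinStation key, so a complete audit reads the policy key as well. Set-ItemProperty and Restart-Service need an elevated prompt.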
Terminal Server
Terminal Server is the server component of Terminal services. It handles the job of
authenticating clients, as well as making the applications available remotely. It is also
entrusted with the job of restricting the clients according to the level of access they have. The
Terminal Server respects the configured software restriction policies, so as to restrict the
availability of certain software to only a certain group of users. Remote session
information is stored in a specialized directory, called the Session Directory, which is kept at the
server. The session directory stores state information about sessions, and can be used
to resume interrupted sessions. The terminal server also has to manage this directory.
Terminal Servers can be used in a cluster as well.[1]
In Windows Server 2008, Terminal Server was significantly overhauled. If the user
logged on to the local system using a Windows Server Domain account, the credentials from
the same sign-on can be used to authenticate the remote session (single sign-on). However, this
requires Windows Server 2008 to be the terminal server OS, while the client OS is limited
to Windows Server 2008, Windows Vista and Windows 7. In addition, the terminal server
can provide access to only a single program, rather than the entire desktop, by means of a
feature named RemoteApp. Terminal Services Web Access (TS Web Access) makes a
RemoteApp session invocable from the web browser. It includes the TS Web Access Web
Part control which maintains the list of RemoteApps deployed on the server and keeps the list
up to date. Terminal Server can also integrate with Windows System Resource Manager to
throttle resource usage of remote applications.[3]
Terminal Services Gateway
The Terminal Services Gateway service component, also known as TS Gateway,
can tunnel the Remote Desktop Protocol session through an HTTPS channel.[7] This increases the
security of Remote Desktop Services by encapsulating the session with Transport Layer
Security (TLS).[8] It also allows Internet Explorer to be used as the RDP client, via the
embedded ActiveX control. Note that the gateway terminates the HTTPS tunnel and forwards
plain RDP to the terminal server on the internal network, so the inner session still needs its own
server authentication and Network Level Authentication; the gateway adds a perimeter
authentication and authorization point, it does not replace the session's own security settings.
This feature was introduced in the Windows Server 2008 and Windows Home
Server products.
It is important to note that at the time of writing (Nov 2010) there were no Mac OS or Linux clients that
supported connecting through a Terminal Services Gateway.
from these devices can be used by the remote applications as well.[3] RDC can also be used to
connect to WMC remote sessions; however, since WMC does not stream video using Remote
Desktop Protocol, only the applications can be viewed this way, not any media. RDC can also
be used to connect to computers, which are exposed via Windows Home
Server RDP Gateway over the Internet. The CTRL-ALT-END key combination sends CTRL-ALT-DEL
to the remote session, from which the remote computer can be locked, logged off or restarted.
RemoteApp
RemoteApp (or TS RemoteApp) is a special mode of Remote Desktop Services, available
only in Remote Desktop Connection 6.1 and above (with Windows Server 2008 being the
RemoteApp server), where a remote session connects to a specific application only, rather
than the entire Windows desktop. The RDP 6.1 client ships with Windows XP SP3,
KB952155 for Windows XP SP2 users,[11] Windows Vista SP1 and Windows Server 2008.
The UI for the RemoteApp is rendered in a window over the local desktop, and is managed
like any other window for local applications. The end result of this is that remote applications
behave largely like local applications. The task of establishing the remote session, as well as
redirecting local resources to the remote application, is transparent to the end user.[12] Multiple
applications can be started in a single RemoteApp session, each with their own windows.[13]
A RemoteApp can be packaged either as a .rdp file or distributed via an .msi Windows
Installer package. When packaged as an .rdp file (which contains the address of the
RemoteApp server, the authentication settings to be used, and other settings), a RemoteApp can
be launched by double clicking the file. It will invoke the Remote Desktop Connection client,
which will connect to the server and render the UI. The RemoteApp can also be packaged in
a Windows Installer database, installing which can register the RemoteApp in the Start
Menu as well as create shortcuts to launch it. A RemoteApp can also be registered as handler
for filetypes or URIs. Opening a file registered with RemoteApp will first invoke Remote
Desktop Connection, which will connect to the terminal server and then open the file. Any
application, which can be accessed over Remote Desktop, can be served as a RemoteApp.[12]
Windows 7 includes built-in support for RemoteApp publishing, but it has to be enabled
manually in the registry, since there is no RemoteApp management console in client versions of
Microsoft Windows.[14]
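Both the gateway settings described in the Terminal Services Gateway section and the RemoteApp settings described above are carried as plain name:type:value lines in the .rdp file that users double-click, so the file is the place to check what a launcher will do before it is distributed. The following PowerShell script is an added example, not code from the page or from Microsoft's RemoteApp tooling: it parses a constructed sample launcher, flags the settings that weaken server authentication, skip NLA, rely on stored credentials or redirect local drives, and writes a hardened copy. The host names in the sample are invented, and the policy table is this example's own choice of which settings to enforce.

```powershell
# Constructed sample: a RemoteApp launcher of the kind TS RemoteApp Manager exports,
# with TS Gateway settings filled in. Host names are made up for the example.
$SampleRdp = @'
full address:s:ts01.corp.example
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Calc
remoteapplicationname:s:Calculator
disableremoteappcapscheck:i:1
gatewayhostname:s:rdgw.example.com
gatewayusagemethod:i:1
authentication level:i:0
enablecredsspsupport:i:0
prompt for credentials:i:0
redirectdrives:i:1
'@

# Each .rdp line is name:type:value, with type i (integer), s (string) or b (binary blob).
function ConvertFrom-RdpText([string]$Text) {
    $settings = [ordered]@{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^(?<name>[^:]+):(?<type>[isb]):(?<value>.*)$') {
            $settings[$Matches.name] = @{ Type = $Matches.type; Value = $Matches.value }
        }
    }
    return $settings
}

# Settings whose weak value turns the launcher into a credential or data leak, and the
# value a hardened file carries instead (this example's policy, not a Microsoft default).
$Policy = [ordered]@{
    'authentication level'   = @{ Value = '1'; Why = '0 connects even when the server certificate fails validation, so a relayed session is accepted' }
    'enablecredsspsupport'   = @{ Value = '1'; Why = '0 disables Network Level Authentication' }
    'prompt for credentials' = @{ Value = '1'; Why = '0 relies on credentials saved or embedded in the file' }
    'redirectdrives'         = @{ Value = '0'; Why = '1 exposes every local drive to the remote program' }
}

# Return one finding per policy violation; an absent setting counts as the client default.
function Test-RdpLauncher([System.Collections.Specialized.OrderedDictionary]$Settings) {
    $findings = @()
    foreach ($name in $Policy.Keys) {
        $current = if ($Settings.Contains($name)) { $Settings[$name].Value } else { '(absent)' }
        if ($current -ne $Policy[$name].Value) {
            $findings += "${name}:i:$current -> $($Policy[$name].Why)"
        }
    }
    if ($Settings.Contains('password 51')) {
        $findings += 'password 51:b present: a DPAPI-encrypted password travels with the file and works for anyone running as the same user on the same machine'
    }
    return ,$findings
}

# Build the hardened text: keep everything except a stored password, then force the policy values.
function ConvertTo-HardenedRdpText([System.Collections.Specialized.OrderedDictionary]$Settings) {
    $out = [ordered]@{}
    foreach ($entry in $Settings.GetEnumerator()) {
        if ($entry.Key -ne 'password 51') { $out[$entry.Key] = $entry.Value }
    }
    foreach ($name in $Policy.Keys) { $out[$name] = @{ Type = 'i'; Value = $Policy[$name].Value } }
    return ($out.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value.Type):$($_.Value.Value)" }) -join "`r`n"
}

$parsed = ConvertFrom-RdpText $SampleRdp
Test-RdpLauncher $parsed | ForEach-Object { Write-Warning $_ }
$hardened = ConvertTo-HardenedRdpText $parsed
# mstsc reads UTF-16LE .rdp files, which is also the encoding it writes itself.
Set-Content -Path 'Calculator.rdp' -Value $hardened -Encoding Unicode
```

The program alias after the `||` in remoteapplicationprogram is only a request: whether the server honours it is decided by the RemoteApp allow list on the terminal server, which is the control that matters when users can edit the file.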
Windows Desktop Sharing
Windows Vista onwards, Terminal Services also includes a multi-party desktop sharing
capability known as Windows Desktop Sharing. Unlike Terminal Services, which creates a
new user session for every RDP connection, Windows Desktop Sharing can host the remote
session in the context of the currently logged in user without creating a new session, and
make the Desktop, or a subset of it, available over Remote Desktop Protocol.[15] Windows
Desktop Sharing can be used to share the entire desktop, a specific region, or a particular
application.[16] Windows Desktop Sharing can also be used to share multi-monitor desktops.
When sharing applications individually (rather than the entire desktop), the windows are
managed (whether they are minimized or maximized) independently at the server and the
client side.[16]
The functionality is only provided via a public API, which can be used by any application to
provide screen sharing functionality. The Windows Desktop Sharing API exposes two
objects: RDPSession for the sharing session and RDPViewer for the viewer. Multiple viewer
objects can be instantiated for one Session object. A viewer can either be a passive viewer,
who is just able to watch the application like a screen cast, or an interactive viewer, who is
able to interact in real time with the remote application.[15] The RDPSession object contains
all the shared applications, represented as Application objects, each with Window objects
representing their on-screen windows. Per-application filters capture the application windows
and package them as Window objects.[17] A viewer must authenticate itself before it can
connect to a sharing session. This is done by generating an Invitation using
the RDPSession. It contains an authentication ticket and password. The object
is serialized and sent to the viewers, who need to present the Invitation when connecting.[15][17]
Because the Invitation and its password are all a viewer needs, they have to be delivered over a
channel the sharer trusts: anyone who obtains them can join the session with whatever control
level (passive or interactive) the invitation grants.
Windows Desktop Sharing API is used by Windows Meeting Space for providing application
sharing functionality among peers; however, the application does not expose all the features
supported by the API.[16] It is also used by Remote Assistance.
Remote Desktop Protocol:
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft,
which concerns providing a user with a graphical interface to another computer. The protocol
is an extension of the ITU-T T.128 application sharing protocol. Clients exist for most
versions of Microsoft Windows (including Windows Mobile), Linux, Unix, Mac OS
X, Android, and other modern operating systems. By default the server listens
on TCP port 3389.
Microsoft currently refers to their official RDP server software as Remote Desktop Services,
formerly "Terminal Services". Their official client software is currently referred to as Remote
Desktop Connection, formerly "Terminal Services Client".
Every Windows version beginning with Windows XP includes an installed Remote Desktop
Connection (RDC) ("Terminal Services") client (mstsc.exe) whose version is determined by
that of the operating system or last applied Windows Service Pack. The Terminal Services
server is supported as an official feature on Windows NT 4.0 Terminal Server
Edition, Windows 2000 Server, all editions of Windows XP except Windows XP Home
Edition, Windows Server 2003, Windows Home Server, on Windows Fundamentals for
Legacy PCs, in Windows Vista Ultimate, Enterprise and Business editions, Windows Server
2008 and Windows Server 2008 R2 and on Windows 7 Professional and above.
Microsoft provides newer clients for down-level operating systems, but not newer servers.
Consequently, the features introduced with each newer RDP version are available on an
older operating system only when it acts as the client and connects to a server running the
newer version, not when the RDP server built into the older operating system is used.
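Which security layer a session ends up with is settled in the first exchange on port 3389, before any of the version-specific features listed below come into play. The following PowerShell script is an added example, not code from the page or from Microsoft: it performs that exchange against a live server to learn what it will accept, sending the X.224 Connection Request with an RDP_NEG_REQ as defined in MS-RDPBCGR and decoding the Connection Confirm that comes back. The host name and port are parameters, and the interpretation strings are this example's own wording.

```powershell
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [int]$Port = 3389
)

# requestedProtocols / selectedProtocol bit values from RDP_NEG_REQ and RDP_NEG_RSP.
$ProtocolNames = @{ 0 = 'legacy RDP Security Layer'; 1 = 'TLS'; 2 = 'CredSSP (NLA)';
                    4 = 'RDSTLS'; 8 = 'CredSSP with Early User Authorization' }
# failureCode values from RDP_NEG_FAILURE.
$FailureNames  = @{ 1 = 'SSL_REQUIRED_BY_SERVER'; 2 = 'SSL_NOT_ALLOWED_BY_SERVER'; 3 = 'SSL_CERT_NOT_ON_SERVER';
                    4 = 'INCONSISTENT_FLAGS'; 5 = 'HYBRID_REQUIRED_BY_SERVER'; 6 = 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER' }

# Client X.224 Connection Request PDU: TPKT header, X.224 CR TPDU, then an
# RDP_NEG_REQ (type 0x01, flags, length 8, requestedProtocols as a little-endian DWORD).
function New-RdpConnectionRequest([uint32]$RequestedProtocols) {
    $neg  = [byte[]](0x01, 0x00, 0x08, 0x00) + [BitConverter]::GetBytes($RequestedProtocols)
    $x224 = [byte[]](0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00) + $neg   # LI=14, CR-CDT, dst-ref, src-ref, class 0
    $tpkt = [byte[]](0x03, 0x00, 0x00, [byte](4 + $x224.Length))       # version 3, reserved, big-endian length (19)
    return [byte[]]($tpkt + $x224)
}

# Server X.224 Connection Confirm PDU: same framing with CC-CDT 0xD0, followed by an
# optional 8-byte RDP_NEG_RSP (0x02, selectedProtocol) or RDP_NEG_FAILURE (0x03, failureCode).
function Read-RdpConnectionConfirm([byte[]]$Bytes) {
    if ($Bytes.Length -lt 11 -or $Bytes[0] -ne 0x03 -or $Bytes[5] -ne 0xD0) {
        return 'no X.224 Connection Confirm: not an RDP listener, or the connection was dropped'
    }
    if ($Bytes.Length -lt 19) {
        return 'Connection Confirm without negotiation data: pre-5.2 server, legacy security only'
    }
    $value = [int][BitConverter]::ToUInt32($Bytes, 15)
    switch ($Bytes[11]) {
        2       { return "accepted, selectedProtocol=$value ($($ProtocolNames[$value]))" }
        3       { return "refused, failureCode=$value ($($FailureNames[$value]))" }
        default { return "unknown negotiation structure type $($Bytes[11])" }
    }
}

# One TCP round trip: send the request, return whatever the server answers (at most 64 bytes).
function Invoke-RdpNegotiation([string]$Target, [int]$TcpPort, [uint32]$RequestedProtocols) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Target, $TcpPort)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $req = New-RdpConnectionRequest $RequestedProtocols
        $stream.Write($req, 0, $req.Length)
        $buf = New-Object byte[] 64
        $n = $stream.Read($buf, 0, $buf.Length)
        if ($n -le 0) { return [byte[]]@() }
        return [byte[]]$buf[0..($n - 1)]
    } finally {
        $client.Close()
    }
}

# Probe 1: ask for legacy RDP security only. An RDP_NEG_RSP here means the host still
# talks the RC4 security layer, whose server identity a client cannot verify.
$legacy = Invoke-RdpNegotiation $ComputerName $Port 0
Write-Output "legacy RDP requested: $(Read-RdpConnectionConfirm $legacy)"

# Probe 2: offer TLS and CredSSP. selectedProtocol 2 means NLA is in force; 1 means TLS
# without NLA, so the logon screen is reachable before any credential is checked.
$modern = Invoke-RdpNegotiation $ComputerName $Port 3
Write-Output "TLS|CredSSP requested: $(Read-RdpConnectionConfirm $modern)"
```

A hardened server answers the first probe with failureCode 5 (HYBRID_REQUIRED_BY_SERVER) or 1, and the second with selectedProtocol 2; a server that answers the first probe with selectedProtocol 0 still accepts the legacy security layer regardless of what it offers modern clients.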
Version 4.0
Based on the ITU-T T.128 application sharing protocol (during draft also known as
"T.share") from the T.120 recommendation series, the first version of RDP (named version
4.0) was introduced by Microsoft with "Terminal Services", as a part of their
product Windows NT 4.0 Server, Terminal Server Edition. The Terminal Services Edition of
NT 4.0 relied on Citrix's MultiWin technology, previously provided as a part of Citrix
WinFrame atop Windows NT 3.51, in order to support multiple users and login sessions
simultaneously. Microsoft required Citrix to license their MultiWin technology to Microsoft
in order to be allowed to continue offering their own terminal services product, then named
Citrix MetaFrame, atop Windows NT 4.0. The Citrix-provided DLLs included in Windows NT
4.0 Terminal Services Edition still carry a Citrix copyright rather than a Microsoft copyright.
Later versions of Windows integrated the necessary support directly.
Version 5.0
Introduced with Windows 2000 Server; it added support for a number of features,
including printing to local printers, and aimed to improve network bandwidth usage.
Version 5.1
Introduced with Windows XP Professional; it included support for 24-bit color and
sound. The client is available for Windows 2000, Windows 9x and Windows NT 4.0.[3] With this
version, the name of the client was changed from Terminal Services Client to Remote
Desktop Connection.
Version 5.2
Introduced with Windows Server 2003; it included support for console mode
connections, a session directory, and local resource mapping. It also introduced Transport
Layer Security (TLS) 1.0 for server authentication and to encrypt terminal server
communications.[4] This version is built into Windows XP Professional x64 Edition and
Windows Server 2003 x64 Editions.
Version 6.0
Introduced with Windows Vista; it incorporated support for Windows Presentation
Foundation applications, Network Level Authentication, multi-monitor spanning and large
desktop support, and support for TLS 1.0 connections. The version 6.0 client is available for
Windows XP SP2, Windows Server 2003 SP1/SP2 (x86 and x64 editions) and Windows XP
Professional x64 Edition.
Version 6.1
It was released in February 2008 and is included with Windows Server 2008, as well as with
Windows Vista Service Pack 1. The client is included with Windows XP Service Pack 3. It is
also installable through KB952155 for Windows XP SP2. In addition to changes related to
how a remote administrator connects to the "console", this version incorporates new
functionality introduced in Windows Server 2008, such as connecting remotely to individual
programs and a new Terminal Services Easy Print driver, a new client-side printer redirection
system that makes the client's full print capabilities available to applications running on the
server, without having to install print drivers on the server.
Version 7.0
It was released to manufacturing in July 2009 and is included with Windows Server 2008 R2, as
well as with Windows 7. With this release, the server name was also changed from Terminal
Services to Remote Desktop Services. This version incorporates new functionality such as
Windows Media Player redirection, bidirectional audio, true multimonitor support, Aero glass
support, enhanced bitmap acceleration (which improves user experience over high latency
network connections), Easy Print redirection, Language Bar docking. The RDP 7.0 client is
available on Windows XP SP3 and Windows Vista SP1/SP2. RDP 6.1 client and RDP 7.0
client are not supported on Windows Server 2003 x86 and Windows Server 2003 / Windows
XP Professional x64 editions. RDP 7.0 clients also do not support connecting to terminal
servers running Windows 2000 Server.
Most RDP 7.0 features like Aero glass remoting, bidirectional audio, Windows Media Player
redirection, true multiple monitor support, Remote Desktop Easy Print are only available in
Windows 7 Enterprise or Ultimate editions.
Features:
32-bit color support. 8-, 15-, 16-, and 24-bit color are also supported.
128-bit encryption, using the RC4 encryption algorithm, as of version 6. Older
implementations, and any server still negotiating the legacy RDP security layer, suffer from a
man-in-the-middle vulnerability: the server's public key arrives in a proprietary certificate that
the client cannot meaningfully verify, so an attacker on the path can substitute its own key, relay
the connection and decrypt both streams. Requiring the TLS security layer (RDP 5.2 and later)
together with Network Level Authentication (RDP 6.0 and later) closes this.
Audio Redirection allows users to run an audio program on the remote desktop and
have the sound redirected to their local computer.
File System Redirection allows users to use their local files on a remote desktop
within the terminal session.
Printer Redirection allows users to use their local printer within the terminal session
as they would with a locally or network shared printer.
Port Redirection allows applications running within the terminal session to access
local serial and parallel ports directly.
The clipboard can be shared between the remote computer and the local computer.
Seamless Windows: remote applications can run on a client machine that is served by
a Remote Desktop connection. It uses the virtual channel method, and has been available since RDP 5.
RemoteFX: RemoteFX provides virtualized GPU support and host side encoding and
is being shipped as part of Windows Server 2008 R2 SP1.
The following features were introduced with the release of RDP 6.0 in 2006:
There are numerous non-Microsoft implementations of RDP clients and servers. The open-
source command-line client rdesktop is the most commonly-used backend for the Remote
Desktop Protocol on Linux/Unix operating systems. There are many GUI clients,
like tsclient and KRDC, which are built on top of rdesktop. In 2009, rdesktop was forked
as FreeRDP, a new project aiming at modularizing the code, addressing various issues, and
implementing new features. The current most popular front-end to FreeRDP is Remmina.
Overview:
It can also be explained as remote control of a computer by using another device connected
via the internet or another network. This is widely used by many computer manufacturers and
large businesses' help desks for technical troubleshooting of their customers' problems.
Windows XP, Vista, and Server 2003/2008 include Remote Desktop Services; Apple
includes Screen Sharing with Mac OS X but sells its Apple Remote Desktop separately. There
are various professional third-party, open source and freeware remote desktop applications,
some of which are cross-platform across various versions of Windows, Mac, and
UNIX/Linux/BSD.
FogCreek-like solution. There are also many open-source solutions,
including FreeRDP, TightVNC, and quite a few others.
How it Works:
The controlling computer displays a copy of the image received from the
controlled computer's display screen. The copy is updated on a timed interval, or when a
change on screen is noticed by the remote control software. The software on the controlling
computer transmits its own keyboard and mouse activity to the controlled computer, where
the remote control software implements these actions. The controlled computer then behaves
as if the actions were performed directly at that computer. In many cases the local display and
input devices can be disabled so that the remote session cannot be viewed or interfered with.
The quality, speed and functions of any remote desktop protocol are based on the system
layer where the graphical desktop is redirected. Software such as PC Anywhere, VNC and
others use the top software layer to extract and compress the graphic interface images for
transmission. Other products such as Microsoft RDP, Graphon GO-Global and others use a
kernel driver level to construct the remote desktop for transmission.
Uses:
A main use of remote desktop software is remote administration. It can also be used for
"headless computers": instead of each computer having its own monitor, keyboard, and
mouse, or using a KVM switch, a monitor, keyboard and mouse can be attached to one
computer with remote control software, and headless computers controlled by it. The
duplicate desktop mode is useful for user support and education. Remote control software
combined with telephone communication can be nearly as helpful for novice computer-users
as if the support staff were actually there.
Since the advent of cloud computing, remote desktop software can be housed on USB
hardware devices, allowing users to connect the device to any PC connected to their network
or the Internet and recreate their desktop via a connection to the cloud. This model avoids one
problem with remote desktop software, which requires the local computer to be switched on
at the time when the user wishes to access it remotely. (It is possible with a router with C2S
VPN support, and Wake on LAN equipment, to establish a virtual private network (VPN)
connection with the router over the Internet if not connected to the LAN, switch on a
computer connected to the router, then connect to it.) The common name for USB devices
with the capacity to remotely recreate a user's desktop is "secure portable office".[1]
Malicious use
Remote control software is also used maliciously. Since 2008 a common pattern has been that someone is
telephoned at random by a caller claiming to be from Microsoft. The victim might be told that
a virus has been detected originating on their machine, or offered a free checkup. They will
be asked to install remote control software, often TeamViewer as it is very easy to use. This
gives the attacker full control, and they can do anything they want. Typically they will do
things which imply that the system is not working properly, e.g. by displaying alarming
messages, then demand payment to resolve the "problem". It is also possible
for Trojan software to be installed to recruit the machine to a botnet.
Terminology Used
Listening mode: where the server connects out to a viewer (a reverse connection). The server site does not have to
configure its firewall/NAT to allow inbound access on the VNC port 5900 (or 5800 for the browser-based viewer); the onus is on the
viewer, which is useful if the server site has no computer expertise, while the viewer user
would be expected to be more knowledgeable.
Audio Support: the remote control software transfers audio signals across the
network and plays the audio through the speakers attached to the local computer. For
example, music playback software normally sends audio signals to the locally-attached
speakers, via some sound controller hardware. If the remote control software package
supports audio transfer, the playback software can run on the remote computer, while the
music can be heard from the local computer, as though the software were running locally.
Built-in Encryption: the software has at least one method of encrypting the data
between the local and remote computers, and the encryption mechanism is built into the
remote control software.
File Transfer: the software allows the user to transfer files between the local and
remote computers, from within the client software's user interface.
Seamless Window: the software allows an application to be run on the server, and
just the application window to be shown on the client's desktop. Normally the remote user
interface chrome is also removed, giving the impression that the application is running on
the client machine.
Remote Assistance: remote and local users are able to view the same screen at the
same time, so the remote user can assist a local user.
Access Permission Request: local user should approve a remote access session start.
NAT Passthrough: the ability to connect to a server behind a NAT without
configuring the router's port forwarding rules. This is an advantage when you cannot
configure the router (for example, it is on the Internet service provider's side), but it is a serious
security risk unless the traffic is end-to-end encrypted, because all the traffic passes
through a relay (proxy) server which in most cases is operated by the remote access application's
vendor, who can then read or modify the session.