Some organizations have embraced Windows Remote Assistance as a valuable tool for desktop support, but several of these environments are now experiencing problems with this feature. Given the differing opinions on Windows Remote Assistance, is it possible to determine whether this feature is a friend or foe?
I am tempted to classify Windows Remote Assistance as a nuisance, simply because, like every other IT professional I know, I have friends and family who think of me as their personal tech-support line. The fact that I can provide those people with remote assistance has only increased the number of support calls that I receive. However, setting aside any personal bias, from an enterprise support standpoint, I don't think that there is anything inherently evil about the feature.
So what about all of those people who have told me about the problems that Windows Remote Assistance has caused in their organizations? I have heard stories of corporate users bypassing the help desk and seeking remote assistance from friends who may not even work for the same company. These stories rarely have happy endings. Sensitive data can be exposed through a Remote Assistance session, and simple problems can be made worse by a well-intentioned friend who is a self-professed computer expert.
But a closer look at these anecdotes reveals that Windows Remote Assistance itself is not the problem: The problem is that Windows has not been properly secured, allowing users to seek help from sources other than the help desk. Thus, the "helper" can wreak havoc on a corporate desktop.
To avoid such problems, adhere to Microsoft's recommended best practices for desktop security. It is equally important, however, to configure Windows Remote Assistance in a way that prevents it from being abused.
Restricting access with Group Policy
Although Microsoft doesn't offer many options for configuring Windows Remote Desktop, you can use some Group Policy settings to gain control over how it can be used in your organization. These Group Policy settings can all be found in the Group Policy Editor at Computer Configuration | Administrative Templates | System | Remote Assistance.
The first setting to use is Allow Only Vista or Later Connections. Essentially, this setting is designed to improve security by preventing Windows XP users from using Windows Remote Assistance. Microsoft offers this capability because the Windows XP version of the feature used relatively weak encryption. Note, however, that this setting does not affect Remote Assistance connections that are initiated by instant messaging contacts. Also unaffected is assistance based on unsolicited offers, discussed in further detail below.
The next policy setting that's available is Turn On Session Logging. As the name implies, it allows computers to keep a log of Remote Assistance-related activity. The actual tasks that are performed during a Remote Assistance session are not recorded, but Windows does keep track of any Remote Assistance sessions that are established.
The third Group Policy setting has nothing to do with security. Optimize Settings For Reduced Bandwidth is designed to conserve network bandwidth by doing things like disabling the Windows background or reducing the color depth during a Remote Assistance session.
You can use the Customize Warning Messages setting to display a warning before a user asks someone for help or before a user accepts a connection to his computer. You could clearly indicate the corporate policy regarding the use of Remote Assistance as well as the consequences of violating that policy.
The next setting on the list is the Solicited Remote Assistance setting, which refers to a situation in which a user asks for help via a Remote Assistance session. You can prevent users from asking for help, allow users to receive help via Remote Assistance or allow Remote Assistance sessions in which the helper only has the ability to view (but not interact with) the remote desktop.
The final setting is Offer Remote Assistance. This setting controls Remote Assistance sessions that a user did not specifically request. Not only can you enable or disable unsolicited remote assistance; you can also compile a list of the users who are allowed to provide unsolicited assistance.
Your options for locking down Windows Remote Assistance are limited. If your goal is to prevent users from receiving unauthorized "help" from friends or family, then your best bet is to prevent solicited remote assistance. That way, users are not allowed to send Remote Assistance invitations. Instead, the user should call the help desk. You can give the help desk staff permission to offer "unsolicited" remote assistance to users who ask for it by phone.
ABOUT THE AUTHOR
Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award seven times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and health care facilities and was once a network administrator for Fort Knox. You can visit his personal website at www.brienposey.com.
This was first published in September 2010