|Windows Vista's little surprises
By Mark Minasi
Have a look inside Windows security guru Mark Minasi's latest book, Administering Windows Vista Security: The Big Surprises, with this excerpt from Chapter 1, "Administering Vista Security: The Little Surprises."
At first glance, Remote Desktop for Vista looks pretty much identical to RD on XP. But a slightly closer look shows a small but important change in security. You can see this in the Remote tab of the System property page. Get to it like so:
- Click the Start button.
- In the resulting menu, right-click Computer and choose Properties.
- In the Control Panel page that appears, look at the Tasks list on the left-hand side of the page. Choose "Remote settings." You'll see a property page like Figure 1.6.
As I said, this looks similar to the corresponding page in XP, but notice that instead of two options—"enable or disable remote desktop"—there is a third offering, "Allow connections only from computers running Remote Desktop with Network Level Authentication."
To understand this, think about what's happened every time you've tried to use Remote Desktop to remote into a system. You start up the Remote Desktop Connection (RDC) app in XP or 2003 and tell the app to connect you to some system. RDC goes out and, assuming that Remote Desktop's enabled for that system and they've got their firewall set up so that people can remote in, you get a logon screen from the remote system. Now, from the point of view of a particularly paranoid security person, this is interesting: you haven't authenticated to this system yet, but it's responded to your command for its attention nonetheless. In other words, Remote Desktop is a little bit more trusting than it could be, as the sequence of events (1) request a Remote Desktop connection from the remote system, (2) the remote system stops what it's doing and creates a remote session to your computer, and (3) you log on.
By choosing the new third setting under Remote Desktop, you tell Remote Desktop to switch steps (2) and (3). When you try to log onto a remote system that supports this approach, which Microsoft calls "Network Level Authentication," you don't see a remote standard Windows logon dialog sitting atop a remote desktop; instead, you get a dialog box like the one in Figure 1.7.
But does this mean that a Network Level Authentication logon only works against Vista systems at the moment? Apparently yes. As I write this in September 2006, Microsoft has released a package called "Remote Desktop Connection 6.0" for XP SP2, 2003 SP1, and the x64 versions of XP and 2003. They did not release it to the general public, and it was only available from Microsoft's beta software site, but I'd be surprised if it weren't either generally available with Vista's release, or might even end up on the Vista DVD. But even with this updated RDP client, you cannot do a Network Level Authentication against a Vista system or, if you can, I've not figured out how.
What if you still want older systems to be able to remote into your system, but you'd like any Vista systems trying to log in to use Network Level Authentication? Then choose the second radio button. Vista clients will still use Network Level Authentication even if the Vista system they're remoting into doesn't require it. Is it a bad idea to enable the second radio button? Well, of course. On the one hand, enabling it means that you can RD into your Vista box from a wider variety of clients; on the other hand, the whole point of Network Level Authentication was to lessen the chance that someone could tie up your computer's CPU with bogus attempts at Remote Desktop sessions, and the second radio button leaves open that possibility. Once again, security and compatibility are sometimes tradeoffs.
Oh, hey, I almost forgot my favorite new Remote Desktop feature. You can cut and paste files across a Remote Desktop connection. Want to deliver a folder from your desktop to the computer that you're remoting into? Just right-click it, choose Copy, and then left-click on some folder in the remote system, right-click, and choose Paste. Quite nice, although as far as I can see, the revised RDP client for XP and 2003 doesn't support this. The revised RDP client looks as if it'll manage that drag and drop, but when you drop, nothing happens.
SearchWindowsSecurity.com also features excerpts from chapter eight, "Locking Up the Ports: Windows Firewall", of Mark Minasi's book, "Mastering Windows Server 2003 Upgrade Edition for SP1 and R2."
|Mark Minasi is a best-selling author, commentator and all-around alpha geek. Mark is best known for his books in the Mastering Windows series. What separates him from others is that he knows how to explain technical things to normal humans, and make them laugh while doing it. Mark's firm, MR&D, is based in Pungo, a town in Virginia's Tidewater area that is distinguished by having one -- and only one -- traffic light.
Copyright 2005 TechTarget