Remote Assistance and Resulting Internet Communication in Windows Vista

In This Section

Benefits and Purposes of Remote Assistance

Overview: Using Remote Assistance in a Managed Environment

How Remote Assistance Communicates Through the Internet

Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet

Procedures for Controlling or Disabling Remote Assistance

Note that this section describes three different ways that Remote Assistance can work:

  • Remote Assistance through instant messaging (designed more for a home scenario than an enterprise scenario).

  • Solicited Remote Assistance (a user sends an invitation, through e-mail or as a file, to a person who can provide assistance).

  • Offer Remote Assistance within a domain setting (a designated set of people, such as support professionals, offer assistance to users).

Benefits and Purposes of Remote Assistance

With Windows Vista, a user can use Remote Assistance to get help from a member of the organization's support staff. Remote Assistance provides a convenient way for a helper to connect to a computer and to show the user a solution to the problem. The helper would typically connect to Windows Vista from another computer running Windows Vista.

After the user and helper are connected and the Remote Assistance session begins, both can view the user’s computer screen, communicate in real time about what they see, send files, and use the mouse and keyboard to work on the user’s computer.

Multiple protections are built into Remote Assistance:

  • Remote Assistance sessions use the Remote Desktop Protocol (RDP), and they are encrypted.

  • The user must consent before the assistance can begin, regardless of how the Remote Assistance process begins (through instant messaging, through an invitation sent through e-mail or delivered as a file, or through Offer Remote Assistance).

  • A user inviting assistance (through instant messaging or by sending e-mail or a file) must set up a password of at least six characters that the helper must type before assistance can begin.

  • The user can stop the Remote Assistance session at any time.

  • Through Remote settings (Advanced button) in Control Panel\System and Maintenance\System, you can set the maximum amount of time that a Remote Assistance invitation can remain open.

One way to start the Windows Remote Assistance Wizard is through Start\Help and Support\Use Windows Remote Assistance to get help from a friend or offer help. Another way is through Start\All Programs\Maintenance\Windows Remote Assistance. The Remote Assistance Wizard guides the user through the process of creating an e-mail or file invitation for remote assistance, and then setting up a password for the session. Similarly, the wizard guides the helper through the process of offering remote assistance to a specific computer (identified by name or IP address).

The following sections provide more detail, including information about the three types of Remote Assistance: instant-message-based Remote Assistance, Solicited Remote Assistance where the invitation is sent as an e-mail or delivered as a file, and Offer Remote Assistance (used within a domain).

Overview: Using Remote Assistance in a Managed Environment

In a managed environment, a firewall on your organization’s network will likely prevent those outside your network from connecting directly to a computer on your network (blocking Remote Assistance connections that are inbound to computers behind the firewall). However, for additional protection, you can also control Remote Assistance, either by disabling all types of Remote Assistance or by allowing only certain types. For example, by allowing only Offer Remote Assistance within your domain, you could specify a list of support professionals in your organization who can offer assistance. Only the people on that list would be able to assist users through Remote Assistance. (Offer Remote Assistance only works within a domain environment.)

For a list of Group Policy settings that are relevant for controlling Remote Assistance in a managed environment, see "Using Group Policy to Control Remote Assistance," later in this section.

The Remote Assistance Invitation and the Remote Assistance Session

There are two stages to the Remote Assistance process:

  • Establishing communication between the two computers: This is when an invitation or "ticket" is sent from one computer to another and the computers establish communication.

    For a description of how communication can be established between the two computers, see "Types of Assistance Included in Remote Assistance," later in this section.

  • Conducting the Remote Assistance session itself: This is when the helper actually views or changes the configuration on the user's computer.

For more information about the communication in these processes, see "How Remote Assistance Communicates Through the Internet," later in this section.

Types of Assistance Included in Remote Assistance

When choosing among ways of controlling Remote Assistance, consider the types of assistance included in Remote Assistance in Windows Vista. The following list briefly describes each type. Details about controlling them are provided later in this section.

Note

The types of Remote Assistance refer to how the Remote Assistance session is initiated. For all types, the person receiving assistance must consent before assistance can begin.

  • Instant-message-based Remote Assistance: Both the person seeking assistance and the person who gives assistance must be using instant-messaging software based on the Rendezvous API (for example, Windows Live Messenger 8.0). A person seeking assistance can select a buddy from his or her list and ask that person to provide Remote Assistance.

  • Solicited Remote Assistance where an invitation is sent by e-mail or delivered as a file: A user on a computer running Windows Vista sends an invitation, through e-mail or as a file, to a person who can provide assistance.

  • Offer Remote Assistance: For Offer Remote Assistance to work, a certain amount of configuration is necessary, and the computers must be within a domain. With Offer Remote Assistance, you (the system administrator) determine who can offer remote assistance to the computer running Windows Vista.

For more information, see "Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet" and "Procedures for Controlling or Disabling Remote Assistance," later in this section.

Windows Firewall Settings in Relation to Remote Assistance

Windows Firewall is on by default in Windows Vista. Windows Firewall includes a number of exceptions that can be chosen from a list, including an exception for Remote Assistance. Enabling the Remote Assistance exception has different effects, depending on which network location the computer is using at a given time:

  • Private network: This is intended for home or small office networks, and it is therefore less restrictive than the public network location. For a private network, network discovery is on by default. Network discovery is the ability of a computer to recognize or be recognized by computers and other devices on the network.

  • Public network: This is intended for networks in public places (such as coffee shops or airports). The public network location is intended to be more restrictive to help keep the computers secure. For a public network, network discovery is off by default.

  • Domain network: This is automatically applied when a computer is joined to a domain (and is connected to that domain). For a domain network, network discovery is on by default.

The following table lists the network categories and describes how the Remote Assistance exception in Windows Firewall works in each network location:

Network Location | Remote Assistance Exception in Windows Firewall

Private

  • Remote Assistance exception is enabled by default, which means:

Public

  • Remote Assistance exception is disabled by default.

  • If the exception for Remote Assistance is enabled:

Domain

  • Remote Assistance exception is disabled by default.

  • If the exception for Remote Assistance is enabled:

    • Port 135 TCP is opened (for DCOM for Offer Remote Assistance).

    • systemroot\System32\msra.exe (for both Offer Remote Assistance and Solicited Remote Assistance) can communicate through the firewall.

    • systemroot\System32\raserver.exe (for Offer Remote Assistance) can communicate through the firewall.

How Remote Assistance Communicates Through the Internet

In Windows Vista, Remote Assistance can be initiated through an option that is displayed in Help and Support, but Remote Assistance actually runs standalone, not within the software for Help and Support. The following information presents additional details on how Remote Assistance can communicate through the Internet:

  • Specific information sent or received: Information that is transmitted in a Remote Assistance ticket includes user name, IP address, and computer name. Information transmitted during a Remote Assistance session depends on the features being used (for example, screen sharing and file transfer), and it is sent in real time using point-to-point connections.

    Note that in Solicited Remote Assistance, when a user creates an e-mail invitation for Remote Assistance, the e-mail uses the SMAPI (Simple MAPI) standard, which means the invitation is attached to the e-mail message.

  • Default settings: By default, the user can start the Remote Assistance Wizard. Also, by default, Offer Remote Assistance is not enabled.

    Default settings for Windows Firewall also have important effects on Remote Assistance as described in "Windows Firewall Settings in Relation to Remote Assistance," earlier in this section. However, note that the Remote Assistance Wizard senses whether Windows Firewall is using settings that block Remote Assistance. If this is the case, the Remote Assistance Wizard allows the user to begin selecting options, but then displays a notification that Windows Firewall is blocking it and provides the user with information about unblocking (opening Windows Firewall and selecting Remote Assistance as an exception).

    Regardless of any other settings, users can always prevent someone from connecting to their computer by declining prompts to begin a Remote Assistance session.

    For additional information about a default setting, see "Encryption" in this list.

  • Triggers: With Solicited Remote Assistance, a user establishes contact with the helper by sending an invitation through e-mail, by saving an invitation as a file and transferring it manually (such as on a floppy disk), or through compatible instant-messaging software. To be compatible, instant-messaging software must use the Rendezvous API (an example is Windows Live Messenger 8.0).

    With Offer Remote Assistance, a support professional or other helper offers unsolicited assistance to a user (which the user can decline). The person offering the assistance must be an administrator or must be on an Offer Remote Assistance list configured for the user's computer.

  • User notification: Whether assistance is solicited or unsolicited, the user is notified of the offer of assistance from the support professional or other helper. The user must accept the invitation before the helper can see the user's computer. Then, before the helper can make configuration changes on the user's computer, the user is asked whether to allow this. (Remote Assistance can also be configured to allow the helper to view but not make changes on the user's computer.)

  • Logging: On the computer running Windows Vista, Remote Assistance records events in the System log in Event Viewer and in files in the path \Users\user name\Documents\Remote Assistance Logs.

    Events such as a user initiating a connection or a user accepting or rejecting an invitation are recorded in the Remote Assistance logs, and the details include taking and releasing control, sending and accepting files, and ticket creation and deletion. Remote Assistance also records details such as whether assistance is solicited or unsolicited as well as detailed user name and IP address information.

  • Encryption: The Remote Desktop Protocol (RDP) encryption algorithm is used. The RDP encryption algorithm is RC4 128-bit.

Note

One item in the Remote Assistance invitation (for Solicited Remote Assistance) that is not encrypted in some cases is a clear-text IP address. This clear-text IP address is included by default, for compatibility with Windows XP. However, you can configure an option so that invitations will include the user's IP address in encrypted form only (the form used by Windows Vista), and not also in clear text as required for Windows XP. For more information, see "Procedures for Controlling or Disabling Remote Assistance," later in this section.

  • Access: No information is stored at Microsoft.

  • Transmission protocol and port: The port is dynamically selected by Remote Assistance, and the protocol is RDP. For Offer Remote Assistance, Distributed Component Object Model (DCOM) is also used.

  • Ability to disable: Solicited Remote Assistance, Offer Remote Assistance, or both can be disabled by using Group Policy or locally through Control Panel. They can also be disabled by using unattended installation with an answer file. For more information, see "Procedures for Controlling or Disabling Remote Assistance," later in this section.

Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet

When choosing among ways of controlling Remote Assistance, consider the types of assistance included in Remote Assistance in Windows Vista. The following list provides suggestions for using or controlling each type in a managed environment:

  • Controlling instant-message-based Remote Assistance: This is actually a form of Solicited Remote Assistance, so when you turn off Solicited Remote Assistance, you also turn off instant-message-based Remote Assistance. You can turn this off through Control Panel, through Group Policy, or with unattended installation using an answer file.

    As an alternative, you can exclude instant-messaging software from standard corporate computer configurations, and make sure that users do not have administrative accounts, so that they cannot install software on their computers. (This section does not provide details about how to do this.)

  • Controlling Solicited Remote Assistance where an invitation is sent by e-mail or delivered as a file: You can turn off Solicited Remote Assistance on an individual computer running Windows Vista, through Group Policy, or with unattended installation using an answer file. (This also turns off instant-message-based Remote Assistance, which is a form of Solicited Remote Assistance.)

    As an alternative, you can allow Solicited Remote Assistance, but configure it so that the IP address in the invitation is only in encrypted form (such an invitation does not work if it is sent to someone on a computer running Windows XP). Another alternative is to allow Solicited Remote Assistance but allow the helper to view but not change the configuration of the user's computer.

  • Controlling Offer Remote Assistance: You can turn off Offer Remote Assistance on an individual computer running Windows Vista, through Group Policy, or with unattended installation using an answer file.

    However, you might prefer to allow only Offer Remote Assistance and control the list of support professionals who are allowed to offer assistance. You can control this list on an individual computer running Windows Vista or through Group Policy. If you do this, you also need to use Group Policy to enable the Remote Assistance exception in Windows Firewall.

    If you allow Offer Remote Assistance, another alternative is to allow the helper to view but not change the configuration of the user's computer.

The following section provides information about using Group Policy. Later sections provide information about all methods for controlling Remote Assistance.

Using Group Policy to Control Remote Assistance

There are multiple Group Policy settings you can configure to control the use of Remote Assistance, including settings for:

  • Solicited Remote Assistance

  • Offer Remote Assistance

  • Allow only Vista or later connections

These policy settings are located in Computer Configuration\Administrative Templates\System\Remote Assistance. Configuration options for these policy settings are described in the following list.

  • Solicited Remote Assistance (enabled): When this policy setting is enabled, a user can create a Remote Assistance invitation that a helper can use at another computer to connect to the user’s computer. If given permission, the helper can view the user’s screen, mouse, and keyboard activity in real time.

    Additional configuration options are available when you enable this policy setting.

  • Solicited Remote Assistance (disabled): If the status is set to Disabled, the user at this computer cannot request Remote Assistance.

  • Solicited Remote Assistance (not configured): If the status is set to Not Configured, the configuration of solicited Remote Assistance is determined by the Control Panel settings.

  • Offer Remote Assistance (enabled): When this policy setting is enabled, a remote user or administrator can offer Remote Assistance to the computer. When you configure this policy setting, you must also specify the list of users or user groups that will be allowed to offer remote assistance. Administrators of this computer can offer remote assistance by default; they do not need to be added to the list.

    Additional configuration options are available when you enable this policy setting.

  • Offer Remote Assistance (disabled or not configured): If you disable or do not configure this policy setting, a support professional or other helper cannot offer unsolicited remote assistance to this computer.

  • Allow only Vista or later connections (enabled): When this policy setting is enabled, invitations for Solicited Remote Assistance will include the user's IP address in encrypted form only (the form used by Windows Vista), and not also in clear text as required for Windows XP.

  • Allow only Vista or later connections (disabled or not configured): If you disable or do not configure this policy setting, for Solicited Remote Assistance, invitations will include the user's IP address in clear text (as required for compatibility with Windows XP), not just in encrypted form as used by Windows Vista.

For additional configuration options, see the Remote Assistance policy settings in Group Policy. To find more information about editing Group Policy, see Appendix B: Resources for Learning About Group Policy for Windows Vista.

Procedures for Controlling or Disabling Remote Assistance

The procedures in this section are grouped according to the method by which you perform them:

  • Controlling Remote Assistance through Control Panel on an individual computer running Windows Vista

  • Controlling Remote Assistance by using Group Policy

  • Controlling Remote Assistance during unattended installation by using an answer file

Controlling Remote Assistance Through Control Panel

This subsection contains procedures for configuring Remote Assistance on an individual computer running Windows Vista.

To Use Control Panel to Maximize the Encryption in Remote Assistance Invitations Sent from this Computer

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Either click System and Maintenance and then click System, or double-click System.

  3. On the left, click Remote settings.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  5. On the Remote tab, under Remote Assistance, click Advanced.

  6. Select the check box labeled Create invitations that can only be used from computers running Windows Vista or later.

Important

When this option is selected, Remote Assistance invitations sent from this computer will contain the IP address in encrypted form only, which prevents the invitation from working if it is received on a computer running Windows XP.

To Use Control Panel to Allow Helpers to View but Not Make Configuration Changes on a User's Computer

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Either click System and Maintenance and then click System, or double-click System.

  3. On the left, click Remote settings.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  5. On the Remote tab, under Remote Assistance, click Advanced.

  6. Clear the check box labeled Allow this computer to be controlled remotely.

To Use Control Panel to Configure Exclusive "Offer Remote Assistance"

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Either click System and Maintenance and then click System, or double-click System.

  3. On the left, click Remote settings.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  5. On the Remote tab, under Remote Assistance, clear the check box labeled Allow Remote Assistance connections to this computer, and then click OK. (Clearing this check box disables Solicited Remote Assistance, but does not disable Offer Remote Assistance.)

  6. Click OK.

  7. Click the Back button and then, on the left, click User Accounts.

  8. Click Give other users access to this computer.

  9. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  10. Look at the list under Users for this computer and determine if it includes the people who should be able to offer Remote Assistance to this computer. If it does not, use the Add button to add one or more user accounts to the list.

  11. Click the account of a user who you want to allow to offer Remote Assistance to this computer, and then click Properties. Click Other, expand the list, and click Offer Remote Assistance Helpers. (If instead of clicking Other, you click Administrator, the person will have full control on this computer, which includes being able to offer remote assistance.)

Controlling Remote Assistance by Using Group Policy

This subsection contains procedures for controlling Remote Assistance by using Group Policy.

To Use Group Policy to Maximize the Encryption in Remote Assistance Invitations that Are Sent

  1. See Appendix B: Resources for Learning About Group Policy for Windows Vista for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Vista, open Group Policy Management Console by running gpmc.msc, and then edit an appropriate Group Policy object (GPO).

Note

You must perform this procedure by using GPMC on a computer running Windows Vista (GPMC is included in Windows Vista).

  2. Expand Computer Configuration, expand Administrative Templates, expand System, and then click Remote Assistance.

  3. In the details pane, double-click Allow only Vista or later connections, and then click Enabled.

    You can also click the Explain tab to see details about how the setting works.

Important

When this setting is enabled, Remote Assistance invitations sent from this computer will contain the IP address in encrypted form only, which prevents the invitation from working if it is received on a computer running Windows XP.

To Use Group Policy to Allow Helpers to View but Not Make Configuration Changes on Users' Computers

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Administrative Templates, expand System, and then click Remote Assistance.

  3. If you permit Solicited Remote Assistance, in the details pane, double-click Solicited Remote Assistance, click Enabled, and under Permit remote control of this computer, select Allow helpers to only view the computer, and then click OK.

  4. If you permit Offer Remote Assistance, in the details pane, double-click Offer Remote Assistance, click Enabled, and under Permit remote control of this computer, select Allow helpers to only view the computer. If you have not already clicked Show and used the Add button to add the accounts of support professionals who you want to allow to offer assistance, you must do so before you can click OK.

To Use Group Policy to Configure Exclusive "Offer Remote Assistance"

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Administrative Templates, expand System, and then click Remote Assistance.

  3. In the details pane, double-click Solicited Remote Assistance, click Disabled, and then click Next Setting.

  4. For the Offer Remote Assistance setting, click Enabled, click Show, and use the Add button to add the accounts of the support professionals who you want to allow to offer assistance.

To Use Group Policy to Disable All Types of Remote Assistance

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Administrative Templates, expand System, and then click Remote Assistance.

  3. In the details pane, double-click Solicited Remote Assistance, click Disabled, and then click Next Setting.

  4. For the Offer Remote Assistance setting, click Disabled, and then click OK.

Controlling Remote Assistance During Unattended Installation by Using an Answer File

This subsection contains procedures for controlling Remote Assistance by using an answer file with unattended installation.

To Use an Answer File to Control "Solicited Remote Assistance" to Maximize the Encryption in Invitations

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment for Windows Vista.

  2. Confirm that your answer file includes the following line:

    <CreateEncryptedOnlyTickets>true</CreateEncryptedOnlyTickets>
    

To Use an Answer File to Disable Solicited Remote Assistance

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment for Windows Vista.

  2. To disable Solicited Remote Assistance, confirm that your answer file includes the following line:

    <fAllowToGetHelp>false</fAllowToGetHelp>
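As an added example (not from this page or from Microsoft), the following Python script audits an unattend answer file for the two settings named in these procedures, <fAllowToGetHelp> and <CreateEncryptedOnlyTickets>, reports the weak combinations against the defaults the page describes, and writes back the hardened values. The component name Microsoft-Windows-RemoteAssistance-Exe and the unattend XML namespace are assumptions, and the sample answer file is constructed.

```python
"""Audit and harden Remote Assistance settings in a Vista unattend answer file.

Added example, not from the page: checks <fAllowToGetHelp> and
<CreateEncryptedOnlyTickets> against the defaults the page describes
(Solicited Remote Assistance allowed; invitations carry a clear-text IP).
"""
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"             # assumed unattend namespace
COMPONENT = "Microsoft-Windows-RemoteAssistance-Exe"  # assumed component name
TAG = "{%s}%%s" % NS                                  # builds a namespaced tag

# Effective value when a setting is absent from the file, per the page.
DEFAULTS = {"fAllowToGetHelp": True, "CreateEncryptedOnlyTickets": False}

def _to_bool(text):
    """Answer-file booleans are the literal strings 'true' / 'false'."""
    value = (text or "").strip().lower()
    if value not in ("true", "false"):
        raise ValueError("expected 'true' or 'false', got %r" % text)
    return value == "true"

def _components(root):
    """All Remote Assistance components in the file, whatever the settings pass."""
    return [c for c in root.iter(TAG % "component") if c.get("name") == COMPONENT]

def read_settings(unattend_xml):
    """Return {setting: bool}, filling in DEFAULTS for settings the file omits."""
    settings = dict(DEFAULTS)
    for comp in _components(ET.fromstring(unattend_xml)):
        for name in DEFAULTS:
            elem = comp.find(TAG % name)
            if elem is not None:
                settings[name] = _to_bool(elem.text)
    return settings

def audit(unattend_xml):
    """Return findings as strings; an empty list means nothing to report."""
    settings = read_settings(unattend_xml)
    findings = []
    if settings["fAllowToGetHelp"]:
        findings.append("Solicited Remote Assistance is allowed (fAllowToGetHelp true or unset)")
        if not settings["CreateEncryptedOnlyTickets"]:
            findings.append("invitations carry a clear-text IP address "
                            "(CreateEncryptedOnlyTickets false or unset)")
    return findings

def harden(unattend_xml, disable_solicited=False):
    """Force encrypted-only tickets on and, if requested, turn Solicited Remote
    Assistance off.  Adds the component (in the specialize pass) if it is missing."""
    ET.register_namespace("", NS)
    root = ET.fromstring(unattend_xml)
    comps = _components(root)
    if not comps:
        settings = root.find(TAG % "settings")
        if settings is None:
            settings = ET.SubElement(root, TAG % "settings", {"pass": "specialize"})
        comps = [ET.SubElement(settings, TAG % "component", {"name": COMPONENT})]
    wanted = {"CreateEncryptedOnlyTickets": "true"}
    if disable_solicited:
        wanted["fAllowToGetHelp"] = "false"
    for comp in comps:
        for name, value in wanted.items():
            elem = comp.find(TAG % name)
            if elem is None:
                elem = ET.SubElement(comp, TAG % name)
            elem.text = value
    return ET.tostring(root, encoding="unicode")

# Constructed sample: the shipped defaults written out explicitly (weak).
WEAK = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-RemoteAssistance-Exe">
      <fAllowToGetHelp>true</fAllowToGetHelp>
    </component>
  </settings>
</unattend>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK), ("hardened", harden(WEAK, True))):
        print(label, audit(xml) or ["no findings"])
```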
    

Additional References