The Desktop Files: Getting to Know RDP
Wes Miller


The Remote Desktop Protocol, or RDP, allows you to access machines remotely. It's a very useful piece of technology that has undoubtedly saved more than a few system admins over the years. RDP has a long history of providing better and better remote access support. It was introduced in 1998 for Windows NT 4.0 Terminal Server Edition (TSE) and has evolved in almost every release of Windows® since.
Beginning with Windows 2000, almost anyone could easily access a server system remotely because Terminal Services was introduced as an optional Windows component and could be configured so you could use the system either as an actual Terminal Server or for what we call Remote Desktop today. Windows Server® 2003 and Windows XP delivered native Remote Desktop functionality, allowing you to control the system as if you were there locally. Today, I use Remote Desktop every day to access my home PC and server remotely, and to use my Media Center Extender.
Windows XP and later versions of Windows added Remote Assistance, which provides an experience that is similar to Remote Desktop but designed for a local user to request assistance from a remote user. Continuing the evolution of remote access support, Windows Vista® now allows remote users to offer Remote Assistance, if permitted by Group Policy.
As you will see, Remote Desktop takes this powerful functionality to a whole new level, and you'll appreciate all it has to offer. Of course there are some limitations to Remote Desktop, but there are many benefits as well. Let's take a look at both.

The Good, the Bad, and the Fantastic
On Windows XP (with the exception of Media Center Edition), the key limitation is that only one interactive user can be logged on at a time. While Fast User Switching in Windows XP allows for more than one user to be logged on, only one user can be interactive using the mouse or keyboard—whether they are local to the PC or remote. With Windows Server versions (not running as Terminal Servers), two Remote Desktop sessions can connect at once. To connect via Remote Desktop to the actual console session in Windows Server 2003, you launch the Terminal Services client application (MSTSC.exe) with the optional parameter /console. The console session is very important because some older applications, which were not designed properly to take Terminal Services sessions into account, will often pop up dialogs only on the console session (Session 0). Figure 1 shows a user logged into the console session on Windows Server 2003. Windows XP and Windows Server 2003 Remote Desktop will enforce licensing to ensure that only the number of permitted users are logged on interactively.
Figure 1 Logged into Session 0
Additionally, both network bandwidth and Group Policy can affect the Remote Desktop experience. Windows XP is capable of delivering up to 24-bit resolution as well as redirection of sound, local printers, disks, and the clipboard for cutting and pasting. Because of the way Remote Desktop works to draw the screen, removing graphic elements from the remote session (themes, backgrounds, and so on) improves the available network bandwidth dramatically and, as a result, the session is much more responsive to the user. Windows Vista builds upon this by adding 32-bit resolution and additional device redirection.
Note that some things, such as graphically intensive operations, can be challenging over even the best Remote Desktop sessions if there is insufficient bandwidth, so plan accordingly.

New Functionality in Windows Vista
Windows Vista delivered very significant changes to Remote Desktop. As I mentioned, 32-bit display resolution as well as font smoothing are some of the most visible changes. A related enhancement is the ability to run Windows Vista sessions across multiple monitors—by launching the Terminal Services client with the /span command. Note that /span only works with Windows Vista remote host systems, requires the same resolution on the client across the monitors, and requires that the monitors are aligned. Spanning works by treating the remote system (the client) as one large display. This means that maximizing an application may result in effects you may not expect, including inconveniently placed dialogs that must be moved by the user.
Additionally, if the client you are connecting from is a Windows Vista client, and the remote system is a Windows Vista system, you can run the remote session's user interface in Windows Aero™ Glass mode (as long as the local system supports Aero Glass, even if the remote system doesn't). This is a result of the re-architecture of Windows Remote Desktop to perform much of the window management operations on the client system if the client is Windows Vista, improving the user experience while reducing bandwidth usage.
Windows Vista also brings with it a key security enhancement, Network Level Authentication (NLA). NLA can help you prevent man-in-the-middle attacks in which a rogue user spoofs the server you believe you are connecting to. NLA also improves the authentication experience by not launching the full Windows user interface for authentication—minimizing impact on the remote system and reducing the susceptibility to denial-of-service attacks. NLA requires Windows Vista on both the client and remote system. Figure 2 shows how to specify via the RDP 6.0 client whether to enforce authentication, whether to warn, or whether to require it at all. Note that if you are connecting to a remote system that is running a version of Windows older than Windows Vista, you will want to ensure that it is set to at least warn for that connection; otherwise it will fail to connect.
Figure 2 Advanced connection preferences
Improved resource redirection (more than just drives and printers) is another key RDP enhancement in Windows Vista. As long as the drivers are present on the remote system and the device supports redirection, you can redirect numerous new types of devices including smart cards. Additional device types can be supported by their vendors.
Windows Vista also supports gateway servers via the RDP 6.0 client. This allows users to connect to systems at work seamlessly over the Internet without requiring a VPN connection or any third-party software. Figure 3 shows the Terminal Services Gateway server settings. You can think of a gateway server as similar to VPN, without requiring any specific client software other than the RDP 6.0 client software (no VPN settings or proprietary software needed).
Figure 3 Terminal Services Gateway server settings
Windows Vista also includes the infrastructure for a new feature called RemoteApp™. Here's what RemoteApp does for you. Remote Desktop generally allows you to connect to an entire Windows session. But suppose you were only interested in running Microsoft® Word or Microsoft PowerPoint®. RemoteApp provides the capability to do just that. Scenarios for enabling robust application sharing will be enabled in Windows Server 2008 as well.
Additionally, new support has been added in Windows Vista for the Windows Desktop Sharing API, which allows for the publishing of shared, collaborative applications. A sample application made available by the Microsoft Terminal Server team at blogs.msdn.com/ts/archive/2007/03/23/writing-a-desktop-sharing-application.aspx demonstrates how the Windows Desktop Sharing API works.
A key change to bear in mind in Windows Vista and beyond is that Session 0 (classically the console session—where legacy applications will pop up dialog messages) is not generally accessible to the user. This reduces interactivity between system services (which run in Session 0, albeit non-interactively) and interactive users. It also allows for a reduction in the attack surface posed by overly privileged services and interactive users in Windows Vista where the focus has been on the reduction of privilege (via User Account Control and other security enhancements). This isn't generally something you have to be concerned with, unless you are running legacy software on Windows Vista and it is misbehaving either when being installed or when the application is running.

Where to Find Remote Desktop
A key issue to bear in mind with regard to Remote Desktop is where it can be used at all. Windows XP Professional, Media Center Edition, and Tablet PC Edition all include Remote Desktop functionality, as do all versions of Windows Server 2003. Windows Vista includes Remote Desktop functionality in the Business, Enterprise, and Ultimate editions. Home editions of Windows, including Windows XP Home Edition, and all Home Editions of Windows Vista, do not include Remote Desktop functionality.


Terminal Services Client
You can find the new RDP 6.0 client at go.microsoft.com/fwlink/?LinkId=91612. As mentioned above, the client includes all the functionality necessary to connect to an RDP 6.0 (Windows Vista or Windows Server 2008) system.
Figure 4 shows the RDP 6.0 client. One significant improvement in MSTSC is the ability to cache credentials—and if connecting from Windows Vista to Windows Vista or Windows Server 2008, even single sign-on (SSO) is supported via Group Policy.
Figure 4 RDP 6.0 client
Version 6.0 of MSTSC.exe has numerous command-line parameters, listed below. Let's take a look at each one in turn.
mstsc [<connection file>] [/v:<server[:port]>]
[/console] [/f[ullscreen]] [/w:<width>] [/h:<height>]
[/public] | [/span] [/edit "connection file"] [/migrate] [/?]
/v:<server[:port]> specifies the remote computer you want to connect to as well as an optional port value (port 3389 is the default; it can be changed on all versions of Windows).
/console allows you to connect to the console session of older versions of Windows. This setting does not work with Windows Vista or Windows Server 2008.
/f starts Remote Desktop Connection in full-screen mode.
/w:<width> specifies the width of the Remote Desktop Connection window.
/h:<height> specifies the height of the Remote Desktop window.
/public runs Remote Desktop Connection in public mode. In public mode, the RDP client does not cache any data to the local system. Use public mode, for example, when connecting to a business server from a system in a conference center.
/span matches the remote desktop width and height with the local virtual desktop, spanning across multiple monitors if necessary. Note that the monitors must all be the same height and aligned side-by-side.
/edit opens the specified .rdp connection file for editing. RDP files are used to store connection information for a specific remote system.
/migrate moves older connection files that were created with Client Connection Manager to new .rdp connection files.
Many of the enhancements in the MSTSC client are also available when using the Terminal Services ActiveX® control, as well as using TSMMC.msc, described below, to connect to multiple systems from the same console.

More Terminal Services Magic
You may not be familiar with two other Microsoft technologies that use Terminal Services components to perform their magic. Fast User Switching in Windows XP and Windows Vista works by letting multiple users log on to the same system, but switch quickly between user contexts without forcing any users to log off. Windows Media Center Edition (and Windows Vista) built upon this infrastructure to allow Media Center Extenders, effectively a thin-client terminal with audio/video rendering technology and codecs, to log on and render the Media Center experience remotely on a television over wired or wireless connection. In Windows XP, these are both generally non-business related scenarios—since both require a system that is not joined to a domain and has Fast User Switching enabled. Bear in mind that both are available in Windows Vista product editions for business—though the usage scenarios are not really mainstream for business—so I didn't dive into too much detail on them here.
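The .rdp connection files that /edit opens hold the choices discussed in this article (what to do when server authentication fails, clipboard and drive redirection, the target port) as plain name:type:value lines. The Python sketch below is an added example, not part of the original column or of any Microsoft tool; it parses such a file and flags the settings worth reviewing before the file is handed to users. The setting names are the RDP client's .rdp keys rather than anything printed in the article, the host name and file contents are constructed, and the severity labels are this example's own ranking.

```python
"""Audit security-relevant settings in an .rdp connection file (added example)."""
DEFAULT_PORT = 3389  # default RDP port when "full address" names none

# Meaning of "authentication level" values in the RDP client's .rdp format.
AUTH_LEVELS = {
    0: "connects without warning if server authentication fails",
    1: "refuses to connect if server authentication fails",
    2: "only warns if server authentication fails",
}

def parse_rdp(raw: bytes) -> dict:
    """Parse name:type:value lines; mstsc typically saves UTF-16 with a BOM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value may itself contain ':'
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue  # blank or malformed line
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer setting with a non-numeric value
        settings[name.lower()] = value
    return settings

def target(settings: dict) -> tuple:
    """Return (host, port); assumes a host name or IPv4 address, not bare IPv6."""
    address = settings.get("full address", "")
    host, sep, port = address.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return address, DEFAULT_PORT

def audit(settings: dict) -> list:
    """Return (severity, setting, message); severities are this example's ranking."""
    findings = []
    level = settings.get("authentication level")
    if level is None:
        findings.append(("info", "authentication level", "not set in file"))
    elif level != 1:
        findings.append(("high" if level == 0 else "medium", "authentication level",
                         AUTH_LEVELS.get(level, "unrecognized value")))
    if settings.get("redirectclipboard") == 1:
        findings.append(("medium", "redirectclipboard", "clipboard shared with remote host"))
    if settings.get("drivestoredirect"):
        findings.append(("medium", "drivestoredirect", "local drives exposed to remote host"))
    if "password 51" in settings:
        findings.append(("high", "password 51", "saved password blob stored in the file"))
    return findings

# Constructed sample file, encoded the way mstsc typically writes it (UTF-16 with BOM).
SAMPLE = (
    "full address:s:ts01.example.test:3390\r\n"
    "authentication level:i:0\r\n"
    "redirectclipboard:i:1\r\n"
    "drivestoredirect:s:*\r\n"
    "screen mode id:i:2\r\n"
).encode("utf-16")

if __name__ == "__main__":
    print(target(parse_rdp(SAMPLE)), *audit(parse_rdp(SAMPLE)), sep="\n")
```

A file that sets authentication level to 1 and leaves clipboard and drive redirection off produces no findings; a level of 2 is reported at medium because it is the fallback the article describes for hosts older than Windows Vista.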

New Functionality in Windows Server 2008
In addition to all of the functionality and changes already mentioned for Windows Vista, Windows Server 2008 includes Remote Desktop functions of its own: Terminal Services Web Access and Terminal Services Easy Print.
TS Web Access allows someone using a Web browser to view a list of programs that have been enabled on the remote server as RemoteApps, and easily launch them in a single click via the Remote Desktop ActiveX control. In some senses, you can think of this as an experience similar to the SoftGrid Application Virtualization experience I mentioned in last month's column on the Microsoft Desktop Optimization Pack, where a remote user easily launches an application without requiring any locally installed software. It will be interesting to watch over the next few years to see how the scenarios for using SoftGrid versus Terminal Services technologies compare.
TS Easy Print allows all printer tasks that occur on the remote (host) system to be redirected to the local (client) system. You may be thinking that printer redirection already does that, but it doesn't. Easy Print works without requiring any additional printer drivers on the host system or any user interactivity to get the device installed. If there is a local printer, it works the same on the remote system as it does locally. In order for Easy Print to work, the remote system must be running Windows Server 2008 and the client and server systems must all be running the Terminal Services 6.1 client and have the Microsoft .NET Framework 3.0 SP1 installed. Both of those are scheduled to ship near the time when Windows Server 2008 is released.

Tips for Using Remote Desktop
As I mentioned earlier, I use Remote Desktop every day—the Remote Desktop Microsoft Management Console (MMC) to be exact. By adding remote systems as nodes here, you can quickly and easily switch between multiple systems from the same user interface. Figure 5 shows what the MMC experience looks like. The MMC snap-in is part of the Windows Server 2003 Administration Tools Pack, the latest version of which is available at go.microsoft.com/fwlink/?LinkId=91685.
Figure 5 MMC page
Another fun tip I stumbled upon involves cut and paste. Cut and paste across client and server was new with Windows XP. In order for it to work, the client and the server must both be running Windows XP and the clipboard must be redirected (see Figure 6). Windows Vista clients also support cut and paste when clipboard redirection is enabled for the connection.
Figure 6 Local Resources settings
Also important to note is that keyboard shortcuts you may need, such as Ctrl+Alt+Delete, do not get transmitted over the wire to the remote system—they always act on the local system. To send Ctrl+Alt+Delete to the remote system, press Ctrl+Alt+End on the client.
Finally, I would like to recommend that you regularly visit the Microsoft Terminal Services Team blog at blogs.msdn.com/ts. I do.
Personally, I find that Remote Desktop and Terminal Services make my life so much easier that it's hard to imagine life without them. I hope this article has provided some insight into the new functionality in the RDP 6.0 client and Windows Vista and Windows Server 2008.

I'd like to thank Nelly Porter, Senior Program Manager Lead from the Terminal Services team, for her help in researching this column.

Wes Miller is a Development Manager at Pluck (www.pluck.com) in Austin, Texas. Previously, he worked at Winternals Software in Austin and at Microsoft as a Program Manager and Product Manager for Windows. Wes can be reached at technet@getwired.com.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.