Remote Assistance

(Note: This topic describes not just Windows XP Professional with Service Pack 2, but also Windows XP Professional with Service Pack 3.)

Benefits and Purposes of Remote Assistance

With Microsoft Windows XP Professional with Service Pack 2 (SP2), a user or administrator can use Remote Assistance to get help from a member of the organization's support staff. Users or administrators can also collaborate in other ways through screen sharing. Remote Assistance is a convenient way for support professionals to connect to a computer from another computer running a compatible operating system, such as Windows XP, and to show the users or administrators a solution to their problem.

Using Windows Messenger Service or an e-mail program, such as Microsoft Outlook or Outlook Express, you can provide support to users by connecting to their computer. After you are connected, you can view the user’s computer screen, communicate in real time about what you both see on the user’s computer, send files, use voice communication, and use your mouse and keyboard to work on the user’s computer.

Overview: Using Remote Assistance in a Managed Environment

Through Help and Support Center, users can access Remote Assistance by default and have someone inside or outside your network connect to their computer. In Help and Support Center, users can click "Invite a friend to connect to your computer with Remote Assistance" or click Tools\Remote Assistance.

Although a firewall on your organization’s network will likely prevent outsiders from connecting directly to a computer on your intranet, it is possible for users to connect remotely to someone within your intranet or outside your network through Remote Assistance. As an administrator in a highly managed environment, you might want to prevent users from using this feature. You can do this during your deployment of Windows XP with SP2, or post-deployment using Group Policy.

In a domain environment there is also the option of a support person or IT administrator offering unsolicited assistance. From Help and Support Center using Tools\Offer Remote Assistance, an administrator in the domain may offer assistance to users in the same domain or trusted domains without being asked. However, users can decline the invitation. This capability can be strictly controlled with Group Policy. Controlling the use of unsolicited as well as solicited Remote Assistance is described further in the subsection "Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet."

How Remote Assistance Communicates with Sites on the Internet

When a user (referred to as the "novice") initiates a request for assistance through either the e-mail option or the Save invitation as a file option in Remote Assistance, Windows XP starts Help and Support Center. Help and Support Center then passes the information to Remote Assistance.

When the person who is being contacted (the "expert") accepts the invitation from the novice, Remote Assistance calls Help and Support Center application programming interfaces (APIs) to initiate the session. Help and Support Center relies on Terminal Services to negotiate the session. Help and Support Center passes the Remote Assistance invitation (the "ticket") file to Terminal Services. The Remote Assistance session is established using RDP (Remote Desktop Protocol), and uses port 3389 through Terminal Services on the novice computer.

There are safeguards built into the Remote Assistance feature. All sessions are encrypted and can be password-protected. The novice (user soliciting the assistance) sets the maximum time for the duration of the ticket. Also, firewalls on your organization’s network can be configured to prevent communication associated with Remote Assistance, for example, Remote Assistance connections that are inbound to computers behind the firewall. Note that Windows XP with SP2 includes enhancements to the firewall component, now called Windows Firewall. For information about how Windows Firewall interacts with Remote Assistance, see the link to “Deploying Windows Firewall Settings for Windows XP SP2” on the Microsoft TechNet Web site at:

https://go.microsoft.com/fwlink/?LinkId=23354

The following information presents additional details on how information transfer over the Internet takes place when a connection is made:

  • Specific information sent or received: Information that is transmitted in a Remote Assistance ticket includes user name, IP address, and computer name. Information necessary to provide functionality for Remote Assistance (for example, screen sharing, file transfer, and voice) is sent in real time using point-to-point connections.

  • Default and recommended settings: Anyone with access to Help and Support Center can access the Remote Assistance feature. Users can prevent someone from connecting to their computer by declining an invitation. You can also prevent someone from remotely controlling a computer running Windows XP with SP2 by using Control Panel settings or Group Policy.

  • Triggers: A user establishes contact with the expert by sending an invitation through e-mail, instant messaging, or by saving an invitation as a file and transferring it manually, such as on a floppy disk, to the expert. Or, an expert offers unsolicited assistance to a user.

  • User notification: Whether assistance is solicited or unsolicited, the novice is notified of the offer of assistance from the expert. The novice must accept the connection before Remote Assistance begins.

  • Logging: Events such as a user initiating a connection or a user accepting or rejecting an invitation are recorded in the event logs. Windows XP Service Pack 2 (SP2) records more details than were recorded in the previous service pack, including events such as taking and releasing control, sending and accepting files, and ticket creation and deletion. SP2 also records details such as whether assistance is solicited or unsolicited as well as more detailed user name and IP address information.

  • Encryption: The RDP (Remote Desktop Protocol) encryption algorithm for the main Remote Assistance communication and the RTC (Real-Time Communication) encryption algorithm for voice are used. The RDP encryption algorithm is RC4 128-bit.

  • Access: No information is stored at Microsoft.

  • Transmission protocol and port: The port is 3389 and the transmission protocols are RDP and RTC. For Offer Remote Assistance, Distributed Component Object Model (DCOM) is also used.

  • Ability to disable: This component can be disabled by using Group Policy or locally through Control Panel.

  • Firewall protection: Any firewall that blocks port 3389 will not allow a Remote Assistance connection to users outside the firewall. This does not prevent users from within the network protected by the firewall from connecting to each other. If you close port 3389, you will block all Remote Desktop and Terminal Services events through it as well. If you want to allow these services but want to limit Remote Assistance requests, use Group Policy. If the port is opened only for outbound traffic, a user can request Remote Assistance by using Windows Messenger.

For more information about the Remote Assistance connection process, see article 300692, "Description of the Remote Assistance Connection Process" in the Microsoft Knowledge Base at:

https://go.microsoft.com/fwlink/?LinkId=29212

Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet

Administrators can control the use of Remote Assistance in the following ways:

  • Group Policy to prevent Remote Assistance from being solicited from this computer

  • Group Policy to prevent unsolicited Remote Assistance from being offered to this computer

  • Local control of Remote Assistance through Control Panel

Group Policy settings are described in detail in this subsection. Procedures for disabling Remote Assistance are presented in the next subsection.

Using Group Policy

There are two Group Policy settings you can configure to control the use of Remote Assistance:

  • Solicited Remote Assistance

    Use this policy setting to determine whether Remote Assistance can be solicited from a given computer. In Solicited Remote Assistance the user of a computer explicitly requests help from another party.

  • Offer Remote Assistance

    Use this policy setting to determine whether a support person or IT administrator (expert) can offer remote assistance to a computer without a user explicitly requesting it first through e-mail, a file, or instant messaging.

These policy settings are located in Computer Configuration\Administrative Templates\System\Remote Assistance. Configuration options for these policy settings are described in the following table.

Group Policy Settings for Controlling Remote Assistance (Policy Setting: Description)

  • Solicited Remote Assistance (enabled): When this policy setting is enabled, a user can create a Remote Assistance invitation that a person (“expert”) can use at another computer to connect to the user’s computer. If given permission, the expert can view the user’s screen, mouse, and keyboard activity in real time. Additional configuration options are available when you enable this policy setting.

  • Solicited Remote Assistance (disabled): If the status is set to Disabled, users cannot request Remote Assistance and this computer cannot be controlled from another computer.

  • Solicited Remote Assistance (not configured): If the status is set to Not Configured, the configuration of solicited Remote Assistance is determined by the Control Panel settings.

  • Offer Remote Assistance (enabled): When this policy setting is enabled, a remote user or administrator can offer Remote Assistance to the computer. When you configure this policy setting, you have two choices: you can select either Allow helpers to only view the computer or Allow helpers to remotely control the computer. In addition to making this selection, when you configure this policy setting, you also specify the list of users or user groups that will be allowed to offer remote assistance. Administrators of this computer can offer remote assistance to it by default. They do not need to be added to the list.

  • Offer Remote Assistance (disabled or not configured): If you disable or do not configure this policy setting, users or groups cannot offer unsolicited remote assistance to this computer.

For additional configuration options, see the Remote Assistance policy settings in Group Policy. To find more information about editing Group Policy, see Appendix B, "Learning About Group Policy and Updating Administrative Templates."
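
The following added example (not part of the original Microsoft topic) applies the rules from the policy table and the firewall note above to an inventory of computers and reports which Remote Assistance paths remain open on each. The Host record layout, field names, and host names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Policy(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"
    NOT_CONFIGURED = "not configured"

@dataclass
class Host:
    """One inventory record (hypothetical schema, not a Windows data format)."""
    name: str
    solicited: Policy       # state of the Solicited Remote Assistance policy
    offer: Policy           # state of the Offer Remote Assistance policy
    cp_invitations: bool    # Control Panel check box on the Remote tab
    fw_blocks_3389: bool    # network firewall blocks port 3389

def solicited_allowed(h: Host) -> bool:
    # Group Policy decides when set; Not Configured defers to Control Panel.
    if h.solicited is Policy.NOT_CONFIGURED:
        return h.cp_invitations
    return h.solicited is Policy.ENABLED

def offer_allowed(h: Host) -> bool:
    # Disabled and Not Configured both block unsolicited offers.
    return h.offer is Policy.ENABLED

def audit(h: Host) -> list[str]:
    """Return the Remote Assistance paths still open on this host."""
    open_paths = []
    if solicited_allowed(h):
        # Blocking 3389 stops sessions that cross the firewall, not internal ones.
        scope = "intranet only" if h.fw_blocks_3389 else "intranet and Internet"
        not_set = h.solicited is Policy.NOT_CONFIGURED
        source = "Control Panel" if not_set else "Group Policy"
        open_paths.append(f"solicited via {source} ({scope})")
    if offer_allowed(h):
        open_paths.append("unsolicited offers from listed helpers and local administrators")
    return open_paths

# Constructed sample inventory.
INVENTORY = [
    Host("ws-locked", Policy.DISABLED, Policy.DISABLED, True, True),
    Host("ws-default", Policy.NOT_CONFIGURED, Policy.NOT_CONFIGURED, True, True),
    Host("ws-helpdesk", Policy.ENABLED, Policy.ENABLED, False, False),
]

if __name__ == "__main__":
    for host in INVENTORY:
        print(host.name, audit(host) or "Remote Assistance disabled")
```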

Procedures for Disabling Remote Assistance

This section presents procedures administrators can use for disabling Remote Assistance through Group Policy or Control Panel.

To Disable the Use of Remote Assistance Using Group Policy

  1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click System, and then click Remote Assistance.

  3. In the details pane, double-click Solicited Remote Assistance, click Disabled, and then click OK.

  4. In the details pane, double-click Offer Remote Assistance, click Disabled, and then click OK.

To Disable the Use of Remote Assistance Through Control Panel

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click System.

  3. In System Properties, click the Remote tab.

  4. Under Remote Assistance, clear the check box labeled Allow Remote Assistance invitations to be sent from this computer.