Remote Desktop for Administration Best practices
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Add yourself to the Remote Desktop Users group for your computer.
When you do this, you do not have to log on as an administrator to access your computer remotely. You should not add yourself to the Administrators group, and you should avoid running your computer while you are logged on as an administrator unless you are doing tasks that are restricted to administrators. For most computer activity, log on as a member of the Users or Power Users group. If you need to perform an administrator-only task, log on as an administrator, perform the task, and then log off. For more information, see Why you should not run your computer as an administrator.
Require all members of the Remote Desktop Users group to log on with a strong password.
This is especially important if your computer is connected directly to the Internet. For more information, see Strong passwords.
Install the latest version of Remote Desktop Connection.
If you are using the Windows 2000 32-bit Terminal Services Client, you should upgrade to the Windows Server 2003 Remote Desktop Connection.
For more information, see Install Remote Desktop Connection (32-bit computers).
Review general security considerations.
For more information, see Best practices for security.
Coordinate Remote Administration Tasks with Other Administrators
The Remote Desktop feature of Windows Server 2003 family operating systems is not meant to provide a managed multiuser experience. Using the two remote connections plus the console can implement a collaborative operation, but it is not designed to support general access by multiple simultaneous administrators. In particular, ensure that administrators do not run potentially destructive applications at the same time. For example, two administrators trying to reconfigure the disk subsystem can undermine each other's work, or even worse, destroy data. Use the Terminal Services Manager tool or the Query user command line utility to check for the presence of other administrators.
To open Terminal Services Manager, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Services Manager.
Remote Administration Is Not Application Serving
Many general office applications require special installation, install scripts, or environment management to perform well in a remote session. Terminal Services provides these when you install Terminal Server, but they are not available for Remote Desktop for Administration. For general desktop and application remote access requirements, use a dedicated server with Terminal Server installed.
For more information, see Terminal Server.
Configure the Remote Desktop Session to Disconnect When Connection is Broken
This is the default setting, and is especially important if you perform system updates over unreliable network connections. If a session is interrupted due to a network problem, the session goes into a disconnected state and continues executing the processes that were running before the interruption occurred. If the session is configured to reset when the connection breaks, all processes running in that session will stop, which is similar to stopping an application by using End Task.
Configure Disconnect and Reset Timeouts
Because it is not possible to have more than two remote sessions, remote administrators might be locked out of a server if two remote sessions (using different user accounts) are in either an active or disconnected state. When configuring disconnect timeouts, it is critical that sessions that are disconnected do not get reset prematurely. For this reason, it may be useful to perform remote administration tasks that should not be accidentally reset using a shared administrator account, such as a local machine account. You can use the account Properties tab to configure this account not to reset after it is disconnected.
Group Policy settings may override settings in the user account Properties tab.
Using a shared administrator account will not allow you to track individual administrators using the computer.
- Group Policy settings may override settings in the user account Properties tab.
Avoid Tasks that Require Reboots
Some tasks, for example system upgrades and domain controller promotion, require reboots at their completion. These tasks work correctly from within a Remote Desktop session, but you should be aware that something as simple as a floppy disk in the drive or a bad boot sector on the disk could prevent the server from restarting. Therefore, it is advisable not to remotely reboot mission-critical servers unless you have the ability to physically intervene at the server if a problem occurs.
Avoid relying on Server Console Messages
It is not possible to see server console messages when logging on using Terminal Services unless you are connected to the console session. Therefore, it is good practice to check the Server event logs, rather than relying on a system pop-up.
Using the Terminal Services Manager, you can control another Terminal Services session remotely. However, you cannot interact with the console from the Terminal Services Manager.
For more information, see Remotely control a session.