Remote Assistance and Internet Communication (Windows Server 2003)

Applies To: Windows Server 2003 with SP1

This section provides information about:

  • The benefits of Remote Assistance

  • How Remote Assistance communicates with sites on the Internet

  • How to control Remote Assistance to prevent the flow of information to and from the Internet

Benefits and Purposes of Remote Assistance

With operating systems in the Microsoft Windows Server 2003 family, users and administrators in your organization can use Remote Assistance to get help from a member of your support staff. Users or administrators can also collaborate in other ways through screen sharing. Remote Assistance is a convenient way for support professionals to connect to a computer from another computer running a compatible operating system, such as Windows XP, and to show the users or administrators a solution to their problem.

Using Windows Messenger Service or an e-mail program, such as Microsoft Outlook or Outlook Express, you can provide support to users by connecting to their computer. After you are connected, you can view their computer screen, communicate with them in real time about what you both see on their computer, send files, use voice communication, and use your mouse and keyboard to work on their computer.

Overview: Using Remote Assistance in a Managed Environment

Remote Assistance is disabled by default. You configure Remote Assistance through Control Panel\System\Remote tab on an individual computer, or through Group Policy for groups of users or computers. When it is enabled, users and administrators can access Remote Assistance through Help and Support Center under Support Tasks\Support, or Support Tasks\Tools\Help and Support Center Tools.

While a firewall on your organization’s network will likely prevent outsiders from connecting directly to a computer on your intranet, the potential for users or administrators to connect remotely to someone outside your network is available through Remote Assistance. There is also the option of a support person or IT administrator in your organization offering unsolicited assistance. An administrator in the domain or a user explicitly authorized through Group Policy settings may offer assistance to users in the same domain without being asked; however, users can decline the offer.

As an administrator in a highly managed environment, you might want to prevent groups of users and administrators from accessing this feature. You can do this through Group Policy. Controlling the use of unsolicited as well as solicited Remote Assistance is described further in the subsection "Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet."

How Remote Assistance Communicates with Sites on the Internet

When a user (referred to as the "novice") initiates a request for assistance through either the e-mail option or the Save invitation as a file option in Remote Assistance, the operating system starts Help and Support Center. Help and Support Center then passes the information to Remote Assistance.

When the person who is being contacted (the "expert") accepts the invitation from the novice, Remote Assistance calls Help and Support Center application programming interfaces (APIs) to initiate the session. Help and Support Center relies on Terminal Services to negotiate the session. Help and Support Center passes the Remote Assistance invitation (the "ticket") file to Terminal Services. The Remote Assistance session is established using RDP (Remote Desktop Protocol) and port 3389 through Terminal Services on the novice and expert computers.

There are safeguards built into the Remote Assistance feature. All sessions are encrypted and can be password-protected. The novice (user soliciting the assistance) sets the maximum time for the duration of the ticket. Also, firewalls on your organization’s network might prevent users from making a connection.

The following information presents additional details on how information transfer over the Internet takes place when a connection is made:

  • Specific information sent or received: Information that is transmitted in a Remote Assistance ticket includes user name, IP address, and computer name. Information necessary to provide functionality for Remote Assistance (for example, screen sharing, file transfer, and voice) is sent in real time using point-to-point connections.

  • Default and recommended settings: Anyone with access to Help and Support Center can access the Remote Assistance feature. Users can prevent someone from connecting to their computer by declining an invitation. You can also prevent someone from remotely controlling a server running one of the Windows Server 2003 family operating systems through Control Panel settings or Group Policy.

  • Triggers: A user or administrator establishes contact with the expert by sending an invitation through e-mail, instant messaging, or by saving an invitation as a file and transferring it manually, such as on a floppy disk, to the expert. Or, an expert offers unsolicited assistance to a user.

  • User notification: The expert is asked through e-mail or instant messaging to provide help to the novice. A connection is not made unless the expert accepts the invitation or opens the ticket. When users are offered unsolicited assistance, they, as the novice, have to click Yes to start a connection.

  • Logging: Events such as a person initiating a connection or a user or administrator accepting or rejecting an invitation are recorded in the event logs.

  • Encryption: The RDP (Remote Desktop Protocol) encryption algorithm for the main Remote Assistance communication and the RTC (Real-Time Communication) encryption algorithm for voice are used. The RDP encryption algorithm is RC4 128-bit.

  • Access: No information is stored at Microsoft.

  • Transmission protocol and port: The port is 3389 and the transmission protocols are RDP and RTC.

  • Ability to disable: Yes, using Group Policy, and locally through Control Panel.

  • Firewall protection: Any firewall that blocks port 3389 should not allow a connection to users outside the firewall. This does not prevent users from within the network protected by the firewall from connecting to each other. If you close port 3389, you will block all Remote Desktop and Terminal Services events through it as well. If you want to allow these services but want to limit Remote Assistance requests, use Group Policy. If the port is opened only for outbound traffic, a user can request Remote Assistance by using Windows Messenger.

For more information about the Remote Assistance connection process, see article 300692, "Description of the Remote Assistance Connection Process," in the Microsoft Knowledge Base at:

https://go.microsoft.com/fwlink/?LinkId=29212

Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet

Administrators can control the use of Remote Assistance in the following ways:

  • Group Policy to prevent users or administrators from soliciting or offering Remote Assistance

  • Local controls of Remote Assistance through Control Panel

Group Policy settings are described in detail in this subsection. Procedures for disabling Remote Assistance are presented in the next subsection.

There are two Group Policy settings you can configure to control the use of Remote Assistance:

  • Solicited Remote Assistance

    Use this policy setting to determine whether solicited remote assistance is allowed from a computer. In solicited Remote Assistance, the user of a computer explicitly requests help from another party.

  • Offer Remote Assistance

    Use this policy setting to determine whether a support person or IT administrator (expert) can offer remote assistance to a computer without a user explicitly requesting it first, through e-mail, a file, or instant messaging.

These policy settings are located in Computer Configuration\Administrative Templates\System\Remote Assistance. Configuration options for these policy settings are described in the following table.

Group Policy settings for controlling Remote Assistance

Policy setting Description

Solicited Remote Assistance (enabled)

When this policy setting is enabled, a user can create a Remote Assistance invitation that a person (“expert”) can use at another computer to connect to the user’s computer. If given permission, the expert can view the user’s screen, mouse, and keyboard activity in real time.

Additional configuration options are available when you enable this policy setting.

Solicited Remote Assistance (disabled)

If the status is set to Disabled, users cannot request Remote Assistance and this computer cannot be controlled from another computer. If this policy setting is disabled, the Offer Remote Assistance policy setting is also disabled.

Solicited Remote Assistance (not configured)

If the status is set to Not Configured, all additional configuration is determined by the Control Panel settings.

Offer Remote Assistance (enabled)

When this policy setting is enabled, a remote user or administrator can offer Remote Assistance to the computer. When you configure this policy setting, you have two choices: you can select either "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." In addition to making this selection, when you configure this policy setting you also specify the list of users or user groups that will be allowed to offer remote assistance. Administrators can offer remote assistance by default; they do not need to be added to the list.

Offer Remote Assistance (disabled or not configured)

If you disable or do not configure this policy setting, users or groups cannot offer unsolicited remote assistance to this computer.

For additional configuration options see the Remote Assistance policy settings in Group Policy. To find more information about editing Group Policy, see Appendix B: Resources for Learning About Group Policy (Windows Server 2003).

Procedures for Disabling Remote Assistance

This subsection presents procedures administrators can use for disabling Remote Assistance through Group Policy or Control Panel.

To disable the use of Remote Assistance using Group Policy

  1. Use the resources described in Appendix B: Resources for Learning About Group Policy (Windows Server 2003) to learn about Group Policy and the Group Policy Management Console. Apply Group Policy objects (GPOs) to an organizational unit, a domain, or a site, as appropriate for your situation.

  2. Click Computer Configuration, click Administrative Templates, click System, and then click Remote Assistance.

  3. In the details pane, double-click Solicited Remote Assistance, and then select Disabled.

    Note

    When you disable this policy setting, Offer Remote Assistance is also disabled.

To disable the use of Remote Assistance through Control Panel

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click System.

  3. In System Properties, click the Remote tab.

  4. Under Remote Assistance, clear the check box labeled Turn on Remote Assistance and allow invitations to be sent from this computer.
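The two procedures above set the same state by different routes: the Group Policy route writes policy registry values, the Control Panel route writes a local Terminal Server value, and a policy value overrides the local one when both exist ("Not Configured" means the Control Panel setting applies). The following PowerShell script is an added audit example, not part of this Microsoft page, that reads both locations and reports the effective Remote Assistance state together with whether TCP port 3389 is currently listening. The registry paths and value names (fAllowToGetHelp, fAllowUnsolicited, fAllowFullControl) are assumptions taken from the System.adm template as I recall it, so verify them against the template on your own domain controllers; the script also assumes PowerShell 2.0 or later.

```powershell
# Added audit example (not Microsoft's code). Reports the effective Remote Assistance state on
# the local computer by reading the values the Group Policy settings and Control Panel write.
# ASSUMPTION: registry paths and value names are from the System.adm template as recalled;
# confirm them against your template before relying on this script.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'   # Group Policy values
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'            # Control Panel value

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, which for a policy value means "Not Configured".
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null
    }
}

function Get-RemoteAssistanceState {
    $solicitedPolicy   = Get-RegValue $policyKey 'fAllowToGetHelp'    # "Solicited Remote Assistance" policy
    $unsolicitedPolicy = Get-RegValue $policyKey 'fAllowUnsolicited'  # "Offer Remote Assistance" policy
    $fullControlPolicy = Get-RegValue $policyKey 'fAllowFullControl'  # view-only (0) vs. remote control
    $localSetting      = Get-RegValue $localKey  'fAllowToGetHelp'    # "Turn on Remote Assistance..." check box

    # A configured policy value wins; otherwise the Control Panel setting is what applies.
    if ($solicitedPolicy -ne $null) {
        $solicited = ($solicitedPolicy -eq 1)
        $source    = 'Group Policy'
    } else {
        $solicited = ($localSetting -eq 1)
        $source    = 'Control Panel'
    }

    # Disabling solicited assistance also disables offers, so an offer can only be
    # effective when solicited assistance is allowed and the Offer policy is enabled.
    $unsolicited = ($solicited -and ($unsolicitedPolicy -eq 1))

    # Check whether anything is listening on the RDP port a session would use.
    # Parses netstat output because Get-NetTCPConnection is not available on older systems.
    $listeners = @(netstat -an -p tcp | Select-String -Pattern ':3389\s+\S+\s+LISTENING')
    $listening = ($listeners.Count -gt 0)

    New-Object PSObject -Property @{
        SolicitedAllowed   = $solicited
        SolicitedSource    = $source
        UnsolicitedAllowed = $unsolicited
        HelpersMayControl  = ($fullControlPolicy -ne 0)   # treats "not set" as the default, remote control
        Port3389Listening  = $listening
    }
}

# Run from an elevated prompt on the server being audited.
Get-RemoteAssistanceState | Format-List
```

Run the script on a sample of servers after applying the GPO; a result of SolicitedAllowed = False with SolicitedSource = Group Policy confirms the "Disabled" setting took effect. Port3389Listening = True with Remote Assistance disabled is expected when Remote Desktop or Terminal Services is still in use, which is why the page recommends Group Policy rather than closing port 3389 when those services must stay available.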