Share via


Remote Assistance and Resulting Internet Communication in Windows Server 2008

Applies To: Windows Server 2008

In This Section

Benefits and Purposes of Remote Assistance

Overview: Using Remote Assistance in a Managed Environment

How Remote Assistance Communicates Through the Internet

Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet

Procedures for Controlling or Disabling Remote Assistance

Additional References

Note that this section describes three different ways that Remote Assistance can work:

  • Remote Assistance through instant messaging. Because this is designed more for a home scenario than an enterprise scenario, it is not described fully in this white paper, but there are links to additional information in Additional References, later in this section.

  • Solicited Remote Assistance (a user sends an invitation, through e-mail or as a file, to a person who can provide assistance).

  • Offer Remote Assistance within a domain setting (a designated set of people, such as support professionals, offer assistance to users).

Benefits and Purposes of Remote Assistance

With Remote Assistance, a support person or helper can offer assistance to users with computer issues or questions. The support person might connect from a computer running Windows Vista or Windows Server 2008.

After the user and helper are connected and the Remote Assistance session begins, both can view the user’s computer screen, communicate in real time about what they see, send files, and use the mouse and keyboard to work on the user’s computer.

Multiple protections are built into Remote Assistance:

  • Remote Assistance is an optional component in Windows Server 2008 and is not installed by default. You must install Remote Assistance before it can be used.

  • Remote Assistance sessions use the Remote Desktop Protocol (RDP) and end-to-end encryption.

  • The person being assisted must consent before the desktop can be viewed remotely, regardless of how the Remote Assistance process begins (through instant messaging, through an invitation sent through e-mail or delivered as a file, or through Offer Remote Assistance).

  • A person requesting assistance (through instant messaging or by sending e-mail or a file) must set up a password of at least six characters that the helper must type before assistance can begin.

  • The person being assisted can stop the Remote Assistance session at any time.

  • Through Remote settings (Advanced button) in Control Panel\System, you can set the maximum amount of time that a Remote Assistance invitation can remain open.

The following sections provide more detail, including information about the three types of Remote Assistance: instant-message-based Remote Assistance, Solicited Remote Assistance where the invitation is sent as an e-mail or delivered as a file, and Offer Remote Assistance (used within a domain).

Overview: Using Remote Assistance in a Managed Environment

On a server running Windows Server 2008, before Remote Assistance can be used, you must install the Remote Assistance feature, then start the Remote Assistance Wizard through Start\All Programs\Maintenance\Windows Remote Assistance. The Remote Assistance Wizard guides you through one of several processes:

  • Creating an e-mail or file invitation for remote assistance, and then setting up a password for the session.

  • Offering remote assistance to a specific computer (identified by name or IP address).

In a managed environment, a firewall on your organization’s network will likely prevent those outside your network from connecting directly to a computer on your network (blocking Remote Assistance connections that are inbound to computers behind the firewall). However, for additional protection, you can also control Remote Assistance, either by disabling all types of Remote Assistance or by allowing only certain types. For example, by allowing only Offer Remote Assistance within your domain, you could specify a list of support professionals in your organization who can offer assistance. Only the people on that list would be able to assist users through Remote Assistance. (Offer Remote Assistance only works within a domain environment.)

For a list of Group Policy settings that are relevant for controlling Remote Assistance in a managed environment, see "Using Group Policy to Control Remote Assistance," later in this section.

The Remote Assistance Invitation and the Remote Assistance Session

There are two stages to the Remote Assistance process:

  • Establishing communication between the two computers: This is when an invitation or "ticket" is sent from one computer to another and the computers establish communication.

    For a description of how communication can be established between the two computers, see "Types of Assistance Included in Remote Assistance," later in this section.

  • Conducting the Remote Assistance session itself: This is when the helper actually views or changes the configuration on another person's computer.

For more information about the communication in these processes, see How Remote Assistance Communicates Through the Internet, later in this section.

Types of Assistance Included in Remote Assistance

When choosing among ways of controlling Remote Assistance, consider the types of assistance included in Remote Assistance in Windows Server 2008. The following list briefly describes each type. Details about controlling them are provided later in this section.

Note

The types of Remote Assistance refer to how the Remote Assistance session is initiated. For all types of Remote Assistance, the person receiving assistance must consent before assistance can begin.

  • Instant-message-based Remote Assistance: Both the person seeking assistance and the person who gives assistance must be using instant-messaging software based on the Rendezvous API (for example, Windows Live Messenger 8.0). A person seeking assistance can select a buddy from his or her list and ask that person to provide Remote Assistance. For information about this approach, see Additional References, later in this section.

  • Solicited Remote Assistance where an invitation is sent by e-mail or delivered as a file: A person sends an invitation, through e-mail or as a file, to a person who can provide assistance.

  • Offer Remote Assistance: For Offer Remote Assistance to work, a certain amount of configuration is necessary, and the computers must be within a domain. This means that you (the system administrator) can determine who can offer remote assistance within the domain.

    Note that a support professional at a computer running Windows XP cannot offer remote assistance to computers running Windows Vista or Windows Server 2008. The support professional must instead have a computer running Windows Vista or Windows Server 2008 (and with either of these operating systems, the support professional can also offer remote assistance to a computer running Windows XP).

For more information, see Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet and Procedures for Controlling or Disabling Remote Assistance, later in this section.

Windows Firewall Settings in Relation to Remote Assistance

Windows Firewall is on by default in Windows Server 2008. Windows Firewall includes a number of exceptions that can be chosen from a list, including an exception for Remote Assistance. Enabling the Remote Assistance exception has different effects, depending on which category of network the computer is using at a given time:

  • Private network: This category is intended for home or small office networks, and it is therefore less restrictive than the public network category. For a private network, network discovery is on by default. Network discovery is the ability of a computer to recognize or be recognized by computers and other devices on the network.

  • Public network: This category is intended for networks in public places (such as coffee shops or airports). The public network category is intended to be more restrictive to help keep the computers secure. For a public network, network discovery is off by default.

  • Domain network: This category is automatically applied when a computer is joined to a domain (and is connected to that domain). For a domain network, network discovery is on by default.

Note

In a domain, if you enable the Windows Firewall exception for Remote Assistance, Port 135 TCP is opened. If you do not want to open this port, you can use a Group Policy setting to allow authenticated traffic protected by Internet Protocol security (IPSec) to bypass Windows Firewall. For more information, see Additional References, later in this section.

The following table lists the network categories and describes how the Remote Assistance exception in Windows Firewall works in each category:

Network Category Remote Assistance Exception in Windows Firewall

Private

Public

Domain

  • Remote Assistance exception is disabled by default.

  • If the exception for Remote Assistance is enabled:

    • Port 135 TCP is opened for Distributed Component Object Model (DCOM) for Offer Remote Assistance. For an alternative approach, see the note that precedes this table.

    • systemroot\System32\msra.exe (for both Offer Remote Assistance and Solicited Remote Assistance) can communicate through the firewall.

    • systemroot\System32\raserver.exe (for Offer Remote Assistance) can communicate through the firewall.

How Remote Assistance Communicates Through the Internet

The following list provides details about how Remote Assistance communicates through the Internet:

  • Specific information sent or received: Information that is transmitted in a Remote Assistance ticket includes user name, IP address, and computer name. Information transmitted during a Remote Assistance session depends on the features being used (for example, screen sharing and file transfer), and it is sent in real time using point-to-point connections.

    Note that in Solicited Remote Assistance, when a user creates an e-mail invitation for Remote Assistance, the e-mail uses the SMAPI (Simple MAPI) standard, which means the invitation is attached to the e-mail message.

  • Default settings: By default, the Remote Assistance feature is not installed on a server running Windows Server 2008. The feature must be installed before a Remote Assistance session (solicited or offered) can begin.

    Default settings for Windows Firewall also have important effects on Remote Assistance as described in "Windows Firewall Settings in Relation to Remote Assistance," earlier in this section. However, note that the Remote Assistance Wizard senses whether the local Windows Firewall is using settings that block Remote Assistance. If this is the case, the Remote Assistance Wizard allows you to begin selecting options, but then displays a notification that Windows Firewall is blocking it and provides you with information about unblocking (opening Windows Firewall and selecting Remote Assistance as an exception). With this notification, in many cases, it is easy to tell if Windows Firewall is blocking your attempted actions. However, if you, as a support professional, try to use Offer Remote Assistance for a computer on which Windows Firewall is blocking the session, the session will not be established and no notification will appear on either computer.

    Regardless of any other settings, users can always prevent someone from connecting to their computers by declining prompts to begin a Remote Assistance session.

    For additional information about a default setting, see "Encryption" in this list.

  • Triggers: With Solicited Remote Assistance, you establish contact with the helper by sending an invitation through e-mail, by saving an invitation as a file and transferring it manually (such as on a floppy disk), or through compatible instant-messaging software. To be compatible, instant-messaging software must use the Rendezvous API (an example is Windows Live Messenger 8.0).

    With Offer Remote Assistance, you offer unsolicited assistance to a user (which the user can decline). To do this, you must be an administrator on the user's computer or must be on an Offer Remote Assistance list configured for the user's computer.

  • User notification: When you are at a server running Windows Server 2008, you are notified of an offer of assistance (solicited or unsolicited) from another person. You must accept the invitation before the other person can see your server. Then, before the other person can take control of your server, you are asked whether to allow this. (Remote Assistance can also be configured to allow the other person to view but not take control of your server.)

  • Logging: On the computer running Windows Server 2008, Remote Assistance records events in the System log in Event Viewer and in files in the path \Users\user name\Documents\Remote Assistance Logs.

    Events such as a person initiating a connection or a person accepting or rejecting an invitation are recorded in the Remote Assistance logs, and the details include taking and releasing control, sending and accepting files, and ticket creation and deletion. Remote Assistance also records details such as whether assistance is solicited or unsolicited as well as detailed user name and IP address information.

  • Encryption: The Remote Desktop Protocol (RDP) encryption algorithm is used. The RDP encryption algorithm is RC4 128-bit.

Note

One item in the Remote Assistance invitation (for Solicited Remote Assistance) that is not encrypted in some cases is a clear-text IP address. This clear-text IP address is included by default, for compatibility with Windows XP and Windows 2003. However, you can configure an option so that invitations will include the user's IP address in encrypted form only (the form used by Windows Server 2008 and Windows Vista), without the address also being in clear text as required for Windows XP and Windows 2003. For more information, see Procedures for Controlling or Disabling Remote Assistance, later in this section.

  • Access: No information is stored at Microsoft.

  • Transmission protocol and port: The port is dynamically selected by Remote Assistance, and the protocol is RDP. For Offer Remote Assistance, DCOM is also used.

  • Ability to disable: Solicited Remote Assistance, Offer Remote Assistance, or both can be disabled by using Group Policy or locally through Control Panel. They can also be disabled by using unattended installation with an answer file. For more information, see Procedures for Controlling or Disabling Remote Assistance, later in this section.

Controlling Remote Assistance to Prevent the Flow of Information to and from the Internet

When choosing among ways of controlling Remote Assistance, consider the types of assistance included in Remote Assistance in Windows Server 2008. The following list provides suggestions for using or controlling each type in a managed environment:

  • Controlling instant-message-based Remote Assistance: This is actually a form of Solicited Remote Assistance, so when you turn off Solicited Remote Assistance, you also turn off instant-message-based Remote Assistance. You can turn this off through Control Panel, through Group Policy, or with unattended installation using an answer file.

    As an alternative, you can exclude instant-messaging software from standard corporate computer configurations, and make sure that users do not have administrative accounts, so that they cannot install software on their computers. (This section does not provide details about how to do this.)

  • Controlling Solicited Remote Assistance where an invitation is sent by e-mail or delivered as a file: On a computer running Windows Server 2008, you can avoid installing Remote Assistance, which turns off all forms of Remote Assistance. If you install Remote Assistance, you can turn off Solicited Remote Assistance through Group Policy, or with unattended installation using an answer file. (This also turns off instant-message-based Remote Assistance, which is a form of Solicited Remote Assistance.)

    As a way to limit but not turn off Solicited Remote Assistance, you can configure it so that the IP address in the invitation is only in encrypted form (such an invitation does not work if it is sent to someone on a computer running Windows XP or Windows 2003). Another alternative is to allow Solicited Remote Assistance but allow the helper to view but not take control of the user's computer.

  • Controlling Offer Remote Assistance: On a computer running Windows Server 2008, you can avoid installing Remote Assistance, which turns off all forms of Remote Assistance. If you install Remote Assistance, you can turn off Offer Remote Assistance through Group Policy, or with unattended installation using an answer file.

    However, you might prefer to allow only Offer Remote Assistance and control the list of support professionals who are allowed to offer assistance. For Windows Server 2008 (and several earlier operating systems), you can control this list on an individual computer, or through Group Policy. If you do this, you also need to use Group Policy to enable the Remote Assistance exception in Windows Firewall.

    If you allow Offer Remote Assistance, another alternative is to allow the helper to view but not take control of the user's computer.

The following section provides information about using Group Policy. Later sections provide information about all methods for controlling Remote Assistance.

Using Group Policy to Limit Communication Through Remote Assistance

There are multiple Group Policy settings you can configure to control the use of Remote Assistance, including settings for:

  • Solicited Remote Assistance

  • Offer Remote Assistance

  • Allow only Vista or later connections

These policy settings are located in Computer Configuration under Policies (if present), in Administrative Templates\System\Remote Assistance. Configuration options for these policy settings are described in the following list.

  • Solicited Remote Assistance

    • Solicited Remote Assistance (enabled): When this policy setting is enabled, a person can create a Remote Assistance invitation that a helper at another computer can use to connect to computer of the person requesting assistance. If given permission, the helper can view the screen, mouse, and keyboard activity in real time.

      Additional configuration options are available when you enable this policy setting.

    • Solicited Remote Assistance (disabled): If the status is set to Disabled, the person at this computer cannot request Remote Assistance.

    • Solicited Remote Assistance (not configured): If the status is set to Not Configured, the configuration of solicited Remote Assistance is determined by the Control Panel settings.

  • Offer Remote Assistance

    • Offer Remote Assistance (enabled): When this policy setting is enabled, a remote user or administrator can offer Remote Assistance to a computer affected by the setting. When you configure this policy setting, you must also specify the list of users or user groups that will be allowed to offer remote assistance. Administrators of a given computer can offer remote assistance by default; they do not need to be added to the list.

      Additional configuration options are available when you enable this policy setting.

    • Offer Remote Assistance (disabled or not configured): If you disable or do not configure this policy setting, a support professional or other helper cannot offer unsolicited remote assistance to a computer affected by the setting.

  • Allow only Vista or later connections

    • Allow only Vista or later connections (enabled): If you enable this policy setting, when an invitation for Solicited Remote Assistance is sent from a computer running Windows Vista or Windows Server 2008, the invitation will include the user's IP address in encrypted form only (the form used by Windows Vista and Windows Server 2008), and not also in clear text as required by Windows XP and Windows Server 2003.

    • Allow only Vista or later connections (disabled or not configured): If you disable or do not configure this policy setting, for Solicited Remote Assistance, invitations will include the user's IP address in clear text (as required for compatibility with Windows XP and Windows Server 2003), not just in encrypted form as used by Windows Vista and Windows Server 2008.

For information about additional configuration options, including a setting called Customize Warning Messages, see the Remote Assistance policy settings in Group Policy. To find more information about editing Group Policy, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008.

Note

You can also use Group Policy to specifically control the way that Remote Assistance interacts with User Account Control (in Windows Vista or Windows Server 2008) in cases where the user does not have administrative credentials but the support professional does. In such instances, a user who is presented with a User Account Control prompt might be unable to click Continue without administrative credentials, while the support professional will be presented only with a blank screen. In other words, when the prompt occurs, the desktop becomes "the secure desktop" and cannot be viewed remotely. To prevent this from occurring, in Group Policy, in Computer Configuration under Policies (if present), in Windows Settings\Security Settings\Local Policies\Security Options, find the setting called User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. To see more information about the setting before enabling it, view the description included with the setting.

Procedures for Controlling or Disabling Remote Assistance

The procedures in this section are grouped according to the method by which you perform them:

  • Controlling Remote Assistance on an individual computer running Windows Server 2008

  • Controlling Remote Assistance by using Group Policy

  • Controlling Remote Assistance during unattended installation by using an answer file

Controlling Remote Assistance on an Individual Computer Running Windows Server 2008

This subsection contains procedures for configuring Remote Assistance on an individual computer running Windows Server 2008.

To Install Remote Assistance on a Computer Running Windows Server 2008

  1. If you recently installed Windows Server 2008, and the Initial Configuration Tasks interface is displayed, under Customize This Server, click Add features. Then skip to step 3.

  2. If the Initial Configuration Tasks interface is not displayed and Server Manager is not running, click Start, click Administrative Tools, and then click Server Manager. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)

    Then, in Server Manager, under Features Summary, click Add Features.

  3. In the Add Features Wizard, select the check box for Remote Assistance.

  4. Follow the instructions in the wizard to complete the installation.

To Uninstall Remote Assistance on a Computer Running Windows Server 2008

  1. If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)

  2. In Server Manager, under Features Summary, click Remove Features.

  3. In the Remove Features Wizard, clear the check box for Remote Assistance.

    In this wizard, you remove a feature by clearing a check box (not checking a check box).

  4. Follow the instructions in the wizard to complete the removal.

To Use Control Panel to Maximize the Encryption in Remote Assistance Invitations Sent from this Computer

Note

You can perform this procedure only if Remote Assistance is installed. For information about installing and uninstalling Remote Assistance, see the previous procedures.

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click System.

  3. On the left, click Remote settings.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  5. On the Remote tab, under Remote Assistance, click Advanced.

  6. Select the check box labeled Create invitations that can only be used from computers running Windows Vista or later.

Important

When this option is selected, Remote Assistance invitations sent from this computer will contain the IP address in encrypted form only, which prevents the invitation from working if it is received on a computer running Windows XP or Windows Server 2003.

For information about a Group Policy setting that overrides this Control Panel setting, see "To Use Group Policy to Maximize the Encryption in Remote Assistance Invitations that Are Sent," later in this section.

To Use Control Panel to Allow Helpers to View but Not Take Control of this Computer

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click System.

  3. On the left, click Remote settings.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  5. On the Remote tab, under Remote Assistance, click Advanced.

  6. Clear the check box labeled Allow this computer to be controlled remotely.

For information about a Group Policy setting that overrides this Control Panel setting, see "To Use Group Policy to Allow Helpers to View but Not Take Control of Users' Computers," later in this section.

To Use Control Panel to Configure Exclusive "Offer Remote Assistance"

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click System.

  3. On the left, click Remote settings.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  5. On the Remote tab, under Remote Assistance, clear the check box labeled Allow Remote Assistance connections to this computer. (Clearing this check box disables Solicited Remote Assistance, but does not disable Offer Remote Assistance.)

  6. Click OK.

  7. Click the Back button and then double-click User Accounts.

  8. Click Manage User Accounts.

  9. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  10. Look at the list under Users for this computer and determine if it includes the people who should be able to offer Remote Assistance to this computer. If it does not, use the Add button to add one or more user accounts to the list.

  11. Click the account of a user who you want to allow to offer Remote Assistance to this computer, click Properties, and make sure the Group Membership tab is selected. Click Other, expand the list, and click Offer Remote Assistance Helpers. (If instead of clicking Other, you click Administrator, the person will have full control on this computer, which includes being able to offer remote assistance.)

For information about a Group Policy setting that overrides this Control Panel setting, see "To Use Group Policy to Configure Exclusive "Offer Remote Assistance"," later in this section.

Controlling Remote Assistance by Using Group Policy

This subsection contains procedures for controlling Remote Assistance by using Group Policy. For information about an additional Group Policy setting, which affects the way Remote Assistance interacts with User Account Control in cases where the user (the person receiving assistance) does not have administrative credentials, see the note just before Procedures for Controlling or Disabling Remote Assistance, earlier in this section.

To Use Group Policy to Maximize the Encryption in Remote Assistance Invitations that Are Sent

  1. See Appendix B: Resources for Learning About Group Policy for Windows Server 2008 for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Server 2008 (with the Group Policy Management feature installed) or Windows Vista. Then open Group Policy Management Console (GPMC) by running gpmc.msc and edit an appropriate Group Policy object (GPO).

Note

You must perform this procedure by using GPMC on a computer running Windows Server 2008 or Windows Vista.

  1. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, and then click Remote Assistance.

  2. In the details pane, double-click Allow only Vista or later connections, and then click Enabled.

    You can also click the Explain tab to see details about how the setting works.

Important

When this setting is enabled, Remote Assistance invitations sent from computers affected by this policy setting will contain the IP address in encrypted form only, which prevents the invitation from working if it is received on a computer running Windows XP or Windows Server 2003.

To Use Group Policy to Allow Helpers to View but Not Take Control of Users' Computers

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, and then click Remote Assistance.

  3. If you permit Solicited Remote Assistance, in the details pane, double-click Solicited Remote Assistance, click Enabled, and under Permit remote control of this computer, select Allow helpers to only view the computer, and then click OK.

  4. If you permit Offer Remote Assistance, in the details pane, double-click Offer Remote Assistance, click Enabled, and under Permit remote control of this computer, select Allow helpers to only view the computer. If you have not already clicked Show and used the Add button to add the accounts of support professionals who you want to allow to offer assistance, you must do so before you can click OK.

To Use Group Policy to Configure Exclusive "Offer Remote Assistance"

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, and then click Remote Assistance.

  3. In the details pane, double-click Solicited Remote Assistance, click Disabled, and then click Next Setting.

  4. For the Offer Remote Assistance setting, click Enabled, click Show, and use the Add button to add accounts of support professionals who you want to allow to offer assistance.

To Use Group Policy to Disable All Types of Remote Assistance

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, and then click Remote Assistance.

  3. In the details pane, double-click Solicited Remote Assistance, click Disabled, and then click Next Setting.

  4. For the Offer Remote Assistance setting, click Disabled, and then click OK.

Controlling Remote Assistance During Unattended Installation by Using an Answer File

This subsection contains procedures for controlling Remote Assistance by using an answer file with unattended installation.

To Use an Answer File to Control "Solicited Remote Assistance" to Maximize the Encryption in Invitations

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment for Windows Server 2008.

  2. Confirm that your answer file includes the following line:

    <CreateEncryptedOnlyTickets>true</CreateEncryptedOnlyTickets>
    

To Use an Answer File to Disable Solicited Remote Assistance

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment for Windows Server 2008.

  2. To disable Solicited Remote Assistance, confirm that your answer file includes the following line:

    <fAllowToGetHelp>false</fAllowToGetHelp>
    

Additional References