Windows Server 2008 R2 Unleashed
Authors: Noel Morimoto
CHAPTER 25 Remote Desktop Services
client requires a complete Remote Desktop environment or just needs to run a single application, the Remote Desktop Session Host uses its hardware resources to perform all the application processing. In a basic Remote Desktop Services session, the client sends out only keyboard and mouse signals and receives screen images, which requires only a small amount of bandwidth on the network. For a more robust session that might need access to local resources, Remote Desktop Services can provide audio, local printer, COM port, local disk, and Plug and Play Device Redirection (for media players and digital cameras) to provide ease of data transfer between the client and server through a single network port. Remote Desktop Services also provides local time zone redirection, which allows users to view time stamps of email and files relative to their location. Lastly, Remote Desktop Services can also support higher-resolution desktop computers (up to 4096x2048) and spanning multiple monitors horizontally to form a single, large desktop, and using the Client Experience feature, users can be given a Remote Desktop Services desktop experience that feels and looks like Windows 7.
Remote Desktop Services was first introduced in Windows NT 4.0 Terminal Server Edition. Through subsequent versions of Windows, both Remote Desktop Services and its subject protocol Remote Desktop Protocol (RDP) have been significantly improved. These improvements have culminated with the Windows Server 2008 R2 and Windows 7 release rebranding of Terminal Services to Remote Desktop Services and the introduction of a number of new features, such as the following:
. Remote Desktop Services management support via Windows PowerShell
. Per-user RemoteApp program filtering for Remote Desktop Web Access
. Remote Desktop Virtualization Host, which is a component of Microsoft’s Virtual Desktop Infrastructure (VDI) offerings
. The introduction of RemoteApp and Desktop Connection, which is designed to provide a seamless user experience on Windows 7
. Support for Single Sign-On between RD Session Host and RD Web Access
. Improved audio and video playback support
This chapter reviews features and how to plan, implement, and support a Windows Server 2008 R2 Remote Desktop Services deployment. This chapter addresses not only the new features added in Windows Server 2008 and Windows Server 2008 R2, but also how these new technologies can be leveraged to improve remote access services by users and by network administrators.
Why Implement Remote Desktop Services
Remote Desktop Services is a versatile product that can be implemented to meet many different business needs. In some cases, it is implemented to give administrators the ability to remotely administer a server, group of servers, or applications. Remote Desktop Services can also be used to allow users access to applications and network resources through a terminal session. Or, Remote Desktop Services can be implemented by an application service provider (ASP) to create managed application services, eliminating the need for its customers to buy server hardware, software, and support.
Regardless of the reason why Remote Desktop Services is implemented, there are several benefits to implementing it:
. Centralized deployment of applications—By deploying applications using Remote Desktop Services, those applications reside only on Remote Desktop Services and can be centrally managed. In addition, deploying applications in this manner allows them to be rapidly deployed and updated.
. Remote access to applications—Remote Desktop Services allows users to access applications within a local network and remotely. Connections can even be made to applications in bandwidth-constrained connections, such as dial-up or shared wide area network (WAN) links, and over Hypertext Transfer Protocol Secure (HTTPS).
. Windows Anywhere—Remote Desktop Services allows users to access feature-rich Windows applications from many different devices. These devices can include underpowered hardware, non-Windows desktops, thin clients (terminals), and even mobile devices.
. Virtual desktops—Using Remote Desktop Services in conjunction with Remote Desktop Virtualization, users can be allocated their own personal virtual desktop or given access to a virtual desktop instance within a virtual desktop pool.
NOTE
Windows XP Professional, Windows XP Media Center and Tablet PC Editions, Windows
Vista Ultimate, Enterprise, and Business Editions, and Windows 7 Ultimate, Business,
and Professional include a scaled-down version of Remote Desktop Services that can
be enabled and used for remote administration or remote workstation access.
Remote Desktop for Administration
As a remote administration tool, Remote Desktop Services gives an administrator the option of performing server administration from a server console or from any other server or workstation using the Remote Desktop Connection client (previously known as the Terminal Services Client). Remote Desktop is installed by default, but is not automatically enabled. Using Remote Desktop can simplify server administration for an IT department by allowing personnel to do their jobs from almost any console on the network. This can improve IT response times to complete trouble tickets concerning access to network resources or user account management. Server maintenance tasks such as reviewing logs or gathering server performance data can be accomplished through the client.
Applications and updates can be installed through a Remote Desktop session, but should be done only when the installation does not involve a Windows component installation or when users are running Remote Desktop server sessions. Installing applications from the local server console is recommended, but if an application must be installed remotely, some changes with Session 0 introduced in Windows Vista and Windows Server 2008 make doing so easier. (These changes are explained later in this chapter in the section “Session 0 Isolation.”)
NOTE
With the release of the Terminal Services Client 6.0, the client was renamed Remote
Desktop Connection.
Remote Desktop for Users
There are many benefits of making Remote Desktop available to users. For example, company hardware costs can be reduced, application availability and licensing management can be simplified, and network performance can increase.
Because a Remote Desktop session is really a remote session running on the Remote Desktop Session Host, all Remote Desktop users run applications on a Windows server, utilizing the processing power of the server while reducing the load on the local workstation. This can extend the life of an underpowered machine whose deficient resources might impede workflow through high processor, memory, or disk utilization.
From a desktop support perspective, a Remote Desktop Session Host can be put in place and used as a secondary means of providing users access to their applications if problems are encountered with the applications on their local workstations. Although this approach might seem to be overkill, providing a secondary means of application access can be vital to user productivity and company revenue when support personnel might not be readily available to fix end-user application issues.
Providing centralized applications for users through Remote Desktop Services can also simplify application management by reducing the number of machines on which application upgrades, security updates, and fixes need to be installed. Because all the applications run on the Remote Desktop Session Host, only the server itself needs to be updated, and the entire user base benefits from the change immediately. This way, the updates can be performed for all Remote Desktop Session Host users at one time.
Remote Desktop for Remote User Support
Remote Desktop can be used to provide application support for end users within a Remote Desktop session. When users are running in a Remote Desktop session, an administrator can configure remote control or shadowing functionality to view or completely interact with a user’s session. This feature can be used to train users, provide application support, or create configuration changes, such as installing a printer or connecting to a network file share. This capability can greatly reduce the number of administrators needed during the regular workday because multiple users can be assisted from one location.
NOTE
To comply with many organizations’ security and privacy policies, Remote Desktop
Services provides an option for the remote control function to be completely disabled.
Alternatively, rather than completely disabling the function for all users, Remote
Desktop Services can be configured to give users the ability to choose whether to
allow an administrator to interact with their Remote Desktop session.
Remote Desktop for Application Service Providers
Installing the Remote Desktop Services role service allows applications and services to be made available to users in any location. Companies that provide services to businesses through proprietary applications can standardize and provide their applications exclusively through Remote Desktop Services and gain all the benefits outlined in the preceding sections. An added bonus for these companies is that Remote Desktop Services reduces the need to send application media out to each client, and end-user support can be provided in a way never before possible.
Application service providers that make several applications available to clients can use Remote Desktop Services to service hundreds or thousands of users from different organizations while charging a fee for application usage or terminal session time usage.
How Remote Desktop Works
NOTE
Windows Server 2008 R2 does not provide a standard reporting mechanism to present Remote Desktop session data. However, some valuable information can be gathered by filtering the security event log for user logon and logoff events, using the Remote Desktop Licensing Manager tool, as well as teaming this information with data gathered by creating performance logs configured to monitor Terminal Services (an item not renamed) session counters using the Performance Monitor Microsoft Management Console (MMC) snap-in or through information provided by Windows System Resource Manager (WSRM), included with Windows Server 2008 R2. It is also important to note that System Center Operations Manager 2007 and some third-party solutions for Remote Desktop Services provide exceptional reporting functionality.
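The note above says session data can be reconstructed from the security event log. The following script is an added example written for this edit, not code from the book or from Microsoft: it pairs successful logon events (ID 4624, logon type 10, which is the RemoteInteractive type used by Remote Desktop) with their logoff events (ID 4634) by logon ID to list each RDP session, its source address and its duration, then totals sessions per user. It assumes an elevated PowerShell session on the RD Session Host with read access to the Security log; the `-Hours` parameter and the object shape are this example's own choices.

```powershell
# Added example, not from the book: summarize Remote Desktop logons from the
# Security event log. Event 4624 (successful logon) with LogonType 10
# (RemoteInteractive) is an RDP logon; 4634 is the matching logoff, linked
# by the logon ID. Run elevated on the RD Session Host; the -Hours window
# is an assumed parameter chosen for this example.
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Flatten the EventData block of an event into a name -> value hashtable.
function Get-EventData($Event) {
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Logoff times keyed by logon ID, so each RDP logon can be paired with its end.
$logoffs = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4634; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        $logoffs[$d['TargetLogonId']] = $_.TimeCreated
    }

$sessions = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        # Only logon type 10 is an RDP session; type 3 entries that NLA produces
        # first are network logons and are deliberately ignored here.
        if ($d['LogonType'] -eq '10') {
            $end = $logoffs[$d['TargetLogonId']]
            $minutes = if ($end) { [math]::Round(($end - $_.TimeCreated).TotalMinutes, 1) } else { $null }
            New-Object PSObject -Property @{
                LogonTime = $_.TimeCreated
                User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                SourceIP  = $d['IpAddress']
                Minutes   = $minutes      # $null when the session is still open
            }
        }
    }

# Per-session listing, then per-user totals: one account logging on from many
# source addresses, or from an address outside the management network, is
# worth a closer look.
$sessions | Sort-Object LogonTime | Format-Table LogonTime, User, SourceIP, Minutes -AutoSize
$sessions | Group-Object User | ForEach-Object {
    New-Object PSObject -Property @{
        User     = $_.Name
        Sessions = $_.Count
        Sources  = ($_.Group | Select-Object -ExpandProperty SourceIP | Sort-Object -Unique) -join ', '
    }
} | Format-Table User, Sessions, Sources -AutoSize
```

Save it as a `.ps1` file and run it with `-Hours 168` for a week of history. `New-Object PSObject -Property` is used rather than the `[pscustomobject]` accelerator so the script also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2. A session with no matching 4634 in the window shows an empty Minutes column: either it is still open, or the logoff fell outside the window.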
Remote Desktop allows users to connect to a remote machine and access applications or an entire desktop. To establish their client/server session, users utilize the Remote Desktop Connection client. The RDC client, in turn, uses a multichannel protocol called the Remote Desktop Protocol (RDP), which is an extension of the ITU T.120 family of protocols. By default, RDP-based connections are made over TCP 3389, or if Remote Desktop Gateway is used, then the connections are made over TCP 443 (HTTPS).
When a user uses RDP, client mouse and keyboard events are redirected from the client to the remote machine. On the remote machine, RDP uses its own onscreen keyboard and mouse driver to receive these keyboard and mouse events from RDC clients. Then to render a user’s actions, RDP uses its own video driver. Using this video driver, RDP constructs the display output into network packets, which are then redirected back to the RDC client. On the client, the rendering data is received and translated into corresponding Microsoft Win32 graphics device interface (GDI) application programming interface (API) calls.
Because RDP is multiple-channel capable, separate virtual channels are used for carrying device communication, presentation data, and encrypted client mouse and keyboard data between the RDC client and a remote machine. RDP’s virtual channel base is extensible and supports up to 64,000 separate channels for data transmissions or multipoint transmissions.
NOTE
Using a multipoint transmission, data from an application can be sent to multiple clients in real time without sending the same data to each session individually (for example, virtual whiteboards).
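The text above states that RDP listens on TCP 3389 by default and that Remote Desktop is installed but not enabled until an administrator turns it on, and the earlier note on remote user support says the remote control (shadowing) function can be disabled or made subject to user consent. The script below is an added example written for this edit, not code from the book or from Microsoft: it reads those settings from the registry, checks that a listener is actually bound on the configured port, and lists current sessions, so an administrator can confirm the host's posture before and after a change. The registry paths and value names are the documented Remote Desktop configuration values; the pass/flag wording and thresholds are this example's own. It assumes an elevated PowerShell session on the server being audited.

```powershell
# Added example, not from the book: read the Remote Desktop configuration of
# this server from the registry and confirm what the listener actually binds.
# Registry paths and value names are the documented ones; the pass/flag
# wording is this example's own. Run elevated on the host being audited.

$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Return a registry value, or $null when the key or value does not exist.
function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$Name }
    return $null
}

$denyConnections = Get-RegValue $ts     'fDenyTSConnections'  # 1 = Remote Desktop not enabled (the default)
$port            = Get-RegValue $rdpTcp 'PortNumber'          # 3389 unless an administrator changed it
$nla             = Get-RegValue $rdpTcp 'UserAuthentication'  # 1 = Network Level Authentication required
$securityLayer   = Get-RegValue $rdpTcp 'SecurityLayer'       # 0 = RDP security, 1 = negotiate, 2 = SSL (TLS)
$minEncryption   = Get-RegValue $rdpTcp 'MinEncryptionLevel'  # 1 low, 2 client compatible, 3 high, 4 FIPS
$shadowPolicy    = Get-RegValue $policy 'Shadow'              # remote control policy; $null when no GPO sets it

# Meaning of the Shadow policy value (remote control of user sessions).
$shadowText = @{
    0 = 'No remote control allowed'
    1 = 'Full control, with user permission'
    2 = 'Full control, without user permission'
    3 = 'View session, with user permission'
    4 = 'View session, without user permission'
}

$findings = @()
$findings += "Remote Desktop enabled      : $(if ($denyConnections -eq 0) { 'yes' } else { 'no' })"
$findings += "Listener port               : $port"
$findings += "NLA required                : $(if ($nla -eq 1) { 'yes' } else { 'NO - flag' })"
$findings += "Security layer              : $securityLayer $(if ($securityLayer -eq 2) { '(TLS)' } else { '(flag: legacy RDP security permitted)' })"
$findings += "Minimum encryption level    : $minEncryption $(if ($minEncryption -ge 3) { '(high or FIPS)' } else { '(flag: below high)' })"
$findings += "Remote control (shadow) GPO : $(if ($shadowPolicy -ne $null) { $shadowText[[int]$shadowPolicy] } else { 'not set by policy; per-connection and per-user settings apply' })"

# Cross-check the registry against what the host is actually listening on.
$listening = netstat -an -p tcp | Select-String "^\s*TCP\s+\S+:$port\s+\S+\s+LISTENING"
$findings += "Listener bound on port $port : $(if ($listening) { 'yes' } else { 'no (service stopped or port differs)' })"

# Active and disconnected sessions, the same data Remote Desktop Services
# Manager shows; disconnected sessions that never end keep holding resources.
$findings += ''
$findings += 'Current sessions (qwinsta):'
$findings += (qwinsta 2>&1 | Out-String)

$findings
```

The flags are deliberately conservative: a security layer other than SSL (TLS) or an encryption level below High means the listener will still accept the older RDP security layer, and NLA off means the logon screen is reachable before authentication. The Shadow line reports only the policy-level setting; when it is not set, the per-connection setting on the RDP-Tcp listener and the per-user setting in Active Directory decide, which is the choice the earlier note describes.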
Modes of Operation
Remote Desktop can be run in two different modes of operation. The first mode is called the Remote Desktop for Administration and the other is called Remote Desktop Services.