Remote Desktop vs. Remote Assistance
The situation: You are a professional who needs to control a computer that is NOT in front of you. Perhaps you are away from your office, and need to access something stored on your office computer. Or maybe you’ve received a call from a troubled user who needs your assistance. The Windows operating systems afford you a few options here. We’ll take a look at the two most common.
Remote Desktop is like having a really, really long keyboard, video and mouse (KVM) cable stretching all the way back to the remote machine. You can control the remote machine, but all the processing happens on the remote machine. If you open Excel, it runs on the remote machine. If you open a large spreadsheet, the file is NOT sent to you; it is opened and processed on the remote computer. All that is sent to you is screen and audio data, and all you send back is keyboard and mouse input.
This provides a few key benefits. The software needed is minimal; in fact, it is usually included in the operating system, and even non-Microsoft computers can probably take advantage of it. Since files aren’t actually sent across the wire, your data is better protected and the bandwidth requirements are low. Anyone who finds a way to intercept and view the connection will only see what you see on your screen. (This type of interception is possible, but comparatively difficult. We’ll discuss options to further secure the connection later.)
Anyone in your office, watching your screen, will NOT be able to see what you’re doing. The remote screen is locked, and can only be unlocked at the remote computer by someone with administrative rights. Only one person can see the screen at a time with Remote Desktop.
Remote Assistance is specifically designed to allow one person to help another. The person needing help must first request assistance. This is done by creating an invitation, which acts as a sort of passkey allowing a remote connection to view the shared desktop.
If anyone intercepts this invitation, it could be used to create a connection. To prevent unauthorized access, be sure to apply protections to the invitation, such as a reasonable password.
If necessary, the person offering assistance can take control of the remote computer, but only after that access is granted by the remote user.
The capabilities for both of these features are accessed in the same Settings dialog.
By default, Remote Desktop is disabled. If you enable it, Network Level Authentication (NLA) is required, but you can turn this requirement off for connections from machines outside your Active Directory environment. This creates a connection with inferior authentication, but sometimes you have no choice.
Users attempting to connect must be listed as Remote Users. This list is accessed through “Select Users.”
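The Remote Desktop settings described above can be audited and set from an elevated PowerShell session as well as from the dialog. The following script is an added example, not part of the original article: it reads the registry values behind the “Remote Desktop” and “Network Level Authentication” options, warns when Remote Desktop is enabled without NLA, and shows one way to enable it with NLA and add a user to the Remote Desktop Users group. The account name `CONTOSO\jdoe` is a placeholder.

```powershell
# Added example (not from the original article). Run as Administrator.
# Registry locations are the Terminal Server settings that the Remote
# settings dialog writes; the user name below is a placeholder.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RemoteDesktopState {
    # fDenyTSConnections: 1 = Remote Desktop disabled (the default), 0 = enabled
    # UserAuthentication: 1 = Network Level Authentication required, 0 = not required
    [pscustomobject]@{
        Enabled     = ((Get-ItemPropertyValue -Path $tsKey  -Name fDenyTSConnections) -eq 0)
        NlaRequired = ((Get-ItemPropertyValue -Path $rdpKey -Name UserAuthentication) -eq 1)
    }
}

function Enable-RemoteDesktopWithNla {
    param([string]$RemoteUser)
    # Enable Remote Desktop and keep NLA on, then open the built-in firewall rule group.
    Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    if ($RemoteUser) {
        # Equivalent of adding the account through "Select Users" in the dialog.
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RemoteUser -ErrorAction SilentlyContinue
    }
}

# Audit the current state and flag the weak configuration the text warns about.
$state = Get-RemoteDesktopState
if ($state.Enabled -and -not $state.NlaRequired) {
    Write-Warning 'Remote Desktop is enabled without Network Level Authentication.'
}
$state
Get-LocalGroupMember -Group 'Remote Desktop Users'

# To enable Remote Desktop with NLA for one account (placeholder name):
# Enable-RemoteDesktopWithNla -RemoteUser 'CONTOSO\jdoe'
```

Re-running `Get-RemoteDesktopState` after a change confirms that the registry reflects what the dialog shows; on a machine that has never had Remote Desktop configured, a missing `UserAuthentication` value will cause `Get-ItemPropertyValue` to throw, which is itself worth knowing before you rely on the check in a larger audit.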
By default, Remote Assistance is allowed, but there are additional settings available under “Advanced.”
If you clear the “Allow this computer to be controlled remotely” checkbox, remote connections can SEE your screen, but NOT take control of the session. You can also set a window of opportunity for the invitation. This way, if someone happens to find an old invitation for Remote Assistance, it won’t be valid, even if they know the connection password.
“Create invitations that can only be used from computers running Windows Vista or later” requires a secure logon session that earlier operating systems cannot create. This raises the bar for connections, creating a more secure session.
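The three “Advanced” options just described are stored as registry values, so they can be checked and enforced with a script instead of clicking through the dialog on each machine. The following is an added example, not part of the original article. It assumes the value names under the `Remote Assistance` key (`fAllowToGetHelp`, `fAllowFullControl`, `MaxTicketExpiry`, `MaxTicketExpiryUnits`, `CreateEncryptedOnlyTickets`) and the unit encoding used here for the expiry window (0 = minutes, 1 = hours, 2 = days).

```powershell
# Added example (not from the original article). Run as Administrator.
# The value names below are assumed to match the "Advanced" Remote Assistance
# settings in the Remote tab; verify them on your own build before deploying.
$raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$unitNames = @{ 0 = 'minutes'; 1 = 'hours'; 2 = 'days' }   # assumed encoding

function Get-RemoteAssistanceState {
    $p = Get-ItemProperty -Path $raKey
    [pscustomobject]@{
        Allowed            = ($p.fAllowToGetHelp -eq 1)
        ControlAllowed     = ($p.fAllowFullControl -eq 1)
        InvitationExpiry   = "$($p.MaxTicketExpiry) $($unitNames[[int]$p.MaxTicketExpiryUnits])"
        VistaOrLaterOnly   = ($p.CreateEncryptedOnlyTickets -eq 1)
    }
}

function Set-RemoteAssistanceHardened {
    param(
        [switch]$AllowControl,          # off = view-only, as described in the text
        [int]$ExpiryHours = 1           # short window so an old invitation is useless
    )
    Set-ItemProperty -Path $raKey -Name fAllowToGetHelp           -Value 1
    Set-ItemProperty -Path $raKey -Name fAllowFullControl         -Value ([int]$AllowControl.IsPresent)
    Set-ItemProperty -Path $raKey -Name MaxTicketExpiry           -Value $ExpiryHours
    Set-ItemProperty -Path $raKey -Name MaxTicketExpiryUnits      -Value 1   # 1 = hours (assumed)
    Set-ItemProperty -Path $raKey -Name CreateEncryptedOnlyTickets -Value 1  # Vista-or-later invitations only
}

# Report the current configuration and flag the settings the article recommends tightening.
$state = Get-RemoteAssistanceState
if ($state.Allowed -and $state.ControlAllowed) {
    Write-Warning 'Remote Assistance helpers may take control, not just view the screen.'
}
if ($state.Allowed -and -not $state.VistaOrLaterOnly) {
    Write-Warning 'Invitations usable from pre-Vista clients are permitted.'
}
$state

# To apply the view-only, one-hour, Vista-or-later configuration:
# Set-RemoteAssistanceHardened
```

The defaults in `Set-RemoteAssistanceHardened` follow the text: viewing is allowed, control is not, invitations expire after one hour, and only the newer invitation format is accepted. Pass `-AllowControl` only for machines where a helper genuinely needs to take over, and remember that the user still has to grant control interactively when the helper asks for it.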
Enabling either Remote Desktop or Remote Assistance exposes the computer to additional risk. To mitigate this, establish a VPN connection first, then connect to the remote computer. This additional layer of encryption will further protect your data, but will also add latency to the session. The added layer is usually only necessary when connecting across an untrusted network, such as the Internet. For intranet connections, we usually don’t require the added encryption.