
MCSE Exam 70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure, Part 6


10. Click OK to exit the Authentication Methods dialog box, and then
click OK to exit the Properties dialog box and save the changes.
TEST DAY TIP
You can also restrict authentication methods by changing settings in the
Authentication tab of the Properties dialog box for a Remote Access Policy.
Policies are described in detail later in this chapter.
Using MS-CHAP v2
MS-CHAP v2 is a more secure version of MS-CHAP. This version uses stronger initial encryption keys, uses different keys for sending and receiving data, and supports mutual authentication—this means that after the server sends a challenge to the client and the client responds correctly, proving that it has the correct password, the client sends its own challenge to the server. The client disconnects immediately if the server responds incorrectly to this challenge. This enables the client to detect a server attempting to impersonate the legitimate server.
MS-CHAP v2 is supported by operating systems as old as Windows NT 4.0 and Windows 98, and is even supported by Windows 95 if the Dial-Up Networking upgrade is installed. This means that unless you are supporting very old computers, there is no need to risk security by supporting MS-CHAP v1.
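The mutual-authentication exchange described above, as an added example that is not part of the book's text or of Microsoft's implementation: a simplified challenge-response in which the server challenges the client, the client answers and sends its own peer challenge, and the client disconnects unless the server answers that peer challenge correctly. HMAC-SHA256 over a password-derived secret stands in for MS-CHAP v2's actual NT-hash and DES-based response computation (an assumption made for clarity, not the real wire format); the account name, password, and the Impostor class are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed credential store for the demonstration (not a real account).
PASSWORD_DB = {"alice": b"correct horse battery staple"}


def derive_secret(password: bytes) -> bytes:
    """Stand-in for the password hash both ends hold (MS-CHAP v2 uses the NT hash)."""
    return hashlib.sha256(password).digest()


def client_response(secret, server_challenge, peer_challenge, username):
    """Client's proof: binds its own peer challenge to the server's challenge."""
    msg = b"client|" + server_challenge + peer_challenge + username.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def server_authenticator(secret, server_challenge, peer_challenge, username):
    """Server's proof: answers the client's peer challenge with the same secret."""
    msg = b"server|" + peer_challenge + server_challenge + username.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Server:
    def __init__(self, password_db):
        self.db = password_db
        self.challenge_bytes = None

    def challenge(self):
        self.challenge_bytes = os.urandom(16)
        return self.challenge_bytes

    def verify_client(self, username, peer_challenge, response):
        """Return the authenticator response on success, None on failure."""
        password = self.db.get(username)
        if password is None:
            return None
        secret = derive_secret(password)
        expected = client_response(secret, self.challenge_bytes, peer_challenge, username)
        if not hmac.compare_digest(expected, response):
            return None
        return server_authenticator(secret, self.challenge_bytes, peer_challenge, username)


class Impostor(Server):
    """A rogue server that 'accepts' any client but has no password to answer with."""
    def verify_client(self, username, peer_challenge, response):
        return os.urandom(32)  # bluffs an authenticator response


class Client:
    def __init__(self, username, password):
        self.username = username
        self.secret = derive_secret(password)
        self.server_challenge = None
        self.peer_challenge = None

    def respond(self, server_challenge):
        self.server_challenge = server_challenge
        self.peer_challenge = os.urandom(16)
        proof = client_response(self.secret, server_challenge, self.peer_challenge, self.username)
        return self.peer_challenge, proof

    def verify_server(self, authenticator):
        """The client's own check; a wrong answer means disconnect immediately."""
        if authenticator is None:
            return False
        expected = server_authenticator(self.secret, self.server_challenge,
                                        self.peer_challenge, self.username)
        return hmac.compare_digest(expected, authenticator)


def run_exchange(client, server):
    """Drive one mutual authentication; True only if both sides verified."""
    server_challenge = server.challenge()
    peer_challenge, proof = client.respond(server_challenge)
    authenticator = server.verify_client(client.username, peer_challenge, proof)
    return client.verify_server(authenticator)


if __name__ == "__main__":
    alice = Client("alice", PASSWORD_DB["alice"])
    print("legitimate server:", run_exchange(alice, Server(PASSWORD_DB)))                  # True
    print("wrong password   :", run_exchange(Client("alice", b"guess"), Server(PASSWORD_DB)))  # False
    print("impostor server  :", run_exchange(alice, Impostor({})))                          # False
```

The point of the model is the third case: a server that does not hold the password can still accept the client's response, but it cannot answer the peer challenge, and the client notices. With MS-CHAP v1 there is no peer challenge, so the client has no way to tell.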
Using EAP
EAP (Extensible Authentication Protocol) is not itself an authentication protocol, but provides a framework that enables authentication using a variety of different methods, known as EAP types. The following are the EAP types supported by Windows Server 2003:
■ EAP-MD5 A challenge-response protocol similar to CHAP. This method uses reversible encryption to store passwords, and is thus vulnerable to the same security problems as CHAP.
■ EAP-TLS (Transport Level Security) A high-security protocol based on the SSL (Secure Sockets Layer) system used for Web server security. EAP-TLS uses encrypted certificates for authentication. It also supports mutual authentication, similar to MS-CHAP v2. This is considered the most secure authentication protocol supported by Windows Server 2003.


www.syngress.com
Planning, Implementing, and Maintaining a Remote Access Strategy • Chapter 7 511
255_70_293_07.qxd 9/10/03 10:33 AM Page 511
TEST DAY TIP
EAP-TLS is the most secure authentication method, but is not supported by all clients. Only Windows 2000, Windows XP, and Windows Server 2003 clients support this authentication method.
Using RADIUS/IAS vs. Windows Authentication
Windows Server 2003 supports RADIUS, an Internet standard for a centralized server to handle a network’s authentication and accounting needs. Internet Access Server (IAS) is Microsoft’s implementation of a RADIUS server, and is included with Windows Server 2003 but is not installed by default. You can install it through the Add/Remove Programs applet in Control Panel as a Windows component. When you configure an RRAS server, you can choose one of two authentication methods:
■ Windows Authentication: The traditional method. Each RRAS server handles authentication itself, and you can configure the authentication methods supported in the Remote Access Policy section of the Routing and Remote Access MMC snap-in. Policies you create for one RRAS server apply only to that server.
■ RADIUS Authentication: The RRAS server acts as a RADIUS client and contacts an IAS (or RADIUS) server to authenticate users. When RADIUS is in use, you configure authentication methods and other remote access security settings from the Remote Access Policy section of the Internet Access Server MMC snap-in. The policies you create for the IAS server apply to any RRAS server that authenticates using that server.
TEST DAY TIP
EAP supports an authentication type called EAP Over RADIUS. This is not an
authentication method itself; instead, authentication requests are forwarded to a
RADIUS server for processing. This enables you to install and configure EAP types
on the RADIUS server and use them from any remote access server, without
installing the types on each RRAS server.

Selecting the Data Encryption Level
In a VPN, you can control the level of encryption that is allowed for access. By disallowing unencrypted connections or those that use less-secure encryption, you can decrease the risk of network snooping. You can enable or disable the following levels of encryption:
■ No encryption: Unencrypted connections, unsuitable for VPN use.
■ Basic encryption: Encryption with a 40-bit key, considered relatively easy to break.
■ Strong encryption: Encryption with a 56-bit key. In IPSec, this uses the DES standard for encryption. Although more secure, DES-encrypted data has been demonstrated to be breakable.
■ Strongest encryption: Encryption with a 128-bit key for MPPE connections, or triple DES (3DES), which uses a 168-bit key (56-bit times three) for IPSec connections.
The Strongest Encryption option might not be available in international versions of Windows Server 2003 or US editions without the High Encryption Pack installed. You can enable or disable these encryption levels using remote access policies. This process is described later in this chapter.
Using Callback Security
Callback security is a high-security system used for dial-in connections. When a client connects to a system using callback, the system disconnects and calls the client back at the client’s phone number. There are two variations of callback:
■ Allowing the user to specify the callback number. This does not provide a high level of security, but does ensure that the client’s phone number can be logged and can be used to avoid long-distance charges being incurred by the client.
■ Using a callback number specified by the administrator. This is very secure because it is difficult to impersonate a valid client, but it requires that a client always connect from the same number.
You can configure callback security as part of a remote access profile. This process is described in the final section of this chapter.
Managed Connections
For a user to connect to a remote access server via dial-in or VPN, the client computer must have the correct settings configured to match the server. Because this can be a daunting process for administrators, Windows Server 2003 supports two components to simplify the process of managing connections:
■ Connection Manager is the client software Windows clients use to make a connection to a dial-in server or VPN server. Current versions of Windows include Connection Manager.
■ Connection Manager Administration Kit (CMAK) is an administrator’s tool that enables you to create a customized version of Connection Manager to distribute to clients. The customizations are stored in a dial-in profile and can include settings for your server, phone numbers, and even custom graphics, icons, and help files.
Connection Manager and CMAK are described in detail in Chapter 5.
Mandating Operating System/File System
Windows Server 2003 supports a new feature called Network Access Quarantine control. This feature enables you to restrict access to particular operating systems, file systems, and other aspects of the client’s configuration. You use a script to accomplish this.
When Quarantine control is enabled, clients can connect normally to the RRAS server and are issued IP addresses. However, when a client first connects, it is put into quarantine mode and allowed only limited access to network resources. A script is then run through Connection Manager on the client machine to determine if the client’s configuration matches the requirements. If it does, the quarantine is released and the client gains full access to the network.

TEST DAY TIP
Quarantine Control requires an IAS (RADIUS) server, a customized Connection
Manager profile created with CMAK, and a custom script. It also requires that
clients run Windows 98, Windows ME, Windows XP, Windows 2000, or Windows
Server 2003.
Using Smart Cards for Remote Access
A smart card is a credit card-sized device that can store a public/private key pair or certificate for encryption. To use smart cards, you install card readers on client computers. Clients can request certificates from a certification authority (CA) and store them on the smart card. Because the encryption keys are not stored on client computers, this eliminates many potential security problems.
Smart cards are typically used with the EAP-TLS authentication method. Because IPSec encryption is used with L2TP VPN connections, smart cards can be used to encrypt a VPN connection that uses L2TP over IPSec.
Smart cards can store an encryption key with a large number of bits, making for highly secure communications. Their chief disadvantage is the smart card hardware; if it is damaged, a new card must be configured for the user, and if the card falls into the wrong hands, it can be used to gain unauthorized access to the network. However, smart cards use a PIN number to eliminate much of this risk.
Creating Remote Access Policies
You can manage the security of your remote access server by creating one or more Remote Access Policies. Depending on your configuration, you will need to create policies in one of these two places:
■ If you are using Windows authentication, use the Remote Access Policies item under each RRAS server in the Routing and Remote Access MMC snap-in.
■ If you are using RADIUS authentication, use the Remote Access Policies item under the IAS server in the Internet Authentication Service MMC snap-in.
Regardless of the type of authentication you are using, the policies you create will work the same way, and the dialog boxes for creating and modifying policies are the same.
TEST DAY TIP
Keep in mind that with RADIUS authentication you have exactly one set of remote
access policies defined for the IAS server. With Windows authentication there is a
separate set of policies for each RRAS server.
Policies and Profiles
Remote access security includes two key components:
■ Remote Access Policies Determine which users can connect remotely and the connection methods they can use. You can have any number of remote access policies.
■ Remote Access Profiles Provide further restrictions after the connection is established. Each policy contains exactly one profile.
Each remote access policy has an order number, or priority. You can define the order by using the Move Up and Move Down actions in the policy window. The list of policies in a default Windows Server 2003 RRAS installation is shown in Figure 7.12. Each policy can have various criteria against which connection attempts are checked. The policy can be set to either Grant or Deny access for users who match these criteria.
EXAM 70-293 OBJECTIVE 3
When a user attempts to connect, his or her connection criteria are compared to each policy’s conditions in order until a policy matches. The Grant or Deny setting of that policy then determines whether the user is allowed access. If a policy grants access, its associated profile is used to further restrict the connection.
In the following sections, you will learn how to make practical use of remote access policies and profiles to authorize or restrict remote access, and to control aspects of the connections using remote access profiles.
Authorizing Remote Access
The simplest use for a remote access policy is to authorize remote access for a particular user or group. Windows Server 2003 includes a wizard that you can use to quickly create these types of policies. After you have created a policy, you can modify the properties of the policy to make more specific settings or restrictions.
Authorizing Access By User
As described earlier in this chapter, you can use the Dial-in Properties page of a user account’s Properties dialog box to explicitly allow or deny access to the user. This is the recommended way to authorize access by user. When you use the wizard to create a policy to authorize by user, it creates a policy that does not include any user restrictions. You can then use the user properties to allow or deny access. Exercise 7.08 shows you how to create a policy to authorize by user.
Figure 7.12 Remote Access Policies
EXERCISE 7.08
AUTHORIZING REMOTE ACCESS BY USER
Follow these steps to create a policy to authorize access by user:
1. Select Programs | Administrative Tools | Routing and Remote Access from the Start menu. If you are using RADIUS authentication, select Internet Authentication Service instead.
2. Click Remote Access Policies in the left-hand column. A list of the current policies is displayed in the window.
3. From the menu, select Action | New Remote Access Policy.
4. The wizard displays a welcome message. Click Next to continue.
5. The Policy Configuration Method screen is displayed, as shown in Figure 7.13. Select the Use the wizard to set up a typical policy option and enter Allow Dial-up Access in the Policy name field. Click Next to continue.
6. The Access Method screen is displayed. You can select whether this policy will apply to Dial-up, VPN, Wireless, or Ethernet access. Select the Dial-up option and click Next to continue.
7. The User or Group Access dialog box is displayed, as shown in Figure 7.14. Select the User option and click Next to continue.
Figure 7.13 Policy Configuration Method
8. The Authentication Methods dialog box is displayed. This dialog box
enables you to choose the authentication methods this policy will
accept. Click Next to continue.
9. The Policy Encryption Level screen is displayed. Select the encryption
types to accept and click Next.
10. The wizard displays a completion dialog box. Click Finish to create the
new policy.
11. You are returned to the Remote Access Policies window and your new
policy has been added at the top of the list.
After you have created the policy with the wizard, you can use the Move
Up and Move Down commands in the Action menu to change the policy
order if you wish.
Authorizing Access By Group
Unlike user accounts, security groups do not include dial-in properties. If you wish to
enable access for a group, you can use the wizard to create a remote access policy that
includes a condition to check the user’s group membership. Exercise 7.09 guides you
through this process.

Figure 7.14 User or Group Access
EXERCISE 7.09
AUTHORIZING REMOTE ACCESS BY GROUP
Follow these steps to create a policy to authorize access for the Domain
Admins group:
1. Select Programs | Administrative Tools | Routing and Remote
Access from the Start menu. If you are using RADIUS authentication,
select Internet Authentication Service instead.
2. Click Remote Access Policies in the left-hand column. A list of the current policies is displayed in the window.
3. From the menu, select Action | New Remote Access Policy.
4. The wizard displays a welcome message. Click Next to continue.
5. The Policy Configuration Method screen is displayed. Select the Use
the wizard to set up a typical policy option and enter Allow Admin
Access in the Policy name field. Click Next to continue.
6. The Access Method screen is displayed, as shown in Figure 7.15. You
can select whether this policy will apply to Dial-up, VPN, Wireless, or
Ethernet access. Select the Dial-up option and click Next to continue.
7. The User or Group Access dialog box is displayed. Select the Group
option and click the Add button to add a group name.
Figure 7.15 Access Method
8. The Select Groups dialog box is displayed, as shown in Figure 7.16. Enter Domain Admins in the Enter the object names to select field and click OK.
9. You are returned to the User or Group Access dialog box. Click Next
to continue.
10. The Authentication Methods dialog box is displayed. Click Next to
continue.
11. The Policy Encryption Level dialog box is displayed. Click Next to con-
tinue.
12. The wizard displays the completion dialog box. Click Finish to create
the policy.
Restricting Remote Access
You can add any number of conditions to a remote access policy to restrict the users, connection types, and other criteria that can match the policy. Each policy can be configured to either allow access or deny access based on those criteria.
To restrict access, you can create a policy that denies access based on a set of criteria. Because each connection will use the first policy that it matches, be sure your policies for denying access are placed early in the list, before any other policy that might match the same users.
The current conditions for a policy are listed in its Properties dialog box. You can use the Add button to add a condition. There are a variety of attributes you can test to create a condition. For example, Figure 7.17 shows the Properties dialog box for a policy that checks the connection type and group membership.
Figure 7.16 Select Groups
Restricting by User/Group Membership
You already used the wizard to create a simple policy to restrict by group membership earlier in this section. You can also add this condition manually to any policy using its properties. The attribute for group membership is Windows-Groups. You can specify one or more group memberships to match and set the policy to either grant or deny access.
TEST DAY TIP
You can restrict by user name using the Dial-in tab of the user’s Properties dialog box, as described earlier in this chapter. Remote Access Policies do not include an option to restrict access by user name.
Restricting by Type of Connection
You can use the NAS-Port-Type attribute to restrict a remote access policy to a particular type of connection. Connection types include modem, ISDN, wireless, VPN, and other network connections that can be used for remote access.
Figure 7.17 Policy Properties
For example, suppose you were discontinuing the use of dial-in remote access and want to add a policy to prevent dial-in access. You would create a policy to deny access when the NAS-Port-Type attribute indicates a modem connection and place it at the top of the list to override other policies. Exercise 7.10 guides you through this process.
EXERCISE 7.10
RESTRICTING ACCESS BY CONNECTION TYPE
Follow these steps to create a policy that denies access to modem users:
1. Select Programs | Administrative Tools | Routing and Remote
Access from the Start menu.
2. Click to highlight Remote Access Policies in the left-hand column.
3. Select Action | New Remote Access Policy from the menu.
4. A welcome message is displayed. Click Next to continue.
5. The Policy Configuration Method dialog box is displayed. Select Set up a custom policy and enter Deny modem access in the Policy name field.
6. The Policy Conditions dialog box is displayed. Click Add to add a con-
dition.
7. The Select Attribute dialog box lists the available attributes, as shown
in Figure 7.18. Select NAS-Port-Type and click Add.
Figure 7.18 Select Attribute
8. The available port types are listed in a dialog box. Select Async
(Modem) and click Add; then click OK.
9. You are returned to the Policy Conditions dialog box. Click Next to
continue.
10. The Permissions dialog box is displayed. Select Deny remote access
permission and click Next.
11. The Profile dialog box is displayed. You can use the Edit button to
make changes to the profile if you wish. Click Next to continue.
12. A completion message is displayed. Click Finish to create your policy.
Your new policy should appear at the top of the list by default and will pre-
vent access by modem users regardless of other policies they may match.
Restricting by Time
You can use the Day-and-Time-Restrictions attribute to control the day of the week and times of day that a policy will be effective. You can use this feature to deny access at a specific time or day or to explicitly grant access at a certain time. To use this feature, use the Add button in the Properties dialog box to add a condition to a policy, and then select Day-and-Time-Restrictions. The Time of day Constraints dialog box, shown in Figure 7.19, enables you to allow or deny access for each hour of the day and each day of the week.
Figure 7.19 Time of Day Constraints
Restricting by Client Configuration
As mentioned earlier in this chapter, you can use the Network Access Quarantine Control (NAQC) feature to restrict connections based on aspects of a client’s configuration: the operating system, file system, and even details of which security updates have been installed. You need to create a custom script or program to check the client’s configuration to implement this feature.
NAQC is included with the Windows Server 2003 Resource Kit. It includes several components:
■ The Remote Access Quarantine Agent service (RQS.EXE) runs on the RRAS servers.
■ A custom script to check the configuration. The script can use RQC.EXE, included in the Resource Kit, to notify the quarantine agent whether the client passed its tests.
■ Connection Manager, using a custom profile and a post-connect action to run the script.
■ A RADIUS (IAS) server to manage authentication.
■ A remote access policy that uses the quarantine attributes, installed with the quarantine agent, to determine whether the connection has been authorized by the script.
NAQC is supported by Windows 98 SE and later clients that support Connection Manager. For details on implementing a quarantine script, consult Microsoft’s TechNet site.
Restricting Authentication Methods
You can use the Authentication-Type attribute to restrict a policy to certain authentication types. When you add this attribute, you can use the Authentication-Type dialog box to add one or more of the possible authentication types, as shown in Figure 7.20.
Figure 7.20 Restricting by Authentication Method
EXAM WARNING
You can also restrict authentication methods in the Security tab of the RRAS
server’s Properties dialog box, as described earlier in this chapter. If a method is
disabled in the server’s properties, it will not be used even if it is enabled for a
remote access Policy.
Restricting by Phone Number or MAC Address
You can use the following two attributes to add a phone number condition to a remote
access Policy:
■ Called-Station-ID: The phone number the user called.
■ Calling-Station-ID: The phone number the call originated from (Caller ID).
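The first-match evaluation described under Policies and Profiles and Restricting Remote Access, together with the Windows-Groups, NAS-Port-Type, Day-and-Time-Restrictions, Authentication-Type, and Calling-Station-ID conditions from the sections above, as an added model that is not the book's own code or Microsoft's implementation. The policy and attribute names are the ones the chapter uses; "Async (Modem)" is the port type named in Exercise 7.10, while the other attribute values, the policy names beyond "Deny modem access" and "Allow Admin Access", the phone numbers, and the connection attempts are constructed for the demonstration. The `misordered` helper shows why the chapter insists that deny policies go at the top of the list.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


# Hypothetical policy model: attribute name -> set of values that satisfy the condition.
@dataclass
class Policy:
    name: str
    conditions: Dict[str, set]
    grant: bool


# Mon-Fri, 08:00-17:59, as (weekday, hour) pairs; stands in for the 7x24 grid in Figure 7.19.
BUSINESS_HOURS = {(day, hour) for day in range(5) for hour in range(8, 18)}


def condition_matches(attribute: str, allowed: set, attempt: dict) -> bool:
    """Evaluate one condition against the attributes of a connection attempt."""
    if attribute == "Day-and-Time-Restrictions":
        when: datetime = attempt["time"]
        return (when.weekday(), when.hour) in allowed
    if attribute == "Windows-Groups":
        # Matches if the user belongs to any of the listed groups.
        return any(group in allowed for group in attempt.get("Windows-Groups", ()))
    return attempt.get(attribute) in allowed


def policy_matches(policy: Policy, attempt: dict) -> bool:
    """Every condition on the policy must hold for the policy to match."""
    return all(condition_matches(a, v, attempt) for a, v in policy.conditions.items())


def evaluate(policies: List[Policy], attempt: dict) -> Tuple[str, Optional[str]]:
    """Walk the ordered list; the first matching policy decides. No match: deny."""
    for policy in policies:
        if policy_matches(policy, attempt):
            return ("Grant" if policy.grant else "Deny", policy.name)
    return ("Deny", None)


POLICIES = [
    Policy("Deny modem access", {"NAS-Port-Type": {"Async (Modem)"}}, grant=False),
    Policy("Allow Admin Access",
           {"Windows-Groups": {"Domain Admins"},
            "Authentication-Type": {"MS-CHAP v2", "EAP"}}, grant=True),
    Policy("Allow VPN during business hours",
           {"NAS-Port-Type": {"Virtual (VPN)"},
            "Day-and-Time-Restrictions": BUSINESS_HOURS}, grant=True),
    Policy("Allow ISDN from known numbers",
           {"NAS-Port-Type": {"ISDN Sync"},
            "Calling-Station-ID": {"555-0100", "555-0101"}}, grant=True),
]


def misordered(policies: List[Policy]) -> List[Policy]:
    """Same policies with the deny policy moved to the bottom of the list."""
    return policies[1:] + policies[:1]


# Constructed connection attempts (Wednesday 10 Sep 2003).
ADMIN_MODEM = {"Windows-Groups": ["Domain Admins"], "NAS-Port-Type": "Async (Modem)",
               "Authentication-Type": "MS-CHAP v2", "time": datetime(2003, 9, 10, 10, 33)}
VPN_DAY = {"Windows-Groups": ["Domain Users"], "NAS-Port-Type": "Virtual (VPN)",
           "Authentication-Type": "MS-CHAP v2", "time": datetime(2003, 9, 10, 10, 33)}
VPN_NIGHT = dict(VPN_DAY, time=datetime(2003, 9, 10, 3, 0))
ISDN_KNOWN = {"Windows-Groups": ["Domain Users"], "NAS-Port-Type": "ISDN Sync",
              "Authentication-Type": "MS-CHAP v2", "Calling-Station-ID": "555-0100",
              "time": datetime(2003, 9, 10, 10, 33)}
ISDN_UNKNOWN = dict(ISDN_KNOWN, **{"Calling-Station-ID": "555-0199"})

if __name__ == "__main__":
    for label, attempt in [("admin over modem", ADMIN_MODEM), ("VPN at 10:33", VPN_DAY),
                           ("VPN at 03:00", VPN_NIGHT), ("ISDN known number", ISDN_KNOWN),
                           ("ISDN unknown number", ISDN_UNKNOWN)]:
        print(f"{label:20} -> {evaluate(POLICIES, attempt)}")
    print("deny policy moved last ->", evaluate(misordered(POLICIES), ADMIN_MODEM))
```

With the deny policy first, a Domain Admin dialing in over a modem is refused; move it below "Allow Admin Access" and the same attempt is granted, because evaluation stops at the first match. An attempt that matches no policy at all, such as the VPN connection at 03:00, is denied.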
Controlling Remote Connections
After a connection is established by matching a remote access Policy, the profile associated
with the policy is used to control what the user can do with the connection. Some of the
most useful profile settings include the following:
■ The amount of time the user is allowed to remain connected or remain idle
■ The encryption methods that will be allowed
■ Which traffic will be filtered using packet filters
■ The client IP address.
Controlling Idle Timeout
The idle timeout is the amount of time the RRAS server will keep a session connected when there has not been any traffic to or from the remote access server. You can use this setting to ensure that clients who finish using their remote connection but fail to disconnect are disconnected automatically.
The idle timeout is part of a remote access profile. You can change the timeout on the Dial-in Constraints tab of the Edit Dial-in Profile dialog box. Exercise 7.11 describes how to change this setting.
Controlling Maximum Session Time
Along with the idle timeout, you can define a maximum amount of time a client can remain connected to the server whether they use the connection or not. When your supply of incoming ports is limited, this is one way to ensure that ports are opened up to enable other users to connect.
The maximum session time is also defined in the Dial-in Constraints tab of a profile.
Exercise 7.11 demonstrates how to change the idle timeout and session time for a profile.
EXERCISE 7.11
CONTROLLING IDLE AND SESSION TIMES
Follow these steps to modify the idle and session times for a remote access
policy’s profile.
1. From the Routing and Remote Access console, select Remote Access Policies in the left-hand column. A list of the current policies is displayed in the window.
2. Click one of the policies in the window to highlight it. Select Action |
Properties from the menu.
3. The Policy Properties dialog box is displayed. Click the Edit Profile
button.
4. The Edit Dial-in Profile dialog box is displayed, as shown in Figure
7.21. Check the box next to Minutes server can remain idle before it
is disconnected and select a number of minutes.
Figure 7.21 Edit Dial-in Profile
5. Check the box next to Minutes the client can be connected and select
a number of minutes.
6. Click OK to return to the Policy Properties dialog box.
7. Click OK to save your changes and return to the RRAS console.
Controlling Encryption Strength
You can use the settings in the Encryption tab of a remote access profile’s Properties dialog box to allow or disallow particular types of encryption for a VPN connection. Encryption types include the following:
■ Basic encryption (MPPE 40-bit)
■ Strong encryption (MPPE 56-bit)
■ Strongest encryption (MPPE 128-bit)
Which encryption type is used depends on what the server and the client support, but you can use this setting to prevent access with inadequate encryption. The Encryption tab of the Properties dialog box is shown in Figure 7.22.
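The profile constraints from the three preceding sections (idle timeout, maximum session time, and the allowed MPPE encryption levels), as an added example that is not the book's own code or the RRAS implementation. It models the decisions a server makes against a profile: refuse a connection whose negotiated key size is not one the profile allows, and disconnect a live session when either the session limit or the idle limit is reached. The profile dictionary keys, the 30-minute and 4-hour values, and the timestamps are constructed for the demonstration; the 40/56/128-bit key sizes are the ones the chapter lists.

```python
from datetime import datetime, timedelta
from typing import Optional

# MPPE key sizes for the three profile encryption levels (bits), from the chapter.
ENCRYPTION_LEVELS = {"Basic": 40, "Strong": 56, "Strongest": 128}


def encryption_permitted(profile: dict, negotiated_bits: Optional[int]) -> bool:
    """Accept the connection only if the negotiated MPPE key size is one the profile allows.

    negotiated_bits of None means the client negotiated no encryption at all, which
    never satisfies a profile that lists any of the three levels.
    """
    allowed_bits = {ENCRYPTION_LEVELS[level] for level in profile["encryption"]}
    return negotiated_bits in allowed_bits


def session_action(profile: dict, connected_at: datetime,
                   last_traffic_at: datetime, now: datetime) -> str:
    """Decide what the server should do with a live session at time `now`.

    The session limit is checked first: it applies whether or not the link is in use.
    The idle limit only applies when no traffic has been seen for that long.
    """
    session_limit = profile.get("session_minutes")
    idle_limit = profile.get("idle_minutes")
    if session_limit is not None and now - connected_at >= timedelta(minutes=session_limit):
        return "disconnect: session limit"
    if idle_limit is not None and now - last_traffic_at >= timedelta(minutes=idle_limit):
        return "disconnect: idle"
    return "keep"


# Constructed profile: only Strongest checked on the Encryption tab,
# a 30-minute idle timeout and a 4-hour (240-minute) session limit.
VPN_PROFILE = {"encryption": {"Strongest"}, "idle_minutes": 30, "session_minutes": 240}

if __name__ == "__main__":
    t0 = datetime(2003, 9, 10, 10, 33)
    print(encryption_permitted(VPN_PROFILE, 128))   # True
    print(encryption_permitted(VPN_PROFILE, 40))    # False: Basic is not allowed
    print(encryption_permitted(VPN_PROFILE, None))  # False: unencrypted
    # Connected at t0, last traffic 20 min in, checked at 45 min: idle 25 min -> keep
    print(session_action(VPN_PROFILE, t0, t0 + timedelta(minutes=20), t0 + timedelta(minutes=45)))
    # Checked at 50 min: idle 30 min -> disconnect: idle
    print(session_action(VPN_PROFILE, t0, t0 + timedelta(minutes=20), t0 + timedelta(minutes=50)))
    # Busy link, but 240 min connected -> disconnect: session limit
    print(session_action(VPN_PROFILE, t0, t0 + timedelta(minutes=239), t0 + timedelta(minutes=240)))
```

The ordering inside `session_action` is the design choice worth noting: a maximum session time exists to free up ports regardless of activity, so it is evaluated before the idle check rather than being masked by recent traffic.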
Figure 7.22 Encryption Properties
Controlling IP Packet Filters
You can use IP packet filters to filter incoming or outgoing traffic for connections that match a particular remote access profile. You might find this useful for denying access to a VPN from particular locations, or only allowing access from a particular address. You can manage outgoing and incoming packet filters from the IP settings tab of the Profile Properties dialog box, as shown in Figure 7.23.
Controlling IP Address for PPP Connections
You can also use the IP settings to control IP address assignment for PPP (dial-in) connections. The following options are available:
■ Server must supply an IP address
■ Client may request an IP address
■ Server settings determine IP address assignment
■ Assign a static IP address
The last option enables you to specify a single IP address to be assigned to clients that match this profile. If you use this feature, be sure that only one client at a time will match the profile, because the IP address can only be assigned to one client.
Figure 7.23 IP Settings
Creating a Plan to Offer Remote Assistance to Client Computers
Remote Assistance is a new feature that’s designed to allow Windows XP Professional and Windows Server 2003 users to request help from another user. The user requesting help typically sends a request for assistance using Windows Messenger or e-mail via the Help and Support Center. The request includes an attachment that contains details of how to connect to the user’s PC; the recipient double-clicks the attachment to begin a Remote Assistance session with the requesting user’s PC. Once connected, the helper can view the desktop of the requesting user and chat online with him or her. The helper can also, with the user’s permission, take control of his or her desktop.
How Remote Assistance Works
Remote Assistance (RA) enables a user at one computer, referred to as the “Novice”, to request help from a user at another computer, called the “Expert”. The underlying technologies at work with RA are Windows Terminal Services and the RDP protocol. Although these are the same technologies that were originally developed for thin client computing and that are used for RDA and terminal server, Remote Assistance is not designed to be a thin client solution, but rather a support and troubleshooting tool only. Another difference between RA and traditional Terminal Services is that typically a session will be initiated when a Novice sends an invitation to an Expert, soliciting their assistance. The Novice must typically be present at the machine that needs assistance in order to allow the Expert to access his or her system after the Expert receives and accepts the invitation.
A Remote Assistance request can optionally include an “expiry” (expiration) date, after which the Remote Assistance request is no longer valid. This is used to reduce the risk of unauthorized access to the user’s computer. The user requesting help can also require the helper to use a password to connect to his or her computer. The user must communicate this password to the helper. Users can review their invitations in the Help and Support Center. Figure 7.24 shows a summary of invitations that have been sent from a particular computer. Using RA, the Expert actually views and interacts with the same desktop and applications that the Novice is using, at the same time that the Novice is using it. This is very different from the other forms of Terminal Services, in which a connection is established to a unique session on the Terminal Services computer. During an RA session, both the Novice sitting at the keyboard and the remote assistant (Expert) can control the computer at the same time. With Remote Desktop for Administration or the terminal server role, a user can connect from a wide range of client systems without permission, provided the user has a valid username and password.
Just as with any form of Terminal Services, Remote Assistance uses the RDP protocol so that only screen updates are sent to the client (in this case, the Expert) while keystrokes and mouse movements are sent back to the server (in this case, the Novice). In this way, RA provides remote support and control of client desktops while involving very little use of bandwidth.
www.syngress.com
Planning, Implementing, and Maintaining a Remote Access Strategy • Chapter 7 529
EXAM 70-293 OBJECTIVE 3, 5.4.1
255_70_293_07.qxd 9/10/03 10:33 AM Page 529
Using Remote Assistance
As with Remote Desktop for Administration, the Remote Assistance (RA) components of
Windows 2003 are installed with the operating system. And, just as Remote Desktop for
Administration needs to be enabled and configured before you can use the feature, the same
is true for RA.
Two major components comprise the default RA installation: the Terminal Services service and the Remote Desktop Help Session Manager service. In addition to installing these two components, Microsoft also creates a special user account for connections involving RA, called HelpAssistant_XXXXXX. On your system, the X’s will be replaced with a unique alphanumeric code, and the account name will appear as something similar to this: HelpAssistant_e4bb43. This account will be disabled until you enable RA. As we’ve mentioned, although RA is based on and uses Terminal Services, it works very differently from Remote Desktop for Administration or the terminal server role. Let’s take a closer look at how RA works.
TEST DAY TIP
Be sure that you are familiar with Remote Assistance (RA). As a new component in
the Windows server family, and one that relates directly to test objectives, it is
likely to be featured in one or more exam questions.
Configuring Remote Assistance for Use
RA is relatively easy to configure; you use the same tab that is used to configure Remote Desktop for Administration. To enable RA, go to Control Panel and select the Remote tab in the System properties. Select the check box next to Turn on Remote Assistance and allow invitations to be sent from this computer, located in the Remote Assistance section of the tab.

Figure 7.24 Summary of Remote Assistance Invitations
Invitations do not stay valid indefinitely. They have an expiration time of one hour by default, but the Novice can alter the expiration time of the invitations he or she sends, from 0 minutes to 99 days. The acceptance and opening of a session in response to an invitation does not cause it to expire; it is good until it reaches the specified expiration time. In other words, if you save an invitation to a file with an expiration time of 30 days, that invitation can be used to establish RA connections as many times as desired within that 30-day timeframe. To modify the default expiration time, perform the following steps:
1. Click Start | Control Panel | System.
2. Click the Remote tab.
3. Click the Advanced… button.
4. Choose the desired number (0 to 99) and interval (minutes, hours, or days) under the Invitations section in the Remote Assistance Settings dialog box, as shown in Figure 7.25.
In addition to modifying the expiration time, the Remote Assistance Settings dialog box can be used to enable the Expert to control the Novice’s desktop and applications during an RA session, or alternately prevent them from doing so. When the Allow this computer to be controlled remotely box is checked, the Expert will be allowed to send mouse and keyboard input to the Novice’s system and interact directly with his or her desktop and applications. When it is unchecked, the Expert will be able to see the Novice’s desktop and any actions the Novice performs, but cannot control the cursor or send keyboard commands.
Figure 7.25 The Remote Assistance Settings Dialog Box
NOTE
It is important to be aware that, when you enable Remote Assistance (RA), the
Allow this computer to be controlled remotely checkbox is enabled by default.
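The settings described above (whether RA is turned on, whether the Expert may take control, and how long invitations stay valid) and the state of the HelpAssistant account mentioned earlier can be audited from a script rather than by opening the Remote tab on every machine. The following Windows PowerShell script is an added example; it is not from this book or from Microsoft's own tooling. It assumes PowerShell 2.0 or later is installed and run with local administrator rights, and it assumes that the Remote tab stores its settings as the registry values fAllowToGetHelp, fAllowFullControl, MaxTicketExpiry and MaxTicketExpiryUnits under the Terminal Server key (with the same names under the Terminal Services policy key when Group Policy sets them); those value names and the unit mapping are assumptions of this example and should be confirmed on your own system.

```powershell
# Added example (not from the book): audit Remote Assistance settings and the
# HelpAssistant account. The registry value names and unit codes below are an
# assumption of this example; confirm them on your own system before acting
# on the output. Requires Windows PowerShell 2.0 or later, run as Administrator.

$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Read one registry value, returning $null when the key or value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Collect the RA settings stored under one key. Expiry units follow the
# choices on the Remote tab: 0 = minutes, 1 = hours, 2 = days (assumed mapping).
function Get-RASettings {
    param([string]$Key)
    $unitNames   = @{ 0 = 'minutes'; 1 = 'hours'; 2 = 'days' }
    $unitMinutes = @{ 0 = 1; 1 = 60; 2 = 1440 }
    $expiry   = Get-RegValue $Key 'MaxTicketExpiry'
    $unitCode = Get-RegValue $Key 'MaxTicketExpiryUnits'
    $unitName = $null
    $expiryMinutes = $null
    if ($null -ne $expiry -and $null -ne $unitCode -and $unitNames.ContainsKey([int]$unitCode)) {
        $unitName      = $unitNames[[int]$unitCode]
        $expiryMinutes = [int]$expiry * $unitMinutes[[int]$unitCode]
    }
    New-Object PSObject -Property @{
        Source        = $Key
        Enabled       = ((Get-RegValue $Key 'fAllowToGetHelp') -eq 1)
        FullControl   = ((Get-RegValue $Key 'fAllowFullControl') -eq 1)
        MaxExpiry     = $expiry
        MaxExpiryUnit = $unitName
        ExpiryMinutes = $expiryMinutes
    }
}

# Group Policy settings, when present, take precedence over the Remote tab.
$local  = Get-RASettings $LocalKey
$policy = Get-RASettings $PolicyKey
$effective = $local
if ($null -ne (Get-RegValue $PolicyKey 'fAllowToGetHelp')) { $effective = $policy }

"Remote Assistance settings (effective source: $($effective.Source))"
"  Enabled:             $($effective.Enabled)"
"  Expert may control:  $($effective.FullControl)"
"  Max invitation life: $($effective.MaxExpiry) $($effective.MaxExpiryUnit)"

# Flag settings that widen exposure beyond the defaults the chapter describes
# (one-hour invitations that can be reused until they expire; control on by default).
if ($effective.Enabled -and $effective.FullControl) {
    Write-Warning 'Experts can take control of the desktop, not only view it.'
}
if ($null -ne $effective.ExpiryMinutes -and $effective.ExpiryMinutes -gt 60) {
    Write-Warning 'Invitations may stay valid longer than the one-hour default and remain reusable until they expire.'
}

# The HelpAssistant_xxxxxx account should be disabled whenever RA is turned off.
$helpers = Get-WmiObject -Class Win32_UserAccount `
    -Filter "LocalAccount = TRUE AND Name LIKE 'HelpAssistant%'"
foreach ($acct in $helpers) {
    "  Account $($acct.Name): disabled = $($acct.Disabled)"
    if (-not $effective.Enabled -and -not $acct.Disabled) {
        Write-Warning "$($acct.Name) is enabled although Remote Assistance is turned off."
    }
}
```

Run it on each server you intend to manage; the warnings correspond to the two decisions the Remote tab asks you to make (invitation lifetime and remote control), and the account check catches a HelpAssistant account that was left enabled after RA was switched off.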
Asking for Assistance
A Novice can use a variety of methods to send an invitation using Remote Assistance:
■ The request can be sent using Windows Messenger.
■ The request can be sent via e-mail.
■ The request can be saved to a file.
To create an invitation, open Help and Support from the Windows Start menu. On the right side of the Help and Support Center utility, click Remote Assistance under the Support heading. In the next screen, click the Invite someone to help you link. You will then be able to select the method that you want to use in asking for assistance, as shown in Figure 7.26.
EXAM WARNING
Although a Remote Assistance (RA) session can be solicited using an invitation sent
in a file or via e-mail, Microsoft emphasizes sending an invitation using Windows
Messaging. You should make sure you are familiar with all of the details of this
method of solicitation.
Figure 7.26 The “Pick how you want to contact your assistant” Screen in Remote Assistance
Using Windows Messenger to Request Help
Windows Messenger is a chat program available from Microsoft and installed in Windows
XP by default that is similar to ICQ and AOL Instant Messenger. (MSN Messenger is a
separate but related application; both use the .NET Messenger Service).When you use
Windows Messenger for RA, the invitation travels through a messaging server infrastructure
that can include the Internet, or can work with Microsoft Exchange Server within the
LAN. Expert and Novice ”tickets” (data packets) that contain connection information are
exchanged through this infrastructure. However, after these have been exchanged, the actual
RDP connection attempt and subsequent session take place directly between the Novice
and Expert computers.
Windows Server 2003 does not install Windows Messenger by default. If you have not installed it prior to arriving at the Remote Connection screen, you will only see a link notifying you that it is not installed and prompting you to download and install it. If Messenger is installed, the user from whom you wish to solicit help must be on the network and logged on to his or her Windows Messenger client. If this is the case, you can click the name of the contact from whom you want to solicit assistance, followed by the Invite this person link. The person you invited can then accept the invitation. A Remote Assistance dialog box will display on your screen until the person accepts, or until you click the cancel button on the dialog box.
You can also request assistance from within the Windows Messenger application, by double-clicking a contact to establish a conversation with him or her and then selecting the Ask for Remote Assistance link on the right side of the conversation window. This will add a notification to your conversation window, with a link on which you can click to cancel the request. You will also be notified in the conversation window when the person receives and accepts your request.
Remember that Remote Assistance only works on computers running Windows XP
and 2003. If your invitation is sent to a person at a computer running the Windows 2000
or earlier operating system, or a non-Microsoft operating system, it will not be received.
Responding to a Request for Help Using Windows Messenger
If the Expert to whom an invitation is sent has the Windows Messaging application running, a request from a Novice for assistance will be displayed in a Conversation window on the Expert’s system. The Expert can click the Accept link in the window (or use the key combination Alt + T) to initiate the connection, or click the Decline link (or use the key combination Alt + D) to reject it. If it is neither accepted nor declined before the invitation expires, the Expert will be unable to establish a connection in response to that invitation.
Using E-Mail to Request Help
To use e-mail to send an RA invitation, you must first have a default mail client configured on the Windows Server 2003 computer. This mail client can be Microsoft Outlook Express, which is installed with Windows, Outlook (installed as a separate application or with Microsoft Office), or a third-party mail application. To create an RA invitation using e-mail, follow these steps:
1. Open the Help and Support utility from the Windows Start menu.
2. On the right side of the Help and Support Center screen, click Remote Assistance under the Support heading.
3. On the next screen that is displayed, click the Invite someone to help you link.
4. On the next screen, under the or prepare an e-mail invitation section, type the first name of the person you want to use as an Expert in the Type your assistant’s first name: text box and click the Continue link.
5. The next screen contains two sections. The first is entitled Set the invitation to expire and contains a drop-down box for specifying a number between 0 and 99 and an interval drop-down box with selections for minutes, hours, or days. This means the possible time period during which the invitation is valid ranges from 0 minutes to 99 days.
6. The second section of this screen is entitled Require the recipient to use a password and is enabled by a check box. The check box is selected and this section is enabled by default. The intent is that, should the invitation accidentally fall into the wrong hands, a password would still be required to use it. Obviously, you should not include the password in the e-mailed invitation. Instead, you should communicate it to the person in some other manner (for example, by telephone). The password is entered twice, once in the Type password: text box and again in the Confirm password: text box.
7. After the password has been entered into each box, the Create Email Invitation button at the bottom of the screen activates and can be clicked.
8. The final screen is entitled Was the e-mail invitation successfully sent? When you clicked the Create Email Invitation button on the previous screen, your default e-mail program should have launched, with an e-mail created and ready to be sent to the person whose assistance you are requesting. This final screen alerts you to this and gives you the option to recreate the mail message in case you accidentally closed the window when it popped open. At the bottom of the screen are links to manage your outstanding invitation requests and create additional invitations. After you send the e-mail, you’ve finished the process of asking for remote assistance using the e-mail method.
Responding to a Request for Help From an E-Mail Request
When e-mail has been used to send you an invitation for remote assistance, a short e-mail message entitled “YOU HAVE RECEIVED A REMOTE ASSISTANCE INVITATION” will show up in your inbox. The message will contain a link to click, which will look something like this:

https://www.microsoft.com/remoteassistance/s.asp#1AjK8A2TD,4H8SQYYfvIpQF5prHYajrReyrAd2j6oHb4Qe/Eo1Ahs=,zb2.0RJ81UIfxb4Xfkp8thzdy8A=Z.

When you click the link, your browser will open to a page on Microsoft’s Web site. The entire process of the two computers finding each other using this method takes place through Microsoft’s Web site. In addition, e-mail-based Remote Assistance depends on a downloaded control.
When you visit the site, a Security Warning dialog box will appear and you will be prompted to specify whether you wish to install the Remote Assistance Server Control. If you select Yes, the control will download and the page will load. If you are not accessing the page from a Windows XP or Server 2003 computer, a message will display, informing you that you must be running one of these operating systems to complete the connection. If you are accessing the Web page from a Windows XP or 2003 computer, you will see a button entitled Start Remote Assistance in the middle of the Web page. When you click this button, a small Remote Assistance dialog box appears, prompting you to enter the password associated with the invitation (if one was used). After you have typed in the password, click the Yes button to begin the connection.
Using a Saved File to Request Help
The third and final way of requesting assistance is to use a saved file. Obviously, if you use
this method, you need to somehow transfer the file containing the invitation to the Expert.
This can be done in one of several ways:
■ You can e-mail the file.
■ You can save the file to a share on the network.
■ You can create a link to the file on a Web page.
■ You can save the file on a floppy diskette and hand it to the person.
To create an RA invitation using a saved file, open the Help and Support utility from
the Windows Start menu. On the right side of the Help and Support Center screen,
click Remote Assistance under the Support heading. In the next screen that is displayed,
click the Invite someone to help you link.
At the bottom of the next screen, click the Save invitation as a file (Advanced) link. This leads to a screen that contains two parts. The first is entitled Enter your name and it contains a text box into which you type your name. When you send someone a request using Windows Messenger or e-mail, the recipient can easily see who sent the request. This is not true with a file-based request, so this dialog box is used to embed that information into the request and make it readily available to the Expert.
The second portion of this screen is entitled Set the invitation to expire and contains a drop-down box that enables you to specify a number between 0 and 99, and an interval drop-down box with selections for minutes, hours, or days. The possible range for the duration of a valid invitation is from 0 minutes to 99 days.