Unattended Remote Access & Remote Support Tools

By Ian Trump

Would you call me a liar if I said that I could provide an unattended remote support solution to any box in your network for a one-time cost of $46.00? I have pondered the situation that most IT break/fix and managed service businesses find themselves in: there is a huge need to reduce the costs associated with travel to site. In the current economic climate it has become extremely important to ensure prosperity for your business. I will illustrate how using a single VNC server in a Windows domain can result in an unattended remote support solution to every desktop in the enterprise.

The original open source VNC provides a single TCP port channel to remotely control a box. More sophisticated commercial VNC products, like the one from RealVNC (http://www.realvnc.com/index.html), include encryption and the ability to download and upload files. The more installations of VNC you have, the cheaper the licensing is, so plan to have one VNC server for every Windows domain or subnet you look after to maximise your per-seat savings.

At its most basic level, and in the case where the firewall is extremely limited in terms of configuration, you will want to open TCP port 5900 to internet traffic on the outside and map this port to the server where you have VNC installed. I recommend that the VNC server be installed on the primary domain controller. More advanced firewalls can further restrict the range of IP addresses that are allowed to connect to the exposed port; for a network with “precious” information, an upgrade in the router/firewall capabilities is advisable.

THE LAYERED APPROACH

When it comes to security I believe in the layered approach, and there are three key adjustments you need to make to the VNC server configuration to harden it against attacks. The VNC password should NOT be the domain admin password (or that of any Windows account); choose a decent password that is easy for you to remember but hard to crack.

  1. You will set a password on the VNC server.

  2. You will need to make sure the two “expert” settings are set; they are critical for the security of the VNC server.

(The two settings were shown in screenshots that are not reproduced here.)

These settings control the behaviour of VNC: the always-shared parameter prevents someone from eavesdropping on your connection, and the logoff setting forces a logoff of the server when the VNC session terminates. This way no one can accidentally stumble across a logged-in box.

This gives you the first layer of security: even if someone were to brute-force the password to the open VNC server port, they would then be presented with a Windows login and would have to try to brute-force the account name and password of a valid user account. An industry best practice is to not allow accounts at the “user” level of permission to log in locally to a server box, so this configuration is extremely secure.

One of the reasons I enjoy RealVNC is that it encrypts the connection between the client and the server by generating a unique signature; this creates another level of security which prevents any sort of man-in-the-middle or eavesdropping attempt.
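A defender-side check for the port you have just exposed, added here as an example and not taken from the original article: connect to your own VNC server, read the RFB version banner and the list of security types it offers, and flag anything weaker than an encrypted type. The type numbers are from the RFB security-type registry in RFC 6143 (RA2/RA2ne are RealVNC's encrypted types); the host and port you pass are assumed to be your own server, and the function never attempts a logon.

```python
import io
import socket
import struct

TYPE_NAMES = {1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne", 16: "Tight",
              17: "Ultra", 18: "TLS", 19: "VeNCrypt"}  # subset of the RFC 6143 registry
ENCRYPTED_TYPES = {5, 6, 18, 19}  # RA2/RA2ne (RealVNC), TLS, VeNCrypt

def parse_server_version(banner):
    """Parse the 12-byte b'RFB xxx.yyy\\n' banner into (major, minor)."""
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"." or banner[11:] != b"\n":
        raise ValueError("not an RFB banner: %r" % banner)
    return int(banner[4:7]), int(banner[8:11])

def read_security_types(stream, major, minor):
    """Read the security-type message that follows version negotiation."""
    if (major, minor) < (3, 7):  # RFB 3.3: the server dictates one type as a big-endian U32
        return [struct.unpack("!I", stream.read(4))[0]]
    count = stream.read(1)[0]
    if count == 0:  # server refused: U32 reason length, then the reason text
        reason = stream.read(struct.unpack("!I", stream.read(4))[0])
        raise ConnectionError(reason.decode("latin-1", "replace"))
    return list(stream.read(count))

def parse_security_types(data, major, minor):
    return read_security_types(io.BytesIO(data), major, minor)

def assess(types):
    """Defender's verdict on the offered types: ('OK' or 'WEAK', list of findings)."""
    findings = []
    if 1 in types:
        findings.append("unauthenticated access (type 1, None) is offered")
    if 2 in types:
        findings.append("plain VNC Authentication (type 2: DES challenge, no encryption) is offered")
    if not ENCRYPTED_TYPES.intersection(types):
        findings.append("no encrypted security type (RA2/RA2ne/TLS/VeNCrypt) is offered")
    return ("OK" if not findings else "WEAK"), findings

def audit_vnc_server(host, port=5900, timeout=5.0):
    """Connect to your own exposed VNC server and report what it offers; no logon is attempted."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as f:
        major, minor = parse_server_version(f.read(12))
        major, minor = min((major, minor), (3, 8))  # never answer with more than the server offers
        if (major, minor) < (3, 7):  # 3.3 to 3.6 are all treated as 3.3 (RFC 6143)
            major, minor = 3, 3
        sock.sendall(b"RFB %03d.%03d\n" % (major, minor))
        types = read_security_types(f, major, minor)
    names = [TYPE_NAMES.get(t, "type %d" % t) for t in types]
    return names, assess(types)
```

Run `audit_vnc_server("your.external.ip")` from outside the client network after the port mapping is in place; a result of `WEAK` with "None" or plain VNC Authentication in the findings means the first layer described above is not actually in force.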

Once you have VNC set up you will simply launch your VNC viewer and point it at the external IP address of your client network; after you enter your VNC password you should always be presented with the Windows logon screen.

By using the F8 key and sending your domain admin account and password, you now have encrypted remote access to the desktop of the server hosting your VNC server. Always check your settings so that if you disconnect you are automatically logged out of the box, to prevent someone from piggybacking on your connection.

Now we need to talk about the AD configuration of Terminal Services on all the other boxes in the domain (including your servers not running VNC). I edit this at the Default Domain Controllers Policy GPO level: the Terminal Services setting “Sets Rules for Remote Control of Terminal User Sessions” needs to be set to Full Control without the user's permission, as illustrated below.

In Windows XP and later, Windows Terminal Services is a service that is set to automatic startup. This GPO sets the flag so that you can remotely connect to any box using the Windows Terminal Services client from inside the VNC server connection you made. You have to be a domain admin to connect this way, and TCP port 3389 needs to be opened as a firewall exception, which is also a task that a Windows Active Directory GPO can accomplish. There are a great number of other GPOs which can help configure Terminal Services, and you should have a look at them to better meet your client's unique configuration requirements.

PUTTING IT ALL TOGETHER

If all goes well we can now execute the following procedure: use the VNC client to connect to the external IP address of the server hosting the VNC server and log in to the Windows desktop. Once you are on the server you can use the Remote Desktop client on the server to attach to any workstation or laptop running Windows 2000 or better. If you need to interact with the console of the box, open a command prompt and type “mstsc /console” (for XP SP2 and previous versions) or “mstsc /admin” (for XP SP3 or better).

ANOTHER REMOTE ADMIN TIP

By VNC’ing to a server on the domain you can use the Microsoft Management Console to connect to a different box on the domain; this is very handy for starting and stopping Windows services and examining all the local system logs and other system parameters. You do this by right-clicking on Computer Management (Local) and selecting Connect to another computer; a dialogue box will pop up allowing you to enter the name of, or browse to, the box you need to look at.


As you can see, a great deal of remote administration capability is already built into all versions of Windows, and with a very minimal investment in VNC and proper configuration of your firewall and network you can have access to any desktop and advanced troubleshooting capabilities without ever leaving your home base.

LAST REMOTE ADMIN TIP (I PROMISE)

Built into Windows 2003 and onwards is an amazing utility, again free, which allows you to do some phenomenal tasks. It’s called shutdown, and you can launch a GUI version by going to Run and typing “shutdown -i”. You should get a screen like the one in the original screenshot (not reproduced here).

It is an extremely useful utility to restart computers remotely. The shutdown command can be called from scripts as well as invoked by the Windows Task Scheduler, and can be used to schedule daily, weekly or monthly reboots.