Enabling Remote Desktop for Administration in Windows Server 2008
Once the operating system has been deployed onto the bare-metal box, most IT administrators want to get busy configuring their servers. To do this from their cubes or offices, instead of standing for hours at a time in front of a server rack in a cold data center, they enable Remote Desktop for administration. Enabling Remote Desktop for administration in Windows Server 2008 is quite straightforward, but to some it can be a tad complicated because of unfamiliarity with the new Server Manager administration console.
To do this, click the Enable Remote Desktop link that appears in the Initial Configuration Tasks (ICT) screen. If you've closed this screen, remember that you can bring it up again using the oobe command from the Run box in the Start menu. However, the task can also be done more conveniently from Server Manager, which opens every time you log into your box and also provides access to the firewall controls you might need to review to ensure you can establish a successful RDP connection to your fresh install of Windows Server 2008.

To enable Remote Desktop for administration, simply hit the Configure Remote Desktop link in the root of the Server Manager interface and, in the System Properties window that appears, select either “Allow connections from computers running any version of Remote Desktop (less secure)” or “Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)”.
Now what do these two options really mean? With Windows Server 2008 and Windows Vista a new version of the Remote Desktop Protocol, RDP 6.0, was developed. It brings some interesting features to the table, such as:
- Maximum screen resolution of 4096×2048
- Maximum color depth increase to 32-bit color
- Support for ClearType fonts
- Support for connected USB and other peripheral devices
- Support for spanning multiple horizontally-connected monitors using the “/span” switch
- Ability to use client-side themes in remote sessions
The first option, “Allow connections from computers running any version of Remote Desktop (less secure)”, allows computers with previous versions of the RDP client to connect to the server for administration. This is less secure, since the client cannot authenticate that it is connecting to the correct server, and DNS name or IP spoofing could have occurred in your network. The other option, “Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)”, allows newer RDP clients, such as the one bundled with Windows Vista or Server 2008, to authenticate the identity of the server they are connecting to. This avoids any type of spoofing and having someone capture your credentials.
For more information on Network Level Authentication please refer to the post titled WS2008: Network Level Authentication and Encryption on the blog for the Enterprise Platforms Windows Server Performance Team.
If you have a system with a legacy version of the RDP software, such as the one bundled by default with Windows XP, you can update it to the latest version of the RDP client, which benefits from Network Level Authentication, by downloading it directly from Microsoft.
Once we’ve enabled Remote Desktop with the desired settings, we can select the Windows Firewall with Advanced Security node under the Configuration branch of the Server Manager utility and choose Properties from the Actions pane to review the state of the firewall and ensure we can connect to our server via RDP.

The default state for the firewall in the Windows Server 2008 family of products is On, and for good reason: statistically speaking, the majority of attacks on server operating systems occur out of the box, exploiting unpatched vulnerabilities or improperly configured services. Once we’ve reviewed the state of our firewall, we open the branch titled Windows Firewall with Advanced Security and select the Inbound Rules node. Under this node we look for the Remote Desktop (TCP-In) rule and ensure that the action chosen in this rule reads “Allow the connection”. This is also a good moment to remind you that the port on which RDP works is still 3389, in case you have other network considerations, such as ACLs in your switching and routing infrastructure, that you might need to take a look at.

After this is done you can remote into your fresh install of Windows Server 2008 to do further configuration tasks.
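The settings chosen in the steps above can also be read back from the command line. The following is an added example, not part of the original article: it reads the registry values behind the System Properties options and shows the inbound firewall rule with netsh. It assumes PowerShell is installed on the server (an optional feature in Windows Server 2008), an elevated prompt, and English-language netsh output.

```powershell
# Added audit example (not from the original article). It only reads
# settings; it changes nothing. Run from an elevated PowerShell prompt.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

$deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
$nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
$port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

# fDenyTSConnections: 0 = Remote Desktop enabled, 1 = disabled.
if ($deny -eq 0) { 'Remote Desktop : enabled' } else { 'Remote Desktop : disabled' }

# UserAuthentication: 1 = Network Level Authentication required,
# 0 = clients running any version of Remote Desktop are accepted.
if ($nla -eq 1) {
    'NLA            : required (more secure option)'
} else {
    'NLA            : not required (less secure option)'
}

# The built-in firewall rule covers TCP 3389; a different listener port
# needs its own rule and matching ACLs on switches and routers.
if ($port -eq 3389) {
    'Listener port  : 3389 (default)'
} else {
    "Listener port  : $port (non-default, check firewall rule and ACLs)"
}

# Show the inbound rule reviewed in the firewall step. netsh output is
# localized; the patterns below assume an English-language system.
$rule = netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
$rule | Select-String -Pattern '^(Enabled|Profiles|Action):'

if (-not ($rule | Select-String -Pattern '^Enabled:\s+Yes')) {
    'WARNING: the Remote Desktop (TCP-In) rule is not enabled'
}
if (-not ($rule | Select-String -Pattern '^Action:\s+Allow')) {
    'WARNING: the rule action is not "Allow the connection"'
}
```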
For further information on how to configure the Windows Server 2008 firewall with the new MMC tool in Server Manager, please refer to the article titled How to configure the new Windows Server 2008 advanced firewall MMC snap-in from one of my favorite sites, Windows Networking, or review the TechNet article titled Getting Started with Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008.