Enhance Remote Access: Introducing Remote Desktop Connection 6.1 Client Update for Windows Server

This article delves into the Remote Desktop Connection (RDC) 6.1 client update and its impact on Terminal Services within Windows Vista SP1, Windows XP SP3, and Windows Server 2008 environments. This update introduced several key features designed to improve the functionality, security, and user experience of remote desktop sessions. Prior to this update, remote connections often faced limitations regarding application access, printing, security, and network traversal. RDC 6.1 aimed to address these challenges by integrating more tightly with the features introduced in Windows Vista and Windows Server 2008.

While the RDC 6.1 client maintains compatibility with connecting to older terminal servers and remote desktops, the advanced functionalities discussed herein are specifically unlocked when connecting to a remote machine operating on Windows Vista or Windows Server 2008. This requirement highlights the dependency on the newer operating systems to fully leverage the enhancements provided by the updated client. The client update was a crucial step in evolving the remote access landscape within the Microsoft ecosystem, paving the way for more robust and versatile remote computing scenarios.

The RDC 6.1 client update delivers a suite of powerful features aimed at modernizing remote access and terminal services. Each feature contributes significantly to enhancing the remote computing experience, whether for individual users connecting to their office machines or for organizations providing centralized applications via terminal servers. These features represent a substantial leap forward from previous iterations of the Remote Desktop Connection client, offering improved security, better usability, and enhanced administrative control. Understanding these features is essential for leveraging the full potential of remote desktops and terminal services in compatible environments.

Key Features of Remote Desktop Connection 6.1

The RDC 6.1 client update brought several notable capabilities to the forefront of remote access technology. These features were designed in conjunction with the server-side enhancements in Windows Vista and Windows Server 2008 to create a more seamless and secure remote environment. Below is a detailed look at the principal features included in this update and their significance for both users and IT professionals.

Terminal Services Web Access

Terminal Services Web Access (TS Web Access) emerges as a pivotal service within Terminal Services in Windows Server 2008. This feature empowers administrators to publish Terminal Services RemoteApp (TS RemoteApp) programs directly to users through a standard web browser interface. Instead of connecting to a full desktop, users can access specific applications as if they were installed locally on their machines.

TS Web Access simplifies application deployment and access, offering users a familiar web-based portal from which they can launch necessary applications. It also provides options to publish a link to the full terminal server desktop or allow connections to the remote desktop of any server or client computer, provided the user possesses the appropriate access rights. This flexibility makes TS Web Access a versatile tool for delivering applications and remote desktops securely over the corporate network or even the internet.

Remote Desktop Protocol (RDP) Signing

RDP Signing is a crucial security feature introduced to bolster the integrity of remote connections initiated via TS Web Access. It enables the signing of RDP files and the connections that originate from them, assuring users that the connection parameters have not been tampered with by malicious entities. This helps mitigate the risk of users being tricked into connecting to potentially hostile terminal servers using compromised RDP configuration files.

Administrators can further strengthen security postures by utilizing Group Policy settings to mandate that users can only open RDP files that have been digitally signed by a trusted source. This policy enforcement provides a robust layer of defense, ensuring that users connect exclusively to validated and known remote resources, thereby significantly reducing the attack surface associated with remote access. RDP signing contributes to a safer remote environment for both individual users and the organization as a whole.

Terminal Services Easy Print

Terminal Services Easy Print represents a revolutionary approach to printer redirection within remote sessions, first introduced with Windows Server 2008. This feature drastically simplifies the process of making client-side printers available within a remote desktop session, eliminating the need for administrators to install specific printer drivers on the terminal server itself. This resolves longstanding issues related to driver compatibility, conflicts, and the administrative burden of managing a multitude of printer drivers on servers hosting numerous user sessions.

Easy Print ensures that client printers are reliably mapped and accessible within the remote session by leveraging the XML Paper Specification (XPS) print path, which is part of the .NET Framework 3.0 with SP1. This new architecture means that print queues are now enumerated per session, improving clarity and management. Crucially, all client printer properties become fully available within the remote session, offering users the complete printing experience they would expect locally. Furthermore, administrators gain granular control, including the ability to use policy settings to redirect only the default printer, streamlining options for users if desired. Terminal Services Easy Print became the default printer redirection method, signifying its importance and effectiveness; it typically requires no explicit configuration beyond having the necessary components installed.

Requirements for Terminal Services Easy Print

To successfully utilize the benefits of Terminal Services Easy Print, specific software components must be present on both the server and client sides. On the server hosting the Terminal Services role, Windows Server 2008 or a later compatible version is required. No special printer drivers need to be installed on the server for client printers. The heavy lifting for compatibility is managed by the new architecture.

On the client computer initiating the connection, the user must be running the Remote Desktop Connection 6.1 client or a newer version that supports this feature. Additionally, the client machine must have Microsoft .NET Framework 3.0 with Service Pack 1 (SP1) installed. This component provides the necessary XPS print capabilities that Easy Print relies upon. Meeting these requirements ensures a smooth and driverless printer redirection experience.

Network Level Authentication

Network Level Authentication (NLA) is a significant security enhancement included in RDC 6.1, particularly noteworthy for its inclusion in Windows XP SP3. NLA performs user authentication before a full Remote Desktop session is established and the logon screen appears. This is a critical difference from older methods where the server would allocate resources and present a login screen even before the user’s credentials were verified, making servers vulnerable to denial-of-service attacks targeting the RDP service itself.

By requiring authentication at the network layer, NLA drastically reduces the load on the remote computer, as it consumes significantly fewer resources before authenticating the user compared to initiating a full session. This pre-authentication step provides enhanced security by mitigating the risk of malicious attacks designed to overload the remote computer’s resources. Moreover, NLA incorporates server authentication, helping to protect users from inadvertently connecting to fraudulent or malicious remote computers set up to capture credentials or distribute malware. NLA is considered a best practice for securing RDP connections due to its efficiency and robust pre-authentication capabilities.

Server Authentication

Server authentication, integrated into RDC 6.1, plays a vital role in establishing trust and preventing potential security breaches like Man-in-the-Middle attacks. When you attempt to connect to a remote computer or server, RDC 6.1 can verify the identity of the destination server using security certificates. This verification process helps ensure that you are connecting to the legitimate server you intended to reach, rather than a rogue machine impersonating your target. Connecting to an unverified server could expose sensitive information or compromise your client machine.

By default, RDC 6.1 enforces server authentication to protect users. However, users can adjust this behavior based on their security needs and the trustworthiness of their connections. The options for server authentication provide flexibility:
1. Always connect, even if authentication fails: This setting allows connections even if the client cannot verify the server’s identity. This is the least secure option and should be used with extreme caution, typically only in trusted, isolated network environments.
2. Warn me if authentication fails: This is the default setting and offers a balance between security and usability. If RDC 6.1 cannot verify the server’s identity, it will present a warning to the user, allowing them to decide whether to proceed with the potentially insecure connection.
3. Do not connect if authentication fails: This is the most secure setting. If RDC 6.1 fails to verify the server’s identity, the connection will be terminated automatically, preventing any data exchange with the potentially untrusted server. Choosing this option ensures that connections are only made to verified destinations.

Users can configure these options via the Remote Desktop Connection client interface under the Advanced tab, providing control over their connection security posture.
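
Added example (not part of the original article): a small auditor for .rdp connection files that checks the three protections described above, namely RDP Signing, Network Level Authentication and the server authentication options. It relies on the standard .rdp settings `signscope`/`signature`, `enablecredsspsupport` and `authentication level`, which the article does not name; the function names and both sample files are constructed for illustration.

```python
# Added example: audit .rdp files for the settings behind RDP Signing,
# server authentication and NLA. Function names are hypothetical.

# "authentication level:i:N" values mapped to the three client options.
AUTH_LEVELS = {
    0: "always connect, even if authentication fails",
    1: "do not connect if authentication fails",
    2: "warn me if authentication fails",
}

def decode_rdp(raw: bytes) -> str:
    """Client-saved files are UTF-16LE with a BOM; hand-edited ones may be UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines (type i = integer, s = string, b = binary)."""
    settings = {}
    for line in text.splitlines():
        name, sep1, rest = line.strip().partition(":")
        kind, sep2, value = rest.partition(":")
        if not (sep1 and sep2) or kind not in ("i", "s", "b"):
            continue  # blank or malformed line
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer setting with a non-numeric value
        settings[name.lower()] = value
    return settings

def audit_rdp(raw: bytes) -> list:
    """Return findings; an empty list means none of the weak settings were seen."""
    s = parse_rdp(decode_rdp(raw))
    findings = []
    # Signed files carry both entries. This checks presence only; validating
    # the signature against a trusted publisher is done by the RDC client.
    if not (s.get("signature") and s.get("signscope")):
        findings.append("unsigned: no signature/signscope entries")
    level = s.get("authentication level")
    if level == 0:
        findings.append("server authentication: " + AUTH_LEVELS[0])
    elif level not in AUTH_LEVELS:
        findings.append("server authentication: level not set explicitly")
    # NLA relies on CredSSP; a value of 0 tells the client not to use it.
    if s.get("enablecredsspsupport") == 0:
        findings.append("NLA: CredSSP disabled (enablecredsspsupport:i:0)")
    return findings

# Constructed samples; the host name and signature value are placeholders.
WEAK = b"\xff\xfe" + ("full address:s:ts01.example.test\r\n"
                      "authentication level:i:0\r\n"
                      "enablecredsspsupport:i:0\r\n").encode("utf-16-le")
HARDENED = (b"full address:s:ts01.example.test\n"
            b"authentication level:i:1\nenablecredsspsupport:i:1\n"
            b"signscope:s:Full Address\nsignature:s:PLACEHOLDER-NOT-A-SIGNATURE\n")

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_rdp(sample))
```

A file set to "Warn me if authentication fails" is not flagged, since the article describes it as the default balance between security and usability.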

Resource Redirection

Resource redirection capabilities were enhanced in RDC 6.1, offering users more granular control over which local devices and resources are made available within the remote session. Beyond standard redirection of drives, printers (though Easy Print changes this landscape), and audio, RDC 6.1 introduced improved support for redirecting Plug and Play devices. This means that certain locally connected devices that support redirection can be made available for use within the remote desktop session.

This expanded redirection capability is particularly useful for devices such as webcams, scanners, or other specialized USB devices that might be needed for tasks performed within the remote environment. By enabling the redirection of supported Plug and Play devices, users can leverage their local peripherals without needing them to be physically connected to the remote machine or terminal server. This enhances the flexibility and functionality of the remote desktop session, making it more closely resemble the local computing experience. The option to redirect these devices is typically found within the Local Resources tab of the RDC client options.

Terminal Server Gateway Servers

Terminal Server Gateway (TS Gateway), a role service in Windows Server 2008, provides a secure and efficient way for authorized users to connect to internal network resources (like terminal servers or remote desktops) from outside the corporate firewall, often over the internet. It eliminates the need for a Virtual Private Network (VPN) connection, simplifying remote access for users and reducing the overhead for IT.

TS Gateway works by tunneling the standard Remote Desktop Protocol (RDP), which typically uses port 3389, over the HTTPS protocol (port 443). Port 443 is commonly open on firewalls to allow secure web traffic (SSL/TLS), making it an ideal conduit for RDP connections that would otherwise be blocked. The TS Gateway server acts as a proxy, receiving the encrypted RDP traffic over HTTPS, authenticating the user and authorizing the connection based on policies, and then forwarding the decrypted RDP traffic to the target internal resource. This method provides an encrypted connection from the client to the gateway and often from the gateway to the internal resource, enhancing security significantly compared to direct RDP connections over the internet.

Benefits of using a TS Gateway server include simplifying external access without VPN infrastructure, enabling connections across firewalls and Network Address Translators (NATs), and potentially optimizing bandwidth by sharing the user’s existing internet connection. Configuring a TS Gateway server in the RDC client involves specifying the gateway server name and selecting an authentication method (such as password or smart card), along with the option to bypass the gateway for local network addresses to ensure faster connections when inside the corporate network.

Terminal Services RemoteApp

Terminal Services RemoteApp, often utilized in conjunction with TS Web Access, is a powerful feature of Windows Server Terminal Services that allows administrators to make individual programs installed on a terminal server available to users on client computers. Instead of connecting to a full desktop session, the user sees only the application window, which behaves as if it were running locally. The application is displayed in its own resizable window, has its own entry in the taskbar, and can even interact with local programs and devices.

RemoteApp significantly improves the user experience by making remote applications feel integrated into the local desktop environment. From an administrative perspective, it simplifies application deployment and management. Instead of installing, updating, and patching applications on numerous individual user machines, IT departments only need to manage a single installation (or a few, in a farm environment) on the terminal server(s). This centralization leads to reduced maintenance costs, improved compliance, and faster deployment of updates. RemoteApp is particularly valuable for delivering line-of-business applications or applications that require significant server resources to a wide user base.

Monitor Spanning

For users with multi-monitor setups, RDC 6.1 introduced enhanced support for spanning the remote desktop across multiple displays. This feature significantly improves productivity for tasks requiring large screen real estate, such as working with spreadsheets, complex diagrams, or multiple application windows simultaneously. The remote desktop session can effectively utilize the combined resolution of several monitors, creating a vast virtual workspace.

There are specific requirements and limitations for monitor spanning in RDC 6.1. The total combined resolution of all monitors must not exceed 4096 x 2048 pixels. Additionally, the monitors must all have the same screen resolution and must be physically aligned side-by-side in a horizontal arrangement. The primary way to enable monitor spanning in RDC 6.1 is by launching the client from the command prompt using the command Mstsc /span. This command instructs the RDC client to attempt to span the remote session across all available monitors that meet the specified criteria.

Visual Improvements

RDC 6.1 brought welcome enhancements to the visual fidelity of the remote desktop experience, making it more appealing and comfortable for extended use. Notably, support for 32-bit color depth was introduced. Previously, RDP sessions might have been limited to 16-bit or 24-bit color, which could result in banding or less accurate color representation. 32-bit color allows for a much richer and more detailed visual experience, better displaying gradients, images, and user interface elements with transparency effects.

Another significant visual improvement is the support for font smoothing (often referred to as ClearType). Font smoothing renders text more smoothly on the screen, reducing the pixelated appearance that can occur with smaller font sizes or specific font styles in remote sessions. Enabling font smoothing dramatically improves the readability of text within the remote desktop environment, reducing eye strain and making the remote experience feel much closer to working directly on the local machine. Both 32-bit color and font smoothing can be enabled via the Display tab and Experience tab respectively within the RDC client options.

These visual enhancements, while seemingly minor, contribute significantly to the overall user experience, making remote work more comfortable and productive, especially for users who spend extensive periods connected to remote desktops.

Summary of Key Features and Benefits

| Feature | Description | Primary Benefit |
|---|---|---|
| Terminal Services Web Access | Access remote programs/desktops via a web browser. | Simplified application access, central management. |
| RDP Signing | Digital signature verification for RDP files and connections. | Enhanced security against malicious connection attempts. |
| Terminal Services Easy Print | Driverless printer redirection using XPS path. | Simplified printer management, improved reliability and compatibility. |
| Network Level Authentication | Authentication occurs before full session is established. | Improved security (mitigates DoS), reduced server resource usage. |
| Server Authentication | Verifies the identity of the remote server. | Prevents connections to fraudulent servers, protects sensitive data. |
| Resource Redirection | Enhanced support for redirecting Plug and Play devices. | Increased flexibility, allowing use of local peripherals in remote session. |
| Terminal Server Gateway | Secure connection to internal network over the internet using HTTPS. | Remote access without VPN, bypasses firewalls, enhances security via encryption. |
| Terminal Services RemoteApp | Run remote programs in seamless windows on the local desktop. | Centralized application management, improved user experience. |
| Monitor Spanning | Extend remote desktop across multiple monitors. | Increased productivity for multi-monitor users. |
| Visual Improvements | Support for 32-bit color and font smoothing. | More realistic and comfortable visual experience, improved text readability. |

The Remote Desktop Connection 6.1 client update provided a significant upgrade path for users and administrators looking to leverage the new capabilities offered by Windows Vista and Windows Server 2008 Terminal Services. Its features addressed long-standing limitations of remote access, making connections more secure, easier to manage, and providing a more user-friendly experience. From simplified application delivery with RemoteApp and Web Access to robust security features like NLA and RDP Signing, RDC 6.1 laid the groundwork for modern remote computing environments.
