| Remote Desktop Services | |
|---|---|
| Other names | Terminal Services |
| Developer | Microsoft |
| Operating system | Microsoft Windows |
| Service name | TermService |
| Type | Remote desktop software |
| Website | docs |
Remote Desktop Services (RDS), known asTerminal Services inWindows Server 2008 and earlier,[1] is one of the components ofMicrosoft Windows that allow a user to initiate and control an interactive session[2] on aremote computer orvirtual machine over anetwork connection.
RDS isMicrosoft's implementation ofthin client architecture, where Windows software, and the entire desktop of the computer running RDS, are made accessible to any remote client machine that supportsRemote Desktop Protocol (RDP).User interfaces are displayed from the server onto the client system and input from the client system is transmitted to the server – where software execution takes place.[3] This is in contrast toapplication streaming systems, likeMicrosoft App-V, in which computer programs are streamed to the client on-demand and executed on the client machine.
RDS was first released in 1998 asTerminal Server inWindows NT 4.0 Terminal Server Edition, a stand-alone edition ofWindows NT 4.0 Server that allowed users to log in remotely. Starting withWindows 2000, it was integrated under the name ofTerminal Services as an optional component in the server editions of theWindows NT family of operating systems,[4] receiving updates and improvements with each version of Windows.[5] Terminal Services were then renamed toRemote Desktop Services withWindows Server 2008 R2[6] in 2009.RemoteFX was added to RDS as part ofWindows Server 2008 R2 Service Pack 1.
Windows includes four client components that use RDS:
The first two are individual utilities that allow a user to operate an interactive session on a remote computer over the network. In case of Remote Assistance, the remote user needs to receive an invitation and the control is cooperative. In case of RDC, however, the remote user opens a new session on the remote computer and has every power granted by its user account's rights and restrictions.[3][7][8] Fast User Switching allows users to switch between user accounts on the local computer without quitting software and logging out. Fast User Switching is part ofWinlogon and uses RDS to accomplish its switching feature.[9][10] Third-party developers have also created client software for RDS. For example,rdesktop supportsUnix platforms.
Although RDS is shipped with most editions of Windows since Windows XP,[4] its functionality differs in each version.Windows XP Home Edition (and later Home SKUs of Windows) does not accept any RDC connections at all, reserving RDS for Fast User Switching and Remote Assistance only. Other client versions of Windows only allow a maximum of one remote user to connect to the system at the cost of the user who has logged onto the console being disconnected.Windows Server allows two users to connect at the same time. This licensing scheme, called "Remote Desktop for Administration", facilitatesadministration of unattended orheadless computers. Only by acquiring additional licenses (in addition to that of Windows) can a computer runningWindows Server service multiple remote users at one time and achievevirtual desktop infrastructure.[6][9]
For an organization, RDS allows the IT department to install applications on a central server instead of multiple computers.[11] Remote users can log on and use those applications over the network. Such centralization can make maintenance and troubleshooting easier. RDS and Windows authentication systems prevent unauthorized users from accessing apps or data.
Microsoft has a long-standing agreement withCitrix to facilitate sharing of technologies andpatentlicensing between Microsoft Terminal Services andCitrix XenApp (formerly Citrix MetaFrame andCitrix Presentation Server). In this arrangement, Citrix has access to keysource code for the Windows platform, enabling its developers to improve the security and performance of the Terminal Services platform. In late December 2004 the two companies announced a five-year renewal of this arrangement to coverWindows Vista.[12]
The key server component of RDS isTerminal Server (termdd.sys), which listens onTCP port 3389. When aRemote Desktop Protocol (RDP) client connects to this port, it is tagged with a uniqueSessionID and associated with a freshly spawned console session (Session 0, keyboard, mouse and character mode UI only). The login subsystem (winlogon.exe) and theGDI graphics subsystem is then initiated, which handles the job of authenticating the user and presenting the GUI. These executables are loaded in a new session, rather than the console session. When creating the new session, the graphics and keyboard/mouse device drivers are replaced with RDP-specific drivers:RdpDD.sys andRdpWD.sys. TheRdpDD.sys is the device driver and it captures the UI rendering calls into a format that is transmittable over RDP.RdpWD.sys acts as keyboard and mouse driver; it receives keyboard and mouse input over the TCP connection and presents them as keyboard or mouse inputs. It also allows creation ofvirtual channels, which allow other devices, such as disc, audio, printers, and COM ports to be redirected, i.e., the channels act as replacement for these devices. The channels connect to the client over the TCP connection; as the channels are accessed for data, the client is informed of the request, which is then transferred over the TCP connection to the application. This entire procedure is done by the terminal server and the client, with the RDP mediating the correct transfer, and is entirely transparent to the applications.[13] RDP communications are encrypted using 128-bitRC4 encryption. From Windows Server 2003 onwards, it can use aFIPS 140 compliant encryption scheme, or encrypt communications using theTransport Layer Security standard.[3][14]
Once a client initiates a connection and is informed of a successful invocation of the terminal services stack at the server, it loads up the device as well as the keyboard/mouse drivers. The UI data received over RDP is decoded and rendered as UI, whereas the keyboard and mouse inputs to the Window hosting the UI is intercepted by the drivers, and transmitted over RDP to the server. It also creates the other virtual channels and sets up the redirection. RDP communication can be encrypted; using either low, medium or high encryption. With low encryption, user input (outgoing data) is encrypted using a weak (40-bit RC4) cipher. With medium encryption, UI packets (incoming data) are encrypted using this weak cipher as well. The setting "High encryption (Non-export)" uses 128-bit RC4 encryption and "High encryption (Export)" uses 40-bit RC4 encryption.[15] When setting the Security Layer to 'SSL (TLS 1.0)',Transport Layer Security up to version 1.2 is available.[16]
Terminal Server is the server component of Terminal services. It handles the job of authenticating clients, as well as making the applications available remotely. It is also entrusted with the job of restricting the clients according to the level of access they have. The Terminal Server respects the configured software restriction policies, so as to restrict the availability of certain software to only a certain group of users. The remote session information is stored in specialized directories, calledSession Directory which is stored at the server. Session directories are used to store state information about a session, and can be used to resume interrupted sessions. The terminal server also has to manage these directories. Terminal Servers can be used in acluster as well.[3]
InWindows Server 2008, it has been significantly overhauled. While logging in, if the user logged on to the local system using aWindows Server Domain account, the credentials from the same sign-on can be used to authenticate the remote session. However, this requires Windows Server 2008 to be the terminal server OS, while the client OS is limited to Windows Server 2008, Windows Vista andWindows 7. In addition, the terminal server may be configured to allow connection to individual programs, rather than the entire desktop, by means of a feature namedRemoteApp. Terminal Services Web Access (TS Web Access) makes a RemoteApp session invocable from theweb browser. It includes the TS Web Access Web Part control which maintains the list of RemoteApps deployed on the server and keeps the list up to date. Terminal Server can also integrate withWindows System Resource Manager to throttle resource usage of remote applications.[5]
Terminal Server is managed by theTerminal Server ManagerMicrosoft Management Console snap-in. It can be used to configure the sign in requirements, as well as to enforce a single instance of remote session. It can also be configured by usingGroup Policy orWindows Management Instrumentation. It is, however, not available in client versions of Windows OS, where the server is pre-configured to allow only one session and enforce the rights of the user account on the remote session, without any customization.[3]
TheRemote Desktop Gateway service component, also known asRD Gateway, cantunnel the RDP session using aHTTPS channel.[17] This increases the security of RDS byencapsulating the session withTransport Layer Security (TLS).[18] This also allows the option to useInternet Explorer as the RDP client. The official MS RDP client formacOS supports RD Gateway as of version 8. This is also available for iOS and Android.
This feature was introduced in the Windows Server 2008 andWindows Home Server products.
In October 2021, Thincast, the main contributor of the FreeRDP project, published the first Remote Desktop Gateway solution running natively on Linux.[19]
RemoteApp (orTS RemoteApp) is a special mode of RDS, available in Windows Server 2008 R2 and later, where remote session configuration is integrated into the client operating system. The RDP 6.1 client ships with Windows XP SP3, KB952155 for Windows XP SP2 users,[21] Windows Vista SP1 and Windows Server 2008. The UI for the RemoteApp is rendered in a window over the local desktop, and is managed like any other window for local applications. The end result of this is that remote applications behave largely like local applications. The task of establishing the remote session, as well as redirecting local resources to the remote application, is transparent to the end user.[22] Multiple applications can be started in a single RemoteApp session, each with their own windows.[23]
A RemoteApp can be packaged either as a.rdp file or distributed via an.msiWindows Installer package. When packaged as an.rdp file (which contains the address of the RemoteApp server, authentication schemes to be used, and other settings), a RemoteApp can be launched by double clicking the file. It will invoke the Remote Desktop Connection client, which will connect to the server and render the UI. The RemoteApp can also be packaged in aWindows Installer database, installing which can register the RemoteApp in theStart menu as well as create shortcuts to launch it. A RemoteApp can also be registered as handler for file types or URIs. Opening a file registered with RemoteApp will first invoke Remote Desktop Connection, which will connect to the terminal server and then open the file. Any application which can be accessed over Remote Desktop can be served as a RemoteApp.[22][24]
Windows 7 includes built-in support for RemoteApp publishing, but it has to be enabled manually in registry, since there is no RemoteApp management console in client versions of Microsoft Windows.[25]
InWindows Vista onwards, Terminal Services also includes a multi-party desktop sharing capability known asWindows Desktop Sharing. Unlike Terminal Services, which creates a new user session for every RDP connection, Windows Desktop Sharing can host the remote session in the context of the currently logged in user without creating a new session, and make the Desktop, or a subset of it, available over RDP.[26] Windows Desktop Sharing can be used to share the entire desktop, a specific region, or a particular application.[27] Windows Desktop Sharing can also be used to share multi-monitor desktops. When sharing applications individually (rather than the entire desktop), the windows are managed (whether they are minimized or maximized) independently at the server and the client side.[27]
The functionality is only provided via a publicAPI, which can be used by any application to provide screen sharing functionality. Windows Desktop Sharing API exposes two objects:RDPSession for the sharing session andRDPViewer for the viewer. Multiple viewer objects can be instantiated for one Session object. A viewer can either be a passive viewer, who is just able to watch the application like ascreencast, or an interactive viewer, who is able to interact in real time with the remote application.[26] TheRDPSession object contains all the shared applications, represented asApplication objects, each withWindow objects representing their on-screen windows. Per-application filters capture the application Windows and package them asWindow objects.[28] A viewer must authenticate itself before it can connect to a sharing session. This is done by generating anInvitation using theRDPSession. It contains an authentication ticket and password. The object isserialized and sent to the viewers, who need to present theInvitation when connecting.[26][28]
Windows Desktop Sharing API is used byWindows Meeting Space andWindows Remote Assistance for providing application sharing functionality amongnetwork peers.[27]
Network Level Authentication (NLA) is a feature of RDP Server orRemote Desktop Connection (RDP Client) that requires the connecting user to authenticate themselves before a session is established with the server.
Originally, if a user opened an RDP (remote desktop) session to a server it would load the login screen from the server for the user. This would use up resources on the server, and was a potential area fordenial of service attacks as well asremote code execution attacks (seeBlueKeep). Network Level Authentication delegates the user's credentials from the client through a client-sideSecurity Support Provider and prompts the user to authenticate before establishing a session on the server.
Network Level Authentication was introduced in RDP 6.0 and supported initially inWindows Vista. It uses the new Security Support Provider, CredSSP, which is available throughSSPI in Windows Vista. WithWindows XP Service Pack 3, CredSSP was introduced on that platform and the included RDP 6.1 Client supports NLA; however CredSSP must be enabled in the registry first.[29][30]
The advantages of Network Level Authentication are:
Remote Desktop Connection is a primary client for Remote Desktop Services. RDC presents the desktop interface (or application GUI) of the remote system, as if it were accessed locally.[34]Microsoft Remote Desktop was created in 2012 by Microsoft as a client with a touch-friendly interface. Additionally,several non-Microsoft clients exist.
{{cite web}}: CS1 maint: url-status (link)
