Remote Desktop is basically like a remote control program. It lets you connect to your XP desktop over any TCP/IP network and control programs--including Windows itself--remotely. As you interact with the client system, keystrokes and mouse events are sent over the connection to the remote system, which sends back screen information for the client program to display.
Remote Desktop's feature set is limited compared to most commercial remote control programs, which brings me to one of the most common criticisms I received: "[My favorite remote control program, e.g. pcAnywhere] is much better, so why should anyone use Remote Desktop?" You won't get an argument from me about the first part. Most commercial remote control programs are better and more flexible than Remote Desktop. For example, many of them have direct-dial connection features and support network protocols other than TCP/IP. Some integrate into larger network management systems. They also cost money: A one-user version of pcAnywhere lists at $179.95. Many people will find cause to spend the extra bucks for the many extra features, but basic remote control functionality is now built into the Windows OS.
For those of you familiar with Terminal Server, Remote Desktop is roughly a one-user version of that remote access facility. Terminal Server has been available for many years on Windows NT4 Server and Windows 2000 Server, and it has a very good security record. Remote Desktop uses the same Remote Desktop Protocol (RDP) as Terminal Server (known in Windows 2000 as Terminal Services), and they use the same client software. RDP, incidentally, is an RC4-encrypted protocol.
Since Windows 2000 was released about two years ago, there have been two or three security-related issues raised at respectable security sites, such as NTBugtraq. Two are denial-of-service vulnerabilities, which were revealed and patched before they were exploited. Another allows a client to spoof its IP address. This is bad, I suppose, and Microsoft says that it will issue a fix in the next service pack, but that it doesn't really constitute a breach of Terminal Server or Remote Desktop security because the user still needs to have a proper login. This looks like a very good security record to me, much better than most other remote access methods.
Many of the claims about Remote Desktop reflect simple ignorance about how it works. It is turned off by default, so I expect that comparatively few XP systems will have it enabled. When you turn it on, by default only the Administrator has access, but you can grant access to less-privileged users, which is a way of restricting what remote users can do.
Many other claims assumed that every clown with a Windows system would from now on have this Remote Desktop security "problem," but, in fact, it's more complicated than that. Windows XP Home, which almost all consumer users will likely buy or receive preloaded, does not include Remote Desktop. No doubt many of those who expressed fear of Remote Desktop will now criticize Microsoft for ripping off Home users by not including it. (It's like the old Woody Allen joke about the bad restaurant: The food was terrible! And the portions were so small!)
Most criticism of Remote Desktop is so irrational that I suspect it's actually just an expression of fear from those who wish Microsoft ill. But the worst part of it is that some people out there seem to assume that Microsoft software is insecure until proven otherwise. This is not a rational basis on which to judge products.
What's your experience with security and Remote Desktop? E-mail Larry or post your thoughts in our Talkback forum below.




