Here’s a quick one for all of the administrators and security practitioners. There’s no shortage of third-party programs designed to do remote desktop management and support. And while sure, many of them are secure, the ones we find in use most often are not. The reason being, they tend to be low or no cost solutions. Now, I’m not one to say that security should always be spendy, but let’s be honest, a lot of the time tools are an investment that management is not always willing to invest in. More often then not when we hit a business that is using VNC as their de facto remote management and support tool, the reason behind it is; “Well, it’s free, and we can shadow and control other machines with it for support calls.”
And they aren’t wrong. But the follow-up question is one we’re here to answer today. That question being “I mean, what other free tools are there?”.
It may be surprising to know the answer is good ole RDP! RDP, or Remote Desktop Protocol, is the built-in windows standard - that I am sure many of you are already familiar with - tool for remote access with desktop visualization in windows.
I bet many of you are thinking “But that’s for remote access, not support calls. It lacks a ton of features like shadowing, remote control of active sessions without kicking people off…” and so on and so on. Well… yes. However, there are a handful of other tools that rely on the RDP backend protocol, that were designed specifically for remote management. The downside is windows doesn’t really seem to advertise these. And so that’s where our story starts.
There are two alternate tools that we can look at. In this blog we will take a look at MSRA.exe, and leave the second option, MSTSC.exe, for a future blog. However, both of these little wonders can be found in the system32 directory of a standard windows install (windows\system32\). The problem here, again, is there’s little direct documentation on how to implement these as feature sets for remote administration, and even less general industry knowledge that they even exist (at least in my experience). So, let’s dig into MSRA.
MSRA: Microsoft Remote Access
Of the two, this is the more administrative focused tool. The tool provides almost all the features you will need to do general remote assistance within the scope of your daily tasks, and is a fantastic work around for VNC, or other paid tools.
By opening a command prompt, and launching the application with a /h (help) option, (<Dir>:\Windows\System32\msra.exe /h) We will be greeted with the general help and information page for the app.
So… That’s something. While the help prompt does give some fantastic information, it still leaves a lot to be desired in how to functionally deploy something like this tool for general use for your admin staff.
Let’s start with how to set it up and use it, then dig into some of the feature sets.
The real trick for this tool to make it useful, quick, and effective, is to deploy it as a shortcut then modify the launch behavior. This will keep you from having to do a bunch of command line voodoo each time you want to launch a session.
Navigate to your windows\system32\ folder and search our MSRA. Once you have it located, right click and create a desktop shortcut for the application.
Now right click the newly created shortcut and drop into properties. Hop on over to the shortcut tab, and in the field labeled “target”, add the following to the end of the string “/offerra”. Looks like this:
Apply and close. From here double click on the newly edited shortcut…. And…. MAGIC!
Ok well… not magic yet. But here is the foundation of what the quick access ‘portal’ if you will, of Remote management built into Windows is. Computer name or IP is just that, the machine you are looking to connect to. It’s pretty straight forward.
Endpoint set up
So, there’s some additional setup that is required on the endpoint side to make sure everything plays well. I’ll show where the configurations are on the endpoints first, and then we can walk through how to set it up through GPO push so all things are covered, rather than setting up each machine individually.
In computer settings, we can see on the left-hand side Remote settings, dropping into this menu we can get an idea of what the general remote desktop settings are.
You will want to enable remote assistance on the endpoint machine; However, you should not need to allow remote connections to this computer.
With the Offer RA tag, you are allowing your administrators to send out a remote assistance request, rather than having the end user generate one, which is also an option, just depends on your internal workflow.
So now that you have the ability to generate the assistance request mechanism, lets take a look at the GPO (Group Policy Object) settings that we can push out to the endpoint machines to allow the settings that enable the offer RA to work.
In creating our GPO, navigate to Computer Configuration - Administrative Templates - System - Remote Assistance. Like so:
From here you can double click on the configure offer remote assistance, and you will get the following details screen:
Now here’s the tricky part, enabling the remote acceptance is all well and good, but you will also need to select what helping members can utilize this feature. Suffice it to say every environment is different, so the best broad spectrum weed killing advice I can give you here, is use targeted user groups and implement proper ACL controls. As with opening any remote access, there’s always an inherent risk. So, the access controls are your most effective defense here (outside of not turning it on of course…). That seemed sufficiently vague right?
Once the GPO is set up and pushed out to the endpoints, you should be able to send remote assistance requests to your end users, which will allow them to accept, giving an initial point of shadowed visibility for them to show you whatever issues they are having. And from there if the need to escalate to controlling the system is required, you can request control and take over driving. There’s even a little chat feature included! Do watch out for little configuration gotchas like windows firewall blocking incoming connections from MSRA.
In closing, shout out to Microsoft for deploying this wonderful little tool. Of course, shame on them for not telling everyone from the mountain tops, and letting businesses rely on things like VNC… I say that because a form of MSRA has been around since server 2003… Right!?
Either way this little tip should help to close out some security gaps or open up some administrative capabilities within your infrastructure.
Have questions or want more information?
