Terminal Server in Windows Server


Wednesday, May 24, 2006

Microsoft Pre-Release Software WinFX Runtime Components - Beta2

Overview
"Windows Presentation Foundation", "Windows Communication Foundation", and "Windows Workflow Foundation" are the names for three strategic developer technologies that Microsoft plans to ship in 2006 as part of the Windows Vista operating system. In addition, Microsoft is making these technologies available on Windows XP and Windows Server 2003. The WinFX Runtime Components Beta 2 enables developers to continue experimenting with early builds of these technologies, get acquainted with the development experience, and provide Microsoft with feedback. More details about these technologies are below.

Please note that the License Agreement in this pre-release version of WinFX Runtime Components does not allow usage in a live operating environment. Information about Go-Live possibilities for WinFX Runtime Components can be found here.

Note: This is a beta release. Therefore, do not install these builds on machines you depend on. If you have a previous version of Avalon ("Windows Presentation Foundation"), Indigo ("Windows Communication Foundation"), or pre-released versions of .NET Framework 2.0 installed you must read this before download.

"Windows Communication Foundation" is the name for Microsoft’s unified programming model for building connected systems, formerly known as code-name "Indigo". It extends the .NET Framework 2.0 with additional APIs for building secure, reliable, transacted Web services that interoperate with non-Microsoft platforms and integrate with existing investments. By combining the functionality of existing Microsoft distributed application technologies (ASMX, .NET Remoting, .NET Enterprise Services, Web Services Enhancements, and System.Messaging), Indigo delivers a single development framework that improves developer productivity and reduces organizations’ time to market.

"Windows Presentation Foundation" is the name for Microsoft's unified presentation subsystem for Windows, formerly known as "Avalon". It consists of a display engine and a managed-code framework. "Windows Presentation Foundation" unifies how Windows creates, displays, and manipulates documents, media, and user interface. This enables developers and designers to create visually-stunning, differentiated user experiences that improve customer connection. When delivered, "Windows Presentation Foundation" will become Microsoft's strategic user interface (UI) technology.

"Windows Workflow Foundation" is the name for Microsoft's strategic programming model for building workflow enabled applications. It consists of a managed-code framework and designers for Visual Studio .NET. Windows Workflow Foundation includes both system workflow and human workflow. It supports a wide range of scenarios including: workflow within line of business applications, page-flow, document-centric workflow, workflow for service oriented applications and workflow for systems management. The Windows Workflow Foundation developer experience is consistent with existing WinFX technologies and includes support for VB and C#, debugging, a graphical workflow designer and the ability to write your workflow completely in code. Windows Workflow Foundation also provides an extensible model and designer to build custom activities which encapsulate workflow functionality for end-users or for re-use across multiple projects. Windows Workflow Foundation will be used across many future Microsoft products including Office “12”, BizTalk Server and the Microsoft Business Solutions. Most applications can benefit from the asynchronous state management features of the workflow model, the rapid development features of the designer, the potential for end-user flexibility, and the increased visibility into run-time code execution.

To start the installation process, run the download file; this initiates the installation of the WinFX Runtime Components Beta 2. If you have trouble with the download manager, you can download the entire package for x86 or for x64, both of which are .EXE files.

This Beta release supports Visual Studio 2005 RTM and the .NET Framework 2.0 RTM. The Microsoft® WinFX® SDK contains documentation, samples, and tools designed to help you develop managed applications and libraries using WinFX. You can install the SDK that corresponds to this release here.


Wednesday, April 26, 2006

Are Terminal Services Vulnerable?

Access and security are always at odds in the networking world. Any feature or technology that provides a new way for authorized users to access a system remotely will also present a potential way for unauthorized users to gain access. Because Terminal Services is used in administrative mode in Windows 2000 (and Remote Desktop is used in Windows Server 2003) to allow administrators to perform such tasks as creating user accounts and setting permissions, changing system configurations, and other highly sensitive tasks, it is logical to question the security of a terminal services session.

Your terminal server is vulnerable to the same exploits that can be used against any Windows server, so it is important first to ensure that all current security updates and patches have been applied. Security vulnerabilities specifically related to Windows 2000 Terminal Services have also been reported. For example, SecuriTeam describes a vulnerability that can cause Group Policy to not be applied to terminal users if the number of user licenses installed is less than the number of current connections. See http://www.securiteam.com/windowsntfocus/5QP0D006US.html for more details.

Using terminal services across the Internet will require that you open port 3389, used by the Remote Desktop Protocol (RDP), on your firewall. Every additional port that is opened exposes the network to the possibility of exploit. An RDP-TCP connection is configured for the terminal server’s network adapter, to allow users to connect.

Securing Terminal Services Communications
How, then, can you take advantage of the convenience of Windows Terminal Services and still protect your systems? First, make sure that terminal services is not installed (or enabled) on systems if you don’t want those systems to be accessed remotely. This includes Remote Desktop on Windows XP Professional computers. On Windows 2000 Server and Server 2003, TS is not installed by default. The Remote Desktop feature is installed on Windows XP Pro and Windows Server 2003, but is disabled by default (Windows XP Home and Windows 2000 Pro do not include the Remote Desktop service). It’s still a good idea to check, especially if you were not the one who installed the operating system, to make sure these services are not enabled on machines that don’t need them.

NOTE: It’s important to distinguish between the Remote Desktop Service and the Remote Desktop Connection client software. The latter is included on XP Home and Windows 2000 Pro and can be installed on Windows 9x and NT computers and some third party operating systems, as well. The client software does not present a security risk.

To disable or enable the Remote Desktop service on a Windows XP Pro or Windows Server 2003 computer, perform the following steps:

Click Start | Control Panel and select the System applet.
Click the Remote tab.
Under Remote Desktop, make sure the Allow users to connect remotely to this computer checkbox is unchecked.

What if you do want to make a system available for remote access through terminal services/Remote Desktop? What can you do to secure that system as much as possible? In the next sections, we will show you some ways.

Configuring the Terminal Server
There are some major differences between Windows 2000 and Windows Server 2003 when it comes to terminal services. In this article, we will focus on Windows 2000 terminal services, with some references to Server 2003 and Windows XP/2003’s Remote Desktop service.

A Windows 2000 terminal server can be installed in one of two modes: administrative or application server. In administrative mode, only users with administrative accounts can access the terminal server and only two such connections are allowed simultaneously. Such users will be able to make configuration changes to the terminal server, so it’s absolutely imperative that you start your security plan by ensuring that administrative rights are not given to users who should not have them.

If you want regular users to access the terminal server to run applications (a “thin client” solution), then you must install terminal services in application server mode. You can then assign terminal services permissions to users and groups to control how they are able to access the terminal server.

Securing the RDP-TCP Connection
You can configure the properties of the terminal server’s RDP-TCP connection to provide better protection. For example:

• Restrict the number of client sessions that can remain active on the server (making it easier to keep track of who is connected)
• Set session time limits (helping to ensure that sessions are not left unattended and active for long periods)
• Restrict reconnections of a disconnected session to the client computer from which the user originally connected, if the Citrix ICA client software is used
• Configure encryption levels
• Set permissions for users and groups on the terminal server

Using Encryption
You can use encryption to protect the data that travels between the terminal server and the terminal services client. If you fear unauthorized interception of the data as it travels between the two, you should enable encryption. RSA RC4 encryption is used; encryption can be set to one of the following three levels:

• High: encrypts both the data sent from client to server and the data sent from server to client using a 128 bit key.
• Medium: encrypts both the data sent from client to server and the data sent from server to client using a 56 bit key if the client is a Windows 2000 or above client, or a 40 bit key if the client is an earlier version.
• Low: encrypts only the data sent from client to server, using either a 56 or 40 bit key, depending on the client version. Useful to protect usernames and passwords sent from client to server.

To change the encryption level, you must be an administrator. In Programs | Administrative Tools, select Terminal Services Configuration and perform these steps:

In the left console pane, select Connections.
In the right details pane, right click RDP-TCP and select Properties.
Click the General tab.
Under Encryption level, select the desired level in the drop down box and click OK.
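
The Remote Desktop checkbox and the Encryption level drop-down described above are stored in the registry, so they can be audited without opening the GUI. The following PowerShell is an added example, not part of the original article; it assumes Windows XP/Server 2003 or later with PowerShell available, and the function names and the wording of the findings are choices made for this example.

```powershell
# Registry locations behind the GUI settings described above.
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey = "$TsKey\WinStations\RDP-Tcp"

# MinEncryptionLevel values and the level names used in the article.
$EncryptionLevelNames = @{
    1 = 'Low'
    2 = 'Medium'          # shown as "Client Compatible" on Windows Server 2003
    3 = 'High'
    4 = 'FIPS Compliant'  # Windows Server 2003 and later
}

function Test-RdpSettings {
    # Evaluation step, kept separate from collection so it can be fed
    # values gathered from any machine. Returns one result object.
    param(
        [Parameter(Mandatory)][int]$DenyConnections,     # fDenyTSConnections
        [Parameter(Mandatory)][int]$MinEncryptionLevel   # MinEncryptionLevel
    )

    $enabled  = ($DenyConnections -eq 0)   # 0 = remote connections allowed
    $findings = @()

    if ($enabled -and $MinEncryptionLevel -eq 1) {
        $findings += 'Low: only client-to-server data is encrypted.'
    }
    elseif ($enabled -and $MinEncryptionLevel -eq 2) {
        $findings += 'Medium: 56-bit or 40-bit key; set High where clients support it.'
    }

    [pscustomobject]@{
        RemoteDesktopEnabled = $enabled
        EncryptionLevel      = if ($EncryptionLevelNames.ContainsKey($MinEncryptionLevel)) {
                                   $EncryptionLevelNames[$MinEncryptionLevel]
                               } else {
                                   "Unknown ($MinEncryptionLevel)"
                               }
        Findings             = $findings
    }
}

function Get-RdpSettings {
    # Collection step: read the two values from the local registry.
    $ts  = Get-ItemProperty -Path $TsKey     -Name fDenyTSConnections
    $rdp = Get-ItemProperty -Path $RdpTcpKey -Name MinEncryptionLevel
    Test-RdpSettings -DenyConnections $ts.fDenyTSConnections `
                     -MinEncryptionLevel $rdp.MinEncryptionLevel
}

# Constructed input: Remote Desktop enabled with the Low level selected.
Test-RdpSettings -DenyConnections 0 -MinEncryptionLevel 1

# Live values from the local machine (needs read access to HKLM).
Get-RdpSettings
```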

Rights and Permissions
Now let’s look at rights and permissions in regard to using Windows 2000 terminal services. Users, groups and computers can be added to the permissions list via the Permissions tab of the RDP-TCP connection’s properties. Click Add and select the user, group or computer name.

There are three basic permissions that can be granted:

• Full Control (given to administrators and the system; allows logging on to the terminal server, modifying the connection parameters, connecting to a session, getting session info, resetting or ending a session, logging off other users, remotely controlling other users’ sessions, sending messages to other users, and disconnecting sessions).
• User Access (given to ordinary users; allows logging onto the terminal server, getting session info, connecting to a session or sending messages to other user sessions).
• Guest Access (for restricted users; allows logging onto the terminal server).

Per-User Terminal Services Settings
You can configure a number of per-user terminal services settings for each user via Active Directory Users and Computers. You need to be a domain administrator; open the ADUC administrative tool and perform the following:

In the left pane, expand the domain name and click the Users folder.
In the right pane, right click the name of the user and select Properties.
Click the Terminal Services Profile tab.
Check or uncheck the Allow logon to terminal server checkbox at the bottom to control whether or not the user can access the terminal server.
You can create a profile and set a path to a terminal services home directory using this tab.

Using the Sessions tab, you can set terminal session timeout limits for a particular user, control what happens when the session limit is reached or the connection is broken, and determine whether the user can reconnect to a session via any client computer or only the original one.

The Remote Control tab is used to configure whether a user’s sessions can be viewed and controlled remotely by administrators and if so, whether the user’s permission will be required.

The Environment tab can be used to set a startup environment for the user. A particular program can be started when the user logs onto the terminal server, and you can specify whether client devices will be connected at logon.

Summary
Any remote connection opens up a system to some vulnerabilities, but Windows terminal services includes configuration options that give administrators the ability to better secure terminal sessions. In this article, we have discussed several methods by which you can make terminal services available to users without compromising your network’s or system’s security.

Check out MSTerminalServices.org, a new resource for Windows Terminal Services and Citrix focusing on all aspects of server based computing and thin client computing.


Tuesday, February 14, 2006

How to change the listening port for Remote Desktop

Note The Remote Desktop Connection Client for the Mac supports only port 3389. 3389 is the default port.
MORE INFORMATION

You can use the Remote Desktop feature in Microsoft Windows XP Professional to connect to your computer from another remote computer.

Warning The Remote Assistance feature in Microsoft Windows XP may not work correctly if you change the listening port.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
307711 (http://support.microsoft.com/kb/307711/) Remote Assistance invitation file does not contain correct port number
To change the port that Remote Desktop listens on, follow these steps.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
1. Start Registry Editor.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
3. On the Edit menu, click Modify, and then click Decimal.
4. Type the new port number, and then click OK.
5. Quit Registry Editor.
Note When you try to connect to this computer by using the Remote Desktop connection, you must type the new port.
304304 (http://support.microsoft.com/kb/304304/) How to configure the Remote Desktop client to connect to a specific port when you use Windows XP
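
The registry steps above, scripted in PowerShell with a check that the new port is free and a firewall rule for it. This is an added example, not part of the original Microsoft article; it assumes Windows 8/Server 2012 or later (for Get-NetTCPConnection and New-NetFirewallRule), and the function names, the 1024-65535 range, the rule name and the sample port 3390 are choices made for this example.

```powershell
# RDP-Tcp listener settings; note the space in the "Terminal Server" key name.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListeningPort {
    # PortNumber is a REG_DWORD; 3389 is the default.
    [int](Get-ItemProperty -Path $RdpTcpKey -Name PortNumber).PortNumber
}

function Set-RdpListeningPort {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Range is a choice made for this example: avoid the well-known ports.
        [Parameter(Mandatory)]
        [ValidateRange(1024, 65535)]
        [int]$Port
    )

    $old = Get-RdpListeningPort
    if ($Port -eq $old) { return }   # nothing to change

    # Refuse a port that some other process is already listening on.
    $busy = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if ($busy) {
        throw "Port $Port is already in use (process id $(@($busy)[0].OwningProcess))."
    }

    if ($PSCmdlet.ShouldProcess($RdpTcpKey, "Set PortNumber $old -> $Port")) {
        Set-ItemProperty -Path $RdpTcpKey -Name PortNumber -Value $Port -Type DWord

        # Allow the new port inbound so the listener is reachable once it moves.
        # The rule name is made up for this example.
        New-NetFirewallRule -DisplayName "Remote Desktop (TCP $Port)" `
            -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow | Out-Null

        [pscustomobject]@{ OldPort = $old; NewPort = Get-RdpListeningPort }
    }
}

# Run elevated. -WhatIf prints the planned change without touching the registry.
# 3390 is a sample value.
Set-RdpListeningPort -Port 3390 -WhatIf
```

The listener reads PortNumber when it starts, so the new port takes effect after the Remote Desktop service is restarted or the computer is rebooted. A non-default port only cuts down on opportunistic scanning; the encryption level and the permissions on the connection are still what protect the session.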


Wednesday, February 01, 2006

The Windows Server 2003 R2 optional components

Important Installation Information
Before you install Windows Server 2003 R2, consider the following:

• The Windows Server 2003 R2 optional components are not installed automatically. When you complete the installation of Disc 2, you are not installing the Windows Server 2003 R2 optional components. After Setup is complete, you can install the optional components by using Add/Remove Windows Components in Control Panel. You also have the option to add or upgrade server roles by using Manage Your Server.


Note:
Microsoft Management Console (MMC) 3.0 is installed automatically when you install Windows Server 2003 R2.


• You may need to upgrade a component. If Active Directory Application Mode (ADAM) or Windows SharePoint Services is already installed on your computer, you can upgrade to the new version that is included in Windows Server 2003 R2. For more information about upgrading one of these components, see the Help for the component on the Windows Server 2003 R2 TechCenter Web site (http://go.microsoft.com/fwlink/?LinkId=45560).

• You cannot uninstall Windows Server 2003 R2. The Windows Server 2003 R2 source files are permanent, but you will be able to uninstall any optional components that you install.

• You cannot uninstall Windows Server 2003 Service Pack 1 (SP1). If SP1 is installed on your computer by using the stand-alone service pack (for example, if you downloaded from the Web), you will not be able to uninstall SP1 after you upgrade the computer to Windows Server 2003 R2 (Disc 2). This is because having SP1 installed is a requirement for installing Windows Server 2003 R2.

• If you reinstall SP1 on top of your existing Windows Server 2003 R2 installation using Disc 1, you will need to reinstall Disc 2.

• Important information for 64-bit versions. You can only install 64-bit versions of Windows Server 2003 R2 (Disc 2) on computers running the 64-bit versions of SP1 (Disc 1). In other words, you cannot install the 32-bit version of Windows Server 2003 R2 on a computer running the 64-bit version of SP1.


Thursday, January 19, 2006

rdesktop: A Remote Desktop Protocol Client

rdesktop: A Remote Desktop Protocol Client
for accessing Windows NT Terminal Server



Documentation Overview
rdesktop is an open source client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services, capable of natively speaking Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required.
rdesktop currently runs on most UNIX based platforms with the X Window System, and other ports should be fairly straightforward.

rdesktop was initially written by Matthew Chapman based on various scarce documentation, wire sniffs, and trial-and-error. It is released under the GNU Public Licence (GPL). Please send feedback, bug reports and patches to the appropriate mailing list. Patches can also be submitted to the SF patch tracker.


Monday, January 16, 2006

Managing Terminal Services users

Each user who logs on to a Terminal Services session must have a user account either on the server or in a domain on the network that the server is on. The Terminal Services user account contains additional information about the user that determines when users log on, under what conditions, and how specific desktop settings are stored. Windows Server 2003 family operating systems contain a built-in User group called Remote Desktop Users, which is used to manage Terminal Services users.

About the Remote Desktop Users group
When you install one of the Windows Server 2003 family operating systems, the Remote Desktop Users group is one of the built-in user groups on your computer. Members of this group have the same access as members of the Users group, but they have the additional ability to log on remotely to the computer.

By default, this group is not populated when you install Terminal Server on your computer. You must choose the users and groups that you want to have permission to log on remotely to the terminal server, and manually add them to the Remote Desktop Users group. This increases the security of remote connections, and also allows you to install any required programs before users start connecting to the terminal server.

The Select Remote Users button on the Remote tab of the System Properties dialog box allows you to add users to the Remote Desktop Users group. However, if a server running a Windows Server 2003 family operating system is being used as a domain controller in a Windows 2000 domain, this button is disabled. This domain controller can have domain groups, but not local groups, so in this situation you cannot use this button to add users to the Remote Desktop Users group.


Thursday, January 12, 2006

Terminal server role: Configuring a terminal server

Configuring a terminal server