Table 3-20. Configure Remote Assistance Exception—Standard Profile
Path: Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
Policy name: Windows Firewall: Allow remote desktop exception
Value: Enabled to allow incoming remote desktop traffic. Disabled to prevent it.
Using VBScript
This code allows Remote Assistance to traverse the Windows Firewall.
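' TCP protocol number used by the Windows Firewall API
Const NET_FW_IP_PROTOCOL_TCP = 6

' Get the firewall policy for the currently active profile
Set Firewall = CreateObject("HNetCfg.FwMgr")
Set Policy = Firewall.LocalPolicy.CurrentProfile

' Describe the port exception: TCP 3389
Set Port = CreateObject("HNetCfg.FwOpenPort")
Port.Port = 3389
Port.Name = "Remote Desktop"
Port.Protocol = NET_FW_IP_PROTOCOL_TCP
Port.Enabled = TRUE

' Add the exception to the profile's list of open ports
Set Ports = Policy.GloballyOpenPorts
addedPorts = Ports.Add(Port)
WScript.Echo "Ports configured."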
How It Works
Remote Assistance is a feature in Windows XP and Windows Server 2003 that lets you share
control of your computer with another user. Unlike a Terminal Services session, this grants you
direct access to view and manipulate a user's desktop to offer them support. Creating a Remote
Assistance connection requires the permission of the user to whose computer you're trying to
connect.
To enable Remote Assistance connections prior to Windows Server 2003 Service Pack 1,
you needed to manually configure the following program exceptions:
• %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
• %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
• %WINDIR%\SYSTEM32\Sessmgr.exe
Additionally, you needed to enable access to TCP port 135.
On Windows Server 2003 computers with Service Pack 1 installed, you simply need to
enable the preconfigured Allow Remote Desktop Exception setting; there is not a separate
exception to enable for Remote Assistance. As with other exceptions, you should restrict the
scope of this exception to protect your systems against attacks targeted at the well-known
Remote Procedure Call (RPC) port, TCP 135.
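The scope restriction recommended above, as an added example that is not from the original text: this VBScript uses the same HNetCfg.FwMgr object to find enabled TCP 135 and 3389 exceptions that are open to any address and limits them to the local subnet, then lists program exceptions that still have unrestricted scope. The watched-port list and the choice of local-subnet scope are assumptions; adjust both to your environment.

```vbscript
' Added example: audit and tighten the scope of Windows Firewall exceptions.
Option Explicit

Const NET_FW_IP_PROTOCOL_TCP = 6
Const NET_FW_SCOPE_ALL = 0            ' any remote address
Const NET_FW_SCOPE_LOCAL_SUBNET = 1   ' local subnet only

' Assumption: the TCP ports discussed in this recipe (RPC and Remote Desktop).
Dim WatchedPorts : WatchedPorts = Array(135, 3389)

Dim Firewall, Policy, Port, App, Watched, Changed
Set Firewall = CreateObject("HNetCfg.FwMgr")
Set Policy = Firewall.LocalPolicy.CurrentProfile
Changed = 0

' Port exceptions: restrict watched TCP ports that accept traffic from anywhere.
For Each Port In Policy.GloballyOpenPorts
    If Port.Enabled And Port.Protocol = NET_FW_IP_PROTOCOL_TCP _
       And Port.Scope = NET_FW_SCOPE_ALL Then
        For Each Watched In WatchedPorts
            If Port.Port = Watched Then
                WScript.Echo "Restricting TCP " & Port.Port & " (" & Port.Name & _
                             ") to the local subnet."
                Port.Scope = NET_FW_SCOPE_LOCAL_SUBNET
                Changed = Changed + 1
            End If
        Next
    End If
Next

' Program exceptions (for example Helpsvc.exe, Helpctr.exe, Sessmgr.exe):
' report only, so an administrator can decide on the right scope for each.
For Each App In Policy.AuthorizedApplications
    If App.Enabled And App.Scope = NET_FW_SCOPE_ALL Then
        WScript.Echo "Open to any address: " & App.Name & " -> " & _
                     App.ProcessImageFileName
    End If
Next

WScript.Echo Changed & " port exception(s) restricted."
```

Run the script with cscript from an account that has administrative rights on the computer.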