Maintaining Security

Windows Remote Assistance is a powerful tool. In the wrong hands, it's also potentially dangerous because it allows a remote user to install software and tamper with a system configuration. In a worst-case scenario, someone could trick an unsuspecting novice into allowing access to his or her machine and then plant a Trojan horse application or gain access to sensitive files.

Windows Remote Assistance was designed and built with security in mind, and several enhancements were introduced with the Windows Vista version. For example:

• A password is required for all connections, whether by Easy Connect, invitation file, or instant messenger.

• The novice must agree to accept each incoming connection and must approve each request to share control.

• Invitation files expire six hours after they're created or when the Windows Remote Assistance session is closed.

• Windows Remote Assistance uses a dynamic port assignment.

• By default, the Windows Firewall exception for Remote Assistance is enabled only on private networks.

For these reasons and more, Windows Remote Assistance is sufficiently secure out of the box. You can take the following additional precautions to completely slam the door on Windows Remote Assistance-related security breaches:

• Set a short expiration time on Windows Remote Assistance invitations sent via e-mail. An expiration time of one hour should be sufficient for most requests. (Note that the invitation must be accepted within the specified time; you don't need to specify the length of the Windows Remote Assistance session.) An expired RA ticket file is worthless to a potential hacker.

• Because e-mail is fundamentally insecure, do not send a password with an invitation. Instead, communicate the password by telephone or in a separate e-mail message.

• Manually expire an invitation when it's no longer needed. To do so, simply close the Windows Remote Assistance screen.

• If both the expert and novice use Windows Vista or Windows 7, use encrypted invitation files. Open System in Control Panel. In the Tasks list, click Remote Settings. On the Remote tab, click Advanced. Then select Create Invitations That Can Only Be Used From Computers Running Windows Vista Or Later. (See Figure 3-6.)

• Disable Remote Assistance on any machine where the possible benefits of a Windows Remote Assistance session are outweighed by potential security risks. To completely disable Remote Assistance on a given machine, open System, click Remote Settings, click the Remote tab, and then clear Allow Remote Assistance Connections To This Computer. If that step seems too drastic, you can limit Remote Assistance capabilities so that an expert cannot take control of the remote machine. On the Remote tab, click Advanced and then clear Allow This Computer To Be Controlled Remotely.
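The precautions above can be checked from PowerShell instead of opening the Remote tab on each machine. This read-only audit is an added example, not part of the original text; the registry value names, the unit encoding, and the function names are assumptions not given on the page, and settings enforced through Group Policy are not examined.

```powershell
# Added example: read-only audit of the local Remote Assistance settings.
# Assumption: these value names back the System > Remote Settings dialog.
$RaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

function Get-RaValue([string]$Name) {
    # Returns the stored value, or $null when the key or value is absent.
    $p = Get-ItemProperty -Path $RaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$Name
}

function Test-RemoteAssistanceHardening([int]$MaxInvitationMinutes = 60) {
    $allow   = Get-RaValue 'fAllowToGetHelp'
    $control = Get-RaValue 'fAllowFullControl'
    $expiry  = Get-RaValue 'MaxTicketExpiry'
    $units   = Get-RaValue 'MaxTicketExpiryUnits'
    $encOnly = Get-RaValue 'CreateEncryptedOnlyTickets'

    # Assumed unit encoding: 0 = minutes, 1 = hours, 2 = days.
    $perUnit = @{ 0 = 1; 1 = 60; 2 = 1440 }
    $minutes = $null
    if ($null -ne $expiry -and $null -ne $units -and $perUnit.ContainsKey([int]$units)) {
        $minutes = [int]$expiry * $perUnit[[int]$units]
    }

    $expiryFinding = if ($null -eq $minutes) { 'Unknown: value not set or unit not recognized' }
                     elseif ($minutes -le $MaxInvitationMinutes) { 'OK' }
                     else { "Longer than $MaxInvitationMinutes minutes: shorten it" }

    @(
        [pscustomobject]@{ Check = 'Allow Remote Assistance connections'; Value = $allow
            Finding = if ($allow -eq 1) { 'Enabled: confirm this machine needs it' } else { 'Disabled or not set' } }
        [pscustomobject]@{ Check = 'Allow this computer to be controlled remotely'; Value = $control
            Finding = if ($control -eq 1) { 'Expert can take control' } else { 'View only or not set' } }
        [pscustomobject]@{ Check = 'Invitation lifetime (minutes)'; Value = $minutes
            Finding = $expiryFinding }
        [pscustomobject]@{ Check = 'Vista-or-later (encrypted) invitations only'; Value = $encOnly
            Finding = if ($encOnly -eq 1) { 'OK' } else { 'Not enforced' } }
    )
}

Test-RemoteAssistanceHardening | Format-Table -AutoSize -Wrap
```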

