Windows Server 8: Remote Desktop Services with RemoteFX, more than a word!

More info on http://www.techdays.be.

  • Demo environment: 1 DC, 3 member servers, 1 client
  • Brief history of Terminal Services / RDP versions:
    – V4.0 (1998) Windows NT 4.0 Server, Terminal Server Edition (required Citrix MultiWin Technology)
    – V5.0 (2000) Windows 2000 Server => TS is part of the core OS
    – V5.1 (2001) Windows XP Professional => added 24-bit color
    – V5.2 (2003) Windows 2003 => console, session directory, local resource mapping, Transport Layer Security (TLS)
    – V6.0 (2007) Windows Vista => support for WPF, NLA, multi-monitor
    – V6.1 (2008) Windows 2008 => new console connect, seamless windows, Easy Print, RDP gateway
    – V7.0 (2009) Windows 2008 R2 => media player redirect, bidirectional audio, better multi-monitor support, Aero Glass support, bitmap acceleration, language bar docking
    – V7.1 (2010) Windows 2008 R2 SP1 => RemoteFX
  • 8 steps to protect Windows systems against pass-the-hash attacks:
    1. Prevent dependency of a higher-security system on a lower-security system, or even maximally isolate security systems (network segmentation as part of the security solution).
    2. Enforce LUA (least user access): minimum rights for each user.
    3. Avoid using LM and NTLM in your network:
       – via GP: Computer Configuration – Security Settings – Local Policies – Security Options – "Network security: LAN Manager authentication level" – set to "Send NTLMv2 responses only. Refuse LM & NTLM"
       – via Regedit: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel – set to 3 on clients, 5 on servers.
    4. Limit the logon credential cache. Until Windows 2008 the default is 10; since Windows 2008 it is 25 by default. Change it via Regedit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon – add the REG_SZ value "CachedLogonsCount" (0-50).
    5. Disable the "Debug programs" user right. By default it is part of local admin rights only. GP: Computer Configuration – Security Settings – Local Policies – User Rights Assignment – "Debug programs" – remove all users.
    6. Use token-based authentication (a money-consuming feature).
    7. Use Kerberos with smart cards as the authentication solution: this prevents password attacks (keylogging, capturing, etc.) but brings another set of attacks (card stealing, copying, etc.) and in practice does not prevent pass-the-hash attacks.
    8. Implement regular monitoring of systems for newly created accounts, audit changes of privileges, etc.
    Some trivial, some new steps, but for those who are interested: read the full article.
  • Get-WmiObject -Class Win32_ComputerSystem 
  • RemoteFX feature set:
    – RemoteFX for WAN => full rich desktop over WAN networks
    – RemoteFX Adaptive Graphics => rich content and features that take WAN and CPU into account
    – RemoteFX Media Remoting => remote more types of content using standard codecs, H.264 (block-oriented motion-compensation-based codec)
    – RemoteFX Multi Touch => mouse + keyboard + multi-touch
    – RemoteFX USB Redirection
    – Metro Style Remote Desktop App => easy to interface, end-user oriented
    – Choice of software or physical GPU, vGPU for VM => no hardware required, but a physical GPU can still help
    – Available for sessions, VMs and physical machines => all types of RDP servers have the same capabilities
    – Broad range of clients supported => fat and thin clients all have the same possibilities
  • TCP is chosen because of policy / port blocking / ... => even this TCP-only mode in Windows 8 will be better than Windows 7
  • Here is the improved RemoteFX for WAN. It isolates traffic to the optimal transport. Note the UDP / TCP split on the traffic: this segments text vs. audio (etc.). UDP => recovers from loss where needed, security, ...
  • Take the applications on the server => optimize delivery for the network to the client. Media remoting => application specific => Windows Media Player / RealPlayer. Calista codec => application generic. RIGHT TYPE OF CODEC FOR EACH TYPE OF CONTENT
  • Has been used in browsers for a very long time; now also in RDP, and on pictures only
  • Direct: TCP 3389 + UDP 3389. Gateway: TCP 443 + UDP 3391
  • Remote actions: App bar, Charms, Snap
  • Last desktop preview can be turned off
  • Get out of the RDP screen and move in at the bottom left
  • Right click at the very top of the screen
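The registry and user-right settings from steps 3 to 5 of the pass-the-hash note above can be audited on a host with a script like the following. This is an added example, not part of the deck; it assumes an elevated PowerShell session, and the pass/fail thresholds (level >= 3, at most 1 cached logon) are the example's own choice, not the deck's.

```powershell
# Added example (not from the TechDays deck): audit three pass-the-hash
# mitigations on the local machine. Requires an elevated session (secedit).
$report = [ordered]@{}

# Identify the host, using the same WMI class the demo note shows.
$cs = Get-WmiObject -Class Win32_ComputerSystem
$report.Host = "$($cs.Name) ($($cs.Domain))"

# Step 3: LMCompatibilityLevel. 3 = send NTLMv2 only, 5 = refuse LM and NTLM.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$level = $lsa.LmCompatibilityLevel
$report.LmCompatibilityLevel = if ($null -eq $level) { 'not set (OS default)' } else { $level }
$report.NtlmOk = ($level -ge 3)          # threshold is this example's assumption

# Step 4: CachedLogonsCount (REG_SZ, valid range 0-50); fewer is better.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
$cached = $wl.CachedLogonsCount
$report.CachedLogonsCount = if ($null -eq $cached) { 'not set (OS default)' } else { $cached }
$report.CacheOk = ($null -ne $cached -and [int]$cached -le 1)   # assumption: <= 1

# Step 5: "Debug programs" right = SeDebugPrivilege. Export the local policy
# with secedit and read who holds it (empty means nobody).
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeDebugPrivilege' | Select-Object -First 1
$holders = if ($line) { ($line.Line -split '=', 2)[1].Trim() } else { '' }
$report.DebugPrivilegeHolders = if ($holders) { $holders } else { '(nobody)' }
$report.DebugOk = [string]::IsNullOrEmpty($holders)
Remove-Item $inf -ErrorAction SilentlyContinue

[pscustomobject]$report | Format-List
```

The SIDs listed under DebugPrivilegeHolders are the accounts or groups still granted the right (S-1-5-32-544 is the local Administrators group).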
  • Windows Server 8: Remote Desktop Services with RemoteFX, more than a word!

    1. tom@decaluwe.eu
    2. What are we going to cover: Install Experience, End-user application
    3. Demo network: demonet.local – TS_WIN8_DC, TS_WIN8_BR_LC, TS_WIN8_GW_AP, TS_WIN8_SH; addresses 10.10.10.50/24, 10.10.10.40/24, 10.10.10.30/24, 10.10.10.20/24, 10.10.10.5/24
    4. Brief history
    5. Version timeline table: Citrix MultiWin Technology; TS part of the core OS; 24-bit color; console; session directory; local resource mapping; Transport Layer Security (TLS); WPF support; Network Level Authentication; multi-monitor; seamless windows; Easy Print; RDP gateway; media player redirect; bi-directional audio; better multi-monitor support; Aero Glass; bitmap acceleration; language bar docking; R2 SP1 – Push to the Cloud
    6. References:
       http://blogs.msdn.com/b/rds/archive/2008/07/21/configuring-terminal-servers-for-server-authentication-to-prevent-man-in-the-middle-attacks.aspx
       http://www.sans.org/reading_room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation_33283
       http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A
    7. Not for remote management => Server Manager
    8. Access model diagram: TRUST axis (managed clients Windows 7; Windows, Mac, Linux; slates and tablets, smartphones, etc.) against data sensitivity (HIGH: Confidential Business Intelligence (payroll, Finance); MEDIUM: medium-level line of business; LOW: low-level line of business, email / files read only), with access paths: direct access, SSL gateway (RDGW), TMG/UAG, HTTP(s) / app publish, Remote Desktop (TMG)
    9. Who: managed clients Windows 7; Windows, Mac, Linux; slates and tablets, smartphones, etc. – Device TRUST – Where
    10. Data sensitivity: HIGH – Confidential Business Intelligence (payroll, Finance); MEDIUM – medium-level line of business; LOW – low-level line of business, email / files read only
    11. Same access model as slide 8, with the gateway labelled SSL / VPN
    12. Trust is a combination of Identity + Device and Health + Location. Identity: how sure are you that the person telling you who they are is actually who they are (plus an RBAC model; increase by: complex password, multi account, multi-factor auth, ...). Device and Health: what device is being used and how sure are we of the health of the user (increase by: health inspection, device jump, ...). Location: how confident are we about the physical and logical location (increase by: changing physical location, logical network, call and enable, ...)
    13–14. Gateway placement options: no DMZ, RDG in the LAN; RDG in the DMZ, no Active Directory (dual auth required); RDG in the DMZ with Active Directory; reverse proxy in the DMZ, RDG in the LAN (TMG / UAG)
    15. Server Manager – "One stop shop"
    16. Demo
    17. You are installing from a technical viewpoint
    18. Demo
    19. You are installing with an eye to reaching a specific goal
    20. Currently supported roles
    21. Demo
    22. Demo
    23. Remote FX
    24. Drivers: wide range of network conditions (WAN), new client devices & form factors (mobile devices, slates, touch), fast and fluid graphics (Windows Metro style user interface)
    25. RemoteFX feature set: RemoteFX for WAN, RemoteFX Adaptive Graphics, RemoteFX Media Remoting, RemoteFX Multi Touch, RemoteFX USB Redirection, Metro Style Remote Desktop App, choice of software or physical GPU (vGPU for VM), available for sessions, VMs and physical machines, broad range of clients supported
    26. Remote FX – Network
    27. Auto-tuning
    28. Network conditions: limited bandwidth (e.g. <2 Mbps vs 100 Mbps for LAN), latency (end-to-end delay/ping, e.g. 100 ms), packet loss (burst or random)
    29. RemoteFX stack over TCP: Video Encode, Input Devices, Control Plugins, Audio Plugins, Adaptive Graphics => RemoteFX Graphics, RemoteFX VC, RemoteFX Audio, Media Remoting => Dynamic Virtual Channel (network autodetect, Dynamic Virtual Channel Management) => RemoteFX TCP Transport => NETWORK (TCP packets)
    30. Same stack with a RemoteFX UDP transport added beside the TCP transport => NETWORK (TCP & UDP packets)
    31. Demo
    32. Remote FX
    33. Content pipeline: Windows Metro style UI and applications (HTML, XAML, native, etc.) => RemoteFX Intelligent Caching => RemoteFX Media Remoting / Progressive Rendering / Optimized Text / Calista Codec => RemoteFX Protocol Encoding => RemoteFX for WAN Transports. RIGHT TYPE OF CODEC FOR EACH TYPE OF CONTENT
    34. Text is sent as text and always sharp => think of pinch-zoom blurring
    35. Remote Desktop Server and network side
    36. Remote Desktop Web Access
    37. Demo
    38. TS Gateway – Remote Desktop Server and network side
    39. Remote Desktop Gateway
    40. Demo
    41. End-user application
    42. Both support RDP 8.0
    46. Remote actions: App bar, Charms, Snap
    47. Demo
    48. RDP Autodiscover
    49. Demo
    50. Wrap up: 1. Brief history; 2. Installation experience; 3. Remote Desktop Server and network side; 4. End-user application
    51. Want more: MVP Freek Berson: http://microsoftplatform.blogspot.com – Remote Desktop team blog: http://blogs.msdn.com/b/rds/
