Offer Remote Assistance in Windows XP Professional
I’ve spent a few hours this morning investigating Remote Assistance in Windows XP Professional. At first glance it looks like a potential VNC killer for the enterprise. Unfortunately, if you don’t look closely enough you’ll quickly dismiss it, most likely because of these initial limitations:
- It requires the user to know how to ask for Remote Assistance. Explaining to each user how to open Help Center, click Ask for remote assistance, type in the email address of the person they want to ask for assistance and set limitations such as validity periods is likely to take more time than actually fixing the problem. – Not good.
- Once the user has sent the invitation and the recipient has opened the attachment, the user is prompted to allow the connection to their machine. – Once again, a security-conscious user will likely click No or, worse yet, call the IT department to check that the message is kosher. Two things here: the user might just click No, making a hash of the whole process, or they’ll create another support request to check that the message on their screen is OK. Bad, bad, bad.
- Once you’ve managed to connect you have to again ask if you’re allowed to take control of the user’s machine. Again, the user could click No and it slows the process of giving assistance.
These are all valid reasons for ruling Remote Assistance out of consideration in the enterprise but, little did I know before I started looking under the hood, you can also offer assistance to users. Great! That scratches out the first point but doesn’t alleviate the other two. The downside to this “fix” for the first point is that you’ve got some work to do with Group Policy before you can implement this.
You’ll need to implement a policy, either directly on the target machines or using Active Directory Users & Computers (GPMC is a better idea if you have it).
Drill down to: Computer Configuration > Administrative Templates > System > Remote Assistance and make the relevant changes in there. Microsoft’s Knowledge Base details all the technical points in this article No. 301527. The article seems to be targeted more at single systems rather than an enterprise rollout. One important note from the article suggests extreme caution due to the difficulty in verifying domain accounts and groups given authority to Offer Remote Assistance.
OK great…. but how the hell do I Offer Remote Assistance? Again, Microsoft don’t let us down and have this article No. 308013 on the subject.
There is a quicker way to get to the Offer Remote Assistance Screen though. Copy the following in to the Run dialog box and click OK.
Right, we’ve implemented our policy and we now know how to offer assistance. Do I HAVE to get the user to accept my connection request AND accept my request to take control of their desktop?
A lot of people would have answered: “Yes, you do!”
The good news is that the answer is: “No, you don’t!”
I’m sure you know that there’s bad news coming from this so I’m not going to say it. Needless to say, get your best HTML editor out, we’re about to go hacking!
The first hurdle is automating the acceptance of the offer in the first place. If the user refuses the offer, then we’re wasting our time or we’ve got to spend more of it (time) by phoning them up and telling them to accept it. On the target system, locate the following file and open it up in your HTML editor:
Notepad is perfectly sufficient but I’m going to be referring to line numbers so something a little more advanced might be a good idea.
At line 158 where it says:
Add another line below that and type in the following:
So that lines 158 and 159 look like this:
You can test this now if you wish by connecting to the target machine and offering assistance. Remember that the target machine MUST have the relevant policy settings in place before this will work at all! Making that change should now allow you to connect to the target machine and automatically be accepted but…
…initially you are placed into Screen View Only, which makes it a little difficult to actually assist the user unless you’re on the end of a phone or typing away like a lunatic in the rather useful but watered-down messaging client provided by Remote Assistance. Fortunately for us we can take control AND automatically be accepted by making a few more edits to another HTML & JScript file buried a little further in the file system.
Open up this file:
from the target computer in your favourite HTML editor and look for line 44. Change that line to look like the following:
Now that we have made this alteration, whenever we click “Take Control”, we are automatically given full control of the user’s computer, without having to ask them for permission! The box does pop up but because it gets its answer so quickly, the user is only likely to see a quick flash. Obviously this doesn’t stop the user from disconnecting you. A quick flick of the escape button will have you disconnected in no time but that doesn’t mean you can’t take control again!
For network admins looking to implement the changes I have spoken about, please be aware that if you make changes to the two files, this affects all remote assistance connections to the computer that you changed the files on. Fortunately Microsoft did give us some control over who can initiate unsolicited remote assistance connections so we’re safe from initiated attacks. (I use the word “safe” cautiously of course!)
The problems begin if a malicious person intercepts a remote assistance request (initiated by the user through Help and Support Center): should they respond to it, they will automatically be given both access AND control (if they request it) of the hapless user’s machine. This is obviously a major security hole, so I would suggest that you use your own scripting prowess to write a VBScript which only alters the files when you want to connect and changes them back once you’re done.
I would envisage it working like this:
See if the machine is available on the network (ping?), connect to the target machine, make backups of the target files, alter the target files, initiate a connection (and have it automatically accepted). Once finished and disconnected, replace the altered files with the backed-up files.
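The backup, alter and restore steps above, sketched as an added example (not the author’s script, and in Python rather than the VBScript the post suggests): the restore runs even when the session fails, and a hash check confirms the original file is back before the backup is deleted. The file names are placeholders on constructed stand-in files, and the ping and connection steps are left out.

```python
import contextlib
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256(path):
    """Hex SHA-256 of a file, used to prove the restore really happened."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

@contextlib.contextmanager
def temporary_swap(target, modified):
    """Install `modified` over `target` only for the duration of the block."""
    baseline = sha256(target)
    backup = target.with_name(target.name + ".orig")  # hypothetical backup name
    if backup.exists():
        # A leftover backup means an earlier run never restored; refuse to
        # overwrite the only good copy with an already-altered file.
        raise RuntimeError(f"stale backup {backup}: restore it first")
    shutil.copy2(target, backup)
    try:
        shutil.copy2(modified, target)
        yield
    finally:
        # Runs even if the session raises, so the altered file never outlives it.
        shutil.copy2(backup, target)
        if sha256(target) != baseline:
            raise RuntimeError(f"restore of {target} failed; backup kept")
        backup.unlink()

def demo():
    """One session that fails midway, run against constructed stand-in files."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp, "ra_page.htm")  # placeholder, not the real file name
        modified = Path(tmp, "ra_page_modified.htm")
        target.write_text("<!-- constructed original -->")
        modified.write_text("<!-- constructed altered copy -->")
        before, during = sha256(target), None
        try:
            with temporary_swap(target, modified):
                during = sha256(target)
                raise ConnectionError("constructed mid-session failure")
        except ConnectionError:
            pass
        return {"altered_during": during == sha256(modified),
                "restored_after": sha256(target) == before,
                "backup_removed": not Path(tmp, "ra_page.htm.orig").exists()}
```

A stale `.orig` file left by an interrupted run is treated as a sign that the machine may still be carrying the altered file, so the swap refuses to proceed until it has been restored by hand.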
Any questions please let me know. If anyone fancies having a pop at the VBScript I’ve suggested, please feel free to share your results here!