Remote Desktop in Windows

Before you start

Objectives: Learn what Remote Desktop is, how to enable it, and what to keep in mind when using it.

Prerequisites: no prerequisites.

Key terms: Remote Desktop, Windows, connection, remote management


Remote Desktop

Remote Desktop allows us to log on remotely to a computer running the Windows operating system and work with it as if we were sitting in front of it. Remote Desktop is useful whenever we need to do our work remotely.

By default, Remote Desktop is not enabled on computers running Windows. To enable it, we use the Remote tab in System Properties (Control Panel > System > Remote settings). After enabling Remote Desktop, we must choose whether to allow connections from computers running any version of Remote Desktop or to allow connections only from computers running Remote Desktop with Network Level Authentication (NLA). Only clients running Windows Vista or newer support NLA. With NLA the user is authenticated (through CredSSP) before the session and the Windows logon screen are created on the host, so an unauthenticated client never gets to interact with the logon screen; this removes most of the pre-authentication attack surface of RDP and the easy denial of service that comes from opening a session for anyone who connects. It is the most secure option and should be chosen unless older clients must connect. Windows XP with SP3 can also be configured to support NLA, but it is not enabled by default.

Remote Desktop uses the Remote Desktop Protocol (RDP), which listens on TCP port 3389 (Windows 8, Windows Server 2012 and later also use UDP 3389 as a transport). When we enable Remote Desktop, Windows Firewall enables its built-in "Remote Desktop" rule group so that connections on port 3389 can reach the computer. If we reset Windows Firewall to its default settings, these rules are disabled again and must be re-enabled by hand, or by disabling and then re-enabling Remote Desktop. We can also change the listening port (the PortNumber value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp), in which case the firewall rule must be changed to match and clients must specify the port, for example host:33890. Keep in mind that a non-default port only hides the service from casual scans; it is not a substitute for NLA, strong passwords and firewall rules that restrict which source addresses may connect.

Windows has a built-in local group named Remote Desktop Users. Membership in this group grants the "Allow log on through Remote Desktop Services" right, so when we want a standard user to connect through Remote Desktop we add the account to the local Remote Desktop Users group. By default, only members of the local Administrators and Remote Desktop Users groups can connect using Remote Desktop. The account must also have a password: by default Windows limits accounts with blank passwords to console logon only, so they cannot be used for remote access.
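
The steps above (enable Remote Desktop, require NLA, open the firewall, grant a standard user access) can be done from an elevated PowerShell prompt on the target computer. The following script is an added example and is not part of the original page; the user name "alice", the custom port 33890 and the English rule group name "Remote Desktop" are assumptions for illustration, and the cmdlets Add-LocalGroupMember and Get-LocalGroupMember require Windows 10 / Windows Server 2016 or later.

```powershell
# Added example (not from the original page): enable Remote Desktop with
# Network Level Authentication, open the firewall, and grant a standard user
# access. Run in an elevated PowerShell on the target computer. The user name
# 'alice' and the optional non-default port 33890 are placeholders.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# 1. Allow incoming Remote Desktop connections (what the Remote tab in
#    System Properties does behind the scenes).
Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 0

# 2. Require Network Level Authentication: the client must authenticate
#    (CredSSP) before a session and logon screen are created on this host.
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1

# 3. Enable the built-in 'Remote Desktop' firewall rule group (TCP/UDP 3389).
#    This is the step that must be repeated after resetting Windows Firewall
#    to its defaults. (Group name assumed for an English Windows install.)
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 4. Let a standard user connect: membership in Remote Desktop Users is what
#    grants the 'Allow log on through Remote Desktop Services' right.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'alice'

# 5. Verify what was set. UserAuthenticationRequired = 1 means NLA is enforced.
$setting = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
[pscustomobject]@{
    RemoteDesktopEnabled = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0
    NlaRequired          = $setting.UserAuthenticationRequired -eq 1
    FirewallRuleEnabled  = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                                  Where-Object Enabled -eq 'True')
    RemoteDesktopUsers   = (Get-LocalGroupMember -Group 'Remote Desktop Users').Name -join ', '
}

# Optional: move the listener off 3389. This only hides it from casual scans;
# it is no substitute for NLA and a restricted firewall rule. Clients then
# connect with "mstsc /v:host:33890", and a matching firewall rule is needed.
# Set-ItemProperty -Path $rdpTcp -Name 'PortNumber' -Value 33890
# New-NetFirewallRule -DisplayName 'Remote Desktop (custom port)' -Direction Inbound `
#     -Protocol TCP -LocalPort 33890 -Action Allow
# Restart-Service TermService -Force   # the listener reads PortNumber at start
```

The verification object at the end is worth keeping in any build script: a host that reports RemoteDesktopEnabled but NlaRequired = False is exactly the "any version of Remote Desktop" setting the Remote tab warns about.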

We can make Remote Desktop connections from the Internet through NAT or firewall devices to hosts on an internal private network. This is best done with Terminal Services Gateway (available in Windows Server 2008 and renamed Remote Desktop Gateway in Windows Server 2008 R2) rather than by forwarding TCP port 3389 directly to an internal host, which exposes the logon service to the whole Internet. Remote Desktop connections can also be established over modems, VPNs and DirectAccess, using both IPv4 and IPv6.

Not every edition of Windows accepts Remote Desktop connections. For example, we can only establish a Remote Desktop connection to computers running Windows 7 Professional, Enterprise or Ultimate; other Windows 7 editions do not accept incoming Remote Desktop connections. All editions of Windows, however, include the Remote Desktop Connection client, which lets us connect to another computer.

The Remote Desktop settings are in Control Panel (System > Remote settings), and the Remote Desktop Connection client can be started by running "mstsc" from the command line ("mstsc /v:host" connects directly). Keep in mind that while a Remote Desktop session is active, the screen on the target computer is locked, so someone at the console cannot watch the session. We can log on through Remote Desktop whenever the computer is powered on; if another user is already logged on, that user is prompted as described below. If Wake-on-LAN is configured on the physical network interface, the computer can wake from sleep or hibernation when an incoming connection attempt arrives, provided the adapter and driver support waking on incoming traffic and not only on a magic packet.

When using Remote Desktop, we can disconnect the session and resume it later, either at the console or remotely. A disconnected session stays in memory with its running programs, so the user can reconnect at any time; on a shared computer that also means anyone who can log on as that account resumes the session with whatever was left open. If another user is logged on when we initiate a Remote Desktop session, that user receives a message that another user wants to log on remotely. The logged-on user can deny the request, even if we have administrative privileges and they do not. So the currently logged-on user, whether logged on locally or remotely, can deny another user's logon request. Remote Desktop on client editions of Windows does not support session shadowing, which means that a user cannot see the screen and actions of a user who is logged on through Remote Desktop, and vice versa.

Remote Desktop Services

Windows Server Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, allows users to connect with the Remote Desktop Connection client to a server and run applications in a session on that server.

One feature of Remote Desktop Services is Remote Desktop Gateway (RD Gateway), known as Terminal Services Gateway before Windows Server 2008 R2. RD Gateway is a role service that allows users on the Internet to make Remote Desktop connections to computers on an internal network without first establishing a VPN connection. Connections can only be made by users admitted by a connection authorization policy (RD CAP) and only to the internal hosts listed in a resource authorization policy (RD RAP), which keeps users from reaching every resource on the network as a traditional VPN or DirectAccess connection would. RD Gateway tunnels the RDP traffic inside HTTPS (RDP over HTTP secured with SSL/TLS), so from the client's side the connection uses port 443, a port that is already allowed through most firewalls, and the gateway then opens the RDP connection to the internal host on port 3389 on the client's behalf. Clients must trust the gateway's server certificate, so it should be issued by a CA the clients already trust. This allows the remote connection without configuring a separate VPN.

Another useful feature of Remote Desktop Services is RemoteApp, formerly known as TS RemoteApp. With RemoteApp the application resides and runs on the Remote Desktop Services server while its window is displayed on the Remote Desktop client. This differs from a standard Remote Desktop connection, where the user sees the entire remote desktop in a window: with RemoteApp the user sees only the application's window, as if the program were running locally, even though it runs on the server. Users launch such an application from a shortcut on their desktop, from an .rdp file or through the RD Web Access interface. Because the application uses the server's resources, it can run even when the local computer lacks the resources to run it. For administrators, RemoteApp makes an application available to users without exposing the whole server desktop, which restricts users to running only the published, authorized applications. The application itself still runs on the server with the user's rights, however, so server-side controls such as file-system permissions and application whitelisting still matter.
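
To see how a client is pointed at an RD Gateway, and how a RemoteApp connection differs from a full-desktop one, the following script writes two .rdp files that Remote Desktop Connection (mstsc) can open. It is an added example, not code from the original page or from Microsoft; the host names rdgw.example.com and app01.corp.local are placeholders, "notepad" is assumed to be the alias of an application already published on the RD Session Host, and the file keys are standard mstsc .rdp settings.

```powershell
# Added example (not from the original page): build two client-side .rdp
# files, one full desktop through an RD Gateway and one RemoteApp through the
# same gateway, then launch the first. Host names are placeholders.
$gateway = 'rdgw.example.com'   # placeholder: public name on the gateway's certificate
$target  = 'app01.corp.local'   # placeholder: internal host permitted by an RD RAP

# Settings shared by both files. gatewayusagemethod:i:1 = always go through
# the gateway; authentication level:i:2 = warn on an untrusted host certificate;
# enablecredsspsupport:i:1 = use NLA when the host requires it.
$common = @"
full address:s:$target
gatewayhostname:s:$gateway
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
authentication level:i:2
enablecredsspsupport:i:1
prompt for credentials:i:1
"@

# Full desktop: the user gets the whole remote screen in a window.
Set-Content -Path "$env:TEMP\desktop-via-gateway.rdp" -Value $common

# RemoteApp: only the application window is shown; the program runs on the
# RDS host. '||notepad' refers to a RemoteApp alias published on that host
# (assumed here for illustration).
$remoteApp = $common + @"
remoteapplicationmode:i:1
remoteapplicationname:s:Notepad
remoteapplicationprogram:s:||notepad
alternate shell:s:rdpinit.exe
"@
Set-Content -Path "$env:TEMP\notepad-remoteapp.rdp" -Value $remoteApp

# From the client's point of view only HTTPS to the gateway must be reachable;
# the internal host's port 3389 is contacted by the gateway, not by us.
Test-NetConnection -ComputerName $gateway -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

mstsc.exe "$env:TEMP\desktop-via-gateway.rdp"
```

The Test-NetConnection call is the useful check when an RD Gateway connection fails: if TCP 443 to the gateway succeeds but the session does not come up, the problem is the gateway certificate, the RD CAP/RD RAP, or the internal host, not the Internet path.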

Troubleshooting

If we cannot connect to the remote computer, there may be a network problem, which can have several causes, so we first have to make sure that we have a working network connection.
If we get an error that the remote computer cannot be found, we have to make sure that we have the correct computer name. If the name does not work, we can try connecting by IP address. If we connect over the Internet, we should check whether an active VPN (or RD Gateway) connection is required. The Remote Desktop port (3389) may also be blocked by a firewall, either on the remote computer or on a network firewall in the path. Keep in mind that Remote Desktop connections have to be enabled on the remote computer, and that a host set to require Network Level Authentication rejects clients that cannot perform it.
If we can connect but cannot log on, we should make sure that the user account is a member of the Remote Desktop Users (or Administrators) group and that it has a password, since accounts with blank passwords are refused for remote logon.

Examples