Remote Desktop Services


Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection.
RDS is Microsoft's implementation of thin client architecture, where Windows software, and the entire desktop of the computer running RDS, are made accessible to any remote client machine that supports Remote Desktop Protocol. User interfaces are displayed from the server onto the client system and input from the client system is transmitted to the server – where software execution takes place. This is in contrast to application streaming systems, like Microsoft App-V, in which computer programs are streamed to the client on-demand and executed on the client machine.
RDS was first released in 1998 as Terminal Server in Windows NT 4.0 Terminal Server Edition, a stand-alone edition of Windows NT 4.0 Server that allowed users to log in remotely. Starting with Windows 2000, it was integrated under the name of Terminal Services as an optional component in the server editions of the Windows NT family of operating systems, receiving updates and improvements with each version of Windows. Terminal Services were then renamed to Remote Desktop Services with Windows Server 2008 R2 in 2009.
RemoteFX was added to RDS as part of Windows Server 2008 R2 Service Pack 1.

Overview

Windows includes four client components that use RDS:
  1. Quick Assist and Windows Remote Assistance
  2. Remote Desktop Connection
  3. Fast user switching
  4. Windows Subsystem for Linux
The first two are individual utilities that allow a user to operate an interactive session on a remote computer over the network. In case of Remote Assistance, the remote user needs to receive an invitation and the control is cooperative. In case of RDC, however, the remote user opens a new session on the remote computer and has every power granted by its user account's rights and restrictions. Fast User Switching allows users to switch between user accounts on the local computer without quitting software and logging out. Fast User Switching is part of Winlogon and uses RDS to accomplish its switching feature. Third-party developers have also created client software for RDS. For example, rdesktop supports Unix platforms.
Although RDS is shipped with most editions of Windows since Windows XP, its functionality differs in each version. Windows XP Home Edition does not accept any RDC connections at all, reserving RDS for Fast User Switching and Remote Assistance only. Other client versions of Windows only allow a maximum of one remote user to connect to the system at the cost of the user who has logged onto the console being disconnected. Windows Server allows two users to connect at the same time. This licensing scheme, called "Remote Desktop for Administration", facilitates administration of unattended or headless computers. Only by acquiring additional licenses can a computer running Windows Server service multiple remote users at one time and achieve virtual desktop infrastructure.
For an organization, RDS allows the IT department to install applications on a central server instead of multiple computers. Remote users can log on and use those applications over the network. Such centralization can make maintenance and troubleshooting easier. RDS and Windows authentication systems prevent unauthorized users from accessing apps or data.
Microsoft has a long-standing agreement with Citrix to facilitate sharing of technologies and patent licensing between Microsoft Terminal Services and Citrix XenApp. In this arrangement, Citrix has access to key source code for the Windows platform, enabling its developers to improve the security and performance of the Terminal Services platform. In late December 2004 the two companies announced a five-year renewal of this arrangement to cover Windows Vista.

Server components

The key server component of RDS is Terminal Server, which listens on TCP port 3389. When a Remote Desktop Protocol client connects to this port, it is tagged with a unique SessionID and associated with a freshly spawned console session. The login subsystem and the GDI graphics subsystem is then initiated, which handles the job of authenticating the user and presenting the GUI. These executables are loaded in a new session, rather than the console session. When creating the new session, the graphics and keyboard/mouse device drivers are replaced with RDP-specific drivers: RdpDD.sys and RdpWD.sys. The RdpDD.sys is the device driver and it captures the UI rendering calls into a format that is transmittable over RDP. RdpWD.sys acts as keyboard and mouse driver; it receives keyboard and mouse input over the TCP connection and presents them as keyboard or mouse inputs. It also allows creation of virtual channels, which allow other devices, such as disc, audio, printers, and COM ports to be redirected, i.e., the channels act as replacement for these devices. The channels connect to the client over the TCP connection; as the channels are accessed for data, the client is informed of the request, which is then transferred over the TCP connection to the application. This entire procedure is done by the terminal server and the client, with the RDP mediating the correct transfer, and is entirely transparent to the applications. RDP communications are encrypted using 128-bit RC4 encryption. From Windows Server 2003 onwards, it can use a FIPS 140 compliant encryption scheme, or encrypt communications using the Transport Layer Security standard.
Once a client initiates a connection and is informed of a successful invocation of the terminal services stack at the server, it loads up the device as well as the keyboard/mouse drivers. The UI data received over RDP is decoded and rendered as UI, whereas the keyboard and mouse inputs to the Window hosting the UI is intercepted by the drivers, and transmitted over RDP to the server. It also creates the other virtual channels and sets up the redirection. RDP communication can be encrypted; using either low, medium or high encryption. With low encryption, user input is encrypted using a weak cipher. With medium encryption, UI packets are encrypted using this weak cipher as well. The setting "High encryption " uses 128-bit RC4 encryption and "High encryption " uses 40-bit RC4 encryption. When setting the Security Layer to 'SSL ', Transport Layer Security up to version 1.2 is available.

Terminal Server

Terminal Server is the server component of Terminal services. It handles the job of authenticating clients, as well as making the applications available remotely. It is also entrusted with the job of restricting the clients according to the level of access they have. The Terminal Server respects the configured software restriction policies, so as to restrict the availability of certain software to only a certain group of users. The remote session information is stored in specialized directories, called Session Directory which is stored at the server. Session directories are used to store state information about a session, and can be used to resume interrupted sessions. The terminal server also has to manage these directories. Terminal Servers can be used in a cluster as well.
In Windows Server 2008, it has been significantly overhauled. While logging in, if the user logged on to the local system using a Windows Server Domain account, the credentials from the same sign-on can be used to authenticate the remote session. However, this requires Windows Server 2008 to be the terminal server OS, while the client OS is limited to Windows Server 2008, Windows Vista and Windows 7. In addition, the terminal server may be configured to allow connection to individual programs, rather than the entire desktop, by means of a feature named RemoteApp. Terminal Services Web Access makes a RemoteApp session invocable from the web browser. It includes the TS Web Access Web Part control which maintains the list of RemoteApps deployed on the server and keeps the list up to date. Terminal Server can also integrate with Windows System Resource Manager to throttle resource usage of remote applications.
Terminal Server is managed by the Terminal Server Manager Microsoft Management Console snap-in. It can be used to configure the sign in requirements, as well as to enforce a single instance of remote session. It can also be configured by using Group Policy or Windows Management Instrumentation. It is, however, not available in client versions of Windows OS, where the server is pre-configured to allow only one session and enforce the rights of the user account on the remote session, without any customization.

Remote Desktop Gateway

The Remote Desktop Gateway service component, also known as RD Gateway, can tunnel the RDP session using a HTTPS channel. This increases the security of RDS by encapsulating the session with Transport Layer Security. This also allows the option to use Internet Explorer as the RDP client. The official MS RDP client for macOS supports RD Gateway as of version 8. This is also available for iOS and Android.
This feature was introduced in the Windows Server 2008 and Windows Home Server products.
In October 2021, Thincast, the main contributor of the FreeRDP project, published the first Remote Desktop Gateway solution running natively on Linux.

Roles

;Remote Desktop Gateway: Enables authorized users to connect to virtual desktops, Remote-App programs, and session-based desktops over a private network or the Internet.
;Remote Desktop Connection Broker Role: Allows users to reconnect to their existing virtual desktop, RemoteApp programs, and session-based desktops. It enables even load distribution across RD Session Host servers in a session collection or across pooled virtual desktops in a pooled virtual desktop collection, and provides access to virtual desktops in a virtual desktop collection.
;Remote Desktop Session Host: Enables a server to host RemoteApp programs as session-based desktops. Users can connect to RD Session Host servers in a session collection to run programs, save files, and use resources on those servers. Users can access Remote Desktop Session Host server by using the Remote Desktop Connection client or by using RemoteApp programs.
;Remote Desktop Virtualization Host: Enables users to connect to virtual desktops by using RemoteApp and Desktop Connection.
;Remote Desktop Web Access: Enables users to access RemoteApp and Desktop Connection through the Start Menu or through a web browser. RemoteApp and Desktop Connection provides users with a customized view of RemoteApp programs, session-based desktops, and virtual desktops.
;Remote Desktop Licensing: Enables a server to manage RDS client access licenses that are required for each device or user to connect to a Remote Desktop Session Host server. RDS CALs are managed using the Remote Desktop Licensing Manager application.