Configuring Windows XP for Remote Desktop

Windows XP uses the same Terminal Services technology as in Windows 2000 Server and Windows 2003, although it is called Remote Desktop.

Since Remote Desktop only allows users with a password to connect, if the PC is standalone or a member of a workgroup, where blank passwords are the norm, it will be necessary to create a local account with a strong (long, complex) password specifically for Remote Desktop access. If Remote Desktop is being enabled for administration purposes, it should also be a member of the local Administrators group.

By default, Remote Desktop simply requires the feature to be turned on, and for users to be given access. The system will open port 3389 in Windows Firewall automatically. However, depending on how the machine has been configured, the use of non-standard ports and the presence of any group policy settings, the default setup may not allow connections. This is a full list of the requirements for successful login:

1. Under Control Panel → System → Remote → “Allow users to connect remotely to this computer” must be enabled.

2. The account being used must not have a blank password.

3. The account being used must belong to the Remote Desktop Users group which can be configured under Control Panel → Administrative Tools → Computer Management → System Tools → Local User and Groups → Groups.

4. The account in question must be included in “Allow logon through Terminal Services” under Control Panel → Administrative Tools → Local Security Policy → Local Policies → User Right Assignment (by default the group Remote Desktop Users is already included) and should not be included in “Deny logon through Terminal Services”.

5. The account in question must be enabled for logon to Terminal Services. If the account is a domain account, this can be done on the domain controller under Control Panel → Administrative Tools → Active Directory Users and Computers. Go to Terminal Services Profile in the user's properties and enable “Allow logon to terminal server”.

6. Windows Firewall must allow connections to the port being used by Remote Desktop (by default 3389).

7. The firewall at the Internet perimeter (such as an ADSL router) must allow connections to the port being used by Remote Desktop and to forward the traffic to the correct machine. (Note that, where systems are being dynamically assigned addresses by a router, it is not unusual for a machine previously at 192.168.0.10 to suddenly become 192.168.0.11 if it is off the network for a while, or if a network card is swapped.)

In summary:

1. The account must be enabled for Terminal Services (whether it is a local account or domain account);

2. It must be given permission to connect to a given server;

3. It must not be denied permission to connect to a given server.

Other Resources

• Terminal Services Resources and Other Cadzow Knowledgebase Articles