Friday, June 10, 2011

What new features or improvements would you like to see in the next future release of Microsoft’s Remote Desktop Services platform?

With the latest release of the Remote Desktop Services platform (based on Windows Server 2008 R2) having been around for some time now, I thought it would be interesting to brainstorm about what new features or improvements you would like to see in the next release. Feel free to add your comments, ideas, or new features you might like to see. I’ve started this discussion in multiple places (LinkedIn, Twitter, etc.). I will try to collect all comments and ideas and merge them into a blog post on my blog at
I personally believe the following features will be very much appreciated:
1. Being able to have a full Single Sign On when using the Remote Desktop option in RD WebAccess
As you might know, since Windows Server 2008 R2, RemoteApps that you launch using RD WebAccess have support for full Single Sign On (SSO). Unfortunately, this does not work for the Remote Desktop option on the second tab of the RD WebAccess page. Related to this is the fact that you get the “unknown publisher” warning every time you launch the Remote Desktop from RD WebAccess. For more details on why this happens see one of my recent blog posts here:

2. Support for “Change Password at next logon” on the RD Gateway
When a user’s password has expired or is manually set to “Change Password at next logon”, that user is not able to log on to an RD Session Host server using an .rdp configuration that uses the RD Gateway. Why? The RD Gateway currently cannot handle this. Of course a user will get a “password will expire in x days” prompt, but users are users: some of them will ignore it, wait as long as possible to change their password, or not even notice it at all. Educating your users to notice this reminder should be done of course, but the RD Gateway being able to act on expired passwords would definitely help in my opinion.

3. Two-factor authentication support on RD Gateway in addition to RD WebAccess
If you want to secure your RemoteApps using a two-factor authentication (2FA) solution (e.g. hardware tokens), you can configure this using ISA (or TMG), RD WebAccess and RD Gateway (the last one is optional, but is of course recommended when you publish RemoteApps over the internet). While setting this up, you have to keep the following in mind though: after selecting an application to launch from RD WebAccess, mstsc.exe will be launched under the hood on the client using specific .rdp settings that it receives from RD WebAccess. If your user knows the address of your RD Gateway server and the address of your RDS farm (or RDSH server), he will be able to launch mstsc.exe directly on his client and bypass the 2FA! There is a way to deny a direct mstsc.exe session and only allow sessions that were initiated at RD WebAccess though (see here). However, I think being able to authenticate with 2FA against the RD Gateway itself would be a nice feature. That way you would also be able to use 2FA using just the Remote Desktop Client (RDC). This would, however, probably also require a change to the RDC itself.
These are just three things I’ve come across myself; I’m sure there are more! I’m looking forward to your thoughts and ideas on this!

Freek Berson
