• Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure): If you will be connecting to your PC from a PC running Windows 7 or Windows 8 (or Windows Server 2008 R2 or 2012), this is the way to go. These OSes support Network Level Authentication (NLA), and this will provide you with a more secure connection in which you’re authenticated against the remote PC before the connection is fully established.
There’s an additional layer of complexity that occurs if you wish to access a home computer that is sitting behind a router of some kind from outside your home, perhaps from work. To do this, you will need additional software, such as a Virtual Private Network (VPN), or you will need to configure your router to allow such a connection. Since the latter is complex and router-specific, we recommend the former. LogMeIn Hamachi (logmein.com) is a great option for this, and it’s free for noncommercial use.
Figure 14-16: You configure RDH from this, ahem, remote location.
Optionally, you can further lock down the RDH by specifying which users can access the PC. That is, when you use Remote Desktop or RDC to connect to your PC, you will be prompted to supply a username and password. By default, the currently signed-in user is automatically OK’d at the time you enable RDH. But if you want to configure other user accounts (or user groups) for this access, click Select Users. Then, in the Remote Desktop Users window shown in Figure 14-17, add the users and/or groups you want via the Add button.
Figure 14-17: Adding additional users to RDH with Remote Desktop Users
Note that these users must be already configured for use on the PC, as they will sign in to their custom environment when they access the PC remotely.
To test that Remote Desktop Host is working properly, use the Remote Desktop client on another PC on your network to try to connect to your PC.
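Before testing from another PC, it is worth reading the settings back on the host itself. The following PowerShell snippet is an added example (not from the book) that reports whether Remote Desktop is enabled, whether NLA is required, and who is in the Remote Desktop Users group; the registry paths, WMI class, and firewall rule group are the standard ones Windows uses, and `PCNAME\someuser` is a placeholder.

```powershell
# Added example, not from the book: audit the Remote Desktop Host settings that the
# System Properties dialog exposes. Run in an elevated PowerShell prompt on the host PC.
function Get-RdhSecurityStatus {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # UserAuthentication = 1 is the "Allow connections only from computers running Remote
    # Desktop with Network Level Authentication" option; 0 lets any RDP client reach the
    # logon screen before it has authenticated.
    $rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Members of the local Remote Desktop Users group (plus Administrators) may connect.
    $group   = [ADSI]'WinNT://./Remote Desktop Users,group'
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    [PSCustomObject]@{
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        NlaRequired          = ($rdp.UserAuthentication -eq 1)
        # 2 = TLS required, 1 = negotiate, 0 = legacy RDP encryption only
        SecurityLayer        = $rdp.SecurityLayer
        RemoteDesktopUsers   = $members
        # Display group name is the English one; it is localized on other-language installs.
        FirewallRules        = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                                   Select-Object DisplayName, Enabled, Profile
    }
}

Get-RdhSecurityStatus

# To add a user the way the Select Users button does (the account must already exist on the PC):
#   net localgroup "Remote Desktop Users" "PCNAME\someuser" /add
#
# To require NLA without the dialog, through the same WMI class Windows itself uses:
#   $s = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
#   $s.SetUserAuthenticationRequired(1) | Out-Null
```

If `NlaRequired` comes back `False`, a client that does not support NLA can open a session window and reach the Windows logon screen before authenticating, which is exactly what the more secure option prevents.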
Features Exclusive to Windows 8 Enterprise
In addition to the Windows Pro-based business features that were discussed in this chapter, Microsoft is also providing a unique set of features for users of the Windows 8 Enterprise edition. This high-end Windows 8 product edition is available only to corporate customers that subscribe to Microsoft’s Software Assurance volume licensing program. So while it doesn’t make sense to spend too much time describing each feature, we can at least provide a rundown of what most of us are missing.
Unique features in Windows 8 Enterprise include the following:
• Windows To Go: This feature lets you deploy a new, fully manageable Windows 8 environment on a bootable external USB flash drive, enabling the “Bring Your Own PC” (BYOPC) usage scenario. Employees can use Windows To Go on any company PC as well as from their home PC, securely accessing corporate resources on an encrypted device that would be useless in the hands of others. Windows To Go is a feature we hope to see ported to other Windows editions in the future, and it would be a huge boon to lab environments of all kinds, including those used by educational institutions.
• DirectAccess: This is a more modern take on VPN functionality, letting remote users seamlessly access corporate network resources without dealing with the hassles common to VPN solutions. DirectAccess is based on the proven HTTPS (secure HTTP) tunneling technology Microsoft first used with Exchange Server. There’s no VPN configuring, connecting, and reconnecting. In fact, there’s no VPN at all. Instead, DirectAccess-enabled PCs are simply always connected, securely, to the corporate network. As long as you have an Internet connection, you’re in. And for the end user, there’s nothing to see or configure. You’re simply connected. And on the administrative side, IT pros and admins can configure which corporate resources are available to which users, and they can direct Internet-based network traffic as they see fit.
• BranchCache: Aimed at distributed corporations, BranchCache lets servers and users’ PCs in branch offices cache files, websites, and other content that is sent from a central office over the WAN, so that it is not repeatedly downloaded at great cost by different users in the same location. With more and more corporate mergers and acquisitions, and larger companies maintaining separate physical offices in different locales, this is a real need.
• AppLocker: Introduced with Windows 7 as a replacement for Software Restriction Policies (SRP), AppLocker is more flexible but offers the same basic functionality: It uses Group Policy-based rules to determine which applications users can and cannot run. But it goes deeper than SRP by introducing the concept of publisher rules, with which admins can specify which application versions are allowed or disallowed. For example, suppose there’s a known vulnerability in an out-of-date version of Adobe Reader, the popular PDF viewer utility. With AppLocker, you could specify that users are allowed to install and use only Adobe Reader 10.01 (or whatever) or newer. Problem solved: Users retain the ability to view PDFs and you, the administrator, don’t need to worry that they’re doing so with obsolete and potentially dangerous versions of the software.
• VDI enhancements: With updates to RemoteFX and Windows Server 2012, users can access virtualized instances of Windows 8 Enterprise from the data center and receive rich desktop experiences via thin clients, including, interestingly, Windows RT-based tablets. (See the following section for more information about Windows RT in the enterprise.)
• Windows 8 (Metro-style) app deployment: Domain-joined PCs and tablets running Windows 8 Enterprise will automatically be enabled to “side-load” internal, Windows 8 Metro-style apps, bypassing the Windows Store.
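The AppLocker publisher rule described above, as an added example that is not from the book: a policy that allows one signed product only from a given version upward, tested in audit mode before enforcement. The publisher name, product name, install path, and the four-part version `10.0.1.0` standing in for the book’s “10.01” are all placeholders; read the real values from a signed binary with `Get-AppLockerFileInformation` first.

```powershell
# Added example, not from the book: allow a signed PDF viewer only at version 10.0.1.0
# or newer. All publisher/product/path values are PLACEHOLDERS for illustration.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111"
        Name="Allow Example PDF Viewer 10.0.1.0 and newer"
        Description="Older, vulnerable releases fall outside the allowed version range"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, L=CITY, S=STATE, C=US"
            ProductName="EXAMPLE PDF VIEWER" BinaryName="*">
          <!-- HighSection="*" means "and any newer version" -->
          <BinaryVersionRange LowSection="10.0.1.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'pdf-viewer-version-rule.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: which executables under the install folder would this policy allow or deny?
# An out-of-date 9.x binary shows up as Denied (or DeniedByDefault) here.
Get-ChildItem 'C:\Program Files (x86)\ExamplePdfViewer' -Filter *.exe -Recurse |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Caution: once the Exe collection contains any rule, every executable that matches no
# Allow rule is blocked, so merge this with the default rules (Windows itself, Program
# Files, Administrators) rather than deploying it alone. AuditOnly above writes event
# 8003 ("would have been blocked") to Microsoft-Windows-AppLocker/EXE and DLL without
# stopping anything; switch to EnforcementMode="Enabled" only after reviewing that log.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```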
Windows RT and Business: A Tablet for All Seasons
While ARM-based Windows RT tablets and devices are aimed squarely at the consumer market, Microsoft also knows that these devices will be hugely popular at work, because they’re deployed by the employer or because users will simply choose to use them to get work done. There’s just one problem: Windows RT, like the basic version of Windows 8, doesn’t support domain join, so you can’t integrate your Windows sign-in with your employer’s Active Directory environment. Fortunately, Windows RT has two things going for it that will somewhat mitigate this issue.
First, Windows RT, like all versions of Windows 8, fully supports the Exchange ActiveSync (EAS) management protocol, the same technology that businesses use to manage devices of all kinds, including Windows Phones, Apple iPhones and iPads, Android handsets and tablets, and many other devices. EAS provides a ton of management functionality, including:
• Push-based corporate e-mail, calendaring, tasks, and contacts: And these all integrate with the appropriate Metro-style apps on Windows RT, including Mail, Calendar, and People.
• Password: Your workplace can specify a minimum password length, that a password is required to use the device, that an alphanumeric password is required, and password reset intervals. After a specified number of failed sign-in attempts, the device can be remotely wiped or disabled. And many, many more password policies are available.