Re: remote desktop issues



I received the following private response from Steve B.:

Our company policy that each employee signs, contains a section stating that
the computer and any data on it belong to the company and that IT management
have the right to access that data if system maintenance requires it.
Also, with RDP, having the user accept the remote control session could
overcome one hurdle.
As you say, files can be seen by IT without the need for RDP, however
ignorance is bliss.
If you are on a LAN that is protected by a firewall that blocks port 3389,
then you would only be worried about internal access via RDP, in which case
you can control remote access by allowing access to domain admins or similar
groups only.


1) we have similar policies, however, my purpose in wanting to use RDP has
nothing to do with looking at user files. IT security is concerned that if
we have RDP access we could easily do so. As you say, though, if that is all
I wanted to do I wouldn't bother with RDP.

2) my point about requiring the user to accept an RDP session is that I
would rather avoid the user inconvenience by working on the system when they
are not there. And, even if they were there, they could only say that it was
OK for me to do so as far as they, individually, were concerned. But since I
would be creating a second session and not connecting to theirs, who would
give me permission to connect on behalf of the dozens of users not currently
on shift who may have files on that system? A completely illogical
requirement in my mind, as I could swap the machine out with little notice
and no permission if I felt I needed to examine it more closely in the shop.

3) I have no doubt that our firewall blocks port 3389. By default, members
of the local administrators group would be the only ones with RDP access,
and that group is already well controlled, consisting, as it does, of those
who need local admin access to support the workstations.

I appreciate the information, but what I am looking for is some confirmation
that using RDP in a relatively closed environment does not introduce
unreasonable risk, and what risk factors, if any, are present. Oh, and did I
mention that RDP access is already enabled on all of our servers? I use it
to access our local resource server on which I am an administrator, but not
the domain controller where I am not. RDP is provided for and used by the
small number of centrally located domain admins for whom this would
otherwise require an airline ticket.


/Al

"Al Dunbar" <AlanDrub@xxxxxxxxxxxxxxxxxxx> wrote in message
news:O8qstXh$HHA.3900@xxxxxxxxxxxxxxxxxxxxxxx
I have been having some difficulty in getting a request to modify our group
policy to enable RDP on our XPSP2 workstations past IT security. In
researching potential issues, the only ones I have found are some DoS
vulnerabilities for which patches have been available for some time. In any
case, our internal network is heavily firewalled against access from the
outside.

We are already using SMS remote control, but it is configured to require
the remote user's acceptance of our request to remote control their
workstation, so not of much use when nobody is there. Also, if we log the
user out and log on to an account with administrator access, the user could
potentially close the remote control session and remain logged on with
privileges.

I would see RDP as a useful addition to our arsenal of tools, with SMS
remote control for user support, and RDP for workstation support.

I believe that one of the concerns we seem to be working against is
privacy of the user's session, including any files they may have created
locally, such as on the desktop. Of course, we can already browse remotely
to the local hard drive, seemingly with even less accountability than if we
were to log on remotely. And we have the authority to take a workstation
out of service and examine it directly - without having to inform the
dozens of users that have profiles there.

Basically, I am looking for comments, either for or against. Does anyone
out there have information (or better yet, actual experience) to indicate
that the benefits of using RDP for workstation management are either
outweighed, or not outweighed, by any other factors that we have perhaps
not considered? If there are security, privacy, or other issues, has
anyone found ways to mitigate them?

Any and all comments will be greatly appreciated.


/Al
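As an added example that is not from the thread or from either poster: a read-only PowerShell audit of the controls discussed above, reporting whether Remote Desktop is enabled on a workstation, which local groups (Administrators and Remote Desktop Users) can connect, the listener's minimum encryption level, and whether TCP 3389 is actually listening. It assumes it is run locally with administrative rights on a Windows host that has PowerShell; the registry keys and group names are the standard ones, not values taken from the thread.

```powershell
# Added example: read-only RDP posture check for a single workstation.
# Nothing here changes configuration; it only reports what is already set.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Is Remote Desktop enabled? fDenyTSConnections = 1 means connections are refused.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
            -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# 2. Who may connect? Local Administrators always can; any further accounts are
#    granted access through the Remote Desktop Users group, so both lists matter.
function Get-LocalGroupMemberNames {
    param([string]$GroupName)
    # ADSI is used so this also works on older hosts without Get-LocalGroupMember.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
$admins   = Get-LocalGroupMemberNames -GroupName 'Administrators'
$rduUsers = Get-LocalGroupMemberNames -GroupName 'Remote Desktop Users'

# 3. Minimum encryption level of the RDP-Tcp listener (1 = Low, 2 = Client
#    Compatible, 3 = High, 4 = FIPS). Lower values weaken the session on the LAN.
$encLevel = (Get-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel `
                -ErrorAction SilentlyContinue).MinEncryptionLevel

# 4. Is anything listening on TCP 3389 right now? Confirms the effective state,
#    independent of what policy says it should be.
$listening = netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING'

[PSCustomObject]@{
    Computer            = $env:COMPUTERNAME
    RdpEnabled          = $rdpEnabled
    Listening3389       = [bool]$listening
    MinEncryptionLevel  = $encLevel
    LocalAdministrators = ($admins -join ', ')
    RemoteDesktopUsers  = ($rduUsers -join ', ')
} | Format-List

# Flag the case the thread is concerned about: RDP enabled with accounts beyond
# the controlled Administrators group able to connect.
if ($rdpEnabled -and $rduUsers) {
    Write-Warning "RDP is enabled and 'Remote Desktop Users' is not empty: $($rduUsers -join ', ')"
}
```

Run it across the workstations in scope (for example through a remoting or scheduled job of your choice) to verify that the group policy change produced exactly the membership and encryption settings that were approved.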
