Re: remote desktop issues



Al.
Could it be that your IT security have got hold of the wrong end of the
stick?
- Remote Assistance: question is whether to require offer or not
- Remote Desktop: question is whether to log off a user's session or not
- TS Shadowing: question is with user consent or not
I can see a privacy issue only with Shadowing without consent.
You might like to break out the exact operation being performed through each
method and ask which is the problem, e.g.
- access to user's session
- control of user's mouse and keyboard
- access to files
- remote execution
- view user's actions (with consent)
- view user's actions without consent
- force user logoff or machine shutdown
- etc.
Anthony,
http://www.airdesk.co.uk




"Al Dunbar" <AlanDrub@xxxxxxxxxxxxxxxxxxx> wrote in message
news:uqBoIdm$HHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
I received the following private response from Steve B.:

Our company policy that each employee signs, contains a section stating
that the computer and any data on it belong to the company and that IT
management have the right to access that data if system maintenance
requires it.
Also, with RDP, having the user accept the remote control session could
overcome one hurdle.
As you say, files can be seen by IT without the need for RDP, however
ignorance is bliss.
If you are on a LAN that is protected by a firewall that blocks port 3389,
then you would only be worried about internal access via RDP, in which
case you can control remote access by allowing access to domain admins or
similar groups only.


1) we have similar policies, however, my purpose in wanting to use RDP has
nothing to do with looking at user files. IT security is concerned that if
we have RDP access we could easily do so. As you say, though, if that is
all I wanted to do I wouldn't bother with RDP.

2) my point about requiring the user to accept an RDP session is that I
would rather avoid the user inconvenience by working on the system when
they are not there. And, even if they were there, they could only say that
it was OK for me to do so as far as they, individually, were concerned.
But since I would be creating a second session and not connecting to
theirs, who would give me permission to connect on behalf of the dozens of
users not currently on shift who may have files on that system? A
completely illogical requirement in my mind, as I could swap the machine
out with little notice and no permission if I felt I needed to examine it
more closely in the shop.

3) I have no doubt that our firewall blocks port 3389. By default, members
of the local administrators group would be the only ones with RDP access,
and that group is already well controlled, consisting, as it does, of
those who need local admin access to support the workstations.

I appreciate the information, but what I am looking for is some
confirmation that using RDP in a relatively closed environment does not
introduce unreasonable risk, and what risk factors, if any, are present.
Oh, and did I mention that RDP access is already enabled on all of our
servers? I use it to access our local resource server on which I am an
administrator, but not the domain controller where I am not. RDP is
provided for and used by the small number of centrally located domain
admins for whom this would otherwise require an airline ticket.


/Al

"Al Dunbar" <AlanDrub@xxxxxxxxxxxxxxxxxxx> wrote in message
news:O8qstXh$HHA.3900@xxxxxxxxxxxxxxxxxxxxxxx
I have been having some difficulty in getting a request to modify our
group policy to enable RDP on our XPSP2 workstations past IT security. In
researching potential issues, the only ones I have found are some DoS
vulnerabilities for which patches have been available for some time. In any
case, our internal network is heavily firewalled against access from the
outside.

We are already using SMS remote control, but it is configured to require
the remote user's acceptance of our request to remote control their
workstation, so not of much use when nobody is there. Also, if we log the
user out and logon to an account with administrator access, the user
could potentially close the remote control session and remain logged on
with privileges.

I would see RDP as a useful addition to our arsenal of tools, with SMS
remote control for user support, and RDP for workstation support.

I believe that one of the concerns we are seeming to work against is
privacy of the user's session, including any files they may have created
locally, such as on the desktop. Of course, we can already browse
remotely to the local hard drive, seemingly with even less accountability
than if we were to logon remotely. And we have the authority to take a
workstation out of service and examine it directly - without having to
inform the dozens of users that have profiles there.

Basically, I am looking for comments, either for or against. Does anyone
out there have information (or better yet, actual experience) to indicate
that the benefits of using RDP for workstation management are either
outweighed, or not outweighed, by any other factors that we have perhaps
not considered? If there are security, privacy, or other issues, has
anyone found ways to mitigate them?

Any and all comments will be greatly appreciated.


/Al
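
The questions raised across this thread (is RDP enabled, is shadowing allowed with or without consent, and who is allowed to connect) can be answered per workstation from the registry and local group membership. The following is an added example, not part of any post in the thread: a read-only PowerShell audit that assumes an elevated PowerShell 5.1 or later session, which is newer than the XP SP2 machines discussed.

```powershell
# Added example: read-only audit of the RDP settings discussed in this thread.
# Assumes an elevated PowerShell 5.1+ session on the workstation under review.
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $ts 'WinStations\RDP-Tcp'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Meaning of the "Shadow" policy value (remote control of a user's session).
$shadowModes = @{
    0 = 'Remote control not allowed'
    1 = 'Full control, with user consent'
    2 = 'Full control, WITHOUT user consent'
    3 = 'View only, with user consent'
    4 = 'View only, WITHOUT user consent'
}

# Group Policy, when set, overrides the local fDenyTSConnections value.
$localDeny  = Get-RegValue $ts 'fDenyTSConnections'
$policyDeny = Get-RegValue $policy 'fDenyTSConnections'
$deny       = if ($null -ne $policyDeny) { $policyDeny } else { $localDeny }

$shadow     = Get-RegValue $policy 'Shadow'
$shadowText = if ($null -eq $shadow) { 'Not set by policy' } else { $shadowModes[[int]$shadow] }

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    RdpEnabled   = ($deny -eq 0)          # 0 = connections allowed
    SetByPolicy  = ($null -ne $policyDeny)
    ListenerPort = Get-RegValue $rdpTcp 'PortNumber'
    ShadowPolicy = $shadowText
} | Format-List

# Who can log on over RDP: local Administrators (S-1-5-32-544) and
# Remote Desktop Users (S-1-5-32-555). SIDs avoid localized group names.
$members = foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-555') {
    Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'GroupSid'; e = { $sid } }, Name, ObjectClass, PrincipalSource
}
$members | Format-Table -AutoSize
```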





