|
Posted by Jon on September 27, 2007, 10:09 pm
Please log in for more thread options Al Dunbar wrote:
>
> > Al.
> > Could it be that your IT security have got hold of the wrong end of
> > the stick?
>
> Perhaps...
>
> > - Remote Assistance: question is whether to require offer or not
>
> We use SMS remote control for virtually any situation where Remote
> Assistance might serve as well. I believe that Remote Assistance is
> currently disabled by group policy (although it is checked as enabled
> on the workstations). Would enabling RDP also enable R.A, thereby
> requiring another configuration change to turn it off? That might be
> one almost valid reason for us to leave RDP off if it were the case,
> or at least it would require a stronger case for RDP.
>
> > - Remote Desktop: question is whether to log off a user's session
> > or not
>
> That could certainly be an issue. As would having a user logon and
> disconnect a remote administrator's session... I expect some protocol
> would need to be put established to deal with this.
>
> > - TS Shadowing: question is with user consent or not
> > I can see a privacy issue only with Shadowing without consent.
>
> I hadn't heard of TS shadowing before (although I knew that TS
> sessions can be remote controlled somehow), but after a quick look I
> agree. I'll have to look more closely.
>
> If my request to allow RDP to XP workstations were granted, it would
> be only for accounts already noted as workstation administrators, so
> it would not be the privacy of the general user, but the privacy of
> what we might be doing on those workstations. I wouldn't mind some
> higher power in our organization being able to see what it is I am
> doing, but there will most certainly be cases where what is displayed
> is of a sensitive nature.
>
> That said, since it appears that TS shadowing is done on a TS session
> on a server (that is doing an RDP to an XP system), and since servers
> are generally considered more sensitive than workstations, it might
> be more important to consider the privacy of TS sessions on the
> server before worrying about XP workstations.
>
> I'll definitely need to think a bit more about this one...
>
> > You might like to break out the exact operation being performed
> > through each method and ask which is the problem, e.g
>
> Excellent suggestion! When I have discussed this informally, they
> seem tend to not want to get into specifics where their concerns
> could be examined in the light of day ;-)
>
> > - access to user's session
> > - control of user's mouse and keyboard
> > - access to files
> > - remote execution
> > - view user's actions (with consent)
> > - view user's actions without consent
> > - force user logoff or machine shutdown
> > - etc.
> > Anthony,
> > http://www.airdesk.co.uk
>
> Thanks. You've given me a good start.
>
>
> /Al
>
> >
> >
> >
> >
> > > I received the following private response from Steve B.:
> > >
> > > Our company policy that each employee signs, contains a section
> > > stating that the computer and any data on it belong to the
> > > company and that IT management have the right to access that
> > > data if system maintenance requires it. Also, with RDP, having
> > > the user accept the remote control session could over-come one
> > > hurdle. As you say, files can be seen by IT without the need for
> > > RDP, however ignorance is bliss. If you are on a LAN that is
> > > protected by a firewall that blocks port 3389, then you would
> > > only be worried about internal access via RDP, in which case you
> > > can control remote access by allowing access to domain admins or
> > > similar groups only.
> > >
> > >
> > > 1) we have similar policies, however, my purpose in wanting to
> > > use RDP has nothing to do with looking at user files. IT
> > > security is concerned that if we have RDP access we could easily
> > > do so. As you say, though, if that is all I wanted to do I
> > > wouldn't bother with RDP.
> > >
> > > 2) my point about requiring the user to accept an RDP session is
> > > that I would rather avoid the user inconvenience by working on
> > > the system when they are not there. And, even if they were
> > > there, they could only say that it was OK for me to do so as far
> > > as they, individually, were concerned. But since I would be
> > > creating a second session and not connecting to theirs, who
> > > would give me permission to connect on behalf of the dozens of
> > > users not currently on shift who may have files on that system?
> > > A completely illogical requirement in my mind, as I could swap
> > > the machine out with little notice and no permission if I felt I
> > > needed to examine it more closely in the shop.
> > >
> > > 3) I have no doubt that our firewall blocks port 3389. By
> > > default, members of the local administrators group would be the
> > > only ones with RDP access, and that group is already well
> > > controlled, consisting, as it does, of those who need local
> > > admin access to support the workstations.
> > >
> > > I appreciate the information, but what I am looking for is some
> > > confirmation that using RDP in a relatively closed environment
> > > does not introduce unreasonable risk, and what risk factors, if
> > > any, are present. Oh, and did I mention that RDP access is
> > > already enabled on all of our servers? I use it to access our
> > > local resource server on which I am an administrator, but not
> > > the domain controller where I am not. RDP is provided for and
> > > used by the small number of centrally located domain admins for
> > > whom this would otherwise require an airline ticket.
> > >
> > >
> > > /Al
> > >
> > > > I have been having some difficulty in getting a request to
> > > > modify our group policy to enable RDP on our XPSP2 workstations
> > > > past IT security. In researching potential issues, the only
> > > > ones I have found are some DoS vulnerabilies for which patches
> > > > have been available for some time. In any case, our internal
> > > > network is heavily firewalled against access from the outside.
> > > >
> > > > We are already using SMS remote control, but it is configured
> > > > to require the remote user's acceptance of our request to
> > > > remote control their workstation, so not of much use when
> > > > nobody is there. Also, if we log the user out and logon to an
> > > > account with administrator access, the user could potentially
> > > > close the remote control session and remain logged on with
> > > > privileges.
> > > >
> > > > I would see RDP as a useful addition to our arsenal of tools,
> > > > with SMS remote control for user support, and RDP for
> > > > workstation support.
> > > >
> > > > I believe that one of the concerns we are seeming to work
> > > > against is privacy of the user's session, including any files
> > > > they mave have created locally, such as on the desktop. Of
> > > > course, we can already browse remotely to the local hard
> > > > drive, seeminly with even less accountability than if we were
> > > > to logon remotely. And we have the authority to take a
> > > > workstation out of service and examine it directly - without
> > > > having to inform the dozens of users that have profiles there.
> > > >
> > > > Basically, I am looking for comments, either for or against.
> > > > Does anyone out there have information (or better yet, actual
> > > > experience) to indicate that the benefits of using RDP for
> > > > workstation management are either outweighed, or not
> > > > outweighed, by any other factors that we have perhaps not
> > > > considered? If there are security, privacy, or other issues,
I know this is a Microsoft Post, but another possible solution would be
a third party product such as Script Logic. No I'm not here pushing
third party, but I'm not aware of any Microsoft product that would do
the same thing. Script Logic would give the user the ability to see
what your doing so there is nothing hidden it even works over a VPN
connection, i.e. the user or yourself connected through a VPN
connection. I have used it in a large orginazation and it was a life
saver. Not mention the remote capibilities, you can manipulate GPO,
and it gives a pretty good run down of system stats before you log in.
Worth a look.
--
| 
XML Sitemap