Security and Privacy for Remote Connection Profiles in Configuration Manager


Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Note

The information in this topic applies only to System Center 2012 R2 Configuration Manager versions.

This topic contains security and privacy information for remote connection profiles in System Center 2012 Configuration Manager.

Security Best Practices for Remote Connection Profiles

Use the following security best practices when you manage remote connection profiles for clients.

Security best practice: Manually specify user device affinity instead of allowing users to identify their primary device. In addition, do not enable usage-based configuration.

More information: Because you must enable Allow all primary users of the work computer to remotely connect before you can deploy a remote connection profile, always manually specify user device affinity. Do not consider the information that is collected from users or from the device to be authoritative. If you deploy remote connection profiles and a trusted administrative user does not specify user device affinity, unauthorized users might receive elevated privileges and then be able to remotely connect to computers.

Note

If you do enable usage-based configuration, this information is collected through state messages for which Configuration Manager does not provide security. To help mitigate this threat, use Server Message Block (SMB) signing or Internet Protocol security (IPsec) between client computers and the management point.

Security best practice: Restrict local administrative rights on the site server computer.

More information: A user who has local administrative rights on the site server can manually add members to the Remote PC Connect security group that Configuration Manager automatically creates and maintains. This might cause an elevation of privileges because members who are added to this group receive Remote Desktop permissions.
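One way to detect the manual group additions described above is to compare the actual membership of the Remote PC Connect group with the primary users you assigned through user device affinity. The following script is an added example and is not part of the Configuration Manager documentation or product; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, and the expected-member list is constructed for illustration.

```powershell
# Added example (not from the Configuration Manager documentation): audit the
# "Remote PC Connect" local group that Configuration Manager creates and
# maintains, and flag any member that is not one of the primary users you
# assigned manually through user device affinity.
# Assumptions: PowerShell 5.1+ with Get-LocalGroup / Get-LocalGroupMember
# available; $ExpectedMembers below is a constructed sample list.

function Test-RemotePcConnectMembership {
    [CmdletBinding()]
    param(
        # Accounts that belong in the group: the primary users you assigned
        # manually, plus any groups your deployment intentionally adds.
        [Parameter(Mandatory)]
        [string[]] $ExpectedMembers,

        [string] $GroupName = 'Remote PC Connect'
    )

    # No group means no remote connection profile has been applied here yet
    # (or the computer is not a managed client); report that rather than fail.
    $group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
    if (-not $group) {
        return [pscustomobject]@{ Group = $GroupName; Exists = $false; Unexpected = @(); Missing = @() }
    }

    # Member names come back as DOMAIN\account; comparisons below are
    # case-insensitive because -notcontains is case-insensitive by default.
    $actual = @(Get-LocalGroupMember -Group $GroupName | ForEach-Object { $_.Name })

    # Members nobody provisioned through affinity: these are the candidates for
    # the elevation of privileges the best practice warns about.
    $unexpected = @($actual | Where-Object { $ExpectedMembers -notcontains $_ })
    # Expected members that are absent (affinity not yet applied, or removed).
    $missing = @($ExpectedMembers | Where-Object { $actual -notcontains $_ })

    [pscustomobject]@{
        Group      = $GroupName
        Exists     = $true
        Unexpected = $unexpected
        Missing    = $missing
    }
}

# Constructed sample input: the primary users recorded for this device.
$ExpectedMembers = @('CONTOSO\alice', 'CONTOSO\bob')
$result = Test-RemotePcConnectMembership -ExpectedMembers $ExpectedMembers
if ($result.Unexpected.Count -gt 0) {
    Write-Warning ("Unexpected members of '{0}': {1}" -f $result.Group, ($result.Unexpected -join ', '))
}
$result
```

Run it on the managed computer whose group you want to audit; any name reported under Unexpected was added outside of user device affinity and should be reviewed and removed.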

Privacy Information for Remote Connection Profiles

If a user initiates a connection to a work computer from the company portal, a file with a .rdp or .wsrdp extension is downloaded that contains the device name and the Remote Desktop Gateway Server name that is required to initiate the Remote Desktop session. The file extension depends on the operating system of the device. For example, the Windows® 7 and Windows 8 operating systems use an .rdp file, and Windows 8.1 uses a .wsrdp file.

The user can choose to open or save the .rdp file. If the user chooses to open the .rdp file, the file might be stored in the cache for the web browser, depending on the retention settings that are configured for the browser. If the user chooses to save the file, the file is not stored in the browser cache. The file is saved until the user manually deletes it.

The .wsrdp file is downloaded and automatically saved locally. This file is overwritten the next time that the user runs a Remote Desktop session.

Before you configure remote connection profiles, consider your privacy requirements.