Remote Tools Security Best Practices and Privacy Information
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Microsoft System Center Configuration Manager 2007 remote control makes centralized administration easier. However, administrators with remote control permissions can observe users and whatever is on their screens, which compromises security and privacy if the permission is misused. As noted elsewhere in this documentation, there is no technical control that protects against an administrator improperly using administrative rights; the practices below reduce the opportunity for misuse and make it visible to the user, but they cannot eliminate it.
Security Best Practices for Remote Tools
Use either Group Policy or Configuration Manager to configure Remote Assistance settings, but not both: Both Configuration Manager 2007 and Group Policy can change the Remote Assistance settings. When Group Policy refreshes on the client, by default it applies only the policies that have changed on the server. Configuration Manager 2007 writes the settings into the local security policy, and a routine Group Policy refresh might not overwrite them unless the refresh is forced (for example, with gpupdate /force). Managing the settings from both places therefore gives inconsistent results that depend on which source was applied last. Choose one method and use it for all Remote Assistance settings.
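The following script is an added example, not part of the Configuration Manager 2007 documentation. It turns the conflict described above into an empirical test: it snapshots the Remote Assistance values, forces a Group Policy refresh, snapshots again and reports anything that changed. A value that changes across a forced refresh was written by something other than Group Policy (in practice the Remote Tools Client Agent) and will keep flapping until one of the two sources is retired. The registry locations and value names are assumptions about where Windows keeps these settings (the policy-managed values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and the non-policy values under HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance); confirm them on one of your own clients first. Run it elevated on a domain-joined client; the gpupdate call modifies the machine.

```powershell
# Added example (not from the Configuration Manager 2007 documentation).
# Detects Remote Assistance settings managed from two sources by diffing the
# registry before and after a forced Group Policy refresh.
# Assumed locations and value names; verify on your own build.
$Keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
)
$ValueNames = @('fAllowToGetHelp', 'fAllowFullControl', 'fAllowUnsolicited')

function Get-RemoteAssistanceSnapshot {
    # Returns a hashtable keyed "<key>::<value name>" so two snapshots can be diffed.
    $snap = @{}
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $ValueNames) {
            # GetValue returns $null when the value is absent (Get-ItemProperty would throw)
            $snap["$key::$name"] = $item.GetValue($name)
        }
    }
    return $snap
}

function Compare-Snapshots {
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    $allKeys = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($k in $allKeys) {
        # $null -ne $null is false, so unset-in-both entries are not reported
        if ($Before[$k] -ne $After[$k]) {
            $changes += New-Object PSObject -Property @{
                Setting = $k; Before = $Before[$k]; After = $After[$k]
            }
        }
    }
    return $changes
}

$before = Get-RemoteAssistanceSnapshot
& gpupdate.exe /target:computer /force | Out-Null
$after = Get-RemoteAssistanceSnapshot

# @() keeps $changes an array even when the function returns nothing
$changes = @(Compare-Snapshots -Before $before -After $after)
if ($changes.Count -eq 0) {
    Write-Output 'No Remote Assistance value changed after a forced refresh: Group Policy and the local settings agree.'
} else {
    Write-Warning 'A forced Group Policy refresh overwrote Remote Assistance values set elsewhere; manage them from one source only.'
    $changes | Format-Table -AutoSize Setting, Before, After
}
```

If the report is clean on a client where you know Configuration Manager manages Remote Assistance, that is also useful: it means Group Policy is not setting those values at all, so Configuration Manager can safely remain the single source.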
Do not consider the “Ask for permission” setting to be adequate security for remote tools on Windows 2000 clients: Even if you enable the Ask for permission when an administrator tries to access clients option on the Remote Tools Client Agent properties, a remote administrator of a Windows 2000 client who disconnects and then reconnects within 10 seconds re-establishes the remote administration session without a new permission prompt. Also on Windows 2000 client computers, anyone with local administrator rights can temporarily modify the registry to remove the permission requirement and then re-enable it, so that the setting appears unchanged afterward.
Enable the "Ask for permission" setting: Although there are ways around the Ask for permission when an administrator tries to access clients setting, you should still enable it to reduce the chance of users being observed while they work on confidential tasks.
Enable notification: Enable the settings Display a visual indicator and Play a sound so that a user can tell when a remote control session is active; this reduces the chance of users being observed while working on confidential tasks.
Prevent users from changing policy or notification settings: Enable the setting Users cannot change policy or notification settings in the Remote Control Control Panel to prevent users from making changes (for example, turning notification off) that could make it easier for them to be spied on.
Limit the Permitted Viewers list: Local administrator rights on the client are not required to use Remote Tools. Any account that satisfies both the collection security and the Permitted Viewers list can use Remote Tools on the client, so keep the list to the accounts and groups that genuinely need access.
Specify required global groups: Members of global groups that are nested inside local groups listed in the Permitted Viewers list are not enumerated, so they are not granted access through the local group. To avoid confusion, explicitly add every global group that should have access to the Permitted Viewers list.
Specify the domain context for user accounts: The Permitted Viewers list deliberately tolerates unqualified names, because a user is authenticated against the list at the client, and the site server might not have access to the same domains as the client. Consequently, you can enter an account name in the Permitted Viewers list without specifying its domain. However, the name must be unambiguous at the client, so enter every account in the domain\account format to remove any doubt about which domain the client should check.
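The following script is an added example, not part of the Configuration Manager 2007 documentation; it serves the consent, notification and Permitted Viewers practices above in one client-side audit. It reads the Remote Tools client agent settings on a client and reports: the permission prompt or notification settings being off, Permitted Viewers entries that are not in domain\account form, and Permitted Viewers entries that are local groups with nested groups (whose members, as explained above, get no Remote Tools access). The registry key HKLM\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control and the value names Permission Required, Visible Signal, Audible Signal and Permitted Viewers are assumptions about how the client stores these settings; verify them against one of your own clients before relying on the report.

```powershell
# Added example (not from the Configuration Manager 2007 documentation).
# Audits Remote Tools client agent settings and the Permitted Viewers list.
# Key and value names below are assumptions; verify them on a real client.
$RemoteControlKey = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control'

function Get-RemoteControlSetting {
    param([string]$Name)
    if (-not (Test-Path -Path $RemoteControlKey)) { return $null }
    return (Get-Item -Path $RemoteControlKey).GetValue($Name)   # $null if absent
}

function Test-DomainQualified {
    # Accepts DOMAIN\account or DOMAIN\group; rejects bare names and UPNs,
    # which the client might resolve against a domain you did not intend.
    param([string]$Entry)
    return ($Entry -match '^[^\\/@]+\\[^\\/@]+$')
}

function Get-NestedGroups {
    # Lists the group-type members of a local group via the WinNT ADSI provider.
    # Remote Tools does not enumerate these nested groups, so their members
    # gain nothing from the local group being a Permitted Viewer.
    param([string]$GroupName)
    $nested = @()
    try {
        $group = [ADSI]"WinNT://./$GroupName,group"
        foreach ($member in @($group.Invoke('Members'))) {
            $class = $member.GetType().InvokeMember('Class', 'GetProperty', $null, $member, $null)
            if ($class -eq 'Group') {
                $nested += $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
            }
        }
    } catch { }   # not a local group on this machine; nothing to expand
    return $nested
}

function Get-RemoteToolsAudit {
    $findings = @()
    # Assumed DWORD names for the consent and notification settings (1 = on).
    $checks = @(
        @{ Name = 'Permission Required'; Why = 'user is not asked before a session starts' },
        @{ Name = 'Visible Signal';      Why = 'no on-screen indicator during a session' },
        @{ Name = 'Audible Signal';      Why = 'no sound when a session starts' }
    )
    foreach ($check in $checks) {
        $value = Get-RemoteControlSetting -Name $check.Name
        if ($value -ne 1) { $findings += "$($check.Name) = '$value': $($check.Why)" }
    }
    # Where-Object { $_ } drops a $null result so an unset list yields no entries
    $viewers = @(Get-RemoteControlSetting -Name 'Permitted Viewers' | Where-Object { $_ })
    foreach ($entry in $viewers) {
        if (-not (Test-DomainQualified -Entry $entry)) {
            $findings += "Permitted Viewer '$entry' is not in DOMAIN\account form"
        }
        # Only expand entries that name a group on this computer
        $parts = $entry.Split('\')
        $domain = ''
        if ($parts.Count -eq 2) { $domain = $parts[0] }
        $isLocal = ($domain -eq '' -or $domain -eq '.' -or $domain -eq 'BUILTIN' -or $domain -eq $env:COMPUTERNAME)
        if ($isLocal) {
            foreach ($nested in Get-NestedGroups -GroupName $parts[-1]) {
                $findings += "Local group '$entry' nests '$nested'; members of that nested group get no Remote Tools access"
            }
        }
    }
    return $findings
}

$findings = @(Get-RemoteToolsAudit)
if ($findings.Count -eq 0) { Write-Output 'Remote Tools client settings match the recommendations.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it as an administrator on a sample of clients after changing the Remote Tools Client Agent properties; because the settings are enforced at the client, a report from the site server alone does not prove what a given client will actually do.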
Do not rely on collection security to control remote tools access: Bypassing collection security for Remote Tools is easy for a knowledgeable or determined person. They could set up a Configuration Manager 2007 site that is not part of your hierarchy, create resource records for the clients they want to control, and grant themselves any rights they want on those resources. Also, anyone with the Use Remote Tools right can run the command line version of Windows 2000 Remote Tools with the /SMS:NOSQL option, which skips the database check entirely. Treat collection security for Remote Tools as an organizational convenience that is effective for staff who follow your policies and procedures; the control that is actually enforced on the client is the Permitted Viewers list.
Do not enter passwords for privileged accounts when remotely administering Windows 2000 computers: The password travels securely to the client computer, but on the client it is injected through the virtual keyboard, and any software there that observes keyboard input could capture it. Also, if the program running on the client computer is not the program the remote control user assumes it is, that program might be capturing the password. When accounts and passwords are required, the end user at the client should enter them.
Privacy Information for Remote Tools
Remote control lets you view active sessions on Configuration Manager 2007 client computers and potentially any information stored on those computers. Remote control is not enabled by default. You can configure it to provide prominent notice and obtain consent from the user before a control session begins, or to monitor users without their permission or awareness. Before configuring remote control, consider your privacy requirements.
No information is collected during the remote control session itself, but an audit status message is generated when a session is initiated. This auditing status is stored in the site database and deleted by default after 180 days. The retention period is configurable through both the Status Filter Rule properties and the site maintenance task that deletes aged status messages. No auditing status information is sent to Microsoft.
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.