Security and Privacy for Remote Connection Profiles in Configuration Manager
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide.
The information in this topic applies only to System Center 2012 R2 Configuration Manager versions.
This topic contains security and privacy information for remote connection profiles in System Center 2012 Configuration Manager.
Use the following security best practices when you manage remote connection profiles for clients.
Security best practice
Manually specify user device affinity instead of allowing users to identify their primary device. In addition, do not enable usage-based configuration.
Because you must enable Allow all primary users of the work computer to remotely connect before you can deploy a remote connection profile, always manually specify user device affinity. Do not consider the information that is collected from users or from the device to be authoritative. If you deploy remote connection profiles and a trusted administrative user does not specify user device affinity, unauthorized users might receive elevated privileges and then be able to remotely connect to computers.
Restrict local administrative rights on the site server computer.
A user who has local administrative rights on the site server can manually add members to the Remote PC Connect security group that Configuration Manager automatically creates and maintains. This might cause an elevation of privileges because members who are added to this group receive Remote Desktop permissions.
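One way to check for the membership drift described above is to compare the current members of the Remote PC Connect group against the primary users you assigned through manual user device affinity. The following PowerShell script is an added example, not part of the Configuration Manager documentation; it assumes the script is run on (or pointed at) the work computer where Configuration Manager created the group, that the WinNT ADSI provider is reachable, and that $ExpectedMembers is a constructed sample list standing in for your real primary users.

```powershell
# Added audit example (not Configuration Manager's own code).
# Lists the members of the "Remote PC Connect" group that Configuration Manager
# creates and maintains, and flags members that are not among the expected
# primary users (those set through manual user device affinity).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Constructed sample values; replace with the primary users you assigned.
    [string[]]$ExpectedMembers = @('CONTOSO\alice', 'CONTOSO\bob')
)

$groupName = 'Remote PC Connect'   # group name as stated on the page
$group = [ADSI]"WinNT://$ComputerName/$groupName,group"

# The WinNT provider returns members as COM objects. Read each member's AdsPath
# (e.g. WinNT://CONTOSO/alice, or WinNT://CONTOSO/PC01/localuser for a local
# account) and keep the last two segments as "DOMAIN\user" or "COMPUTER\user".
$members = @($group.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    $parts = $path -replace '^WinNT://', '' -split '/'
    ($parts | Select-Object -Last 2) -join '\'
})

# -notcontains is case-insensitive, which matches how Windows compares account names.
$unexpected = @($members         | Where-Object { $ExpectedMembers -notcontains $_ })
$missing    = @($ExpectedMembers | Where-Object { $members         -notcontains $_ })

# Unexpected members are the finding: each one holds Remote Desktop permissions
# on this computer without having been assigned through user device affinity.
[PSCustomObject]@{
    ComputerName      = $ComputerName
    CurrentMembers    = $members
    UnexpectedMembers = $unexpected
    MissingMembers    = $missing
    Drift             = ($unexpected.Count -gt 0 -or $missing.Count -gt 0)
}
```

Run it against each work computer that has a remote connection profile deployed and investigate any entry in UnexpectedMembers before the account is used for a Remote Desktop session.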
If a user initiates a connection to a work computer from the company portal, a file with a .rdp or .wsrdp extension is downloaded that contains the device name and the Remote Desktop Gateway Server name that is required to initiate the Remote Desktop session. The file extension depends on the operating system of the device. For example, the Windows® 7 and Windows 8 operating systems use an .rdp file, and Windows 8.1 uses a .wsrdp file.
The user can choose to open or save the .rdp file. If the user chooses to open the .rdp file, the file might be stored in the cache for the web browser, depending on the retention settings that are configured for the browser. If the user chooses to save the file, the file is not stored in the browser cache. The file is saved until the user manually deletes it.
The .wsrdp file is downloaded and automatically saved locally. This file is overwritten the next time that the user runs a Remote Desktop session.
Before you configure remote connection profiles, consider your privacy requirements.