Security and Privacy for Remote Connection Profiles in Configuration Manager

Updated: January 2014

Applies To: System Center 2012 R2 Configuration Manager

The information in this topic applies only to System Center 2012 R2 Configuration Manager.

This topic contains security and privacy information for remote connection profiles in System Center 2012 Configuration Manager.

Use the following security best practices when you manage remote connection profiles for clients.


Security best practice: Manually specify user device affinity instead of allowing users to identify their primary device. In addition, do not enable usage-based configuration.

More information: Because you must enable the option Allow all primary users of the work computer to remotely connect before you can deploy a remote connection profile, always specify user device affinity manually. Do not treat affinity information that is collected from users or from the device as authoritative. If you deploy remote connection profiles and a trusted administrative user has not specified user device affinity, unauthorized users might gain elevated privileges and then be able to remotely connect to computers.

If you do enable usage-based configuration, the affinity information is collected through state messages, which Configuration Manager does not secure. To help mitigate this threat, use Server Message Block (SMB) signing or Internet Protocol security (IPsec) between client computers and the management point.
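The two recommendations above, turning off user-driven and usage-based affinity and recording affinity from an administrator-maintained list, as an added PowerShell example (not code from this topic or from the Configuration Manager product). It assumes a Configuration Manager 2012 R2 console installation (SMS_ADMIN_UI_PATH set), site code PS1, the constructed device and user names shown, and that the cmdlet and parameter names and the Sources value mapping are as listed in the comments; check them with Get-Help before running against a production site.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumptions: console installed (SMS_ADMIN_UI_PATH is set), site code PS1,
# and the 2012 R2 cmdlet/parameter names used below. Verify with
# Get-Help Set-CMClientSetting -Parameter * before use.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'PS1:'

# 1. Client settings: users may not nominate their own primary device, and no
#    affinity is created automatically from logon usage data (the state-message
#    path the topic warns is not secured by Configuration Manager).
Set-CMClientSetting -Name 'Default Client Agent Settings' -UserDeviceAffinity `
    -AllowUserAffinity $false -AutoApproveAffinity $false

# 2. Administrator-maintained affinity list (constructed sample data).
$trustedPrimaryUsers = @{
    'CONTOSO-PC01' = @('CONTOSO\alice')
    'CONTOSO-PC02' = @('CONTOSO\bob', 'CONTOSO\carol')
}
foreach ($device in $trustedPrimaryUsers.Keys) {
    foreach ($user in $trustedPrimaryUsers[$device]) {
        if (-not (Get-CMUserDeviceAffinity -DeviceName $device -UserName $user)) {
            Add-CMUserAffinityToDevice -DeviceName $device -UserName $user
        }
    }
}

# 3. Review pass: warn about any affinity that was not set by an administrator.
#    Sources values on SMS_UserMachineRelationship (assumed mapping):
#    1 Software Catalog, 2 Administrator, 3 User, 4 Usage Agent,
#    5 Device Management, 6 OSD, 7 Fast Install.
$AdminSource = 2
foreach ($device in $trustedPrimaryUsers.Keys) {
    Get-CMUserDeviceAffinity -DeviceName $device |
        Where-Object { $_.Sources -notcontains $AdminSource } |
        ForEach-Object {
            Write-Warning ("{0}: affinity for {1} came from source(s) {2}, not from an administrator" -f `
                $device, $_.UniqueUserName, ($_.Sources -join ','))
        }
}
```

The review pass in step 3 is the part worth scheduling: the client settings change stops new user- and usage-sourced affinities, but relationships that were learned before the change remain in the database and still satisfy the "primary user" check that a remote connection profile relies on.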

Security best practice: Restrict local administrative rights on the site server computer.

More information: A user who has local administrative rights on the site server can manually add members to the Remote PC Connect security group that Configuration Manager automatically creates and maintains. This can result in an elevation of privileges, because members added to this group receive Remote Desktop permissions.
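A check for the manual-addition risk described above, as an added PowerShell example (not code from this topic or from Configuration Manager): it compares the members of the Remote PC Connect local group on the computer being audited against the administrator-defined primary users, and, when something does not match, lists who added the extra members from security event 4732. The group name is taken from the topic; the expected-member list is constructed, and the event property positions (member SID at index 1, group name at 2, actor name and domain at 6 and 7) are an assumption to verify against your own event records.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Audits the local "Remote PC Connect" group against the administrator-defined
# primary users and shows who added anyone else.
# Assumptions: the expected-member list (constructed) and the 4732 property
# order (MemberSid = 1, group name = 2, actor name/domain = 6/7).
function Get-LocalGroupMemberNames {
    param([string]$Computer, [string]$Group)
    $adsi = [ADSI]"WinNT://$Computer/$Group,group"
    @($adsi.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # WinNT://CONTOSO/alice -> CONTOSO\alice
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$computer = $env:COMPUTERNAME
$expected = @('CONTOSO\alice')                          # constructed: trusted primary users
$actual   = @(Get-LocalGroupMemberNames -Computer $computer -Group 'Remote PC Connect')
$extra    = $actual | Where-Object { $expected -notcontains $_ }

if ($extra) {
    Write-Warning "Unexpected 'Remote PC Connect' members on ${computer}: $($extra -join ', ')"
    # 4732 = a member was added to a security-enabled local group
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -eq 'Remote PC Connect' } |
        Select-Object TimeCreated,
            @{ n = 'AddedBy';   e = { "$($_.Properties[7].Value)\$($_.Properties[6].Value)" } },
            @{ n = 'MemberSid'; e = { $_.Properties[1].Value } }
} else {
    "Remote PC Connect on $computer matches the administrator-defined list."
}
```

Event 4732 is only written when the Audit Security Group Management subcategory is enabled on the audited computer, so turn that on before relying on the second half of the script; the membership comparison works regardless.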

If a user initiates a connection to a work computer from the company portal, a file with an .rdp or .wsrdp extension is downloaded. It contains the device name and the Remote Desktop Gateway server name that are required to initiate the Remote Desktop session. The file extension depends on the operating system of the device: for example, Windows® 7 and Windows 8 use an .rdp file, and Windows 8.1 uses a .wsrdp file.

The user can choose to open or save the .rdp file. If the user opens it, the file might be stored in the web browser's cache, depending on the retention settings that are configured for the browser. If the user saves it, the file is not stored in the browser cache, but it remains on disk until the user manually deletes it.

The .wsrdp file is downloaded and automatically saved locally. It is overwritten the next time that the user runs a Remote Desktop session.
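To see what that leftover file exposes and where it may linger, the following added PowerShell example (not code from this topic or from the company portal) searches a user profile for .rdp and .wsrdp files and reports the device and gateway names they contain. The "full address:s:" and "gatewayhostname:s:" keys are the standard .rdp file format; the search roots are assumptions for an Internet Explorer cache and the Downloads folder (add your browser's cache path), the sample file is constructed, and the .wsrdp contents are listed by path only because the topic does not describe that format.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Finds .rdp / .wsrdp files left by the company portal in a user profile and
# reports the device and gateway names they expose. Search roots and the
# sample file are assumptions/constructed for illustration.
function Get-RdpLeftover {
    param([string[]]$Root, [switch]$Remove)
    $files = $Root | Where-Object { Test-Path $_ } | ForEach-Object {
        Get-ChildItem -Path $_ -Recurse -Include '*.rdp', '*.wsrdp' -Force -ErrorAction SilentlyContinue
    }
    foreach ($f in $files) {
        # .rdp lines are "key:type:value", e.g. "full address:s:CONTOSO-PC01"
        $text    = Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue
        $device  = if ($text -match '(?m)^full address:s:(.+?)\s*$')    { $Matches[1] } else { '(not found)' }
        $gateway = if ($text -match '(?m)^gatewayhostname:s:(.+?)\s*$') { $Matches[1] } else { '(not found)' }
        [pscustomobject]@{
            Path      = $f.FullName
            LastWrite = $f.LastWriteTime
            Device    = $device
            Gateway   = $gateway
        }
        if ($Remove) { Remove-Item -Path $f.FullName -Force }
    }
}

# Constructed sample, standing in for a file the portal downloaded.
$demo = Join-Path $env:TEMP 'portal-demo.rdp'
"full address:s:CONTOSO-PC01`r`ngatewayhostname:s:rdgw.contoso.com`r`nscreen mode id:i:2" |
    Set-Content -Path $demo
Get-RdpLeftover -Root $env:TEMP | Format-Table -AutoSize

# Assumed locations on a real client (Downloads, IE cache on Windows 7 and 8.1).
$roots = @(
    "$env:USERPROFILE\Downloads",
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files",
    "$env:LOCALAPPDATA\Microsoft\Windows\INetCache"
)
Get-RdpLeftover -Root $roots | Format-Table -AutoSize
# Get-RdpLeftover -Root $roots -Remove    # after reviewing the report
```

Run it under the user's own account, since browser caches live in the user profile; the report is what to hand a user who asks what the portal left on a shared or personal device, and the -Remove switch is the cleanup once they have reviewed it.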

Before you configure remote connection profiles, consider your privacy requirements.

See Also

For additional resources, see Information and Support for Configuration Manager.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012 Configuration Manager. For instructions and examples, see Search the Configuration Manager Documentation Library.