|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
If you are a small or medium business – or an IT consultant who helps small or medium businesses here’s a thought of a way to temporarily allow folks
[See the full post at: Patch Lady – remoting into a desktop without VPN]
Susan Bradley Patch Lady/Prudent patcher
VPN allows file level access to shares with the user permissions on that share directly from a client machine. The security nightmare is that the home machine may be a staff members BYOD with substandard anti-virus and existing infections.
Secure RDP over TLS acts more like a long distance extension cord for a monitor and keyboard/mouse to a secure workstation on premises.
But . . . there is one security hole that should be closed even with RDP: By default the remote users local USB devices and their C: drive is mounted, these can be forcefully disabled – and should be – in Group Policy.
Disable Drive redirection:
https://www.windows-security.org/0d474c28e9044a1ea9706eb63c2e3d15/do-not-allow-drive-redirection
Disable PnP on RDP:
Unless really required, I disable all of the following to increase security, and also to reduce bandwidth:
Disable audio and video playback redirection
Disable audio recording redirection
Do not allow COM port redirection
Do not allow LPT port redirection
Do not allow drive redirection
Do not allow supported Plug and Play device redirection
~ Group "Weekend" ~
It only does screen images across the wire. It doesn’t make that remote PC a part of the local remote network. So if that remote machine is infected, it won’t infect the network. It’s similar to Logmein or Splashtop where the remote machine is just a conduit not a member of the network.
Susan Bradley Patch Lady/Prudent patcher
P.S. it only goes over port 443, 3389 is not exposed externally and if you are really paranoid you can add two factor duo.com to that rdgateway.
Susan Bradley Patch Lady/Prudent patcher
I was quite disappointed to find out (the hard way) that Server Essentials 2019 completely removed all support for any RDS roles. Not cool, Microsoft. Not cool.
I have been unable to find a satisfactory solution to this problem: Remote Desktop changes the location of icons on the client desktops, and some of my clients find this so discombobulating that RD is not usable. Is this resolved in the latest RD version?
GaryK
I only seem to have this problem occasionally with 1 client who runs 3 monitors and I believe it may have to do with running different resolutions between my machine and his but I haven’t really investigated it. For him I use AnyDesk. For all others with 1 or 2 monitor setups it doesn’t seem to be an issue.
Edit to add he also has like 100 shortcut icons and folders on the desktop between the monitors. A real mess 🙂
Never Say Never
- Buy same size screens
- Buy Fences, it keeps the icons arranged
- live with it. No it hasn’t been fixed.
It’s not me who has to “live with it.” It’s clients who have to live with it, and because they yell and scream and threaten to fire me, I have either to find a way to make it work or to find alternatives. Some clients think my job is to satisfy them, not to adapt their work habits to my choice of remote software. Some clients are funny that way.
My preference is TeamViewer, but it’s very expensive. I think the best in terms of user experience is the original version of PCAnywhere, it’s got serious security problems. Really Remote Desktop would be a great solution if MS would fix the icon-location problem. Others have done it, so it’s a mystery why MS won’t.
GaryK
@gkarasik-
I hate anything that messes up my desktop… and I love that you respect your clients… and I remember something that you may find helpful.
In the AskWoody Newsletter, ISSUE 16.15.0 • 2019-04-22, Deanna, of OlderGeeks did a review of ‘Desktop Restore’. This is something I now keep and use!
It can be downloaded at their site.
Maybe a client could be e-mailed a link and install before you use Remote Desktop? I know that I would be very grateful at having a way to restore my desktop. At the very least, it would show that you are sensitive to their concerns.
Not quite as elegant as doing it from within Remote Desktop… but certainly more serviceable than leaving the desktop disrupted, and the client perturbed.
Non-techy Win 10 Pro and Linux Mint experimenter
It is ok to fire clients. I’ve done it. But I’m busy enough that I can do that and not lose a dime. A stress free life is worth more than a problematic client.
As have I, as have many of us, but what’s not clear is why I should fire a client who’s making what seems to me to be an entirely reasonable request: Please find a solution that doesn’t mess up my desktop and hurt my productivity, which is what produces enough income so that I can pay you the exorbitant amout youre charging me to keep my computers running well.
GaryK
Please find a solution that doesn’t mess up my desktop and hurt my productivity
Can’t be done unless you run the same size screen and resolution.
That is the least inconvenience your users will have to put up with during this crisis.
cheers, Paul
Any concern for Key Loggers on the Home PC that could record RDP Credentials?
Sure, but wouldn’t those be the same concerns you’d have for any credentials for any remote software?
Currently we only allow VPN using corporate computers that are firewall locked down to our VPN. I am worried about my corporate machines but I would be concerned about random home machines that are not governed by our corporate protection. This does not seem like a safe option if their corporate credentials are freely read by the home PC. Maybe my viewpoint is unique?
Gosh no. Or at least I hope it’s not unique. Your point is well taken, and it’s a thought that should be terrifying every admin contemplating people working from home. How many of these home machines are also being used by others in the house to look at who knows what? My point, no doubt poorly expressed, is only that this isn’t a concern unique to RDP. The danger from key-loggers or other MITM attacks is the same for LogMeIn, GoToMyPC, TeamViewer, or any other remote-control software. A panicked, poorly-thought-out policy to send people home to work that doesn’t take into account the security of those home machines will have–not could have–major malware consequences for some businesses.
GaryK
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
