When a user remotely connects to a work computer, they download a. This action might cause an elevation of privileges because members receive Remote Desktop permissions. A local administrator on the site server can manually add members to the Remote PC Connect security group that Configuration Manager automatically creates and maintains. Restrict local administrative rights on the site server computer. To help mitigate this threat, use Server Message Block (SMB) signing or Internet Protocol security (IPsec) between client computers and the management point. If you deploy a profile, and a trusted administrative user doesn't specify user device affinity, unauthorized users might receive elevated privileges and can remotely connect to computers.

Configuration Manager collects usage-based information through state messages, which is a fast but insecure communication channel. Don't consider the information that Configuration Manager collects from users or from the device to be authoritative. With this configuration, you should always manually specify user device affinity. Don't enable usage-based configuration.

Before you can deploy a remote connection profile, you need to enable the option to Allow all primary users of the work computer to remotely connect.

Manually specify user device affinity instead of allowing users to identify their primary device.

Security and privacy considerations

Security considerations

For more information, see Configure role-based administration. The Compliance Settings Manager built-in role includes the permissions required to manage these profiles. To manage remote connection profiles, your user account needs specific permissions in Configuration Manager. For more information, see Link users and devices with user device affinity.

In order for a user to connect to a work computer, that computer must be a primary device of the user. If clients run a different host-based firewall, manually configure this firewall dependency.
If you use Group Policy to configure Windows Firewall, make sure that Group Policy settings don't block mstsc.exe. Group Policy settings to configure Windows Firewall can override the configuration that you set in Configuration Manager.