Today I want to talk about the Remote Control functionality in ADUC Admin Plus, because basic RDP functionality is built into our tooling.
There are literally hundreds of Remote Control tools out there, most of which are faster than our solution, one of the reasons being that we chose P2P connectivity instead of UDP.
So, our Remote Control functionality is not impressive as such. But there’s one thing that does make our solution particularly interesting.
All RDP solutions are server – client based, meaning that a piece of software needs to be installed and run both on the source (your) computer and on the target (end user’s) computer. This also goes for Microsoft’s Remote Control functionality, although source and target software are, of course, built into the operating system.
The fact that RDP is server – client based has all kinds of security implications. With Microsoft’s RDP solution, if you want to allow your help desk employees to help your end users via RDP, they need to be added to the RDP group on the local machine. This poses an inherent security threat.
With third-party solutions, in all cases the RDP client needs to be installed on the target computer as a service, or pushed as a process, and this client is always running, waiting for someone to try and start an RDP session. This also poses an inherent security risk. DameWare is notorious in this respect, but actually, the problem does not lie with DameWare, or any other third-party Remote Control solution. Like I said, RDP server – client solutions are by their very nature unsafe.
When you deploy a Remote Control solution across your network, you end up with excessive local group memberships or, say, a thousand computers constantly waiting for an RDP connection. Not only does this feel unsafe – it is unsafe.
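To measure the two exposures described above on your own machines (membership of the local RDP group and remote-control listeners that are always waiting), the following PowerShell audit is an added example, not part of ADUC Admin Plus. The function name `Get-RemoteControlExposure` is hypothetical, and the port list is an assumption you should extend with the ports of any third-party agent you deploy.

```powershell
# Added example (not the vendor's code): report who is in the local
# "Remote Desktop Users" group and which remote-control ports are listening.
function Get-RemoteControlExposure {
    [CmdletBinding()]
    param(
        # Computers to audit; remote targets require PowerShell remoting (WinRM).
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # 3389 is the default RDP listener. Assumption: add your own agent ports here.
        [int[]]$Port = @(3389)
    )

    $probe = {
        param([int[]]$Port)

        # S-1-5-32-555 is the well-known SID of "Remote Desktop Users";
        # querying by SID avoids localized group names.
        $sid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-555'
        $members = @(Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue)

        # TCP listeners on the audited ports, with the owning process name.
        $listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $_.LocalPort -in $Port })
        $procs = $listeners | ForEach-Object {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        } | Sort-Object -Unique

        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            RdpGroupCount    = $members.Count
            RdpGroupMembers  = ($members.Name -join '; ')
            ListeningPorts   = (($listeners.LocalPort | Sort-Object -Unique) -join ', ')
            ListeningProcess = ($procs -join ', ')
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            & $probe $Port                       # local machine: no remoting needed
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList (,$Port)
        }
    }
}

# Usage: audit the local machine and list it if anything is exposed.
Get-RemoteControlExposure |
    Where-Object { $_.RdpGroupCount -gt 0 -or $_.ListeningPorts } |
    Format-Table -AutoSize
```

A machine that shows neither group members nor a listener has nothing waiting for a connection, which is the state the article argues for.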
Which brings me back to the interesting part of our Remote Control solution. We also use a server – client solution (there is no way around it), and you can also install the client on any number of target PCs as a service. Nothing special there.
But we have also built in the option to push the client side of the session as a shortcut to the end user of the target PC. We can accomplish this because our tooling is one hundred percent Active Directory based.
First you find out to which computer a particular user is logged on (with the scan function), then there are two options:
- you can place a session shortcut on the end user’s desktop. The end user only needs to click on the shortcut to start the Remote Control session.
- or you obtain his or her email address from your Active Directory and send him or her a session link by email. Again, the end user only needs to click on the link in this email to start the client side of the session.
In both cases the desktop of the end user pops up on your screen. And so:
- your helpdesk employees do not need any extra rights to help your end users. They don’t need rights to install a service, or push a process. They don’t need to be a member of any local group on the computer. They only need to be able to send an email.
- a session isn’t started until after end user input.
- when you or the end user ends the session, the client is killed. No software is waiting to be misused, no ports remain open to hackers.
Relatively end user friendly and safe. Right?
Vision It has been developing custom software solutions since 2009 and launched aducADMIN+ in 2010 to help us save time and money managing our own networks.
Developing software out of Amsterdam, The Netherlands, with installations in over 50 countries around the globe.