Apple Remote Desktop - Maintaining Security

background image

Maintaining Security

Remote Desktop can be a powerful tool for teaching, demonstrating, and performing
maintenance tasks. For convenience, the administrator name and password used to
access Remote Desktop can be stored in a keychain or can be required to be typed
each time you open the application. However, the administrator name and password
for each client computer are stored in the administrator’s preferences and are strongly

background image


Chapter 6

Setting Up the Network and Maintaining Security

Administrator Application Security
 Make use of user mode to limit what nonadministrator users can do with Remote


See “Apple Remote Desktop Nonadministrator Access” on page 73.

 If you leave the Remote Desktop password in your keychain, be sure to lock your

keychain when you are not at your administrator computer.

 Consider limiting user accounts to prevent the use of Remote Desktop.

Either in a Managed Client for Mac OS X (MCX) environment, or using the Accounts
pane in System Preferences, you can make sure only the users you designate can use
Remote Desktop.

 Check to see if the administrator computer is currently being observed or controlled

before launching Remote Desktop (and stop it if it is).

Remote Desktop prevents users from controlling a client with a copy of Remote
Desktop already running on it at connection time, but does not disconnect existing
observe or control sessions to the administrator computer when being launched.
Although this functionality is helpful if you want to interact with a remote LAN which
is behind a NAT gateway, it is possible to exploit this feature to get secretly get
information about the administrator, administrator’s computer, and its associated
client computers.

User Privileges and Permissions Security
 To disable or limit an administrator’s access to an Apple Remote Desktop client, open

System Preferences on the client computer and make changes to settings in the
Remote Management pane in the Sharing pane of System Preferences. The changes
take effect after the current Apple Remote Desktop session with the client computer

 Remember that Apple Remote Desktop keeps working on client computers as long

as the session remains open, even if the password used to administer the computer
is changed.

 Don’t use a user name for an Apple Remote Desktop access name and password.

Make “dummy” accounts specifically for Apple Remote Desktop password access and
limit their GUI and remote login privileges.

Password Access Security
 Never give the Remote Desktop password to anyone.
 Never give the administrator name or password to anyone.
 Use cryptographically sound passwords (no words found in a dictionary; eight

characters or more, including letters, numbers and punctuation with no repeating

 Regularly test your password files against dictionary attack to find weak passwords.

background image

Chapter 6

Setting Up the Network and Maintaining Security


 Quit the Remote Desktop application when you have finished using it. If you have

not stored the Remote Desktop password in your keychain, the application prompts
you to enter the administrator name and password when you open it again.

Physical Access Security
 If you have stored the Remote Desktop password in your keychain, make sure the

keychain is secured and the application isn’t running while you are away from the
Remote Desktop window.

 If you want to leave the Remote Desktop application open but need to be away from

the computer, use a password-protected screen saver and select a hot corner so you
can instantly activate the screen saver.