74
Administrator Application Security
ÂMake use of user mode to limit what nonadministrator users can do with Remote Desktop.
See “Apple Remote Desktop Nonadministrator Access” on page 66.
ÂIf you leave the Remote Desktop password in your keychain, be sure to lock your keychain when you are not at your administrator computer.
ÂConsider limiting user accounts to prevent the use of Remote Desktop.
Either in a Managed Client for Mac OS X (MCX) environment, or using the Accounts pane in System Preferences, you can make sure only the users you designate can use Remote Desktop.
ÂCheck to see if the administrator computer is currently being observed or controlled before launching Remote Desktop (and stop it if it is).
Remote Desktop prevents users from controlling a client with a copy of Remote Desktop already running on it at connection time, but does not disconnect existing observe or control sessions to the administrator computer when being launched. Although this functionality is helpful if you want to interact with a remote LAN which is behind a NAT gateway, it is possible to exploit this feature to get secretly get information about the administrator, administrator’s computer, and its associated client computers.
User Privileges and Permissions Security
ÂTo disable or limit an administrator’s access to an Apple Remote Desktop client, open System Preferences on the client computer and make changes to settings in the Remote Desktop pane in the Sharing pane of System Preferences. The changes take effect after the current Apple Remote Desktop session with the client computer ends.
ÂRemember that Apple Remote Desktop keeps working on client computers as long as the session remains open, even if the password used to administer the computer is changed.
ÂDon’t use a user name for an Apple Remote Desktop access name and password. Make “dummy” accounts specifically for Apple Remote Desktop password access and limit their GUI and remote login privileges.
Password Access Security
ÂNever give the Remote Desktop password to anyone.
ÂNever give the administrator name or password to anyone.
ÂUse cryptographically sound passwords (no words found in a dictionary; eight characters or more, including letters, numbers and punctuation with no repeating patterns).
ÂRegularly test your password files against dictionary attack to find weak passwords.
