We use Devolutions server as a central datasource.
As an RDM administrator for our company, I discovered that users can set their (domain) credentials on the datasource in the client, so they don't have to enter their datasource (domain) credentials. For us, this is highly unwanted behaviour and thus a security risk.
Implementing the Devolutions GPO setting "Always ask for credentials when connecting to a datasource" does not have the desired effect: RDM requires the user to specify an application password instead of graying out the username/password checkboxes in the datasource settings.
How does one feel about having the following settings managed by a GPO:
- The option file->data sources->Edit Data Source - Enable/disable access to the settings
- The option file->data sources->Edit Data Source -> Username + Password - Make the checkboxes username/password grayed out (or not) so users cannot set their credentials.
Is it possible to make this happen in a (short) future release?
Thanks in advance.
The documentation is wrong for the ForceLogin policy. It is for the security options of the Application itself, not for the data sources. We will fix the documentation.
To prevent a data source from being modified, it can be Locked. http://help.remotedesktopmanager.com/datasource_lock.htm
Our recommended workflow to have a "hardened" RDM deployment is to use our custom installer service to ensure RDM is configured properly, then either
- including a "locked" data source to prevent tampering in the case where you want that single data source untouched, or
- by using our policies to disable options/menus for the user (CURRENT_USER) or the workstation (LOCAL_MACHINE)
Let me know if you feel that this does not fit with your needs.
Maurice, thanks for the reply.
We have already tested with the locked datasource option in the past. It would be a feasible solution, however there's one issue:
after deleting the appdata\local\devolutions folder (including its contents), the lock was gone after restarting RDM (with a fresh new appdata\local\devolutions folder).
Is there a way to protect the lock from being deleted?
Disabling the file/options menu is not an option for us, since we frequently experience cache issues. Then we clear the offline cache via the manage cache button.
Thanks in advance.
Just a quick note on the cache issues you've been seeing.
The newer versions now have two offline engines: SQLite (old) & MCDF (new). We've recently made MCDF the default offline engine. With MCDF you should see a much more stable caching subsystem. I would like to think 100% issue free, but time will tell :-)
MCDF was first introduced in v188.8.131.52 then in v184.108.40.206 (beta) it was made the default engine.
File -> Options -> Advanced -> Offline Engine
File - Options is not required to clear the cache.
Any type of lockdown of RDM implies that a user cannot have access to delete the configuration. Even if we add the options you ask for, if they can delete the files we are back to square one.
Disabling File - Data sources using the policies and locking the data source itself will prevent them from modifying the file. If they ever delete the config file they will not be able to create a new one and they will have to ask you for a new one.
And to invalidate the cache, you can press CTRL-F5, or press CTRL while you click on the refresh button up top; no need to go into the data source area.