Forum / Remote Desktop Manager - Feature Request

Major Security Overhaul


I think the security model used by RDM must have a major overhaul. We bought 5 licenses to use RDM with our IT staff. Our use case is that we want certain people to have remote access to certain servers, but without handing them the password. My configuration was having a Security Group "Credentials" assigned to the Credentials folder where people don't have access, so they don't see the credential entries. Our remote configuration entries are organized in folders along with their own security group (as not all users should have access to all remote connections). Also, every user has their own "user folder" where they can create entries and store credentials where no one else has access to them.

As an admin everything works fine, but when trying to get access to the remote connection, the credentials are not being used so no access is given. This sounds logical as the user doesn't have access to those credentials (no "View" permission). If I give them View access to the Credentials folder, then the remote entries work as expected. But giving them View access introduces a new risk: the users can create a remote connection entry to a server they should not have access to and use those credentials. Even if they cannot see the password, they gain access, and this is a security issue.

So, for our purposes, the security model used by RDM isn't secure at all, and I haven't even begun talking about the "Allow reveal password" checkbox. The use of these checkboxes (which appear in two places: User Privileges and Role Privileges) is global when it should be a Security Group<->User or Security Group<->Role feature (what I mean by this is that the reveal password should only apply to a given security group, so only passwords in that security group can be disclosed).

RDM is a great tool, but in an IT staff's day-to-day operation it is lacking on the side of security with multiple users. I hope this can be considered for future updates to give flexibility for secure IT workflows.

3 yrs
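The gap described in the post above, as an added example that is not part of the original thread and not Remote Desktop Manager's implementation: a toy permission model comparing a check that requires View on the credential's group with a hypothetical check that scopes a credential to the entry groups allowed to consume it. All class, field, group and host names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Credential:
    name: str
    group: str                            # security group of the credential's folder
    usable_from: frozenset = frozenset()  # hypothetical: entry groups allowed to consume it

@dataclass(frozen=True)
class Entry:
    host: str
    group: str                            # security group of the entry's folder
    credential: Credential

@dataclass
class User:
    name: str
    view: set = field(default_factory=set)  # groups the user has View on

def launch_view_based(user, entry):
    # Behaviour described in the post: the linked credential is only used
    # when the user has View on the credential's own security group.
    return entry.group in user.view and entry.credential.group in user.view

def launch_scoped(user, entry):
    # Hypothetical alternative: the user needs no rights on the credential;
    # the credential is released only to entries in groups it is scoped to.
    return entry.group in user.view and entry.group in entry.credential.usable_from

def scenario():
    # Constructed data: one shared credential, one admin-made entry, and one
    # entry the user created in a personal folder for a host outside their scope.
    cred = Credential("svc-admin", "Credentials", frozenset({"Servers-Web", "Servers-DB"}))
    admin_entry = Entry("web01", "Servers-Web", cred)
    self_made = Entry("db01", "User-alice", cred)
    hidden = User("alice", {"Servers-Web", "User-alice"})
    granted = User("alice", {"Servers-Web", "User-alice", "Credentials"})
    return {
        "hidden_admin_entry": launch_view_based(hidden, admin_entry),
        "granted_admin_entry": launch_view_based(granted, admin_entry),
        "granted_self_made": launch_view_based(granted, self_made),
        "scoped_admin_entry": launch_scoped(hidden, admin_entry),
        "scoped_self_made": launch_scoped(hidden, self_made),
    }

if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```
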

Hi,
I see what you mean and don't forget that you could make those users read-only. No Edit or Add rights. This way they will not be able to create a remote connection.

For the reveal password we have a new security model coming soon where you can add an extra security layer based on the Role. You configure it in the entry directly instead of the Security Group.

Regards

David Hervieux


3 yrs

Yes I could, but we need to give them the flexibility to Add/Edit/Delete remote connections in their personal folder.

The way I see it is that their personal connections (and by personal I mean defined by them, because they are work related) should live in another data source apart from the restricted one.

Good to know security is being addressed! I think the option is a little misleading (I thought it applied only to the security where the role had permissions but later I discovered everyone could see the password).

I think we can manage to get this working with a bit of workarounds, but I think RDM could benefit from a new security model, maybe for release 12? ;)

3 yrs

Hi,
Have you tried the Private Vault for your personal connections?

The new security model is in RDM 12.

Regards

David Hervieux


3 yrs