Resolved Implemented

Ability to hide the host details

avatar

Would be great to have a feature to disable the ability to show the host (in the red box). This allows users to see the IP address and port number to connect to the server and I'd prefer to keep this information hidden.

forum image

All Comments (17)

avatar

Hello,

We actually added a GPO to hide the port for RDP entries (HIDEPORTINRDP), so we could add one to hide all host information. Would that work for you?

Regards,

Hubert Mireault

avatar

GPO? As in a group policy?

avatar

Yes, this would allow you to push this to all of your users on your domain. The alternative would be to add a System Setting, but if you aren't using a datasource like SQL Server/DVLS/MySQL, the System Settings aren't available. This is why we made the other setting a GPO, as the original requester wasn't on one of these datasources that supported System Settings.

Regards,

Hubert Mireault

avatar

We're using DPS and not all our clients are domain connected so our preference would be a system setting as this would apply everywhere, but if it's a GPO we can make it work somehow.

avatar

No problem, we can simply add it both as a GPO and a System Setting. I've opened a ticket to add this improvement to RDM.

Regards,

Hubert Mireault

avatar

Great, thank you

avatar

Hello,

We've been discussing this internally and I would like to confirm something with you.

What you showed in your screenshot is from the dashboard. We can easily hide the information from there. The thing is, there are a lot more areas where you can get the host from. We never considered the host as "privileged" information in the past, like a password, so we don't have easy mechanics to hide it from every possible place.

Basically, we can easily add an option for "hide host information from dashboard", but to make a full "hide host information", it's a much bigger undertaking than we thought at first.
If you think that it would be useful for you to simply hide the host from the dashboard, we can make this quickly, but to hide it from everywhere, it may take us a while.

Regards,

Hubert Mireault

avatar

Thanks for following up.

In the short term, hiding the host information from the dashboard would be good. I can't see anywhere else where the host is listed unless the user has full read/write access to the session - which our users don't.

I suppose longer term it would be great to hide it from everywhere. The confidential client information is the IP address, port number and UN/PW. The reason for the concern is that there's nothing to stop a user logging in to the server with RDMS, creating a local administrator account on the server and then using the IP/Port to RDP from outside RDMS thus bypassing all security and logging.

avatar

Hello,

The two easiest places we could find when investigating, other than the dashboard, were through the use of the Clipboard > Copy Host menu, and when the RDP tab is opened, hovering the mouse cursor over it. Those two additional areas could easily be hidden as well, so we'd do it alongside the dashboard. Basically, I want to make it clear that as a phase 1, there would still be ways to access the host through RDM (if only because we didn't think of them). It wouldn't be an ironclad solution to your security concern, but it would be something.
We'll update this thread once we have an update on the feature.

I've also discussed the scenario with our security team, and they brought up that once you're connected to the remote machine, there are also ways on the machine itself to extract its IP. So you would also need to restrict certain actions on the remote machine itself to make sure the IP doesn't leak out.

Regards,

Hubert Mireault

avatar

Yes, aware that phase 1 only covers a few holes but leaves others open, but that's fine.

With regard to the concerns raised by the security team, this is true if the customer only has one internet connection (i.e. only one WAN IP), but many of ours have multiple. Where a customer only has one WAN IP, nothing you can do can protect the IP, because doing a Google search for "what is my ip" will display the public IP. Showing the IP address for the host in itself is not the major problem; it's showing the port number, which is the critical information required to connect to the server.

avatar

Alright, I wanted to be sure we're on the same page.

If the port is the more important part in your case, does the "hide port in RDP" option work for you, or do you also need it to work on other types of entries, and that's why it isn't a good solution for you at the moment?

forum image

If this option covers your needs for now, we could omit "phase 1" and instead skip straight to hiding all host information.

Regards,

Hubert Mireault

avatar

I don't have that option in RDM 2020.3.27.0 and DPS 2020.3.18.0 - I assume that's a new setting?

Unfortunately with everyone working from home with COVID, rolling out an updated version of RDM to 100+ users is difficult but we'll do that when the next major release comes out in October.

We can use that in the short-term and skip phase 1 in that case.

avatar

Indeed, this setting is quite recent and would require the latest version of RDM as well as DVLS (2021.1).
Thanks for the confirmation, we'll skip straight to phase 2 regarding this feature then. We'll update this thread once we have an update on the matter.

Regards,

Hubert Mireault

avatar

Hi Hubert

If it's still possible to quickly add a "Hide host in RDP" alongside the "Hide port in RDP" option until phase 2 is rolled out, this would be useful for us.

We're now using DLGW for all our connections, and for every server we connect to it simply displays the Devolutions Gateway address rather than the actual endpoint, which confuses our staff, so better to just hide it altogether.

avatar

Hello,

I understand the confusion for your staff. I will raise the priority on this feature.

Regards,

Hubert Mireault

avatar

Thanks.

Must have changed in a recent update, because it used to say “connecting to <endpoint IP>”; now it just says “connecting to DGW IP”.

avatar

I will check with our team in charge of Devolutions Gateway, perhaps this is an unintended side-effect of the integration. It would be clearer to keep seeing the endpoint and not the gateway IP, as you mention.

Regards,

Hubert Mireault