Microsoft Remote Desktop Security question

Hi gang,

I do the books for a client in another state. They contract with a private company to have their Quickbook Desktop files on said company’s server, which I access remotely with Microsoft Remote Desktop.

Accessing other computers remotely is a new thing for me and I was wondering what, if any, security concerns there are? Specifically, can this private company (which I connect to via the Remote Desktop application) somehow see things on my mac? I don’t think so, but wanted to be sure. Are there any settings I should tinker with to lock things down?

I have been using Microsoft Remote Desktop for years and it’s fine. The other company can’t access your Mac, Microsoft does a good job with security.

2 Likes

If all you need are files, why not just setup an SFTP server where the files can be uploaded and downloaded?

That could work, but the OP already has access to a PC with the needed files. The only question I would ask is about access to the remote network. If the remote network is being reached through a VPN, then any communications via Microsoft Remote Desktop should also be safe.

1 Like

The OP expressed concerns about security, I think an SFTP solution would be more secure than the remote desktop option for both parties involved.

1 Like

Why do you think SFTP is more secure?

1 Like

Just that the attack surface is smaller. RDP means you have access to the whole computer and you can potentially expose more of your own computer as well. It’s really more of a risk for the computer you are connecting to instead of your own.

Using SFTP both sides are agreeing on a specific set of files that can be uploaded/downloaded in advance. There would be no ability for either party to browse the filesystem as a whole.

1 Like

That’s not true. The admin sets the permissions with what you can access on the server your connecting to. And with Microsoft MFA, connecting is more secure than that your iCloud password is on your iPhone.

3 Likes

@jcarucci: The corp. I worked for built many data centers that were physically forbidding with an emphasis on strong security. They filled them mostly with commodity Intel Xeon boxes running one of the many versions of Windows server software, all accessed via VPN and Microsoft Remote Desktop. If it was good enough for them …

2 Likes

What part isn’t true, the amount of access you have on the PC?

I stand by my statement that SFTP is less risky. Thiefs are clever, look at the latest attacks on people’s iPhones where they steal a 4 digit iPhone passcode and then lock you out of your iCloud account, take money out of Venmo, etc. Did anyone think about those risks before it was reported in the news?

You want to limit any potential access as much as possible, because there might be a loose end somewhere that no one thought of before. Those loose ends could include some buffer overflow in the RDP software that allows people to poke through the security restrictions, etc.

Now I’m sure this RDP access is probably low risk, but if it were me and all I needed was periodic access to some specific files, I’d setup an SFTP server and share the files that way.

1 Like

Apple and Oranges.
Transfer files? - SFTP
Access a Desktop? - RDP

You can’t access a desktop with SFTP
but you CAN transfer files with RDP

SO I agree with both @McWimmish and @SpivR
With any Remote Desktop access a VPN is your friend.
while SFTP enjoys all the benefits of SSH :slight_smile:

2 Likes

I should have been more specific. The file I access is a shared Windows Quickbooks company file that can be accessed simultaneously with other users. So instead of downloading a file, modifying it, then re-uploading it, I would need an environment where it can be accessed by multiple users.

That said, I don’t know what an SFTP server is, so I’ll definitely look into that!

But as other commenters have mentioned, I was curious if there were any risks I should be aware of regarding my local Mac.

Thank you for this. Yes, I am accessing the remote server through a VPN.

Good to know! Thanks for this. I’ll definitely do my research and dig into more, but this is good to know

Thanks for everyone’s comments. Connecting to a remote server is new territory for me and I’m definitely interested in digging deeper. SFTP, SSH; I’ll definitely be doing my research.

One thing that’s concerns me is there always a pop up that reads:

“You are connecting to the RDP host “[1.2.3.4]”. The certificate couldn’t be verified back to a root certificate. Your connection may not be secure. Do you want to continue?”

Probably should have included this message in my original post. Is this something I should be worried about? Or will connecting with a VPN be enough?

That message makes it sound like the server guy at your client just created his own public key certificate without going through the trouble and expense of getting one from an official source.

I’m going to assume that your computer is not part of your client’s local network. You don’t mention any kind of access procedure or credentials needed to get on your client’s network (apart from signing into the Remote Desktop itself). You should be making your RDP connection over a VPN. This may mean that the client server you access faces directly onto the internet. This may not be safe unless the contents of this server and access to it have been carefully limited in other ways. Talk to the IT guy (or the IT service that your client employs) about your concerns.

If you are your client’s “IT guy,” then you are right to be concerned.

2 Likes

Hi @karlnyhus, thanks for your additional input.

You are correct - I am not part of my client’s local network. Signing into Remote Desktop is the only access procedure involved. I have been accessing it through my VPN for a few weeks now…and will keep doing so!

He does seem knowledgeable about what he’s doing so I would assume that there are other safeguards in place. However, I will definitely follow up with him just to be sure.

Thanks so much for the insight and helpful information. The MPU community is amazing!

No, your computer is safe. The remote computer, from the conversations on this thread, is somewhat safe but any corporate IT person would raise their ears. Should you be concerned? Relatively. If that machine is compromised by a third party attacker, perhaps your client could blame you for the incident. Not a winning case because they would need to demonstrate that it was you who hacked their computer, and no IT forensics specialist would sign anything like that without more solid evidence than “this person had access to Remote Desktop”.

2 Likes

This is very helpful. I didn’t know about the different types of VPN. Thank you!