Maintaining security and effective management in your remote desktop environment is crucial. This guide provides key best practices for configuring host computers, managing user accounts, reviewing logs, and securing connectivity within Jump Desktop for Teams. By following these practices, you can improve security, streamline operations, and maintain better control over your team's remote desktop environment.
Host Computer Configuration
For teams on the Teams Enterprise plan, ensuring all computers have the appropriate Connect Settings applied not only enhances security but also streamlines management. When a new team is created, a default Connect Setting called Default Configuration is created and assigned to any new machines you add via the Team's installer.
1. Ensure Connect Settings are applied to all computers: Navigate to Team -> Tasks -> Computers. Click Columns and make sure Connect Settings is enabled. Visually inspect the list to make sure every machine has an appropriate Connect Setting applied to it. This uniform configuration across all devices helps maintain consistent security standards.
2. Make sure computers are running the latest version of Jump Desktop Connect client: Navigate to Dashboard -> Team -> Tasks -> Computers. Click Columns and make sure Connect Version is enabled. Visually inspect the list to ensure your computers are not running older versions of Connect. By default, Connect is set to update automatically in all installs.
3. Connect Settings Hardening: Connect settings let you manage policies applied to your machines in a centralized way and lock down settings.
- Screen Sharing: Default value: Enabled. When screen sharing is enabled, users are allowed to copy the screen sharing URL and start a collaborative screen sharing session with anyone who has the sharing URL. Consider disabling this feature if you do not want users to share the host's screen.
- Watermarking: Default value: Disabled. This feature adds a configurable watermark to the screen when someone is connected. Consider enabling this feature to give local users a clear indication that someone is connected to the machine.
- Passwordless Login: Default value: Disabled. This feature allows users to connect to the machine without authenticating with an account on the host machine. In most cases this feature should always be disabled (as it is by default), unless your configuration has unique requirements.
- Idle Timeout: Default value: Disabled. This setting disconnects inactive sessions after a specified period, reducing the risk of unattended access. Consider adding a default idle timeout value that works well with your workflow.
- Privacy Mode: Default value: Client Controlled. This feature locks the physical mouse and screen on the host machine when connected, protecting against local observation and control. Consider setting this to Always Enabled. If local observation is important to your workflow, then you can set this to Always Disabled, which means that the client will not be able to engage privacy mode.
- Local Configuration Changes: Default value: Disabled. Prevents local users from altering Jump Desktop Connect settings, maintaining the integrity of your security configuration. Make sure this value is always Disabled.
- Add Remote Access Users: Default value: Disabled. Prevents local users from giving unattended access to other users. Make sure this value is always Disabled.
- RDP Enabled and VNC Enabled: Default value: Disabled. Keep these values disabled unless you have specific requirements to access the machines via these protocols.
- Automatic Updates: Default value: Enabled. Ensuring that all computers automatically receive the latest Jump Desktop Connect updates keeps your systems protected. Make sure this value is Enabled.
- Manual Fluid Connections: Default value: Disabled. Always keep this value disabled unless you have a specific requirement for Cloudless Fluid.
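The list above can be turned into an automated check so that drift in a Connect Setting is caught on every review rather than by eye. The following is an added example written for this guide, not Jump Desktop's own code: it models a Connect Setting as a plain dictionary keyed by the setting names used on this page (the dictionary shape, the sample policies and the severity split between "always keep" and "consider" items are assumptions made here, not an API export format) and reports every deviation from the hardening baseline.

```python
"""Check a Jump Desktop Connect Setting against the hardening baseline above.

Added example, not Jump Desktop code. The policy is modelled as a plain dict
keyed by the setting names used on this page; the dict shape and the sample
policies are constructed assumptions, not an API export format.
"""
from dataclasses import dataclass

# Baseline from the list above: expected value and how strictly it applies.
# "required" entries are the ones the page says to keep that way always;
# "recommended" entries are the "consider ..." items.
BASELINE = {
    "Passwordless Login": ("Disabled", "required"),
    "Local Configuration Changes": ("Disabled", "required"),
    "Add Remote Access Users": ("Disabled", "required"),
    "RDP Enabled": ("Disabled", "required"),
    "VNC Enabled": ("Disabled", "required"),
    "Automatic Updates": ("Enabled", "required"),
    "Manual Fluid Connections": ("Disabled", "required"),
    "Screen Sharing": ("Disabled", "recommended"),
    "Watermarking": ("Enabled", "recommended"),
    "Privacy Mode": ("Always Enabled", "recommended"),
}


@dataclass(frozen=True)
class Finding:
    setting: str
    actual: str
    expected: str
    severity: str  # "required" or "recommended"


def check_connect_setting(policy: dict) -> list[Finding]:
    """Return every deviation from the baseline, required items first."""
    findings = []
    for setting, (expected, severity) in BASELINE.items():
        actual = policy.get(setting, "<missing>")
        if actual != expected:
            findings.append(Finding(setting, str(actual), expected, severity))
    # Idle Timeout has no single correct value; the page only asks that one be set.
    timeout = policy.get("Idle Timeout", "Disabled")
    if timeout in ("Disabled", None, 0):
        findings.append(Finding("Idle Timeout", str(timeout), "a non-zero timeout", "recommended"))
    findings.sort(key=lambda f: f.severity != "required")  # stable: keeps list order within a tier
    return findings


def required_failures(findings: list[Finding]) -> list[str]:
    """Names of settings that violate a 'required' baseline entry."""
    return [f.setting for f in findings if f.severity == "required"]


# Constructed sample: the defaults a new team's "Default Configuration"
# starts with, according to the list above.
DEFAULT_CONFIGURATION = {
    "Screen Sharing": "Enabled",
    "Watermarking": "Disabled",
    "Passwordless Login": "Disabled",
    "Idle Timeout": "Disabled",
    "Privacy Mode": "Client Controlled",
    "Local Configuration Changes": "Disabled",
    "Add Remote Access Users": "Disabled",
    "RDP Enabled": "Disabled",
    "VNC Enabled": "Disabled",
    "Automatic Updates": "Enabled",
    "Manual Fluid Connections": "Disabled",
}

# Constructed sample of a policy that has drifted away from the defaults.
DRIFTED_POLICY = {**DEFAULT_CONFIGURATION,
                  "RDP Enabled": "Enabled",
                  "Automatic Updates": "Disabled",
                  "Privacy Mode": "Always Enabled",
                  "Idle Timeout": 900}


if __name__ == "__main__":
    for name, policy in (("Default Configuration", DEFAULT_CONFIGURATION),
                         ("Drifted", DRIFTED_POLICY)):
        print(f"== {name} ==")
        for f in check_connect_setting(policy):
            print(f"  [{f.severity:11}] {f.setting}: {f.actual!r}, expected {f.expected!r}")
```

Run against the stock Default Configuration this reports only "recommended" items (Screen Sharing, Watermarking, Privacy Mode and the unset Idle Timeout), which is what you would expect from a fresh team; the drifted policy additionally produces two "required" failures that should block rollout of that Connect Setting.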
4. Adding new Computers to your team: When adding computers, always download a fresh copy of the installer using your Team Installer link (Dashboard -> Teams -> Tasks -> Add Computers). Your team installer link automatically points to the latest version of Jump Desktop Connect when a new production version is released. Instead of saving the installer file locally, save the installer link. This practice ensures you always download the latest version, maintaining up-to-date security features.
5. Assign a Connect Setting to new team installers: If you create new Team installers, make sure the installer has a Connect Setting associated with it. A new team always has a default installer created with the Default Configuration Connect Setting applied to it.
6. Use separate host user accounts for each user: When signing into machines, avoid using shared user accounts. Each user should sign in with their own local machine credentials. If the local machine has Active Directory, LDAP, or OpenDirectory enabled, Jump Desktop Connect will automatically verify the user's credentials through these services.
User Accounts
Managing user accounts effectively is critical for maintaining security.
1. Always use separate user accounts: Never share user accounts. Unique logins allow for accurate access logs and cloud logging, making it easier to track user activity. For those managing multiple teams, consider implementing grouped billing to reduce costs by deduplicating users across all teams. To further manage license count, you can disable an administrator's remote access, ensuring each administrator maintains a distinct account.
2. Multiple Admins: Ensure each team has at least two admins. This redundancy prevents lockout scenarios, ensuring continuous administrative access. To manage license usage efficiently, you can disable an administrator's remote access when not needed.
3. If possible use SSO, SCIM, and Domain Verification: Teams Enterprise users can enable Single Sign-On (SSO), SCIM, and domain verification for seamless user account provisioning and deprovisioning. If SSO is not possible, see the recommendations below.
4. Non-SSO Teams:
- Require Two-Factor Authentication (2FA): For teams that do not have SSO, you can ensure all users enable 2FA for added security. Teams Enterprise users can enforce this requirement for all users in Dashboard -> Team -> Tasks -> Security.
- Disable Social Sign-In: When enforcing 2FA, make sure to disable social sign-in to ensure users create unique credentials with Jump Desktop: Dashboard -> Team -> Tasks -> Security -> Social Sign-In.
5. Set a Sign-In Duration: Setting a sign-in duration ensures that clients are automatically signed out of their Jump Desktop client applications after a certain time and are required to sign into their Jump Desktop accounts to reconnect to their machines. Consider setting this to 30 days or lower depending on your needs in Dashboard -> Team -> Tasks -> Security -> Sign-in Duration.
6. Regular User Account Reviews: Periodically review user activity, sign-in locations, and computer access. Disable or remove access for inactive users or those who no longer require access. To view a list of inactive users and see who has 2FA enabled, go to Dashboard -> Teams -> Tasks -> Users. Click Columns, enable Last Used and 2FA Enabled, and visually inspect the list. To view where users are signed in from, click a user's email and scroll down to the Where User Is Signed In section.
7. Educate Users: Advise users to only join trusted Jump Desktop Teams to avoid unintended exposure of their information.
8. Review tokens for your own accounts: Administrators and users should periodically review where they are signed in and review the API tokens assigned to their account. To review, visit the Dashboard, then click Security underneath the Home tab to check your own account's security. Check the Where I'm signed in section and the API Tokens section. Remove any sign-ins and tokens that are not recognized.
Review Logs
Regularly reviewing logs helps maintain security and monitor system activity:
1. Team Activity Logs: Activity logs provide detailed metadata about changes made to the team. Click the down arrow next to the log to reveal detailed information about the event. Review logs via Dashboard -> Team -> Tasks -> Activity Logs.
2. Team Connection Logs: Connection logs provide a consolidated view of all connections to your host machines. View connection logs via Dashboard -> Team -> Tasks -> Connection Logs, which track all machine logins.
3. Important note about Machine Removal and logs: When removing computers from your team, ensure you export connection history or use the API to archive logs, as the cloud logs will be deleted when the machine is removed. If you wish to keep the logs while removing the machine from the team, either factory erase the machine or manually reset Jump Desktop Connect settings and then re-add the machine as a new machine to the team while keeping the old machine in the team.
4. If possible, ingest all logs and team settings into your Security Information and Event Management (SIEM) tool: For advanced users, logs can be ingested via the API as detailed in the Jump Desktop API documentation. Additionally, all team settings can be retrieved and inspected using the Jump Desktop API.
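Getting connection logs into a SIEM is mostly a matter of flattening each record into the field names your SIEM already indexes, after which the review checks above can run as queries or as a scheduled script. The following is an added example written for this guide, not Jump Desktop's own code: the raw records are constructed and their field names are assumptions (a real export would come from the Connection Logs page or the Jump Desktop API), and the output uses Elastic Common Schema (ECS) style field names as a choice made here, not a format Jump Desktop produces. It also shows three review checks a practitioner typically wants once the logs are centralised: a user's first connection to a given computer, a new source country for that user, and off-hours activity.

```python
"""Normalise connection-log records for a SIEM and run a few review checks.

Added example, not Jump Desktop code. The raw records are constructed and
their field names are assumptions; a real export would come from the
Connection Logs page or the Jump Desktop API. The output uses Elastic
Common Schema (ECS) style field names, a choice made here, not a format
Jump Desktop produces.
"""
import json
from datetime import datetime, time, timezone

# Constructed connection log (UTC timestamps, documentation-range IPs), oldest first.
RAW_RECORDS = [
    {"timestamp": "2024-06-03T09:15:00Z", "user": "alice@example.com", "computer": "finance-01",
     "source_ip": "198.51.100.10", "country": "DE"},
    {"timestamp": "2024-06-03T10:00:00Z", "user": "bob@example.com", "computer": "design-01",
     "source_ip": "198.51.100.11", "country": "DE"},
    {"timestamp": "2024-06-04T14:30:00Z", "user": "alice@example.com", "computer": "finance-01",
     "source_ip": "198.51.100.10", "country": "DE"},
    {"timestamp": "2024-06-06T09:00:00Z", "user": "alice@example.com", "computer": "finance-01",
     "source_ip": "198.51.100.10", "country": "DE"},
    {"timestamp": "2024-06-06T23:45:00Z", "user": "bob@example.com", "computer": "finance-01",
     "source_ip": "198.51.100.11", "country": "DE"},
    {"timestamp": "2024-06-07T11:00:00Z", "user": "alice@example.com", "computer": "finance-01",
     "source_ip": "203.0.113.7", "country": "BR"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def to_siem_event(record: dict) -> dict:
    """Flatten one record into ECS-style field names for ingestion."""
    return {
        "@timestamp": parse_ts(record["timestamp"]).isoformat(),
        "event.action": "remote-session-connect",
        "event.dataset": "jumpdesktop.connection",
        "user.name": record["user"],
        "host.name": record["computer"],
        "source.ip": record["source_ip"],
        "source.geo.country_iso_code": record["country"],
    }


def to_ndjson(records) -> str:
    """Newline-delimited JSON, the bulk format most SIEM collectors accept."""
    return "\n".join(json.dumps(to_siem_event(r), sort_keys=True) for r in records)


def review_connections(records, baseline_until: datetime,
                       work_start: time = time(7), work_end: time = time(19)):
    """Flag connections after the baseline window that break established patterns.

    Everything before baseline_until is treated as known history; later records
    are checked for a user reaching a computer they had not used before, a new
    source country for that user, and activity outside work hours (compared in
    UTC here, so adjust work_start/work_end for the team's time zone).
    """
    seen_pairs, seen_origins, alerts = set(), set(), []
    for rec in sorted(records, key=lambda r: parse_ts(r["timestamp"])):
        ts = parse_ts(rec["timestamp"])
        pair = (rec["user"], rec["computer"])
        origin = (rec["user"], rec["country"])
        if ts >= baseline_until:
            if pair not in seen_pairs:
                alerts.append((rec["timestamp"], rec["user"], "first connection to " + rec["computer"]))
            if origin not in seen_origins:
                alerts.append((rec["timestamp"], rec["user"], "new source country " + rec["country"]))
            if not work_start <= ts.time() <= work_end:
                alerts.append((rec["timestamp"], rec["user"], "off-hours connection"))
        seen_pairs.add(pair)
        seen_origins.add(origin)
    return alerts


if __name__ == "__main__":
    print(to_ndjson(RAW_RECORDS))
    for when, who, why in review_connections(RAW_RECORDS, datetime(2024, 6, 5, tzinfo=timezone.utc)):
        print(f"{when} {who}: {why}")
```

With a baseline cut-off of 5 June, the constructed log yields three alerts: bob's late-night first connection to finance-01 (two alerts on one record) and alice's connection from a country she had not used before. The same logic translates directly into SIEM correlation rules once the events are indexed under the normalised field names.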
Securing Connectivity
Jump Desktop uses end-to-end encryption by default, ensuring secure connections from anywhere. This encryption cannot be disabled. However, additional configurations can be made to meet specific security and compliance needs. For detailed connectivity options, refer to the Connectivity Options in Jump Desktop for Teams.