Back

Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary.


CONTROL ID
01822
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Disable all unnecessary services unless otherwise noted in a policy exception., CC ID: 00880

This Control has the following implementation support Control(s):
  • Disable the "Offer Remote Assistance" setting., CC ID: 04325
  • Disable the "Solicited Remote Assistance" setting., CC ID: 04326


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Apple Remote Desktop should be disabled. It is a desktop management tool that provides AES-128 encryption. (Pg 87, Pg 129, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • The organization must only enable Remote Desktop Help Session Manager if absolutely necessary. This service supports the Remote Assistance functionality. (§ 4.1.13, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • Table F-2: For Windows 2003 Server, the organization must configure the permissions for Remote Desktop Help Session Manager (RDSessMgr) to Administrators: Full Control; System: Read; and System: Start, Stop, and Pause. Table F-3: For Windows 2000 Professional, the organization must configure the per… (Table F-2, Table F-3, Table F-4, CMS Business Partners Systems Security Manual, Rev. 10)
  • The Remote Desktop Help Session Manager service should be disabled. The service should be documented if enabling it is required. (§ 5.2.2.1, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The Remote Desktop Help Session Manager service should be Disabled, unless absolutely necessary. If it is Enabled, there should be a documented and justified reason. (§ 5.2.2.1, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • For Specialized Security - Limited Functionality systems, this service should be Disabled. For all other Windows XP environments, this service is Not Defined. (§ 3.1.1, § 6.5, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • This service is used in the Help and Support Center for controlling and managing Remote Assistance. The Remote Desktop Help Session Manager service is Not Defined for Enterprise Client environments and should be Disabled for Specialized Security - Limited Functionality environments. (Pg 69, NSA Guide to Security Microsoft Windows XP)