1.2.2.1.2 Configure 'Solicited Remote Assistance'

Information

This policy setting determines whether remote assistance may be solicited from computers running Windows operating systems in your environment. You can enable this policy setting to allow users to solicit remote assistance from IT expert administrators.

If the Solicited Remote Assistance setting is enabled, the following options are available:

- Allow helpers to remotely control the computer
- Allow helpers to only view the computer

Also, the following options are available to configure the amount of time that a user help request remains valid:

- Maximum ticket time (value)
- Maximum ticket time (units): hours, minutes or days

When a ticket (help request) expires, the user must send another request before an expert can connect to the computer.

If you disable the Solicited Remote Assistance setting, users cannot send help requests and the expert cannot connect to their computers.

If the Solicited Remote Assistance setting is not configured, users can configure solicited remote assistance through the Control Panel. The following settings are enabled by default in the Control Panel: Solicited Remote Assistance, Buddy support, and Remote control. The value for the Maximum ticket time is set to 30 days.

If this policy setting is disabled, no one will be able to access Windows Vista client computers across the network.

There is a slight risk that a rogue administrator will gain access to another user's desktop session. However, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation.

Solution

Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance

Impact:

If you enable this policy, users on this computer can use e-mail or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.

If you disable this policy, users on this computer cannot use e-mail or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.

If you don't configure this policy, users can enable or disable Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.

If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: 'Allow helpers to only view the computer' or 'Allow helpers to remotely control the computer.'

The 'Maximum ticket time' setting sets a limit on the amount of time that a Remote Assistance invitation created by using e-mail or file transfer can remain open.

The 'Select the method for sending e-mail invitations' setting specifies which e-mail standard to use to send Remote Assistance invitations. Depending on your e-mail program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your e-mail message). This setting is not available in Windows Vista since SMAPI is the only method supported.

If you enable this policy, you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
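To audit which of the three states described above (enabled, disabled, not configured) a machine is actually in, the following added PowerShell example interprets the policy's registry values. It is not part of the benchmark or this page: the registry key and value names are taken from the Remote Assistance administrative template rather than from the text above, `Get-SolicitedRAState` is a hypothetical helper name, and the sample values are constructed.

```powershell
# Added example: report the effective 'Solicited Remote Assistance' policy state.
# Key and value names come from the Remote Assistance administrative template,
# not from this page. Get-SolicitedRAState is a hypothetical helper name.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueNames = 'fAllowToGetHelp', 'fAllowFullControl', 'MaxTicketExpiry', 'MaxTicketExpiryUnits'

function Get-SolicitedRAState {
    param([hashtable]$Values)   # policy values keyed by registry value name

    $result = [ordered]@{ State = 'Not configured'; HelperAccess = $null; MaxTicket = $null }
    if (-not $Values.ContainsKey('fAllowToGetHelp')) {
        # No policy value present: users decide in System Properties (Control Panel).
        return [pscustomobject]$result
    }
    if ([int]$Values['fAllowToGetHelp'] -eq 0) {
        $result.State = 'Disabled'
        $result.HelperAccess = 'None'
        return [pscustomobject]$result
    }
    $result.State = 'Enabled'
    # 1 = helpers may remotely control the computer, 0 = helpers may only view it.
    $fullControl = $Values.ContainsKey('fAllowFullControl') -and [int]$Values['fAllowFullControl'] -eq 1
    $result.HelperAccess = if ($fullControl) { 'Remote control' } else { 'View only' }
    # Ticket lifetime is stored as a number plus a unit code.
    $units = @{ 0 = 'minutes'; 1 = 'hours'; 2 = 'days' }
    if ($Values.ContainsKey('MaxTicketExpiry') -and $Values.ContainsKey('MaxTicketExpiryUnits')) {
        $unit = $units[[int]$Values['MaxTicketExpiryUnits']]
        if ($unit) { $result.MaxTicket = '{0} {1}' -f $Values['MaxTicketExpiry'], $unit }
    }
    return [pscustomobject]$result
}

# Constructed sample: policy enabled, view-only helpers, 6-hour tickets.
$sample = @{ fAllowToGetHelp = 1; fAllowFullControl = 0; MaxTicketExpiry = 6; MaxTicketExpiryUnits = 1 }
Get-SolicitedRAState -Values $sample

# Live check: collect whichever policy values exist on this computer.
$live = @{}
if (Test-Path $PolicyKey) {
    $item = Get-ItemProperty -Path $PolicyKey
    foreach ($name in $ValueNames) {
        if ($null -ne $item.$name) { $live[$name] = $item.$name }
    }
}
Get-SolicitedRAState -Values $live
```

A result of 'Not configured' means the user-controlled Control Panel settings apply, so the Group Policy value alone does not tell you whether help requests can be sent from that machine.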

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(4), CCE|CCE-3599-8

Plugin: Windows

Control ID: c8eb02d6f702f448e116e0286f973ff04179e76d8d4d7e199a80fdbfbabf4927