As more companies begin using Remote Desktop Services, it's only natural that users will want to connect to their...
remote desktop from a personal tablet or smartphone. However, accessing remote desktops from mobile devices can present security, supportability and other concerns in the enterprise.
Remote Desktop Services (RDS), a capability expanded in Windows Server 2008 R2, allows any client to run any application or operating system by separating where the desktop is used from where it runs. Although Microsoft RDS clients are available for almost every mobile operating system, administrators have to carefully consider whether it's in their best interest to allow employees to connect to virtual desktops on mobile devices.
Here are a few important considerations when using Windows RDS for mobile devices:
External access to Microsoft RDS
First, you have to consider whether your remote desktops are externally accessible. If the virtual desktops are only accessible from inside the corporate network, then there is little reason to allow users to access Remote Desktop Services from their mobile devices. On the other hand, if Microsoft RDS is accessible from beyond the network perimeter, then the question is whether allowing users to access remote desktops from mobile devices poses any sort of risk to the company.
The idea of allowing users to connect to corporate resources from their personal mobile devices is not new. IT pros refer to this type of connectivity as bring your own device (BYOD). One of the major disadvantages of BYOD is supportability, which becomes an important consideration for Windows RDS connections. If you allow users to connect to corporate network resources using their own device, users will expect IT admins to support both the connectivity and the mobile device.
Therefore, a BYOD program can be a major pain for help desk staff, which may not be trained on all of the latest mobile OSes and devices. If you are going to allow users to connect to remote desktops via BYOD, you need to make it clear that the organization will not officially support personal devices. Such a BYOD policy may seem harsh, but it's often the only way to avoid a support nightmare if you want to use Remote Desktop Services for mobile devices.
Mobile device security
In today's mobile world, one of the biggest problems with Remote Desktop Services is that security can become a serious issue. Imagine that a user decides to install a Windows RDS client on their personal tablet. Also pretend that the user configures the client to store their password so they don't have to enter it every time they connect to the network. If that tablet gets lost or stolen, anyone could connect to the network without even having to enter a password -- and access corporate data and applications.
There are ways to configure mobile devices so they adhere to your corporate security policy, but it's very difficult to enforce mobile device security on a tablet or smartphone that the company does not actually own. Many users will be resistant to the idea of having their personal devices locked down with passwords and other mobile device security mechanisms.
Another security issue admins must consider is malware. Users download all manner of apps, so it's possible that a mobile device could be infested with key loggers or other types of malware. If you allow Remote Desktop Services to connect remote desktops to mobile devices, these kinds of malware could pose a direct threat to the security of your corporate data.
The pro: Productivity
While it is easy to dwell on the negative aspects of Windows RDS for mobile devices, it's important to remember that connecting to virtual desktops from mobile devices could also increase the user's productivity. Sure, some users may treat the connectivity as more of a status symbol or a toy than a legitimate business tool, but the majority of users will use their mobile devices to get work done during non-working hours.
Let's not forget that it's the IT department's job to help users work more efficiently and to benefit the organization as a whole.
Verdict on Microsoft RDS
Still, it is difficult to ignore the concerns about mobile device security and supportability. My advice is to allow users to connect to virtual desktops from their mobile devices, but only by using approved RDS clients. That way, you can find an RDS client that does not store the user's passwords and that is known not to contain any malware.
Just make sure to be clear in your Microsoft RDS policy. It should state that the help desk staff will configure and test the Remote Desktop Services client, but will offer no further support for personal devices.
ABOUT THE AUTHOR:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.