18.8.36.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'

Information

This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.

The recommended state for this setting is: Disabled.

Rationale:

There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\System\Remote Assistance\Configure Solicited Remote Assistance

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

Impact:

Users on this computer cannot use e-mail or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.

Default Value:

Users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.

See Also

https://workbench.cisecurity.org/files/2700

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(4), CSCv6|5.1

Plugin: Windows

Control ID: 2aa28dba49ac4c05b606ad322e4e06ee4de61054be1563530fdb70bdeac0bd04