benc007 asked:

*** Teamviewer and RDP Security ***

I have my IT guy access my computer via Teamviewer so he can access my servers via RDP from my computer, and he doesn't have server login information.

If I give him RDP access to my computer instead of using TeamViewer, how can I secure files and data on my servers?

Hi Qlemo, I am not being argumentative, just need clarification. With the local admin, wouldn't the user have privileges to take ownership of files and set permissions? How can we limit access privileges for an account that has full local access, because that's what administrator access is.
Sorry, I misunderstood and thanks for your explanation.

benc007 (ASKER):

If I give my IT guy access to my computer, he would access my servers via RDP as administrator.

How can I limit his RDP access to my computer, so:
a) he cannot copy files and data from my computer to his local machine
b) he cannot copy files and data from my servers to his local machine?

Question is: are you monitoring him? If so, you can see all his actions. Teamviewer does not add any unknown factors. As long as he uses your session, you see anything.

benc007 (ASKER):

RE: Question is: are you monitoring him?
-> Yes I will record a video of his actions on my computer accessing the servers.

RE: screenshots (or him taking photos of the data on his screen) is something you cannot stop or regulate at all.
-> I guess I can't stop screenshots?

RE: You can disable resource sharing and clipboard on RDP so he will not be able to "easily" transfer files but it doesn't mean he won't be able to email it to himself for example.
-> How do I disable resource sharing and clipboard on RDP to my computer?

It seems some think he, the helper, RDPs into the server. No, he doesn't. He just uses TeamViewer to connect to the asker's machine and uses the asker's user to RDP into the server, so anything can be seen. Benc, why won't you just watch his actions? You can interrupt at any time.

benc007 (ASKER):

The IT guy used to use Teamviewer to access my PC and then use my PC to RDP to the servers.  Within Teamviewer there are custom settings to prevent file download and FTP.  Since TeamViewer has a time lag and recently imposed a 5 minute limit for their free version, I don't want to use it anymore.

I try to watch him when he accesses my PC and if I'm not there, my video recorder is on.  He could turn off the video recording but it's just in case.


RE: Expand (arrow down on bottom left) to see advanced settings. In "Local Resources" you uncheck Clipboard everything - make sure to also press the button to get more detailed options to uncheck. If done switch back to the first tab, and save. This is now your default setting, if not using a particular RDP file.
If I uncheck Clipboard, does this mean he cannot copy ALL file types from my computer and from my servers to his local computer?

How can I set up RDP on my computer so he can NOT copy any files or data from my PC?  

I am assuming if he can only access the servers via RDP from my computer:
a) he cannot copy files and data from my computer to his local machine
b) he cannot copy files and data from my servers to his local machine?
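
Added example, not part of the original thread: the "Local Resources" checkboxes quoted above are set in the connecting client, which here is the IT person's own machine, so the PC accepting the connection has to refuse redirection itself. The PowerShell below, run elevated on that PC, reads and then sets the registry values behind the Remote Desktop Services "Do not allow ... redirection" policies; the two function names are made up for this example.

```powershell
# Added example: host-side RDP redirection policy.
# Run elevated on the PC that ACCEPTS the RDP connection (the asker's PC).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry value name -> Group Policy setting it backs (1 = redirection refused)
$policies = [ordered]@{
    fDisableClip     = 'Do not allow Clipboard redirection'
    fDisableCdm      = 'Do not allow drive redirection'
    fDisableCpm      = 'Do not allow client printer redirection'
    fDisableCcm      = 'Do not allow COM port redirection'
    fDisableLPT      = 'Do not allow LPT port redirection'
    fDisablePNPRedir = 'Do not allow supported Plug and Play device redirection'
}

# Hypothetical helper: report which redirection channels the host currently refuses.
function Get-RdpRedirectionPolicy {
    foreach ($name in $policies.Keys) {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Value   = $name
            Policy  = $policies[$name]
            Blocked = ($value -eq 1)   # absent or 0: the client decides
        }
    }
}

# Hypothetical helper: refuse every redirection channel listed above.
function Set-RdpRedirectionPolicy {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $policies.Keys) {
        New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

Get-RdpRedirectionPolicy | Format-Table -AutoSize   # state before the change
Set-RdpRedirectionPolicy
Get-RdpRedirectionPolicy | Format-Table -AutoSize   # state after; test with a fresh RDP session
```

This closes only the RDP clipboard and device channels into that PC; as the replies in this thread point out, email, FTP, cloud storage and admin shares remain available to anyone with administrator access.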
serialband has some good points. However, I will take this one more step past what he said ...

My initial thought to the original post was "Why are you using this person / company when trust seems to already be low?" The more being posted and the more I think about it, that question keeps coming back.

To me, higher trust in the Admin of choice and a solid agreement should mitigate a lot combined with a product which can (1) record the session and (2) be configured to not allow (a) transfers and (b) background / unseen command line access. At that point, you have covered almost everything you can.

Again, I'm more concerned about the implicit lack of trust which I'm sensing that throws more flags in this conversation than what technology can / cannot do for this situation. I could be perceiving this wrong but it is what I sensed from the beginning and continue to do so.

benc007 (ASKER):

Yes, agreements are important. However, even when agreements are in place, I have been burned in the past. It's better to be safe than sorry when giving remote access to private data. Video recording is on for all sessions and additional security measures provide peace of mind.

RE: RDP options only apply to RDP sessions, they cannot have any effect outside of that.
If you RDP into some machine with Clipboard enabled, and then RDP to another machine without, you can copy using the clipboard between the first machine and your machine, but not from/to the second machine in any way.


If RDP is set up on my computer with clipboard DISABLED, and RDP from my computer to servers has clipboard ENABLED, can he copy files and data to his local machine?

benc007 (ASKER):

If clipboard is disabled on both my computer and on the servers, can he copy files FROM my computer TO servers and vice versa?

There are ways he can do it, like via FTP, webmail, or cloud storage. It's very hard to control because he will have access to the internet. Also keep in mind that if he has domain admin credentials he will be able to jump into other machines in your LAN.

... and, depending on the configuration of each workstation (which is usually left as default), use the command line (if it is a feature he can run hidden from your view) or the open screen to surf C$ shares for data, etcetera.

In my opinion, he could be the verified, certified and guaranteed world's best technical mind but if trust / integrity become questionable, I'll choose someone else every time. I would rather pay three guys wages, sleep well at night and keep my career intact (or quit if management forces me to hire or subcontract to him) rather than play with that kind of fire.

Then why are you trying to go RDP, just go with a paid copy of Teamviewer to a desktop you can watch and wrest control from.  I'm not sure what kind of IT people you contract with, but if you're not able to trust them even with a signed contract, then you should hire someone in house.  Giving them admin access means they can get around anything, assuming they are capable admins.  The only limit on them is legal and trust.

benc007 (ASKER):

So is TeamViewer the best choice then?

benc007 (ASKER):

Thank you everyone for your help!!!