I put this to the floor of technical wizardry for advice...
My client has 60+ dashboard/kiosk desktops within their LAN that currently use a combination of:
- Horizon View auto-logon into a persistent VM
- The persistent VM has the SCCM agent installed on it, and whatever drivers/kiosk specific software locally installed.
- Said machines are managed for the CMRC viewer tool; this allows an unsolicited connection to the desktop via its hostname so they can be remotely managed.
- Users who manage/own a dashboard write down the hostname of their machine, which has never changed!
We're introducing instant clone, non persistent machines on H7. This will all operate from within the LAN, so no connections from unknown networks. Thus far the technical challenges have been:
- Find a way to display the IP/hostname of the instant-clone so the 'owner' knows how to connect to their kiosk - SOLVED: BGInfo to display the Hostname or IP (just about acceptable with our security team...)
Problem: Find a tool that allows unsolicited remote access to the desktop - I'm very much open to ideas on this and there's a number of security considerations that (ideally) need to be met:
1. The tool should run at anything better than DES encryption to secure the connections. Ideally AES.
2. The tool (ideally) should run without needing to be locally installed (this avoids us needing to manage multiple desktop images). For example, the TightVNC Server component must be locally installed, which adds burden on our service teams. Most VNC tools I've seen need to register system services and add Windows Firewall rules, but if we could layer in the 'server' tool that would be perfect.
3. If there was a method to create a one-time access code for the 'owner' to reach their kiosk, this would help avoid the situation where Joe Bloggs mistyped his hostname and connected to John Smith's dashboard - infosec nightmares!
4. Ideally, there's some logging or audit of who connected to which desktop, and from what source.
My PoC has been using TightVNC, but this is freeware and is clunky/dated, but great for free. Has anyone had a similar challenge to this, and what were your ways around it? Any recommendations would be greatly appreciated. I've wrestled with trying to get Windows Remote Assistance to auto-accept invites from remote connections (unsolicited connections), but it seems there is no magic reg-key that we can enable to allow this.