Can Symantec DLP endpoints be deployed onto a Windows Remote Desktop Service instance?


Article ID: 159398


Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Discover

Issue/Introduction

Can Symantec DLP be deployed within Remote Desktop Server Instances?

Environment

Remote Desktop Services and Remote Desktop (RD) Session Hosts are certified on Windows Server 2008 R2, in DLP releases from 12.5 and up.

Resolution

When using Windows Remote Desktop Services, be aware that this is not the best method for detecting data loss on 'unmanaged endpoints'.

For best results at controlling user activity, a Symantec DLP Endpoint Agent should be installed on the Endpoint (not on the Remote Desktop Session Host, aka RD Session Host).

As per the DLP Administrator Guide, from 12.5 onwards:

By running a DLP Agent in the virtual host, you can prevent a user from copying confidential data that is accessible from the hosted virtual desktop to a remote computer or device that may not be secure. You can configure DLP Agent to monitor storage volumes, print and fax requests, clipboards, and network activity on the virtual desktop.

In general, the best way to address the entire 'unmanaged endpoints' area is to utilize DLP Detection Servers, such as Network Monitor. Otherwise, an endpoint agent will need to be set up on each virtual environment.

Please note that Windows Terminal Services Sessions in Windows Server 2003 and earlier environments are not certified.