One of the reservations I've had with ARD is that it allows anyone on the same network as you to access your computer, as long as:
-
ARD is enabled (this can be confirmed by scanning with the ARD client software)
-
Your username (most likely the same or similar to your computer name that shows up in the ARD client software)
-
Your password. (this is not so easy to figure out, but most users seem to be a bit more lax with their local machine password, than they would with say a cloud account password, which may be managed by a password manager)
The problem with this is that there doesn't seem to be any brute force protections, built into ARD, nor key / certificate method, where you could setup a key in advance.
I think I've found a way around this to some extent, but wanted to know if this would actually work, or if there are any shortcomings in this. My work-around would be to create a new user on the machine I plan to be the ARD host. This user account would be called, for example, "ARD", and have a really strong password manager generated password.
I would then use my the ARD client machine to login to the ARD user on the host. What I've noticed is that once you've connected, and as long as you have the usernames / passwords for the other user accounts on the host machine, you can login to those other user accounts, even if those other users don't have ARD enabled under the preference tab.
Are there any potential issues you could see with the above ?
Best Answer
The protection of the ARD is in the fact that you can enable and disable users for this feature.
The brute force protection is that of the user account. You can set it up to lock after 5 failed attempts or what ever you please.
It is strongly advisable NOT to use an Admin account for this, but instead use a normal account to give access to the ARD, and using account switching or admin privilege escalation where and when you need it. Part of the reason being is that you can take over the session of any user currently logged in that way, without the user knowing. So IF you are worried about people breaking in to your account, that is the way to minimise the risk as far as possible. (Best practice is that nobody is admin on a Mac apart from a dedicated account that can be used for privilege escalation instead)
Hope this helps in your decision making process.
GJ