I was approaching the DMZ RDP host virtual server this way:
His company is *UBER* paranoid, but still has to service personnel that are outside the country and need access to files that are restricted and can't be stored on hardware that leaves the country. (Say, DoD security blueprint files, for consultants dealing with Chinese material dealers. They need access to the blueprint data to make sure the material they are brokering the purchase of is going to suit their needs, but they DO NOT want the Chinese to steal the blueprints while he is in the shower. As such, they issue the executive a netbook running a liveCD based OS, and have him access an RDP host that is in a special DMZ, to get access to his files, and only as needed. They might even require use of an OTP generating key dongle. Hell, *I* have such a toy, and I need it to access BOEING's internal website! Requiring a 2 front pass to get in from outside the DMZ is just plain prudent in this case.)
The (ab)user learns what the LOCAL IP address is, and RDPs to that virtual host from his workstation. He loads DF on that virtual host, and plays it over RDP, in text mode.
Because that virtual host is servicing foreign executives, CPU and network activity are expected, and not flagged. If he uses a whitelisted VM inside the virtual host (and suffers the performance penalty), he won't trigger any unsigned-code flags either. The most he might trigger is an unapproved user account access attempt, and then only if the VM is configured right by the DA. Many enterprise assets are NOT configured right, so he could very well RDP into that system through the local intranet, without suspicion.
It's just REALLY REALLY ballsy.
:D
Some of the benefits of doing this: screen-capturing spyware would experience similar problems to what normal capture software, like Fraps, experiences: capturing an uninformative black rectangle where the RDP session window is! Not guaranteed, but the possibility is certainly real.
Further, keypresses wouldn't be very informative, and would be further obscured if you are *also* doing your job at the same time. Bonus points if you have legitimate reasons to use RDP sessions. (Like I do. I need it to access our MRP infrastructure, which is hosted on a terminal services virtual host. Many MRP systems are accessible this way, because they also function as the timeclock, and for clocking job cards.)