
Remote Access to Win Server based on ip and username


35 replies to this topic

#1 j_great

j_great

    Neowinian

  • Joined: 05-November 13

Posted 05 November 2013 - 07:14

Hello Guys,

 

I have a VPS Server running Windows Server 2008 R2 Standard. I access it using Remote Desktop Connection. I have admin rights so I can login and do my stuff. I wanted to give restricted access to 1 more guy so I created his normal user account and configured it so that he can also access it.

 

But I wanted his access to be restricted by IP address so he can only access it from work. To do this I configured the firewall so that connections only from a specific IP are allowed. Though it worked, it applies to everyone, which means that even if I try to access it from some other IP I can't. How can I restrict login to a specific IP for only his account?

 

I would be glad if anyone can help me.

 

Thank you,

 

Jack




#2 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 05 November 2013 - 11:51

You don't restrict login to ip. That isn't a function of active directory.

#3 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 05 November 2013 - 11:57

"How can I restrict login via specific ip this for only his account ?"

On the firewall you don't - you need to setup your firewall rule to allow both your IP and his IP.

#4 +fusi0n

fusi0n

    The Crazy One

  • Tech Issues Solved: 1
  • Joined: 08-July 04
  • OS: OSX 10.9
  • Phone: iPhone 5S 64GB

Posted 05 November 2013 - 12:00

Adding a VPN and turning off 3389 to the internet would add an extra layer of security as well.

#5 OP j_great

j_great

    Neowinian

  • Joined: 05-November 13

Posted 06 November 2013 - 04:13

I didn't understand what you guys are trying to say. If I configure the RDC rule in the firewall and specify an IP address then it accepts logins from only that IP. Though it does the job, the problem is 1. my IP is not static, 2. it applies to all accounts (and I want it for his only).



#6 farmeunit

farmeunit

    The other white meat.

  • Tech Issues Solved: 2
  • Joined: 05-May 03
  • Location: Branson, MO USA

Posted 06 November 2013 - 04:26

Use a separate remote program for yourself.  VNC, TeamViewer, LogMeIn, or whatever.



#7 OP j_great

j_great

    Neowinian

  • Joined: 05-November 13

Posted 06 November 2013 - 04:52

Remote programs like TeamViewer or VNC do not work properly in Windows Server. As long as the RDC window is open it will work, and the moment that window is minimized or closed TeamViewer stops working. What's the point of TeamViewer when I can anyway see the desktop through RDC?



#8 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 07 November 2013 - 06:56

Does not work properly on server...that is interesting because I use programs like them all the time to remotely connect to servers to administrate them. What is this "does not work properly" you are referring to?

Very specifically I manage over 500 servers with logmein.

#9 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 07 November 2013 - 20:53

"1. my ip is not static 2. it applies to all accounts (and I want his only)."

How would other accounts be coming from his IP? And even if they did, they would still need his account info to login? So confused as to how 2 is an issue?

As to 1, but his is? Where are you coming from - yeah not having a static IP can be an issue with trying to create firewall rules that limit by IP ;)

as to
"Remote programs like Teamviewer or VNC does not work properly in Windows Server"

You're confused for sure - both TeamViewer and VNC work just fine on all flavors of Windows.

http://www.teamviewe...-supported.aspx
Which operating systems are supported?

TeamViewer 9 is available for the following operating systems:

Windows

Windows Millennium Edition / NT(Service Pack 6a, at least IE 5.5) / 98 *
Windows 8 / 7 / Vista / XP
Windows Server 2012 / 2008R2 / 2008 / 2003
Windows Home Server / Home Server 2011

http://www.realvnc.c...vnc/tech-specs/
Supported platforms
Windows

x86 and x64 architectures supported, where available:

8.x
7
Vista
XP
2000
Server 2012
Server 2008 R2
Server 2008
Server 2003

NT 4 (SP6a)

#10 OP j_great

j_great

    Neowinian

  • Joined: 05-November 13

Posted 10 November 2013 - 07:14

Thanks for your help. I think there is some confusion and I will clear it up.

 

1) I have admin access and the other person is a standard user. I wanted him to access the VPS server from work only. But the problem is that at my workplace the IP is dynamic, so restricting access on the basis of IP isn't possible. Plus if I create a firewall rule and restrict by IP it applies to all accounts on that server. (Please note that the VPS server is located somewhere on the planet and not at my workplace.)

 

2) When I said teamviewer does not work properly I meant that teamviewer in server works only if the RDC connection is open. This is a problem because why would I need teamviewer if RDC is open, I might very well use the RDC. If RDC closes teamviewer doesn't work and this destroys the very purpose itself.

 

I hope this helped.



#11 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 10 November 2013 - 07:18

The only thing you can do in this situation is to give him VPN access.

#12 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 11 November 2013 - 02:22

"I meant that teamviewer in server works only if the RDC connection is open."

What??? Nonsense, Teamviewer or logmein or vnc have nothing to do with remote desktop being available or not. Nothing!

"But the problem is at my workplace the IP is dynamic"

So his public IP is dynamic? I find this unlikely to be honest.. At most what, a pool of a couple of public IPs, so limit it to the public IPs of your work. This is a server at some host somewhere on the planet, right, not your work network.

Now I agree we don't want anyone from the internet to be able to access port 3389 and maybe guess a username or password to login. So you create a firewall rule that only allows the public IP address of your work, let's call it 1.2.3.4 for example.

Now only someone from work can access your VPS via remote desktop. That your place of work allows 3389 outbound to the public internet is an issue for another discussion ;) Who at work would have his user name and password, are you worried about someone at work knowing your VPS ip address, and username and password to access remote desktop?

Let's say work owns 1.2.3.0/24 and you don't really know what IP address he might come from - it could be 1.2.3.1 or 1.2.3.254 or anything between. So just allow 1.2.3.0/24. You're still blocking 99.9999999999999999999999% of the rest of the internet.

So I would take it you can connect from this place of work as well, so that firewall rule covers both of you. Now I guess you want to be able to access it from home as well, right - so create a rule that allows your home IP as well. Do you want to access it from your local Starbucks, then go to your local Starbucks and look to see what their public IP is via something like whatsmyip.org and set a rule to allow access from there.

Just because home users get their IPs via DHCP from their ISP does not mean they change hourly.. I have had the same IP address for a year or something. And I can tell you for example that the public IP address at Starbucks is not going to change very often.

As to what sc302 is saying, is allow vpn connection from ANY IP.. This is going to be a secure connection requiring more than just username and IP.. I would suggest say openvpn with TLS auth, so user has to have KEY to access your server..

edit: So here is me connected to a windows server os 2k8r2, it has remote desktop disabled.. See where I point that out in the screenshot via my teamviewer connection to it ;)

teamviewer.png

#13 OP j_great

j_great

    Neowinian

  • Joined: 05-November 13

Posted 12 November 2013 - 09:52

(quoting BudMan's reply #12 above in full)

 

Thanks buddy for your inputs. Let's solve this one topic at a time:

 

1) Team Viewer

I don't know how teamviewer worked in your server but read below a mail I got from teamviewer when I told them that I am unable to connect if RDC is off.

------------------------------

Pasting email contents

------------------------------

Dear Sir,

Thank you for your reply.

Basically if there is no active RDC connection to a user profile then there will no active desktop generated for TeamViewer to connect to. Hence in regards to "How to use teamviewer if my RDC window is not connected/closed." this is not possible to due to software limitations.

Also please excuse my colleague's statement as it may be misleading for your scenario. TeamViewer does not replace RDC connections, it only enhances them (more functionality plus allows multiple users to see the same screen).

If you have any further questions or require further information, please do not hesitate to contact us.

P.S.: TeamViewer 9 is ready - Secure your introductory discount now!
www.teamviewer.com/version9

Best Regards,

William Luu
-Support Technician-
------------------------------
TeamViewer Pty Ltd * www.teamviewer.com

 

--------------------------------------------------------------

 

2) So his public IP is dynamic? I find this unlikely to be honest. <----- come on, do you think I am making this up.

 

3) I did understand your logic behind the IP thing.

 

a) I am not worried that someone else from work will access it using his username or password (it won't happen)

b) all I want is for him not to access the RDC from any other location (except work)

c) the IP at work is dynamic so it changes frequently (i.e. maybe once a day or once in a few days or if the router is restarted)

d) I don't know how your dynamic IP didn't change for months or a year but here it changes within days if not earlier.

e) I cannot restrict by public ip as it changes (mentioned above) plus it applies to all accounts. The last thing I want is that i myself cannot login.

f) Same case for my home as its ip is also dynamic.

g) Because the ip changes completely I cannot form a pool or state from 1-10.

 

I hope this helped.



#14 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 12 November 2013 - 13:31

No, none of it helps because all you're stating is gibberish nonsense.

What did you email them when you got that email back for starters? No **** you can not teamview to a profile that is not active. If you wanted to support someone. If TeamViewer is running as a service or you are consoled in when running it then you can teamviewer to it. But no you would not be able to teamviewer in if the software is not running.

This was your question?
"How to use teamviewer if my RDC window is not connected/closed." What was the rest of it? No you would not be able to teamviewer in and help someone that only has remote desktop access to something.. etc.. Since how would they run tv, etc. Which has NOTHING to do if tv is installed as a service on the machine.

So where is the question you asked them in detail?

2) Yeah I do!! Let's say they reboot the router daily, let's say that ISP changes the IP address on purpose.. You're still going to be inside a network block of a.b.c.0/mask so there will be a range of IPs, be it 254, be it 2k, be it 4k, etc. That you will fall into.. So lock it down to this and you're done.. This person can only access the remote desktop from that location or if he VPNs into that location, or for some crazy reason he lives in the area and has the same ISP.

But a place of business would normally have a static anyway, other than small ma and pop shops with home internet type connections. So I take it this is a ma and pop shop?

b) if you limit the IP range to who can access, he won't.
c) makes no matter to the solution allow the netblock as already went over in great detail!

d) Because of how dhcp works, there is a lease time.. You get the IP address for a specific amount of time. Even if you shut off your device that lease is still yours until it expires. Only once the lease has expired does the IP address go back into a pool for reissue. So even if off for length of time, that IP address is still under lease and you will get it back when you comeback online. These leases are normally for hours if not days.

leasetime.png

So there is my lease from my router.. Notice the time of the lease 345600 seconds = 4 days.. So I could turn off my router and would have somewhere short of 4 days before my IP address would be returned. Since you renew it at the 50% mark, you would have a min of 2 days on the clock. This is how you keep the same address even if dynamic.. You keep renewing it if on, and even if off you need to be off for longer than the lease to lose the IP address you had. Work you would think would be on 24/7/365 --- keep in mind I'm not talking about your local RFC1918 address that your work DHCP hands out, since this has nothing to do with anything you're talking about.

e) already answered in great detail as well - use a netblock

f) Again netblock!!! What do you not understand about a range of addresses? An ISP can only hand you an address they own, so its going to be a very small range.. If you see in the above lease.

option subnet-mask 255.255.248.0;

so /21 or 2046 addresses.. How is that not good enough restriction??

g) more gibberish!

edit: Here you go - look accessing via tv, remote desktop not running. Can access whatever profile I want, etc. So your problem with what tv sent you was how you asked the question. Because clearly I am remoted to this machine, can login to whatever profile would be available on the machine and remote desktop is not running - look no 3389 port even listening

tv1.png
tv2.png
tv3.png

So here I now see it on my computers TV interface of machines I can connect too.
tv4.png

Here is the windows login screen where I could pick what account I want to access.
tv5.png

Here is me connected via tv, when clearly remote desktop is not running on this machine!
tv6.png

So how is that remote desktop has to be running for TV to work??
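
As an added example (not code from this thread or from any of its posters), the Python script below models the firewall rule BudMan describes in #12 and #14: allow TCP/3389 only from the employer's netblock and drop everything else. It uses the thread's own values (the 1.2.3.0/24 block, j_great's 120.59.180.190 and the 255.255.248.0 mask from the lease) to show how a mask turns one dynamic address into the /21 block the rule should cover, and which constructed source addresses that rule would accept or drop.

```python
"""Netblock allow-list model for an inbound RDP firewall rule.

Added example, not code from the Neowin thread. Addresses come from the
thread (1.2.3.0/24, 120.59.180.190, subnet mask 255.255.248.0); the
connection attempts at the bottom are constructed sample data.
"""
import ipaddress

RDP_PORT = 3389


def block_for(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Return the network block an address sits in for a given subnet mask.

    This is the "netblock" of the thread: an ISP only hands out addresses
    from a range it owns, so a dynamic address stays inside this block
    even when the host part changes between leases.
    """
    return ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)


def usable_hosts(network: ipaddress.IPv4Network) -> int:
    """Host addresses excluding network and broadcast (a /21 gives 2046)."""
    return max(network.num_addresses - 2, 0)


class RdpAllowList:
    """Minimal model of an inbound 'allow from these remote IPs' rule."""

    def __init__(self, allowed_blocks):
        self.allowed = [ipaddress.IPv4Network(b, strict=False) for b in allowed_blocks]

    def permits(self, source_ip: str, dst_port: int = RDP_PORT) -> bool:
        """True if a connection to dst_port from source_ip would be accepted.

        Anything that does not match an allowed block is dropped: the
        default-deny posture the thread relies on to keep 3389 off the
        open internet.
        """
        if dst_port != RDP_PORT:
            return False
        src = ipaddress.IPv4Address(source_ip)
        return any(src in block for block in self.allowed)


def evaluate(allow_list: RdpAllowList, attempts):
    """Classify each constructed connection attempt as allowed or dropped."""
    return {ip: ("allowed" if allow_list.permits(ip) else "dropped") for ip in attempts}


if __name__ == "__main__":
    work = block_for("120.59.180.190", "255.255.248.0")
    print(f"work netblock: {work} ({usable_hosts(work)} usable hosts)")
    rule = RdpAllowList(["1.2.3.0/24", str(work)])
    # Constructed sample source addresses: inside both blocks, just outside
    # the /21, and an unrelated internet host.
    attempts = ["1.2.3.1", "1.2.3.254", "120.59.183.7", "120.59.184.1", "203.0.113.9"]
    for ip, verdict in evaluate(rule, attempts).items():
        print(f"{ip:>14} -> {verdict}")
```

With the 255.255.248.0 mask the block is 120.59.176.0/21 (120.59.176.0 through 120.59.183.255), so a lease that moves the address anywhere inside that range still matches the rule, while 120.59.184.1, one address past the block, is dropped. On Windows Server the same allow-list is expressed on the real firewall with `netsh advfirewall firewall add rule` using the `remoteip=` parameter in CIDR form; as sc302 notes, such a rule matches on source address only, not on the account logging in.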

#15 OP j_great

j_great

    Neowinian

  • Joined: 05-November 13

Posted 13 November 2013 - 08:43

(quoting BudMan's reply #14 above in full)

 

Though my knowledge on the networking side is limited, it's crazy how you assumed some of the things.

 

1) Team Viewer

 

I acknowledge that you are able to run team viewer (as shown in images above) but when I said I am unable to run it, it didn't mean that I had RDC window open/closed only and that's it. This is what I did :

 

-> I installed TeamViewer, chose the option "Install to control this computer later from remote". Then I ran TeamViewer and took a note of the ID and password. (TeamViewer service and program are running.) Then I just closed the RDC window. After that, when I tried to connect, it failed. Then I opened the RDC window and tried to connect and it succeeded. This is what happened, and when I emailed this to the TV support guys I got the reply which I pasted in the post above. After reading that reply what would you think?

 

2) I am sorry but I need a bit of clarification on this front :

Your still going to be inside a network block of a.b.c.0/mask so there will be a range of ips, be it 254, be it 2k be it 4k, etc. That you will fall into.. So lock it down to this and your done.. This person can only access the remote desktop from that location or if he vpns into that location, or for some crazy reason he lives in the area and has the same ISP.

 

-> Does this mean that if my IP is 120.59.180.190 then only the last few sets will change, or what does the above mean?
 

-> This is a small business and to be honest we never required a static ip so far.

 

3) how fast the IP changes does not matter to me as I can't keep track and update it in the IP list frequently. Please re-explain the netblock thing to me.

 

Thank you.




