Remote Access to Win Server based on ip and username

[j_great]

Hello Guys,

 

I have a VPS Server running Windows Server 2008 R2 Standard. I access it using Remote Desktop Connection. I have admin rights so I can login and do my stuff. I wanted to give restricted access to 1 more guy so I created his normal user account and configured it so that he can also access it.

 

But I wanted that his access is restricted by IP address so he can only access from work. To do this I configured the firewall so that connections only from specific IP is allowed. Though it worked, it is applied for everyone which means even if I try to access it from some other IP I can't. How can I restrict login via specific ip this for only his account ?

 

I would be glad if anyone can help me.

 

Thank you,

 

Jack

[sc302 Veteran]

You don't restrict login to ip. That isn't a function of active directory.

[+BudMan MVC]

"How can I restrict login via specific ip this for only his account ?"

On the firewall you don't - you need to setup your firewall rule to allow both your IP and his IP.

[fusi0n]

Adding a VPN and turning off 3389 to the internet would add an extra layer of security as well..

[j_great]

I didn't understand what you guys are trying to say. If I configure RDC rule in firewall and specify IP address then it accepts login from only that ip. Though it does the job but the problem is 1. my ip is not static 2. it applies to all accounts (and I want his only).

[farmeunit]

Use a separate remote program for yourself.  VNC, TeamViewer, LogMeIn, or whatever.

[j_great]

Remote programs like Teamviewer or VNC does not work properly in Windows Server. As long as the RDC window is open it will work and the moment that window is minimized or closed teamviewer stop working. Whats the point of teamviewer when I can anyways see the desktop through RDC.

[sc302 Veteran]

Does not work properly on server...that is interesting because I use programs like them all the time to remotely connect to servers to administrate them. What is this "does not work properly" you are referring to?

Very specifically I manage over 500 servers with logmein.

[+BudMan MVC]

"1. my ip is not static 2. it applies to all accounts (and I want his only)."

How would other accounts becoming from his IP? And even if they did, they would still need his account info to login? So confused as to how 2 is an issue?

As to 1, but his is? Where are you coming from - yeah not having a static IP can be an issue with trying to create firewall rules that limit by IP ;)

as to

"Remote programs like Teamviewer or VNC does not work properly in Windows Server"

Your confused for sure - both teamviewer and vnc work just fine on all flavors of windows.

http://www.teamviewer.com/en/help/38-Which-operating-systems-are-supported.aspx

Which operating systems are supported?

TeamViewer 9 is available for the following operating systems:

Windows

Windows Millennium Edition / NT(Service Pack 6a, at least IE 5.5) / 98 *

Windows 8 / 7 / Vista / XP

Windows Server 2012 / 2008R2 / 2008 / 2003

Windows Home Server / Home Server 2011

http://www.realvnc.com/products/vnc/tech-specs/

Supported platforms

Windows

x86 and x64 architectures supported, where available:

8.x

7

Vista

XP

2000

Server 2012

Server 2008 R2

Server 2008

Server 2003

NT 4 (SP6a)

[j_great]

Thank for your help. I think there is some confusion and I will clear it.

 

1) I have admin access and the other person is a standard user. I wanted him to access the VPS server from work only. But the problem is at my workplace the IP is dynamic so restricting access on the basis of ip isn't possible. Plus if I create a firewall rule and restrict by ip it applies to all accounts in that server. (please note that the vps server is located somewhere in the planet and not at my workplace)

 

2) When I said teamviewer does not work properly I meant that teamviewer in server works only if the RDC connection is open. This is a problem because why would I need teamviewer if RDC is open, I might very well use the RDC. If RDC closes teamviewer doesn't work and this destroys the very purpose itself.

 

I hope this helped.

[sc302 Veteran]

The only thing you can dull in this situation is to give him vpn access.

[+BudMan MVC]

"I meant that teamviewer in server works only if the RDC connection is open."

What??? Nonsense, Teamviewer or logmein or vnc have nothing to do with remote desktop being available or not. Nothing!

"But the problem is at my workplace the IP is dynamic"

So his public IP is dynamic? I find this unlikely to be honest.. At most what a pool of a couple of public IPs, so limit it to the public IPs of your work. This is server at some host somewhere on the planet right not your work network.

Now I agree we don't want anyone from the internet to be able to access port 3389 and maybe guess a username or password to login. So you create a firewall rule that only allows the public IP address of your work, lets call it 1.2.3.4 for example.

Now only someone from work can access your VPS via remote desktop. That your place of work allows 3389 outbound to the public internet is an issue for another discussion ;) Who at work would have his user name and password, are you worried about someone at work knowing your VPS ip address, and username and password to access remote desktop?

Lets say work owns 1.2.3.0/24 and you don't really know what IP address he might come from - it could be 1.2.3.1 or 1.2.3.254 or anything between. So just allow 1.2.3.0/24 Your still blocking 99.9999999999999999999999% of the rest of the internet.

So I wold take it you can connect from this place of work as well, so that firewall rule covers both of you. Now guess you want to able to access it from Home as well, right - so create a rule that allows your home IP as well. Do you want to access it from your local starbucks, then go to your local starbucks and look to see what their public IP is via something like whatsmyip.org and set a rule to allow access from there.

Just because home users get their IPs via dhcp from their isp does not mean they change hourly.. I have had the same IP address for year something. And I can tell you for example that the public Ip address at starbucks is not going to change very often.

As to what sc302 is saying, is allow vpn connection from ANY IP.. This is going to be a secure connection requiring more than just username and IP.. I would suggest say openvpn with TLS auth, so user has to have KEY to access your server..

edit: So here is me connected to a windows server os 2k8r2, it has remote desktop disabled.. See where I point that out in the screenshot via my teamviewer connection to it ;)

[j_great]

"I meant that teamviewer in server works only if the RDC connection is open."

What??? Nonsense, Teamviewer or logmein or vnc have nothing to do with remote desktop being available or not. Nothing!

"But the problem is at my workplace the IP is dynamic"

So his public IP is dynamic? I find this unlikely to be honest.. At most what a pool of a couple of public IPs, so limit it to the public IPs of your work. This is server at some host somewhere on the planet right not your work network.

Now I agree we don't want anyone from the internet to be able to access port 3389 and maybe guess a username or password to login. So you create a firewall rule that only allows the public IP address of your work, lets call it 1.2.3.4 for example.

Now only someone from work can access your VPS via remote desktop. That your place of work allows 3389 outbound to the public internet is an issue for another discussion ;) Who at work would have his user name and password, are you worried about someone at work knowing your VPS ip address, and username and password to access remote desktop?

Lets say work owns 1.2.3.0/24 and you don't really know what IP address he might come from - it could be 1.2.3.1 or 1.2.3.254 or anything between. So just allow 1.2.3.0/24 Your still blocking 99.9999999999999999999999% of the rest of the internet.

So I wold take it you can connect from this place of work as well, so that firewall rule covers both of you. Now guess you want to able to access it from Home as well, right - so create a rule that allows your home IP as well. Do you want to access it from your local starbucks, then go to your local starbucks and look to see what their public IP is via something like whatsmyip.org and set a rule to allow access from there.

Just because home users get their IPs via dhcp from their isp does not mean they change hourly.. I have had the same IP address for year something. And I can tell you for example that the public Ip address at starbucks is not going to change very often.

As to what sc302 is saying, is allow vpn connection from ANY IP.. This is going to be a secure connection requiring more than just username and IP.. I would suggest say openvpn with TLS auth, so user has to have KEY to access your server..

edit: So here is me connected to a windows server os 2k8r2, it has remote desktop disabled.. See where I point that out in the screenshot via my teamviewer connection to it ;)

teamviewer.png

 

Thanks buddy for your inputs. Lets solve this one topic at a time:

 

1) Team Viewer

I don't know how teamviewer worked in your server but read below a mail I got from teamviewer when I told them that I am unable to connect if RDC is off.

------------------------------

Pasting email contents

------------------------------

Dear Sir,

Thank you for your reply.

Basically if there is no active RDC connection to a user profile then there will no active desktop generated for TeamViewer to connect to. Hence in regards to "How to use teamviewer if my RDC window is not connected/closed." this is not possible to due to software limitations.

Also please excuse my colleagues statement as it may be misleading for your scenario. TeamViewer does not replace RDC connections, it only enhances it (more functionality plus allows multiple users to see the same screen).

If you have any further questions or require further information, please do not hesitate to contact us.

P.S.: TeamViewer 9 is ready - Secure your introductory discount now!

www.teamviewer.com/version9

Best Regards,

William Luu

-Support Technician-

------------------------------

TeamViewer Pty Ltd * www.teamviewer.com

 

--------------------------------------------------------------

 

2) So his public IP is dynamic? I find this unlikely to be honest. <----- come on, do you think I am making this up.

 

3) I did understand your login behind the IP thing.

 

a) i am not worried that someone else from work will access it using his username or password (it wont happen)

b) all I want is for him not to access the RDC from any other location (except work)

c) the ip at work is dynamic so it changes frequently (i.e. maybe one a day or once in few days or if router is restarted)

d) I dont know how your dynamic ip didnt change for months or an year but here it changes within days if not earlier.

e) I cannot restrict by public ip as it changes (mentioned above) plus it applies to all accounts. The last thing I want is that i myself cannot login.

f) Same case for my home as its ip is also dynamic.

g) Because the ip changes completely I cannot form a pool or state from 1-10.

 

I hope this helped.

[+BudMan MVC]

No none of it helps because all your stating is gibberish nonsense.

What did you email them when you got that email back for starters? No **** you can not teamview to profile that is not active. If you wanted to support someone. If teamviewer is running as s service or you are consoled in when running it then you can teamviewer to it. But no you would not be able to teamviewer in if the software is not running.

This was your question?

"How to use teamviewer if my RDC window is not connected/closed." What was the rest of it? No you would not be able to teamviewer in and help someone that only has remote desktop access to something.. etc.. Since how would they run tv, etc. Which has NOTHING to do if tv is installed as a service on the machine.

So where is the question you asked them in detail?

2) Yeah I do!! Lets say they reboot the router daily, lets say that isp changes the IP address on purpose.. Your still going to be inside a network block of a.b.c.0/mask so there will be a range of ips, be it 254, be it 2k be it 4k, etc. That you will fall into.. So lock it down to this and your done.. This person can only access the remote desktop from that location or if he vpns into that location, or for some crazy reason he lives in the area and has the same ISP.

But a place of business would normally have a static anyway, other than small ma and pop shops with home internet type connections. So I take it this is a ma and pop shop?

b) if you limit the ip range to who can access he wont.

c) makes no matter to the solution allow the netblock as already went over in great detail!

d) Because of how dhcp works, there is a lease time.. You get the IP address for a specific amount of time. Even if you shut off your device that lease is still yours until it expires. Only once the lease has expired does the IP address go back into a pool for reissue. So even if off for length of time, that IP address is still under lease and you will get it back when you comeback online. These leases are normally for hours if not days.

So there is my lease from my router.. Notice the time of the lease 345600 seconds = 4 Days.. So I could turn off my router and would have somewhere short of 4 days before my IP address would be returned. Since you renew it at the 50% would have min of 2 days on the clock. This is how you keep the same address even if dynamic.. You keep renewing it if on, and even if off you need to be off for longer than the lease to loose the Ip address you had. Work you would think would be on 24/7/365 --- keep in mind not talking about your local rfc1918 address that your work dhcp hands out, since this has nothing to do with anything your talking about.

e) already answered in great detail as well - use a netblock

f) Again netblock!!! What do you not understand about a range of addresses? An ISP can only hand you an address they own, so its going to be a very small range.. If you see in the above lease.

option subnet-mask 255.255.248.0;

so /21 or 2046 addresses.. How is that not good enough restriction??

g) more gibberish!

edit: Here you go - look accessing via tv, remote desktop not running. Can access whatever profile I want, etc. So your problem with what tv sent you was how you asked the question. Because clearly I am remoted to this machine, can login to whatever profile would be available on the machine and remote desktop is not running - look no 3389 port even listening

So here I now see it on my computers TV interface of machines I can connect too.

Here is the windows login screen where I could pick what account I want to access.

Here is me connected via tv, when clearly remote desktop is not running on this machine!

So how is that remote desktop has to be running for TV to work??

[j_great]

No none of it helps because all your stating is gibberish nonsense.

What did you email them when you got that email back for starters? No **** you can not teamview to profile that is not active. If you wanted to support someone. If teamviewer is running as s service or you are consoled in when running it then you can teamviewer to it. But no you would not be able to teamviewer in if the software is not running.

This was your question?

"How to use teamviewer if my RDC window is not connected/closed." What was the rest of it? No you would not be able to teamviewer in and help someone that only has remote desktop access to something.. etc.. Since how would they run tv, etc. Which has NOTHING to do if tv is installed as a service on the machine.

So where is the question you asked them in detail?

2) Yeah I do!! Lets say they reboot the router daily, lets say that isp changes the IP address on purpose.. Your still going to be inside a network block of a.b.c.0/mask so there will be a range of ips, be it 254, be it 2k be it 4k, etc. That you will fall into.. So lock it down to this and your done.. This person can only access the remote desktop from that location or if he vpns into that location, or for some crazy reason he lives in the area and has the same ISP.

But a place of business would normally have a static anyway, other than small ma and pop shops with home internet type connections. So I take it this is a ma and pop shop?

b) if you limit the ip range to who can access he wont.

c) makes no matter to the solution allow the netblock as already went over in great detail!

d) Because of how dhcp works, there is a lease time.. You get the IP address for a specific amount of time. Even if you shut off your device that lease is still yours until it expires. Only once the lease has expired does the IP address go back into a pool for reissue. So even if off for length of time, that IP address is still under lease and you will get it back when you comeback online. These leases are normally for hours if not days.

leasetime.png

So there is my lease from my router.. Notice the time of the lease 345600 seconds = 4 Days.. So I could turn off my router and would have somewhere short of 4 days before my IP address would be returned. Since you renew it at the 50% would have min of 2 days on the clock. This is how you keep the same address even if dynamic.. You keep renewing it if on, and even if off you need to be off for longer than the lease to loose the Ip address you had. Work you would think would be on 24/7/365 --- keep in mind not talking about your local rfc1918 address that your work dhcp hands out, since this has nothing to do with anything your talking about.

e) already answered in great detail as well - use a netblock

f) Again netblock!!! What do you not understand about a range of addresses? An ISP can only hand you an address they own, so its going to be a very small range.. If you see in the above lease.

option subnet-mask 255.255.248.0;

so /21 or 2046 addresses.. How is that not good enough restriction??

g) more gibberish!

edit: Here you go - look accessing via tv, remote desktop not running. Can access whatever profile I want, etc. So your problem with what tv sent you was how you asked the question. Because clearly I am remoted to this machine, can login to whatever profile would be available on the machine and remote desktop is not running - look no 3389 port even listening

tv1.png

tv2.png

tv3.png

So here I now see it on my computers TV interface of machines I can connect too.

tv4.png

Here is the windows login screen where I could pick what account I want to access.

tv5.png

Here is me connected via tv, when clearly remote desktop is not running on this machine!

tv6.png

So how is that remote desktop has to be running for TV to work??

 

Though my knowledge on the networking side is limited but there are its crazy how you assumed some of the things.

 

1) Team Viewer

 

I acknowledge that you are able to run team viewer (as shown in images above) but when I said I am unable to run it, it didn't mean that I had RDC window open/closed only and that's it. This is what I did :

 

-> I installed team viewer, chose option Install to control this computer later from remote. Then I ran team viewer and took a note of id and password. (Teamviewer service and program is running). Then I just closed the RDC window. After that when I tried to connect and it failed. Then I opened the RDC window and then I tried to connect and it succeeded. This is what happened and when I emailed this to the TV support guys I got a reply which I pasted in the post above. After reading that reply what would you think ?

 

2) I am sorry but I need a bit of clarification on this front :

Your still going to be inside a network block of a.b.c.0/mask so there will be a range of ips, be it 254, be it 2k be it 4k, etc. That you will fall into.. So lock it down to this and your done.. This person can only access the remote desktop from that location or if he vpns into that location, or for some crazy reason he lives in the area and has the same ISP.

 

| Does this mean that if my ip is 120.59.180.190 then will only last few sets change or what does the above mean ?

 

-> This is a small business and to be honest we never required a static ip so far.

 

3) how fast the ip changes does not matter to me as I cant keep a track and update it in the ip list frequently. Please re explain me the netblock thing.

 

Thank you.

[+John Teacake MVC]

I'm really surprised no one said just tie it down with Windows firewall.

[+BudMan MVC]

"Then I ran team viewer and took a note of id and password. "

You ran it - the password changes, and as soon as you logged out, it would stop running. You need to setup unattended access

http://www.teamviewer.com/en/res/pdf/first_steps_unattended_access_en.pdf

3) Who said anything about updating a list? Set it and forget it.

Look and your IP is going to stay with in a range of addresses.. so for example 192.168.1.0/24 says that this network is 192.168.1.1, .2, .3 up to .254 and .255 is the broadcast address while .0 is the actual wire and not used. Depending on that mask 255.255.255.0 etc.. tells you how big the network is what part of the address is hosts, which part is network. So look on your router and see what IP your isp gave you and what mask.. From the mask you can see how big the network is, then in your firewall allow that range.

ISP don't just hand out addresses willy nilly, they only own specific address ranges, they only use specific addresses in an area. So if you think your public address is changing all the time, then watch it you will notice it always falls inside a specific network. And I again doubt it changes as much as you think.. We are talking the public IP of your router, not what your local machines address are via the routers internal dhcp server to your machines. And those as well should stay the same unless your turning off machines for longer than your lease period you have set on your dhcp server you run locally.

example

Now keep in mind on your VPS are you talking the local firewall of the vps, or does your host give you option for other firewall?

Notice the local ips on the rule, if its a vps and public it once you allow access its local subnet is going to be allowed as well.. So for example if your vps had an IP address of

4.5.6.0/23

This would mean that 4.5.6.0 - 4.5.7.255 would be able to access since that is your local subnet. You would need to look at the ipconfig /all of your vps to see what its netmask is and therefore what network your on.

Is that address you gave yours or close via the fist 2 numbers? Or did you just make up numbers? I show that owned by

inetnum: 120.56.0.0 - 120.63.255.255

netname: MTNLISP

descr: MTNL CAT B ISP

country: IN

irt: IRT-MTNL-IN

address: Jeevan Bharati Building

address: Tower 1, 12th Floor, 124, Connaught Circus, New Delhi

Is that your ISP? Worse case call them and ask what range of address you could be assigned. Then set your rules in your vps firewall to only allow those networks.

[+BudMan MVC]

I'm really surprised no one said just tie it down with Windows firewall.

That is what we are trying to get him to do - have you not read the thread? He does not understand the concept of a netblock or range or subnet, and says his IP keeps changing so that he can not do that, etc. etc.

[+John Teacake MVC]

Oh sorry! I didnt see anyone recommend that woops. I thought everyone was on about Teamviewer.

[+BudMan MVC]

that turned into a side topic, since he somehow got the impression that tv does not run on server versions, or that it only works if remote desktop is being used, etc.

Been like pulling teeth to get him to believe that tv runs just fine without remote desktop, and runs on server versions just fine, etc.

I think TV would prob be a better solution for him in security then opening up remote desktop to the public internet, since he does not seem to understand how to lock it down to a range of IPs, and he is convinced that his works public IP changes like every day or something. Which ok his IPs change, then just lock it down to that network - he does not want his 1 user to be able to access the vps from anything other than his place of work?? Not sure the reason for that to be honest. Seems pointless to me to restrict user you trust to access to only be able to access from one location? I personally don't see a reason for such a thing. I don't think this would be possible with TV, other than locking it down to specific partner ID, and installing it on his work machine - and then locking it down to that ID.

[j_great]

Phew,

 

1) TeamViewer confusion seems to have been solved. Basically I had to setup unattended access and I did not do that. I tried to login by noting down the current id and password it gave and that didnt work once rdc window was closed. (Y)

 

2) Give me a few days to keep a track of my public ip and then I will get back to you. This way I will know how fast or how much it changes. True, I am not so good on the networking side but before I posted in this forum I did specify my public ip in the windows firewall specific ip address list. But after a day or 2 the ip changed and I myself got locked out. Thus I contact the the systems admin guys (vps hoster) and they had to fix it.

 

3) Standard users are not allowed to change date/time. Since I have admin account I made a change for that user and now he is allowed to change date/time. So can applications running on his account also change date/time or they are not allowed. ??

 

I really apprecicate your support. :yes:

 

Thank you,

 

Jack

[+BudMan MVC]

Ok I have to ask - why would they need to change date or time on your vps?? At a complete and utter loss, does your vps not sync its time with ntp source? Why should you ever need to change this???

And why would you be worried about an application that he runs changing the time? What???

But yes if a process is running as user X, and user X has permissions to do Y -- then sure with common sense that process can do Y as well. But without some actual details of what your concerns are they are hard to address. Why would you be worried about his applications changing the system time?

[j_great]

Ok I have to ask - why would they need to change date or time on your vps?? At a complete and utter loss, does your vps not sync its time with ntp source? Why should you ever need to change this???

And why would you be worried about an application that he runs changing the time? What???

But yes if a process is running as user X, and user X has permissions to do Y -- then sure with common sense that process can do Y as well. But without some actual details of what your concerns are they are hard to address. Why would you be worried about his applications changing the system time?

 

I run an application which downloads some data from the internet in real time. At times it need to adjust the time (not date) to work properly. That's why I asked that since user has permission then application also gets it automatically. This is the way that application works and has been doing so for years.

[+BudMan MVC]

I have never seen such an application - and have been in the business 30 years. What is the time source for this application? You see new stuff all the time - what is the name of this application, you have me curious!

You do understand that if time is a factor that a Virtual machine is prob not the best thing to be running an application on that is time sensitive.. You should prob be on actual hardware.

[j_great]

I have never seen such an application - and have been in the business 30 years. What is the time source for this application? You see new stuff all the time - what is the name of this application, you have me curious!

You do understand that if time is a factor that a Virtual machine is prob not the best thing to be running an application on that is time sensitive.. You should prob be on actual hardware.

 

This application gets stock data from internet and only sometimes adjusts the clock by a few seconds. Why do you say that running it on Win Server isn't a great idea? It's been running okay for last few weeks since I have been running it.

 

I need some advice to fine tune my server (to speed it up a bit) by probably not running unwanted services. So if I do something from my admin a/c will it affect all accounts or just mine and I had to find another way.

 

Back to our old topic, this is how my IP changes : (date is in dd/mm/yy format)

 

1XX.176.216.187  - 22/11/13 12 pm

1XX.176.128.90    - 22/11/13 5 pm

1XX.176.196.218  - 23/12/13

1XX.176.244.193  - 25/12/13

1XX.176.142.128  - 26/11/13

 

As you see the last two masks are changing. What do you say?