prevent users using remote desktop


Recommended Posts

  barteh said:
I've just tried this on an account in AD called 'Test' which isnt a member of the local admins or anything.

I ticked the deny box but RD still loads fine.

I've tried re-logging on a few times as that user, but to no avail.

Does anything else have to refresh?

Your saying it "loads fine". Do you mean to block the act of using mstsc.exe and connecting and logging on to remote computer? Or to block the mere mstsc.exe from even opening?

Again -- what exactly are the users doing that you want to stop? That setting in AD has nothing to do with them running the remote desktop client and connecting to some box running remote desktop, etc.

I am going to take a guess you have users using remote desktop to access machines outside your network to say surf the net, play solitare, etc..

Is this what your trying to stop?

As mentioned you could prevent them from running the exe on their machines -- but there are 3rd party remote desktop clients they could run. Or for that matter why does it have to be remote desktop - they could just vnc to boxes outside your network, etc..

The details of exactly what your users are doing that you want to stop would be most helpful for us to suggest ways to prevent them from doing it.

If the issue is users having remote control of PCs outside of your network then outgoing firewall policies will need to be put in place. But again, there are specific questions and answers needed.

^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 for remote desktop connections.

Trying to block users from access to things outside of your control is a uphill battle to say the least, its like trying to block spam.. As soon as you block one thing, they figure out a new way to get it paste the filters, etc.

  BudMan said:
^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 for remote desktop connections.

Trying to block users from access to things outside of your control is a uphill battle to say the least, its like trying to block spam.. As soon as you block one thing, they figure out a new way to get it paste the filters, etc.

Very true, it can get condeluded when talking about blocking outbound traffic. It is very easy to change the port RDP uses. It is of course still an option if he wanted to take that route.

Really the only options I see are:

1. Denying users from using Terminal Services via AD. Applies only in your environment.

2. Block all outbound traffic with the exception of legitimate ports. This could be very maintainence intensive and could get very condeluded, but could also work.

3. Block the mstsc.exe from ever executing in the first place. This would without a doubt stop RDP access regardless of what PC they are connecting to. However other forms of remote control could be used as stated using different ports.

So perhaps a combination of these could best suit you.

Sorry for the long delay.

I've blocked the terminal services in AD, several days on, this had made no difference.

We're using SBS2003, so dont have ISA server to have real control over outgoing ports etc.

Whats the easiest way to block the mstsc.exe in GPO?

I've never made any software restrictions before, so in simple terms would really help :)

  barteh said:
Sorry for the long delay.

I've blocked the terminal services in AD, several days on, this had made no difference.

We're using SBS2003, so dont have ISA server to have real control over outgoing ports etc.

Whats the easiest way to block the mstsc.exe in GPO?

I've never made any software restrictions before, so in simple terms would really help :)

If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy.

The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session, could that be the problem?

  barteh said:
i've gone to:

User Configuration\Administrative Templates\System

"dont run specified Windows applications" = enabled

and added: mstsc.exe

Doesn't that policy just compare a filename and/or its path to block the specified EXE? If so, couldn't a user just copy the file elsewhere (and/or rename it) and run it from there?

  bobbba said:
If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy.

The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session, could that be the problem?

quite possibly.

What your saying is:

So in AD i tick the deny box which says Bart cannot use Term Services, but so long as I log into another machine with a different account Its letting me?

I've tried the .exe i'll just wait and see what happens.

Scenario for how it works:

Admin creates AD account Bart2, default is allow term services

Admin edits AD account Bart1, deny term services

Bart1 logons on to pc1 opens mstc and attempts to remote desktop pc2

pc2 asks pc1 for a logon

bart specifies his logon (Bart1)

pc2 checks the ad to see whether Bart1 is allowed access, then denies him access

Bart1 tries again:

opens mstc and attempts to remote desktop pc2

pc2 asks pc1 for a logon

bart1 specifies Bart2

pc2 checks the ad to see whether Bart2 is allowed access, then allows him access

So basically the check is all about whether an account is allowed to complete a connection and logon to a remote desktop, not whether an account is allowed to attempt a connection.

If the accounts are setup properly, this should work perfectly well as the user won't know the credentials for other accounts so the restriction works. Restricting the exe and preventing them from launching the client is a really poor workaround except for when the computers they are trying to access are not within the organisation's control (like home pc's over the internet) which is when a firewall with outgoing control should be used.

Sorry bobba, I think I should have explained in more detail earlier.

The Machine the user is connecting to is a home machine.

And like I mentioned earlier, we dont have ISA so we dont have that sort of control, and the admins do use RDP ourselves, so I dont want to completely disable it.

Sounds like you need something like the following:

software restriction policy:

Block the filename of MSTSC

Block the hash values of the various versions of MSTSC

Prevent it from applying to local admins

(if your troublesome users don't have them, use GPO security filtering if they do)

Articles to help:

MS Howto

Tutorial

Those are the technical means of controlling it, the organisation should also have a computer/internet usage policy as well so that they have to consciously break the rules to do something like this and if they do a discipline procedure can be applied.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • I'm not a fan of the HP "Smart" app either, but it does work. I just wish I didn't have to log in to use it. HP Color LaserJet Pro MFP 4301
    • FocusOn Image Viewer 1.32 by Razvan Serea FocusOn Image Viewer is a fast, lightweight, and user-friendly photo viewer for Windows. It supports various image formats, offers basic editing tools, EXIF data display, and batch renaming. With a clean interface, slideshow mode, and easy navigation, it’s ideal for quickly viewing and organizing photos without unnecessary complexity or system resource usage. FocusOn Image Viewer key features: Auto Organize: Automatically sorts photos by date using your chosen template. Explorer View: Browse and manage images with thumbnails; includes basic edits like resize and rotate. Photo Editing: Crop, apply filters, correct colors, add borders or text. Non-Destructive Edits: Original images remain untouched. Photo Sharing: Post directly to blogs, Twitter, and Facebook. Email Support: Send selected images via email. Print Options: Print to fit paper size, preserve aspect ratio, or fit multiple images per page. Slideshow: View selected photos in a slideshow. EXIF Tools: View or remove EXIF data. Scanning: Import from TWAIN or WIA-compatible scanners. Set as Background: Quickly set any image as desktop wallpaper. Batch Rename: Rename images in bulk using templates. Resize Images: Resize with optimized or custom resampling methods, including multi-step resizing. Thumbnail Sizes: Choose from thumbnail sizes between 32–256 pixels. Format Support: Compatible with over 100 image formats. FocusOn Image Viewer 1.32 changelog: Added Ghostscript(AI, PDF) DPI option Fixed transparency issue when saving PDF document as image Other improvements and bug fixes Download: FocusOn Image Viewer 64-bit | Portable 64-bit | ~7.0 MB (Freeware) Download: FocusOn Image Viewer 32-bit | Portable 32-bit View: FocusOn Image Viewer Website | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Wall cabinet: Fiber connection (1Gbps) Patch panel 2.5Gbps Router A mini PC with Ryzen 5800H CPU and 32GB DDR4 RAM, for network related tools (Portainer, Pi-Hole, Cloudflared, Tailscale, Uptime Kuma, Wetty) A headless server running Proxmox: AMD Ryzen 9 9950X CPU, 96GB DDR5, RTX 3090 24GB GPU, 10Gbps NIC, and a bunch of NVMs, SATA SSDs, HDDs A VM with TrueNAS for backups and media server via Jellyfin, passing through the SATA storage controller A VM with an Ubuntu server acting as a web and a GPU server for AI workloads, and a TeamCity build/deploy agent for my personal projects This setup has evolved many times for the last 2 years, I have not gone completely crazy, yet (I think), but still experimenting, still learning, it is a fun and rewarding experience having a home lab!
    • Microsoft PC Manager 3.17.4.0 (Offline Installer) by Razvan Serea With Microsoft PC Manager, users can easily perform basic computer maintenance and enhance the speed of their devices with just one click. This app offers a range of features, including disk cleanup, startup app management, virus scanning, Windows Update checks, process monitoring, and storage management. Microsoft PC Manager key features: Storage Manager- easily uninstall infrequently used apps, manage large files, perform a cleanup, and set up Storage Sense to automatically clear temporary files. Health Checkup feature -scans for potential problems, viruses, and startup programs to turn off. It helps you identify unnecessary items to remove, optimizing your system's performance. Pop-up Management - block pop-up windows from appearing in apps. Windows Update - scans your system for any pending updates. Startup Apps - enable or disable startup apps on your PC, allowing you to optimize your system's startup performance. Browser Protection - rest assured that harmful programs cannot alter your default browser. Also enables you to change your default browser. Process Management - allows you to conveniently terminate any active process, ensuring optimal system performance and resource utilization. Anti-virus protection - Fully integrated with Windows Security. Safeguard your PC anytime. Quick Steps: Download Microsoft PC Manager Offline Installer (APPX/MSIX) with Adguard Adguard serves as a third-party online service, offering a user-friendly method for directly downloading appx, appxbundle, and msixbundle files from the Microsoft Store. Official download links will be generated for both the app's various versions and its dependency packages. How to download Microsoft PC Manager Offline Installer (APPX/MSIX) 1. Initially, you must find the app URL within the Microsoft Store. Access the Microsoft Store via your browser and search for "Microsoft PC Manager". Once located, copy the app URL, which includes the product ID, either from the address bar or from the provided link below. https://apps.microsoft.com/detail/9PM860492SZD 2. Now paste the app URL into the designated area, then click the check mark button to produce a direct download link. 3. To download, right-click the relevant link and select “Save link as…” from your browser's menu. Occasionally, Microsoft Edge may flag the download as insecure. In such cases, consider utilizing alternative browsers such as Google Chrome or Firefox to successfully complete the download. Microsoft PC Manager is a completely free tool optimized exclusively for use on Windows 10 (version 1809 or newer) and Windows 11. Download: Microsoft PC Manager 3.17.4.0 | from Microsoft Store View: Microsoft PC Manager Home Page Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • You might want to update to 1TB drive.  They are not very expensive these days, there are plenty of options - simple look I would think you could find a 1TB ssd or even nvme somewhere between 50 and 100 bucks. when I have moved to larger ssds in laptop in the past, you can just connect the drive via usb - image.  Then take the old drive out, put in the new drive and there you go..  If your concerned about how much space you have left this prob your best bet..   
  • Recent Achievements

    • First Post
      Johnny Mrkvička earned a badge
      First Post
    • Week One Done
      viraltui earned a badge
      Week One Done
    • One Month Later
      serfegyed earned a badge
      One Month Later
    • Dedicated
      firey earned a badge
      Dedicated
    • Dedicated
      fettermanj earned a badge
      Dedicated
  • Popular Contributors

    1. 1
      +primortal
      645
    2. 2
      ATLien_0
      223
    3. 3
      Michael Scrip
      223
    4. 4
      Xenon
      151
    5. 5
      +FloatingFatMan
      144
  • Tell a friend

    Love Neowin? Tell a friend!