prevent users using remote desktop


  barteh said:
I've just tried this on an account in AD called 'Test' which isn't a member of the local admins or anything.

I ticked the deny box but RD still loads fine.

I've tried re-logging on a few times as that user, but to no avail.

Does anything else have to refresh?

You're saying it "loads fine". Do you mean to block the act of using mstsc.exe and connecting and logging on to a remote computer? Or to block mstsc.exe from even opening?

Again -- what exactly are the users doing that you want to stop? That setting in AD has nothing to do with them running the remote desktop client and connecting to some box running remote desktop, etc.

I am going to take a guess you have users using remote desktop to access machines outside your network to, say, surf the net, play solitaire, etc.

Is this what you're trying to stop?

As mentioned you could prevent them from running the exe on their machines -- but there are 3rd party remote desktop clients they could run. Or for that matter why does it have to be remote desktop - they could just vnc to boxes outside your network, etc..

The details of exactly what your users are doing that you want to stop would be most helpful for us to suggest ways to prevent them from doing it.

If the issue is users having remote control of PCs outside of your network then outgoing firewall policies will need to be put in place. But again, there are specific questions and answers needed.

^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 for remote desktop connections.

Trying to block users from access to things outside of your control is an uphill battle to say the least; it's like trying to block spam. As soon as you block one thing, they figure out a new way to get it past the filters, etc.
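The port-swap problem BudMan describes is why an outbound block is better tied to the program than to port 3389. As an added example (not code from the thread), here is a Windows Firewall rule that blocks the built-in client by path, with the old port rule kept alongside it. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later), so it applies to the client PCs rather than the SBS 2003 box itself, and it must be run elevated.

```powershell
# Added example, not from the thread. Block the RDP client outbound by program
# so that a remote host listening on 80 or 443 instead of 3389 does not help.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later); run elevated.

$client = "$env:SystemRoot\System32\mstsc.exe"

# Remove stale copies first so the script is safe to re-run.
Get-NetFirewallRule -DisplayName "Block mstsc.exe outbound", "Block outbound RDP port 3389" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Program rule: matches whatever port mstsc.exe connects to.
New-NetFirewallRule -DisplayName "Block mstsc.exe outbound" `
    -Direction Outbound `
    -Program $client `
    -Action Block `
    -Profile Any `
    -Enabled True | Out-Null

# Port rule: still worth keeping, because it also catches third-party clients
# that use the default port, which the program rule above does not see.
New-NetFirewallRule -DisplayName "Block outbound RDP port 3389" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 3389 `
    -Action Block `
    -Profile Any | Out-Null

# Verify what was written: rule state, then the program filter attached to the first rule.
Get-NetFirewallRule -DisplayName "Block mstsc.exe outbound", "Block outbound RDP port 3389" |
    Select-Object DisplayName, Direction, Action, Enabled

Get-NetFirewallRule -DisplayName "Block mstsc.exe outbound" |
    Get-NetFirewallApplicationFilter |
    Select-Object Program
```

Two caveats that follow from the thread itself: the program rule matches a path, so a renamed copy of mstsc.exe or a third-party client is not caught by it (only the port rule or a hash-based software restriction covers those), and firewall rules apply to every user on the machine, so they do not give you the "except local admins" exemption that a software restriction policy can.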

  BudMan said:
^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 for remote desktop connections.

Trying to block users from access to things outside of your control is an uphill battle to say the least; it's like trying to block spam. As soon as you block one thing, they figure out a new way to get it past the filters, etc.

Very true, it can get convoluted when talking about blocking outbound traffic. It is very easy to change the port RDP uses. It is of course still an option if he wanted to take that route.

Really the only options I see are:

1. Denying users from using Terminal Services via AD. Applies only in your environment.

2. Block all outbound traffic with the exception of legitimate ports. This could be very maintenance intensive and could get very convoluted, but could also work.

3. Block the mstsc.exe from ever executing in the first place. This would without a doubt stop RDP access regardless of what PC they are connecting to. However other forms of remote control could be used as stated using different ports.

So perhaps a combination of these could best suit you.

Sorry for the long delay.

I've blocked terminal services in AD; several days on, this has made no difference.

We're using SBS2003, so we don't have ISA Server to have real control over outgoing ports etc.

What's the easiest way to block mstsc.exe in GPO?

I've never made any software restrictions before, so in simple terms would really help :)

  barteh said:
Sorry for the long delay.

I've blocked terminal services in AD; several days on, this has made no difference.

We're using SBS2003, so we don't have ISA Server to have real control over outgoing ports etc.

What's the easiest way to block mstsc.exe in GPO?

I've never made any software restrictions before, so in simple terms would really help :)

If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy.

The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session, could that be the problem?

  barteh said:
I've gone to:

User Configuration\Administrative Templates\System

"Don't run specified Windows applications" = Enabled

and added: mstsc.exe

Doesn't that policy just compare a filename and/or its path to block the specified EXE? If so, couldn't a user just copy the file elsewhere (and/or rename it) and run it from there?

  bobbba said:
If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy.

The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session, could that be the problem?

Quite possibly.

What you're saying is:

So in AD I tick the deny box which says Bart cannot use Terminal Services, but so long as I log into another machine with a different account it's letting me?

I've tried the .exe; I'll just wait and see what happens.

Scenario for how it works:

Admin creates AD account Bart2, default is allow term services

Admin edits AD account Bart1, deny term services

Bart1 logs on to pc1, opens mstsc and attempts to remote desktop to pc2

pc2 asks pc1 for a logon

bart specifies his logon (Bart1)

pc2 checks the ad to see whether Bart1 is allowed access, then denies him access

Bart1 tries again:

opens mstsc and attempts to remote desktop to pc2

pc2 asks pc1 for a logon

bart1 specifies Bart2

pc2 checks the ad to see whether Bart2 is allowed access, then allows him access

So basically the check is all about whether an account is allowed to complete a connection and logon to a remote desktop, not whether an account is allowed to attempt a connection.

If the accounts are set up properly, this should work perfectly well, as the user won't know the credentials for other accounts, so the restriction works. Restricting the exe and preventing them from launching the client is a really poor workaround except for when the computers they are trying to access are not within the organisation's control (like home PCs over the internet), which is when a firewall with outgoing control should be used.
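The "deny box" in bobbba's scenario is the per-user Terminal Services flag (AllowLogon in the user's TS extension), and it is evaluated by the computer being logged on to, for the account being logged on with. As an added example, not code from the thread, the script below sets that flag the way the scenario describes (Bart1 denied, Bart2 left allowed) and then audits an OU for accounts that can still complete an RDP logon. The OU path and account names are constructed; the flag is only reachable through InvokeGet/InvokeSet on an ADSI DirectoryEntry, not through Get-ADUser.

```powershell
# Added example, not from the thread. Reads and sets the per-user
# "Deny this user permissions to log on to Terminal Server" flag
# (IADsTSUserEx.AllowLogon). OU and account names are constructed.

function Get-TsLogonStatus {
    param([Parameter(Mandatory)][string]$OuPath)   # e.g. "LDAP://OU=Staff,DC=example,DC=local"
    $ou = [ADSI]$OuPath
    foreach ($entry in $ou.Children) {
        if ($entry.SchemaClassName -ne 'user') { continue }
        [pscustomobject]@{
            Account    = $entry.sAMAccountName.Value
            # 1 = may log on to a terminal server (default), 0 = denied (the "deny box" ticked)
            AllowLogon = [int]$entry.InvokeGet('AllowLogon')
        }
    }
}

function Set-TsLogonDenied {
    param(
        [Parameter(Mandatory)][string]$UserPath,   # e.g. "LDAP://CN=Bart1,OU=Staff,DC=example,DC=local"
        [bool]$Deny = $true
    )
    $user = [ADSI]$UserPath
    # InvokeSet is required: the TS extension properties are not in the ADSI property cache.
    $user.InvokeSet('AllowLogon', $(if ($Deny) { 0 } else { 1 }))
    $user.SetInfo()
}

# Reproduce the thread's scenario: Bart1 denied, Bart2 at the default (allowed).
$ou = 'LDAP://OU=Staff,DC=example,DC=local'          # constructed
Set-TsLogonDenied -UserPath 'LDAP://CN=Bart1,OU=Staff,DC=example,DC=local' -Deny $true
Set-TsLogonDenied -UserPath 'LDAP://CN=Bart2,OU=Staff,DC=example,DC=local' -Deny $false

# Audit: every account still at 1 can complete an RDP logon on any domain host,
# whichever account launched mstsc.exe on the client side.
Get-TsLogonStatus -OuPath $ou | Where-Object { $_.AllowLogon -eq 1 } | Format-Table -AutoSize
```

Because the check runs on the target computer against the account presented at logon, the audit tells you which credentials would be accepted by your own servers; it says nothing about a home PC outside the domain, which is the case barteh goes on to describe and which the flag cannot cover.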

Sorry bobba, I think I should have explained in more detail earlier.

The Machine the user is connecting to is a home machine.

And like I mentioned earlier, we don't have ISA, so we don't have that sort of control, and we admins do use RDP ourselves, so I don't want to completely disable it.

Sounds like you need something like the following:

software restriction policy:

Block the filename of MSTSC

Block the hash values of the various versions of MSTSC

Prevent it from applying to local admins

(if your troublesome users don't have them; use GPO security filtering if they do)

Articles to help:

MS Howto

Tutorial

Those are the technical means of controlling it. The organisation should also have a computer/internet usage policy, so that they have to consciously break the rules to do something like this, and if they do, a disciplinary procedure can be applied.
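As an added example of bobbba's three-item list, not code from the thread or from the linked articles, the script below writes the local Software Restriction Policy registry entries that the GPO editor would produce: a path rule on the file name, hash rules for each build of mstsc.exe you supply, and enforcement scoped to all users except local administrators. The second sample path is a constructed placeholder; in a domain you would create the same rules under Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies so they reach every client. Run elevated.

```powershell
# Added example, not from the thread. Local SRP rules for mstsc.exe at the
# Disallowed level, exempting local administrators. Registry layout is the one
# the SRP GPO settings produce on a client. Run elevated.

$safer   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$denyLvl = "$safer\0"            # security level 0 = Disallowed (0x40000 = Unrestricted)

function Initialize-Srp {
    New-Item -Path "$denyLvl\Paths"  -Force | Out-Null
    New-Item -Path "$denyLvl\Hashes" -Force | Out-Null
    Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0x40000 -Type DWord  # everything else allowed
    Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1       -Type DWord  # enforce for executables, not DLLs
    Set-ItemProperty -Path $safer -Name PolicyScope        -Value 1       -Type DWord  # 1 = all users except local admins
}

function Add-SrpPathRule {
    param([string]$Path, [string]$Description)
    $key = New-Item -Path "$denyLvl\Paths\{$([guid]::NewGuid())}" -Force
    Set-ItemProperty -Path $key.PSPath -Name ItemData     -Value $Path -Type ExpandString
    Set-ItemProperty -Path $key.PSPath -Name SaferFlags   -Value 0 -Type DWord
    Set-ItemProperty -Path $key.PSPath -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $key.PSPath -Name LastModified -Value (Get-Date).ToFileTime() -Type QWord
}

function Add-SrpHashRule {
    param([string]$File, [string]$Description, [ValidateSet('MD5','SHA256')][string]$Algorithm = 'SHA256')
    # SRP stores the raw hash bytes, the file size and the CryptoAPI algorithm id.
    # 0x8003 = CALG_MD5 (the only one XP/2003 clients evaluate), 0x800C = CALG_SHA_256 (Vista and later).
    $algId = if ($Algorithm -eq 'MD5') { 0x8003 } else { 0x800C }
    $hex   = (Get-FileHash -Path $File -Algorithm $Algorithm).Hash
    $bytes = [byte[]]@(for ($i = 0; $i -lt $hex.Length; $i += 2) { [Convert]::ToByte($hex.Substring($i, 2), 16) })
    $key = New-Item -Path "$denyLvl\Hashes\{$([guid]::NewGuid())}" -Force
    Set-ItemProperty -Path $key.PSPath -Name ItemData     -Value $bytes -Type Binary
    Set-ItemProperty -Path $key.PSPath -Name ItemSize     -Value (Get-Item $File).Length -Type QWord
    Set-ItemProperty -Path $key.PSPath -Name HashAlg      -Value $algId -Type DWord
    Set-ItemProperty -Path $key.PSPath -Name SaferFlags   -Value 0 -Type DWord
    Set-ItemProperty -Path $key.PSPath -Name FriendlyName -Value (Split-Path $File -Leaf) -Type String
    Set-ItemProperty -Path $key.PSPath -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $key.PSPath -Name LastModified -Value (Get-Date).ToFileTime() -Type QWord
}

Initialize-Srp

# Item 1 of the list: the file name. Caught by rename or copy, as the thread notes.
Add-SrpPathRule -Path 'mstsc.exe' -Description 'Block the RDP client by file name'

# Item 2: one hash rule per build on the network; a hash survives rename and copy.
$copies = @("$env:SystemRoot\System32\mstsc.exe", 'C:\SRP-samples\mstsc-old-build.exe')   # second path constructed
foreach ($copy in $copies) {
    if (Test-Path $copy) {
        $ver = (Get-Item $copy).VersionInfo.FileVersion
        Add-SrpHashRule -File $copy -Description "Block mstsc.exe build $ver"
    }
}

# Item 3 (PolicyScope = 1) was set in Initialize-Srp. Read back the rules as written.
Get-ChildItem "$denyLvl\Paths", "$denyLvl\Hashes" |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object Description, ItemData, HashAlg }
```

The rules apply to processes started after the keys exist; if a client does not pick them up, log the user off or run gpupdate /force. For an SBS 2003 domain with XP clients, pass -Algorithm MD5 to the hash rules, since those clients ignore SHA-256 entries, and each new mstsc.exe build shipped by Windows Update needs its own hash rule or it will slip past item 2.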
