prevent users using remote desktop



  barteh said:
I've just tried this on an account in AD called 'Test' which isn't a member of the local admins or anything.

I ticked the deny box but RD still loads fine.

I've tried re-logging on a few times as that user, but to no avail.

Does anything else have to refresh?

You're saying it "loads fine". Do you mean to block the act of using mstsc.exe and connecting and logging on to a remote computer? Or to block the mere mstsc.exe from even opening?

Again -- what exactly are the users doing that you want to stop? That setting in AD has nothing to do with them running the remote desktop client and connecting to some box running remote desktop, etc.

I am going to take a guess you have users using remote desktop to access machines outside your network to, say, surf the net, play solitaire, etc.

Is this what you're trying to stop?

As mentioned you could prevent them from running the exe on their machines -- but there are 3rd party remote desktop clients they could run. Or for that matter why does it have to be remote desktop - they could just vnc to boxes outside your network, etc..

The details of exactly what your users are doing that you want to stop would be most helpful for us to suggest ways to prevent them from doing it.

If the issue is users having remote control of PCs outside of your network then outgoing firewall policies will need to be put in place. But again, there are specific questions and answers needed.

^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 for remote desktop connections.

Trying to block users from access to things outside of your control is an uphill battle to say the least; it's like trying to block spam. As soon as you block one thing, they figure out a new way to get it past the filters, etc.

  BudMan said:
^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 for remote desktop connections.

Trying to block users from access to things outside of your control is an uphill battle to say the least; it's like trying to block spam. As soon as you block one thing, they figure out a new way to get it past the filters, etc.

Very true, it can get convoluted when talking about blocking outbound traffic. It is very easy to change the port RDP uses. It is of course still an option if he wanted to take that route.

Really the only options I see are:

1. Denying users from using Terminal Services via AD. Applies only in your environment.

2. Block all outbound traffic with the exception of legitimate ports. This could be very maintenance intensive and could get very convoluted, but could also work.

3. Block the mstsc.exe from ever executing in the first place. This would without a doubt stop RDP access regardless of what PC they are connecting to. However other forms of remote control could be used as stated using different ports.

So perhaps a combination of these could best suit you.

Sorry for the long delay.

I've blocked the terminal services in AD, several days on, this had made no difference.

We're using SBS2003, so we don't have ISA Server to have real control over outgoing ports etc.

What's the easiest way to block mstsc.exe in GPO?

I've never made any software restrictions before, so in simple terms would really help :)

  barteh said:
Sorry for the long delay.

I've blocked the terminal services in AD, several days on, this had made no difference.

We're using SBS2003, so we don't have ISA Server to have real control over outgoing ports etc.

What's the easiest way to block mstsc.exe in GPO?

I've never made any software restrictions before, so in simple terms would really help :)

If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy.

The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session, could that be the problem?

  barteh said:
I've gone to:

User Configuration\Administrative Templates\System

"Don't run specified Windows applications" = Enabled

and added: mstsc.exe

Doesn't that policy just compare a filename and/or its path to block the specified EXE? If so, couldn't a user just copy the file elsewhere (and/or rename it) and run it from there?

  bobbba said:
If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy.

The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session, could that be the problem?

Quite possibly.

What you're saying is:

So in AD I tick the deny box which says Bart cannot use Term Services, but so long as I log into another machine with a different account it's letting me?

I've tried the .exe; I'll just wait and see what happens.

Scenario for how it works:

Admin creates AD account Bart2, default is allow term services

Admin edits AD account Bart1, deny term services

Bart1 logs on to pc1, opens mstsc and attempts to remote desktop to pc2

pc2 asks pc1 for a logon

Bart specifies his logon (Bart1)

pc2 checks AD to see whether Bart1 is allowed access, then denies him access

Bart1 tries again:

opens mstsc and attempts to remote desktop to pc2

pc2 asks pc1 for a logon

Bart1 specifies Bart2

pc2 checks AD to see whether Bart2 is allowed access, then allows him access

So basically the check is all about whether an account is allowed to complete a connection and logon to a remote desktop, not whether an account is allowed to attempt a connection.

If the accounts are set up properly, this should work perfectly well, as the user won't know the credentials for other accounts, so the restriction works. Restricting the exe and preventing them from launching the client is a really poor workaround, except for when the computers they are trying to access are not within the organisation's control (like home PCs over the internet), which is when a firewall with outgoing control should be used.

Sorry bobbba, I think I should have explained in more detail earlier.

The Machine the user is connecting to is a home machine.

And like I mentioned earlier, we don't have ISA so we don't have that sort of control, and we admins do use RDP ourselves, so I don't want to completely disable it.

Sounds like you need something like the following:

software restriction policy:

Block the filename of MSTSC

Block the hash values of the various versions of MSTSC

Prevent it from applying to local admins

(if your troublesome users don't have them; use GPO security filtering if they do)

Articles to help:

MS Howto

Tutorial

Those are the technical means of controlling it; the organisation should also have a computer/internet usage policy as well, so that they have to consciously break the rules to do something like this, and if they do, a disciplinary procedure can be applied.
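The difference between the filename-only block discussed earlier (the "Don't run specified Windows applications" policy, which a renamed copy sidesteps) and the software restriction policy suggested here (filename rule plus a hash rule per mstsc.exe version, with local admins exempted), modelled as an added example. This is illustration code written for this page, not the thread's own steps and not Microsoft's SRP engine; the "binaries", paths and user roles are constructed sample data, and only the rule precedence (hash rules evaluated before path rules, then the default) follows how SRP orders its rules.

```python
"""
Toy model of a Software Restriction Policy (SRP) decision.

It shows why the thread recommends hash rules on top of a filename rule:
  * a filename rule is defeated by copying/renaming mstsc.exe;
  * a hash rule still catches the renamed copy, but a different build of
    mstsc.exe has a different hash, so every version needs its own rule;
  * enforcement can be skipped for local administrators, who in this
    thread legitimately use RDP.
Constructed sample data throughout; the hash algorithm (SHA-256) is a
stand-in, not a claim about what a given Windows version uses.
"""
import hashlib
from dataclasses import dataclass, field

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


@dataclass
class Executable:
    path: str
    content: bytes            # stand-in for the PE image on disk

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

    def filename(self) -> str:
        return self.path.replace("\\", "/").rsplit("/", 1)[-1].lower()


@dataclass
class Policy:
    blocked_names: set = field(default_factory=set)    # filename (path) rules
    blocked_hashes: set = field(default_factory=set)   # hash rules
    default: str = UNRESTRICTED                        # default security level
    skip_local_admins: bool = True                     # "all users except local administrators"


def evaluate(policy: Policy, exe: Executable, is_local_admin: bool = False):
    """Return (decision, reason). Hash rules are checked before path rules,
    mirroring SRP's rule precedence; anything unmatched gets the default."""
    if policy.skip_local_admins and is_local_admin:
        return UNRESTRICTED, "enforcement skipped for local administrators"
    if exe.sha256() in policy.blocked_hashes:
        return DISALLOWED, "hash rule"
    if exe.filename() in policy.blocked_names:
        return DISALLOWED, "path rule"
    return policy.default, "default rule"


# Constructed stand-ins for two builds of the RDP client.
MSTSC_BUILD_1 = b"constructed bytes: mstsc.exe build 1"
MSTSC_BUILD_2 = b"constructed bytes: mstsc.exe build 2"

NAME_ONLY_POLICY = Policy(blocked_names={"mstsc.exe"})
NAME_AND_HASH_POLICY = Policy(
    blocked_names={"mstsc.exe"},
    blocked_hashes={Executable("", MSTSC_BUILD_1).sha256()},
)


def demo():
    """Run the scenarios from the thread and return {scenario: decision}."""
    original = Executable(r"C:\Windows\System32\mstsc.exe", MSTSC_BUILD_1)
    renamed_copy = Executable(r"C:\Users\bart\rdp.exe", MSTSC_BUILD_1)
    newer_build = Executable(r"C:\Users\bart\rdp2.exe", MSTSC_BUILD_2)
    return {
        "name rule, original path": evaluate(NAME_ONLY_POLICY, original)[0],
        "name rule, renamed copy": evaluate(NAME_ONLY_POLICY, renamed_copy)[0],
        "name+hash rule, renamed copy": evaluate(NAME_AND_HASH_POLICY, renamed_copy)[0],
        "name+hash rule, renamed newer build": evaluate(NAME_AND_HASH_POLICY, newer_build)[0],
        "name+hash rule, local admin": evaluate(NAME_AND_HASH_POLICY, original, is_local_admin=True)[0],
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:40s} -> {decision}")
```

The fourth scenario is the maintenance cost the post warns about: a hash rule pins one exact binary, so a newer build of the client (after a service pack, for instance) slips through until its hash is added, which is why the post says to block "the hash values of the various versions".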
