prevent users using remote desktop



  barteh said:
I've just tried this on an account in AD called 'Test' which isn't a member of the local admins or anything.

I ticked the deny box but RD still loads fine.

I've tried re-logging on a few times as that user, but to no avail.

Does anything else have to refresh?

You're saying it "loads fine". Do you mean to block the act of using mstsc.exe and connecting and logging on to a remote computer? Or to block the mere mstsc.exe from even opening?

Again -- what exactly are the users doing that you want to stop? That setting in AD has nothing to do with them running the remote desktop client and connecting to some box running remote desktop, etc.

I am going to take a guess you have users using remote desktop to access machines outside your network to, say, surf the net, play solitaire, etc.

Is this what you're trying to stop?

As mentioned you could prevent them from running the exe on their machines -- but there are 3rd party remote desktop clients they could run. Or for that matter why does it have to be remote desktop - they could just vnc to boxes outside your network, etc..

The details of exactly what your users are doing that you want to stop would be most helpful for us to suggest ways to prevent them from doing it.

If the issue is users having remote control of PCs outside of your network then outgoing firewall policies will need to be put in place. But again, there are specific questions and answers needed.

^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 for remote desktop connections.

Trying to block users from access to things outside of your control is an uphill battle to say the least; it's like trying to block spam. As soon as you block one thing, they figure out a new way to get it past the filters, etc.

  BudMan said:
^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 for remote desktop connections.

Trying to block users from access to things outside of your control is an uphill battle to say the least; it's like trying to block spam. As soon as you block one thing, they figure out a new way to get it past the filters, etc.

Very true, it can get convoluted when talking about blocking outbound traffic. It is very easy to change the port RDP uses. It is of course still an option if he wanted to take that route.

Really the only options I see are:

1. Denying users from using Terminal Services via AD. Applies only in your environment.

2. Block all outbound traffic with the exception of legitimate ports. This could be very maintenance intensive and could get very convoluted, but could also work.

3. Block the mstsc.exe from ever executing in the first place. This would without a doubt stop RDP access regardless of what PC they are connecting to. However other forms of remote control could be used as stated using different ports.

So perhaps a combination of these could best suit you.

Sorry for the long delay.

I've blocked the terminal services in AD, several days on, this had made no difference.

We're using SBS2003, so don't have ISA server to have real control over outgoing ports etc.

What's the easiest way to block the mstsc.exe in GPO?

I've never made any software restrictions before, so in simple terms would really help :)

  barteh said:
Sorry for the long delay.

I've blocked the terminal services in AD, several days on, this had made no difference.

We're using SBS2003, so don't have ISA server to have real control over outgoing ports etc.

What's the easiest way to block the mstsc.exe in GPO?

I've never made any software restrictions before, so in simple terms would really help :)

If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy.

The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session, could that be the problem?

  barteh said:
I've gone to:

User Configuration\Administrative Templates\System

"Don't run specified Windows applications" = enabled

and added: mstsc.exe

Doesn't that policy just compare a filename and/or its path to block the specified EXE? If so, couldn't a user just copy the file elsewhere (and/or rename it) and run it from there?

  bobbba said:
If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy.

The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session, could that be the problem?

Quite possibly.

What you're saying is:

So in AD I tick the deny box which says Bart cannot use Term Services, but so long as I log into another machine with a different account it's letting me?

I've tried the .exe; I'll just wait and see what happens.

Scenario for how it works:

Admin creates AD account Bart2, default is allow term services

Admin edits AD account Bart1, deny term services

Bart1 logs on to pc1, opens mstsc and attempts to remote desktop to pc2

pc2 asks pc1 for a logon

Bart specifies his logon (Bart1)

pc2 checks the ad to see whether Bart1 is allowed access, then denies him access

Bart1 tries again:

opens mstsc and attempts to remote desktop to pc2

pc2 asks pc1 for a logon

Bart1 specifies Bart2

pc2 checks the ad to see whether Bart2 is allowed access, then allows him access

So basically the check is all about whether an account is allowed to complete a connection and logon to a remote desktop, not whether an account is allowed to attempt a connection.

If the accounts are setup properly, this should work perfectly well as the user won't know the credentials for other accounts so the restriction works. Restricting the exe and preventing them from launching the client is a really poor workaround except for when the computers they are trying to access are not within the organisation's control (like home pc's over the internet) which is when a firewall with outgoing control should be used.
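The scenario above hinges on whether the deny tick on the AD account actually took effect, since the check is made by the machine being connected to, not by the client. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the Terminal Services "AllowLogon" extension attribute for every user under an OU through ADSI (IADsTSUserEx.AllowLogon, assumed here to be 1 for allowed and 0 for denied) and reports any account that was meant to be denied but still reads as allowed. The OU path and the account names are placeholders.

```powershell
# Added example (not from the thread): verify which AD users have
# "Deny this user permissions to log on to Terminal Server" set.
# Assumes a domain-joined host with the ActiveDirectory module and that the
# TS extension data is readable via ADSI (AllowLogon: 1 = allowed, 0 = denied).

Import-Module ActiveDirectory

function Get-TsLogonState {
    param([string]$SearchBase)   # placeholder, e.g. 'OU=Staff,DC=example,DC=local'

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties distinguishedName |
        ForEach-Object {
            $adsi = [ADSI]("LDAP://" + $_.DistinguishedName)
            try {
                $allow = $adsi.psbase.InvokeGet('AllowLogon')
            } catch {
                # Accounts with no TS profile data raise here; the default is "allowed".
                $allow = 1
            }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                TsLogonAllowed = ($allow -ne 0)
            }
        }
}

# Accounts the admin believes were set to deny (constructed list for the example).
$expectedDenied = @('Test', 'Bart1')

$state = Get-TsLogonState -SearchBase 'OU=Staff,DC=example,DC=local'

# Any row printed here is an account that should be denied but is still allowed:
# the tick did not take, which is one explanation for "RD still loads fine".
$state |
    Where-Object { $expectedDenied -contains $_.SamAccountName -and $_.TsLogonAllowed } |
    Format-Table -AutoSize
```

Even when the list comes back empty, this only tells you the accounts in your domain are denied logon to domain machines running Terminal Services; as the post explains, it says nothing about the client being launched, and nothing at all about home PCs outside the domain.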

Sorry bobbba, I think I should have explained in more detail earlier.

The machine the user is connecting to is a home machine.

And like I mentioned earlier, we don't have ISA so we don't have that sort of control, and the admins do use RDP ourselves, so I don't want to completely disable it.

Sounds like you need something like the following:

software restriction policy:

Block the filename of MSTSC

Block the hash values of the various versions of MSTSC

Prevent it from applying to local admins

(if your troublesome users don't have them, use GPO security filtering if they do)

Articles to help:

MS Howto

Tutorial

Those are the technical means of controlling it. The organisation should also have a computer/internet usage policy, so that they have to consciously break the rules to do something like this, and if they do, a disciplinary procedure can be applied.
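The software restriction policy described above needs the hash of every mstsc.exe build in use, because a hash rule keys on file content while a filename rule keys on the name (which, as noted earlier in the thread, a renamed copy defeats). This PowerShell is an added example, not code from the thread or from Microsoft: it collects SHA1 and MD5 hashes of mstsc.exe from a set of reference machines over the admin share, writes them out for the GPO change record, and checks an arbitrary file against that list to show that a renamed copy still matches. The host names, OU-independent paths and the test file path are placeholders; it assumes PowerShell 4 or later for Get-FileHash.

```powershell
# Added example (not code from the thread): inventory mstsc.exe builds for
# SRP hash rules and check a file against the inventory.
# Assumes PowerShell 4+ and that reference hosts expose the C$ admin share.

$referenceHosts = @('ws-xp-01', 'ws-win7-01')   # placeholder hosts, one per OS build
$relativePaths  = @('Windows\System32\mstsc.exe', 'Windows\SysWOW64\mstsc.exe')

function Get-MstscHashes {
    param([string[]]$Hosts, [string[]]$Paths)
    foreach ($h in $Hosts) {
        foreach ($p in $Paths) {
            $unc = "\\$h\C$\$p"
            if (-not (Test-Path -LiteralPath $unc)) { continue }
            $item = Get-Item -LiteralPath $unc
            [pscustomobject]@{
                Host        = $h
                Path        = $unc
                FileVersion = $item.VersionInfo.FileVersion
                Length      = $item.Length
                SHA1        = (Get-FileHash -LiteralPath $unc -Algorithm SHA1).Hash
                MD5         = (Get-FileHash -LiteralPath $unc -Algorithm MD5).Hash
            }
        }
    }
}

# One row per distinct build. Re-run after any update that replaces mstsc.exe,
# otherwise the hash rule silently stops matching the new binary.
$hashes = Get-MstscHashes -Hosts $referenceHosts -Paths $relativePaths |
          Sort-Object SHA1 -Unique
$hashes | Export-Csv -NoTypeInformation -Path .\mstsc-hash-rules.csv

# A path rule compares the name; a hash rule compares the content.
# A copy of the client under any other name still matches the hash list.
function Test-IsKnownMstsc {
    param([string]$File, [object[]]$Known)
    $sha1 = (Get-FileHash -LiteralPath $File -Algorithm SHA1).Hash
    $hit  = @($Known | Where-Object { $_.SHA1 -eq $sha1 })
    [pscustomobject]@{
        File    = $File
        Matches = ($hit.Count -gt 0)
        Version = if ($hit.Count -gt 0) { $hit[0].FileVersion } else { $null }
    }
}

Test-IsKnownMstsc -File 'C:\Users\Public\notes.exe' -Known $hashes   # placeholder path
```

The SRP hash-rule dialog computes the hash itself when you browse to a file, so the script's value is the inventory: one entry per build actually deployed, so no version is missed, and a record to re-check when patches change the binary. Exempting the admins is still done on the GPO side (the "all users except local administrators" enforcement setting, or security filtering, as the post says), not in this script.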
