prevent users using remote desktop


Recommended Posts

  barteh said:
I've just tried this on an account in AD called 'Test' which isnt a member of the local admins or anything.

I ticked the deny box but RD still loads fine.

I've tried re-logging on a few times as that user, but to no avail.

Does anything else have to refresh?

Your saying it "loads fine". Do you mean to block the act of using mstsc.exe and connecting and logging on to remote computer? Or to block the mere mstsc.exe from even opening?

Again -- what exactly are the users doing that you want to stop? That setting in AD has nothing to do with them running the remote desktop client and connecting to some box running remote desktop, etc.

I am going to take a guess you have users using remote desktop to access machines outside your network to say surf the net, play solitare, etc..

Is this what your trying to stop?

As mentioned you could prevent them from running the exe on their machines -- but there are 3rd party remote desktop clients they could run. Or for that matter why does it have to be remote desktop - they could just vnc to boxes outside your network, etc..

The details of exactly what your users are doing that you want to stop would be most helpful for us to suggest ways to prevent them from doing it.

If the issue is users having remote control of PCs outside of your network then outgoing firewall policies will need to be put in place. But again, there are specific questions and answers needed.

^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 for remote desktop connections.

Trying to block users from access to things outside of your control is a uphill battle to say the least, its like trying to block spam.. As soon as you block one thing, they figure out a new way to get it paste the filters, etc.

  BudMan said:
^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 for remote desktop connections.

Trying to block users from access to things outside of your control is a uphill battle to say the least, its like trying to block spam.. As soon as you block one thing, they figure out a new way to get it paste the filters, etc.

Very true, it can get condeluded when talking about blocking outbound traffic. It is very easy to change the port RDP uses. It is of course still an option if he wanted to take that route.

Really the only options I see are:

1. Denying users from using Terminal Services via AD. Applies only in your environment.

2. Block all outbound traffic with the exception of legitimate ports. This could be very maintainence intensive and could get very condeluded, but could also work.

3. Block the mstsc.exe from ever executing in the first place. This would without a doubt stop RDP access regardless of what PC they are connecting to. However other forms of remote control could be used as stated using different ports.

So perhaps a combination of these could best suit you.

Sorry for the long delay.

I've blocked the terminal services in AD, several days on, this had made no difference.

We're using SBS2003, so dont have ISA server to have real control over outgoing ports etc.

Whats the easiest way to block the mstsc.exe in GPO?

I've never made any software restrictions before, so in simple terms would really help :)

  barteh said:
Sorry for the long delay.

I've blocked the terminal services in AD, several days on, this had made no difference.

We're using SBS2003, so dont have ISA server to have real control over outgoing ports etc.

Whats the easiest way to block the mstsc.exe in GPO?

I've never made any software restrictions before, so in simple terms would really help :)

If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy.

The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session, could that be the problem?

  barteh said:
i've gone to:

User Configuration\Administrative Templates\System

"dont run specified Windows applications" = enabled

and added: mstsc.exe

Doesn't that policy just compare a filename and/or its path to block the specified EXE? If so, couldn't a user just copy the file elsewhere (and/or rename it) and run it from there?

  bobbba said:
If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy.

The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session, could that be the problem?

quite possibly.

What your saying is:

So in AD i tick the deny box which says Bart cannot use Term Services, but so long as I log into another machine with a different account Its letting me?

I've tried the .exe i'll just wait and see what happens.

Scenario for how it works:

Admin creates AD account Bart2, default is allow term services

Admin edits AD account Bart1, deny term services

Bart1 logons on to pc1 opens mstc and attempts to remote desktop pc2

pc2 asks pc1 for a logon

bart specifies his logon (Bart1)

pc2 checks the ad to see whether Bart1 is allowed access, then denies him access

Bart1 tries again:

opens mstc and attempts to remote desktop pc2

pc2 asks pc1 for a logon

bart1 specifies Bart2

pc2 checks the ad to see whether Bart2 is allowed access, then allows him access

So basically the check is all about whether an account is allowed to complete a connection and logon to a remote desktop, not whether an account is allowed to attempt a connection.

If the accounts are setup properly, this should work perfectly well as the user won't know the credentials for other accounts so the restriction works. Restricting the exe and preventing them from launching the client is a really poor workaround except for when the computers they are trying to access are not within the organisation's control (like home pc's over the internet) which is when a firewall with outgoing control should be used.

Sorry bobba, I think I should have explained in more detail earlier.

The Machine the user is connecting to is a home machine.

And like I mentioned earlier, we dont have ISA so we dont have that sort of control, and the admins do use RDP ourselves, so I dont want to completely disable it.

Sounds like you need something like the following:

software restriction policy:

Block the filename of MSTSC

Block the hash values of the various versions of MSTSC

Prevent it from applying to local admins

(if your troublesome users don't have them, use GPO security filtering if they do)

Articles to help:

MS Howto

Tutorial

Those are the technical means of controlling it, the organisation should also have a computer/internet usage policy as well so that they have to consciously break the rules to do something like this and if they do a discipline procedure can be applied.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • WinToUSB 9.9 by Razvan Serea WinToUSB allows you to install and run a fully-functional Windows on external hard drive, USB flash drive or Thunderbolt drive. It is so easy and efficient, with just 3 steps and a few minutes, you can create your first portable Windows 11/10/8/7 or Windows Server directly from an ISO, WIM, ESD, SWM, VHD, VHDX file or CD/DVD drive, or you can clone currently running Windows installation to USB or Thunderbolt drive as portable Windows. WinToUSB also supports creating Windows installation USB drive from Windows 11/10/8/7 and Windows Server installation ISO, with it you can install Windows from the USB drive easily. Note: The WinToUSB Free Edition is solely intended for non-commercial, private, and personal use on home computers. It should be noted that technical support is not available for the free edition. Use of WinToUSB Free Edition within any organization or for commercial purpose is strictly prohibited. WinToUSB key features include: Creation of Windows To Go from ISO, WIM, ESD, SWM, VHD(X) or DVD drive.Improved Clone Windows 11/10/8/7 to USB/Thunderbolt drive as portable Windows. Creation of Windows To Go on Non-Certified Windows To Go USB drive. Encrypt Windows To Go with BitLocker to keep your data safe. Creation of Windows installation and bootable WinPE USB drive with BIOS & UEFI support. Download Official Windows 11/10/8.1 ISO file from Microsoft. Use any edition of Windows 11/10/8/7 and Windows Server 2022/2019/2016/2012/2010 to create Windows To Go USB drive. Windows To Go (Portable Windows) Creator WinToUSB allows you to install & run fully-functional Windows on an external HDD/SSD, USB flash drive or Thunderbolt drive, which means you can carry the portable Windows drive to anywhere and use it on any computer. Faster installation and cloning speed compared to competing products Support any edition of Windows 11/10/8/7 and Windows Server Creation of Windows To Go from ISO, WIM, ESD, SWM, VHD(X) or CD/DVD drive Clone currently running Windows to USB/Thunderbolt drive Creation of Windows To Go on Non-Certified Windows To Go drive Create BitLocker encrypted Windows To Go Workspace Create portable Windows for Intel-based Mac computers Support for creating VHD(X)-based Windows To Go Windows Installation USB Creator WinToUSB releases a feature called "Windows Installation USB Creator" which allows you to create a Windows installation USB drive from a Windows 11/10/8/7/vista/2022/2019/2016/2012/2008 installation ISO file with a few simple steps, with this feature you can create a bootable Windows installation USB drive to install Windows on both Traditional BIOS and UEFI computers by using the same USB drive. Bypass Windows 11 system requirements (TPM 2.0, Secure Boot, Minimum hardware and Microsoft account) Install Windows on both BIOS and UEFI computers by using the same USB drive Windows PE Bootable USB Creator This feature allows you to create a bootable Windows PE USB drive, it can help you transfer the contents of a Windows PE ISO file to a USB drive and make the USB drive bootable, and this feature supports the creation of a bootable WinPE USB driver that supports both Traditional BIOS and UEFI computers. WinToUSB 9.9 changelog: Added option to disable BitLocker automatic drive encryption when creating Windows installation USBs Fixed bug: setup.exe cannot bypass the Windows 11 system requirements Fixed bug: Cloned Windows ARM64 cannot start properly Fix other minor bugs Download: WinToUSB 9.9.0 | 28.7 MB (Freeware) Links: Home Page | Free vs Pro Comparison | Screnshots Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Maybe you don't realize this...but everything you said agreed with me. Yes, many tech outlets reported on Ryzen 9000 issues prior to 24H2, which I already addressed, and as I already said, that issue only existed for a few short months. Ryzen 9000 was released the same quarter of 2024 as 24H2. So again...months, not years. I also already said 24H2 showed some minor improvements on older Ryzen CPU. The article you posted agrees with me, and even says the improvements were only 3-5%, which is even more harsh a statement than what I said. If you want to fuss on the 3-5% numbers, then yes, I will grant you that was an issue for an extended amount of time. In my opinion, that is such a small amount it isn't worth fussing over, but you are welcome to a different option. However, if that was your point, then you didn't make that point in good faith, because you highlighted Ryzen 9000 so much, which had a FAR bigger and FAR shorter issue, it's really a very different conversation.
    • The vast majority of users do not care which iOS version they're using. They don't even know or bother updating to the latest version, unless they see the prompt. The version numbers is more for the power users and I don't think Apple renamed their OS for them.
    • No operating system works well with programs that modify its interface. There will always be bugs, whether it's MacOS or Linux. Windows too, you'll only suffer from bugs using this crap software.
  • Recent Achievements

    • Week One Done
      abortretryfail earned a badge
      Week One Done
    • First Post
      Mr bot earned a badge
      First Post
    • First Post
      Bkl211 earned a badge
      First Post
    • One Year In
      Mido gaber earned a badge
      One Year In
    • One Year In
      Vladimir Migunov earned a badge
      One Year In
  • Popular Contributors

    1. 1
      +primortal
      495
    2. 2
      snowy owl
      251
    3. 3
      +FloatingFatMan
      251
    4. 4
      ATLien_0
      228
    5. 5
      +Edouard
      191
  • Tell a friend

    Love Neowin? Tell a friend!