Adam1V Posted August 12, 2008
Is there a way to prevent the use of RD in group policy but still allow admins to connect to that machine?
https://www.neowin.net/forum/topic/656626-prevent-users-using-remote-desktop/
Guest Posted August 12, 2008
That is by design anyway. Do your users have local administrative rights to the machine they are sat on?
BudMan (MVC) Posted August 12, 2008
As stated, by default only admins have access to remote desktop. What exactly are you looking to block -- what are the users doing that you're wanting to prevent?
Joel Posted August 12, 2008
Maybe he means USING the RD program, not connecting to the machine by RD.
Adam1V Posted August 12, 2008
Joel said: "Maybe he means USING the RD program, not connecting to the machine by RD."
Yep, RD'ing into another machine to carry out tasks which are normally prohibited on the local machine.
Grogi Posted August 12, 2008
Enable "Deny..." in AD user properties.
bobbba Posted August 12, 2008
Grogi said: "Enable "Deny..." in AD user properties."
That'll do it ^
Adam1V Posted August 12, 2008
I've just tried this on an account in AD called 'Test' which isn't a member of the local admins or anything. I ticked the deny box but RD still loads fine. I've tried re-logging on a few times as that user, but to no avail. Does anything else have to refresh?
Joel Posted August 12, 2008
Do a gpupdate on the server, and try again.
Grogi Posted August 12, 2008
Hmm, strange. Another solution is the account setting 'Log on to', where you specify which computers the user can log on to.
Bryan R. Posted August 12, 2008
barteh said: "I've just tried this on an account in AD called 'Test' which isn't a member of the local admins or anything. I ticked the deny box but RD still loads fine. I've tried re-logging on a few times as that user, but to no avail. Does anything else have to refresh?"
You're saying it "loads fine". Do you mean to block the act of using mstsc.exe and connecting and logging on to a remote computer? Or to block the mere mstsc.exe from even opening?
majortom1981 Posted August 12, 2008
Why not just deny the remote desktop client from running in the first place via group policy using a software restriction policy?
BudMan (MVC) Posted August 12, 2008
Again -- what exactly are the users doing that you want to stop? That setting in AD has nothing to do with them running the remote desktop client and connecting to some box running remote desktop, etc. I am going to take a guess you have users using remote desktop to access machines outside your network to, say, surf the net, play solitaire, etc. Is this what you're trying to stop? As mentioned you could prevent them from running the exe on their machines -- but there are 3rd party remote desktop clients they could run. Or for that matter why does it have to be remote desktop - they could just VNC to boxes outside your network, etc. The details of exactly what your users are doing that you want to stop would be most helpful for us to suggest ways to prevent them from doing it.
Bryan R. Posted August 13, 2008
If the issue is users having remote control of PCs outside of your network then outgoing firewall policies will need to be put in place. But again, there are specific questions and answers needed.
BudMan (MVC) Posted August 13, 2008
^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 -- for remote desktop connections. Trying to block users from access to things outside of your control is an uphill battle to say the least; it's like trying to block spam. As soon as you block one thing, they figure out a new way to get it past the filters, etc.
Bryan R. Posted August 13, 2008
BudMan said: "^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 -- for remote desktop connections. Trying to block users from access to things outside of your control is an uphill battle to say the least; it's like trying to block spam. As soon as you block one thing, they figure out a new way to get it past the filters, etc."
Very true, it can get convoluted when talking about blocking outbound traffic. It is very easy to change the port RDP uses. It is of course still an option if he wanted to take that route. Really the only options I see are:
1. Denying users from using Terminal Services via AD. Applies only in your environment.
2. Block all outbound traffic with the exception of legitimate ports. This could be very maintenance intensive and could get very convoluted, but could also work.
3. Block mstsc.exe from ever executing in the first place. This would without a doubt stop RDP access regardless of what PC they are connecting to. However other forms of remote control could be used, as stated, using different ports.
So perhaps a combination of these could best suit you.
BudMan (MVC) Posted August 13, 2008
Yup, all valid suggestions, but without some details of what exactly he is trying to prevent the users from doing they are all meaningless.
Adam1V Posted August 18, 2008
Sorry for the long delay. I've blocked the terminal services in AD; several days on, this has made no difference. We're using SBS2003, so don't have ISA Server to have real control over outgoing ports etc. What's the easiest way to block mstsc.exe in GPO? I've never made any software restrictions before, so simple terms would really help :)
Adam1V Posted August 18, 2008
I've gone to User Configuration\Administrative Templates\System, set "Don't run specified Windows applications" = Enabled, and added: mstsc.exe
bobbba Posted August 18, 2008
barteh said: "Sorry for the long delay. I've blocked the terminal services in AD; several days on, this has made no difference. We're using SBS2003, so don't have ISA Server to have real control over outgoing ports etc. What's the easiest way to block mstsc.exe in GPO? I've never made any software restrictions before, so simple terms would really help :)"
If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy. The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session; could that be the problem?
_dandy_ Posted August 18, 2008
barteh said: "I've gone to User Configuration\Administrative Templates\System, set "Don't run specified Windows applications" = Enabled, and added: mstsc.exe"
Doesn't that policy just compare a filename and/or its path to block the specified EXE? If so, couldn't a user just copy the file elsewhere (and/or rename it) and run it from there?
Adam1V Posted August 19, 2008
bobbba said: "If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy. The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session; could that be the problem?"
Quite possibly. What you're saying is: in AD I tick the deny box which says Bart cannot use Term Services, but so long as I log into another machine with a different account it's letting me? I've tried the .exe; I'll just wait and see what happens.
bobbba Posted August 19, 2008
Scenario for how it works:
Admin creates AD account Bart2; default is allow term services.
Admin edits AD account Bart1: deny term services.
Bart1 logs on to pc1, opens mstsc and attempts to remote desktop to pc2.
pc2 asks pc1 for a logon; Bart specifies his logon (Bart1).
pc2 checks the AD to see whether Bart1 is allowed access, then denies him access.
Bart1 tries again: opens mstsc and attempts to remote desktop to pc2.
pc2 asks pc1 for a logon; Bart1 specifies Bart2.
pc2 checks the AD to see whether Bart2 is allowed access, then allows him access.
So basically the check is all about whether an account is allowed to complete a connection and log on to a remote desktop, not whether an account is allowed to attempt a connection. If the accounts are set up properly, this should work perfectly well, as the user won't know the credentials for other accounts, so the restriction works. Restricting the exe and preventing them from launching the client is a really poor workaround except for when the computers they are trying to access are not within the organisation's control (like home PCs over the internet), which is when a firewall with outgoing control should be used.
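The scenario above turns on which account is presented to the remote host, so the thing worth auditing is the per-account "Deny this user permissions to log on to Terminal Server" flag (the tick box from earlier in the thread). The script below is an added example, not bobbba's code or anything from the thread: it reads that flag for every user under an OU through the ADSI AllowLogon property and reports who is allowed or denied. The OU distinguished name and the 'Test' account are placeholders, and it assumes a domain-joined machine with the Terminal Services ADSI extension (the one ADUC itself uses) available.

```powershell
# Added example, not from the thread: list which AD accounts may log on to a
# terminal server / RDP host. The check is made against the account presented
# to the remote machine (Bart1 vs Bart2 in the scenario), so this is the list
# an admin wants to see.
# Assumptions: domain-joined machine, Terminal Services ADSI extension present,
# and a placeholder OU DN below that you replace with your own.

$ouDn = 'OU=Users,DC=example,DC=local'   # placeholder, replace with the real OU

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$ouDn"
$searcher.Filter = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500   # paged search so large OUs are not cut off at the server limit

$report = foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()
    # AllowLogon comes from the IADsTSUserEx extension: 1 = allowed, 0 = denied
    try   { $allow = [int]$entry.psbase.InvokeGet('AllowLogon') }
    catch { $allow = $null }   # extension missing, or no TS data stored on the account
    if     ($allow -eq 1) { $state = 'allowed' }
    elseif ($allow -eq 0) { $state = 'denied'  }
    else                  { $state = 'unknown' }
    [pscustomobject]@{
        Account = "$($entry.sAMAccountName)"
        TSLogon = $state
    }
}
$report | Sort-Object Account | Format-Table -AutoSize

# To deny one account (same effect as ticking the box in ADUC), then commit:
# $u = [ADSI]"LDAP://CN=Test,$ouDn"     # 'Test' is a placeholder account
# $u.psbase.InvokeSet('AllowLogon', 0)
# $u.psbase.CommitChanges()
```

Run it as an account that can read user objects in the OU. An account showing "denied" here will still be able to open mstsc.exe on its own workstation; it is only refused at the point where a remote host checks the logon, which is the distinction the scenario above describes.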
Adam1V Posted August 19, 2008
Sorry bobbba, I think I should have explained in more detail earlier. The machine the user is connecting to is a home machine. And like I mentioned earlier, we don't have ISA so we don't have that sort of control, and the admins do use RDP ourselves, so I don't want to completely disable it.
bobbba Posted August 19, 2008
Sounds like you need something like the following software restriction policy:
Block the filename of MSTSC.
Block the hash values of the various versions of MSTSC.
Prevent it from applying to local admins (if your troublesome users don't have them; use GPO security filtering if they do).
Articles to help: MS Howto, Tutorial.
Those are the technical means of controlling it; the organisation should also have a computer/internet usage policy as well, so that they have to consciously break the rules to do something like this, and if they do, a discipline procedure can be applied.
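To put the pieces of that recommendation (and _dandy_'s earlier point that the "Don't run specified Windows applications" policy only matches a file name) on one screen, here is an added example that is not from the thread or from any of its posters. It is an audit script for a workstation: it computes the hashes of each local copy of mstsc.exe for use in hash rules, lists what the Explorer-enforced DisallowRun policy currently names, reads the software restriction policy rules and scope from the registry, and reports which local copies are actually covered by a hash rule. It assumes Windows PowerShell 4 or later (for Get-FileHash) and the standard SRP registry layout under Software\Policies\Microsoft\Windows\Safer; it only reads, so the rules themselves are still created in the Group Policy editor.

```powershell
# Added example, not from the thread: audit how mstsc.exe is restricted on the
# workstation this runs on, and produce the hashes an SRP hash rule needs.
# Assumptions: Windows PowerShell 4 or later (Get-FileHash), run on the client
# whose policy you want to check; standard SRP registry layout.

# 1. Every copy of the client binary and its hashes (one hash rule per version).
$copies = @("$env:SystemRoot\System32\mstsc.exe",
            "$env:SystemRoot\SysWOW64\mstsc.exe") | Where-Object { Test-Path $_ }
$hashes = foreach ($path in $copies) {
    [pscustomobject]@{
        Path    = $path
        Version = (Get-Item $path).VersionInfo.FileVersion
        MD5     = (Get-FileHash $path -Algorithm MD5).Hash
        SHA256  = (Get-FileHash $path -Algorithm SHA256).Hash
    }
}
$hashes | Format-List

# 2. "Don't run specified Windows applications": enforced by Explorer and matched
#    by file name only, so a renamed copy or a launch from cmd.exe is outside it.
$disallowKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path $disallowKey) {
    $names = (Get-ItemProperty $disallowKey).PSObject.Properties |
             Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    "DisallowRun list: $($names -join ', ')"
} else {
    'DisallowRun list: not configured'
}

# 3. SRP rules in the Disallowed level (subkey 0) for machine and user policy.
$ruleHashes = @()
foreach ($hive in 'HKLM', 'HKCU') {
    $root = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $root)) { "$hive SRP: not configured"; continue }
    $cfg = Get-ItemProperty $root
    # PolicyScope 1 = all users except local administrators (what the post recommends)
    $scope = if ($cfg.PolicyScope -eq 1) { 'all users except local admins' } else { 'all users' }
    "$hive SRP: DefaultLevel=$($cfg.DefaultLevel) scope=$scope"
    foreach ($rule in Get-ChildItem "$root\0\Paths" -ErrorAction SilentlyContinue) {
        "  disallowed path: $((Get-ItemProperty $rule.PSPath).ItemData)"
    }
    foreach ($rule in Get-ChildItem "$root\0\Hashes" -ErrorAction SilentlyContinue) {
        $r   = Get-ItemProperty $rule.PSPath
        $hex = -join ($r.ItemData | ForEach-Object { $_.ToString('X2') })   # REG_BINARY hash
        $ruleHashes += $hex
        "  disallowed hash: $($r.FriendlyName) $hex"
    }
}

# 4. Which local copies are actually covered by a hash rule (MD5 or SHA256).
foreach ($h in $hashes) {
    $covered = ($ruleHashes -contains $h.MD5) -or ($ruleHashes -contains $h.SHA256)
    $status  = if ($covered) { 'hash rule present' } else { 'NO hash rule' }
    '{0} ({1}): {2}' -f $h.Path, $h.Version, $status
}
```

Run it in the user's context on a workstation after a gpupdate; the HKCU branch shows what a User Configuration SRP delivered, the HKLM branch what a Computer Configuration one delivered. A copy reported with "NO hash rule" is a version that a file-name rule alone would miss once renamed, which is exactly why the post asks for both a path rule and a hash rule per version.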