prevent users using remote desktop


  barteh said:
I've just tried this on an account in AD called 'Test' which isn't a member of the local admins or anything.

I ticked the deny box but RD still loads fine.

I've tried re-logging on a few times as that user, but to no avail.

Does anything else have to refresh?

You're saying it "loads fine". Do you mean to block the act of using mstsc.exe and connecting and logging on to a remote computer? Or to block the mere mstsc.exe from even opening?

Again -- what exactly are the users doing that you want to stop? That setting in AD has nothing to do with them running the remote desktop client and connecting to some box running remote desktop, etc.

I am going to take a guess you have users using remote desktop to access machines outside your network to, say, surf the net, play solitaire, etc.

Is this what you're trying to stop?

As mentioned you could prevent them from running the exe on their machines -- but there are 3rd party remote desktop clients they could run. Or for that matter why does it have to be remote desktop - they could just vnc to boxes outside your network, etc..

The details of exactly what your users are doing that you want to stop would be most helpful for us to suggest ways to prevent them from doing it.

If the issue is users having remote control of PCs outside of your network then outgoing firewall policies will need to be put in place. But again, there are specific questions and answers needed.

^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 for remote desktop connections.

Trying to block users from access to things outside of your control is an uphill battle to say the least; it's like trying to block spam. As soon as you block one thing, they figure out a new way to get it past the filters, etc.

  BudMan said:
^ and it does not take a rocket scientist to figure out that if you block outbound access on 3389, to just have the machine listen on another port -- say 80 or 443 for remote desktop connections.

Trying to block users from access to things outside of your control is an uphill battle to say the least; it's like trying to block spam. As soon as you block one thing, they figure out a new way to get it past the filters, etc.

Very true, it can get convoluted when talking about blocking outbound traffic. It is very easy to change the port RDP uses. It is of course still an option if he wanted to take that route.

Really the only options I see are:

1. Denying users from using Terminal Services via AD. Applies only in your environment.

2. Block all outbound traffic with the exception of legitimate ports. This could be very maintenance intensive and could get very convoluted, but could also work.

3. Block the mstsc.exe from ever executing in the first place. This would without a doubt stop RDP access regardless of what PC they are connecting to. However other forms of remote control could be used as stated using different ports.

So perhaps a combination of these could best suit you.

Sorry for the long delay.

I've blocked the terminal services in AD; several days on, this has made no difference.

We're using SBS2003, so don't have ISA server to have real control over outgoing ports etc.

What's the easiest way to block the mstsc.exe in GPO?

I've never made any software restrictions before, so in simple terms would really help :)

  barteh said:
Sorry for the long delay.

I've blocked the terminal services in AD; several days on, this has made no difference.

We're using SBS2003, so don't have ISA server to have real control over outgoing ports etc.

What's the easiest way to block the mstsc.exe in GPO?

I've never made any software restrictions before, so in simple terms would really help :)

If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy.

The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session, could that be the problem?

  barteh said:
I've gone to:

User Configuration\Administrative Templates\System

"Don't run specified Windows applications" = Enabled

and added: mstsc.exe

Doesn't that policy just compare a filename and/or its path to block the specified EXE? If so, couldn't a user just copy the file elsewhere (and/or rename it) and run it from there?
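An added example, not from the thread or any poster: the "Don't run specified Windows applications" policy lands in the current user's registry hive, so this script shows whether it has actually applied and which file names it lists, and then demonstrates the point above that the match is on the bare file name only. The function names are my own; the registry location is the one the policy writes to.

```powershell
# Added example (not from the thread). The policy "Don't run specified Windows
# applications" writes DisallowRun = 1 (DWORD) under
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
# and one string value per blocked file name under its DisallowRun subkey.
function Get-DisallowRunPolicy {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $enabled = $false
    if (Test-Path $base) {
        $props = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
        $enabled = ($props.DisallowRun -eq 1)
    }
    $names = @()
    if (Test-Path "$base\DisallowRun") {
        $item  = Get-Item "$base\DisallowRun"
        $names = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }
    [pscustomobject]@{ Enabled = $enabled; BlockedNames = $names }
}

# The policy compares only the leaf file name of what Explorer launches, so a
# path is "blocked" exactly when its file name is in the list (case-insensitive).
function Test-DisallowRunMatch {
    param([Parameter(Mandatory)][string]$ImagePath)
    $policy = Get-DisallowRunPolicy
    if (-not $policy.Enabled) { return $false }
    $leaf = [System.IO.Path]::GetFileName($ImagePath)
    return [bool]($policy.BlockedNames | Where-Object { $_ -ieq $leaf })
}

Get-DisallowRunPolicy
Test-DisallowRunMatch 'C:\Windows\System32\mstsc.exe'   # $true once mstsc.exe is listed
Test-DisallowRunMatch 'C:\Users\bart\Desktop\rd.exe'   # a renamed copy: $false
```

If Enabled comes back $false after the GPO has been set, run gpupdate /force and sign out and back in before re-checking.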

  bobbba said:
If this is not working there's something wrong and I'd suggest you resolve it in case they work around the software restriction policy.

The Deny restriction applies to the user account that is being used to connect and not to the user launching the terminal services session, could that be the problem?

Quite possibly.

What you're saying is:

So in AD I tick the deny box which says Bart cannot use Term Services, but so long as I log into another machine with a different account it's letting me?

I've tried the .exe; I'll just wait and see what happens.

Scenario for how it works:

Admin creates AD account Bart2, default is allow term services

Admin edits AD account Bart1, deny term services

Bart1 logs on to pc1, opens mstsc and attempts to remote desktop to pc2

pc2 asks pc1 for a logon

Bart specifies his logon (Bart1)

pc2 checks the ad to see whether Bart1 is allowed access, then denies him access

Bart1 tries again:

opens mstsc and attempts to remote desktop to pc2

pc2 asks pc1 for a logon

Bart1 specifies Bart2

pc2 checks the ad to see whether Bart2 is allowed access, then allows him access

So basically the check is all about whether an account is allowed to complete a connection and logon to a remote desktop, not whether an account is allowed to attempt a connection.

If the accounts are set up properly, this should work perfectly well as the user won't know the credentials for other accounts, so the restriction works. Restricting the exe and preventing them from launching the client is a really poor workaround except for when the computers they are trying to access are not within the organisation's control (like home PCs over the internet), which is when a firewall with outgoing control should be used.

Sorry bobbba, I think I should have explained in more detail earlier.

The Machine the user is connecting to is a home machine.

And like I mentioned earlier, we don't have ISA so we don't have that sort of control, and the admins do use RDP ourselves, so I don't want to completely disable it.

Sounds like you need something like the following:

software restriction policy:

Block the filename of MSTSC

Block the hash values of the various versions of MSTSC

Prevent it from applying to local admins

(if your troublesome users don't have them, use GPO security filtering if they do)

Articles to help:

MS Howto

Tutorial

Those are the technical means of controlling it, the organisation should also have a computer/internet usage policy as well so that they have to consciously break the rules to do something like this and if they do a discipline procedure can be applied.
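An added example, not from the thread or any poster, for the "block the hash values of the various versions of MSTSC" step above: a machine can carry several mstsc.exe builds (System32, SysWOW64 and the WinSxS component store), and a hash rule covers only the exact binary, so this script inventories every distinct build with its version and SHA-256, and adds a check that recognises a renamed copy by content rather than by name. The function names are mine; it assumes PowerShell 4.0 or later for Get-FileHash. The hash rule itself is still created in the Group Policy editor, which hashes the file you browse to; the inventory tells you which files to browse to.

```powershell
# Added example (not from the thread). Inventory every copy of mstsc.exe under
# the Windows directory and collapse them to one entry per distinct binary,
# because each distinct build needs its own SRP hash rule.
function Get-RdpClientInventory {
    param([string]$Root = $env:SystemRoot)
    Get-ChildItem -Path $Root -Filter 'mstsc.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Sha256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Version = $_.VersionInfo.FileVersion
                Path    = $_.FullName
            }
        } |
        Group-Object -Property Sha256 |
        ForEach-Object {
            [pscustomobject]@{
                Sha256  = $_.Name
                Version = $_.Group[0].Version
                Paths   = @($_.Group | ForEach-Object { $_.Path })
            }
        }
}

# Returns $true when the file at $Path is byte-identical to a known mstsc.exe
# build from the inventory, regardless of what it has been renamed to. This is
# the property a hash rule relies on and a path or file-name rule lacks.
function Test-IsRdpClient {
    param(
        [Parameter(Mandatory)][string]$Path,
        [object[]]$Inventory = (Get-RdpClientInventory)
    )
    if (-not (Test-Path -Path $Path -PathType Leaf)) { return $false }
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return [bool]($Inventory | Where-Object { $_.Sha256 -eq $hash })
}

# One row per distinct build; add a hash rule for each.
Get-RdpClientInventory | Format-Table Version, Sha256 -AutoSize
Test-IsRdpClient -Path "$env:SystemRoot\System32\mstsc.exe"   # $true
```

Keep the inventory from each Windows build in use, since a cumulative update that replaces mstsc.exe changes the hash and the rule for the old build silently stops matching.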
