prevent users using remote desktop



Even if you blocked the exe from running, or blocked the port this will not actually stop anyone with half a brain ;)

Since they could just use VNC, or for that matter a Java-based remote desktop client, etc. Even if you block the ports, they could just use another one -- a required-to-be-open port like 80 or 443, etc.

Once you have a user who has some basic understanding of how this stuff works -- stopping them is, like I stated before, an uphill battle.

Sure you can block mstsc from running, that will stop them for about 2 minutes if you're lucky ;) Maybe a day while they change how they are accessing their remote machine ;)

Good Luck is about all I can tell you -- preventing someone with the correct skill set from creating a tunnel out of your network is near impossible.

One option would be to really, really lock down their computers with a GPO so that nothing is available to them except what is needed to do their jobs. SteadyState does a great job with this, but I've not tried it in a domain environment (if it will even run inside one).

EDIT: The point here is to stop them bringing in some other client from the web or a removable drive etc, after you have blocked mstsc. Obviously if they are local admins you may have trouble still ;)

And then you just boot a liveCD and remote to the machine that way.. So you have to lock down the machine from booting from removable media as well.

Your best bet when up against someone with the know-how to tunnel is, as already stated, "policy". If you catch them at it they get fired sort of thing.

What might slow them down some is if you block the netblock their home ISP is on. They would then have to have a different outside server to tunnel to, etc. Which could be an issue for some users to get around.

  BudMan said:
Your best bet when up against someone with the know-how to tunnel is, as already stated, "policy". If you catch them at it they get fired sort of thing.

Completely agree.

  BudMan said:
What might slow them down some is if you block the netblock their home ISP is on. They would then have to have a different outside server to tunnel to, etc. Which could be an issue for some users to get around.

This is a damn fine idea!

  BudMan said:
What might slow them down some is if you block the netblock their home ISP is on. They would then have to have a different outside server to tunnel to, etc. Which could be an issue for some users to get around.

How would one go about this?

I know the ISP of the home user :)

or even better, I know the home fixed IP :)

I would suggest you block his ISP's whole netblock, since he could just get a different IP from tomorrow, etc.. Doing it at the client is a bad idea -- since a boot of some liveCD removes anything you might have done there.. But sure if they are not as bright as we are making them out to be -- then just put a simple static route on his client to point that address or range to never-never land.

But best to do it at the gateway. You said you're using SBS2003, but only have the standard (no ISA) using just ICS I assume? Then you could just put the static route on that server. Now nobody is getting there ;)

  BudMan said:
But best to do it at the gateway. You said you're using SBS2003, but only have the standard (no ISA) using just ICS I assume? Then you could just put the static route on that server. Now nobody is getting there ;)

I think it's all done in Routing and Remote Access?

Let's say the destination machine is 123.456.789.0

I create a static route:

Destination: 123.456.789.0

Network Mask: 255.255.255.255 (this correct?)

Gateway: <server IP> (if I want to redirect him back to SharePoint homepage??)

Thanks in advance..

This topic is now closed to further replies.
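
The thread's choice between a host route (mask 255.255.255.255) and a route for the ISP's whole netblock, worked through as an added example that is not code from any poster. All addresses are constructed from documentation ranges, and the unused on-link next hop `192.168.1.254` is an assumption about the LAN.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation range), not from the thread.
HOME_FIXED_IP = "203.0.113.57"        # the user's current home address
HOME_ISP_NETBLOCK = "203.0.113.0/24"  # the ISP range that address belongs to
NEW_LEASE = "203.0.113.200"           # address the user might get tomorrow
# Assumption: an unused address on the gateway's own LAN. Windows rejects a
# next hop that is not on a directly connected network.
DEAD_GATEWAY = "192.168.1.254"


def blackhole_route(target, dead_gateway=DEAD_GATEWAY):
    """Build a persistent Windows `route` command that sends `target`
    (a bare IP or a CIDR netblock) to a next hop that never answers."""
    # A bare IP parses as a /32, i.e. mask 255.255.255.255.
    # Raises ValueError for malformed input such as an octet above 255.
    net = ipaddress.ip_network(target, strict=False)
    gw = ipaddress.ip_address(dead_gateway)
    return "route -p add {} mask {} {}".format(
        net.network_address, net.netmask, gw)


def is_covered(address, blocked):
    """True if `address` falls inside any network listed in `blocked`."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(b, strict=False) for b in blocked)


def compare():
    """Show what each choice blocks today and after an address change."""
    result = {}
    for label, target in (("host", HOME_FIXED_IP),
                          ("netblock", HOME_ISP_NETBLOCK)):
        result[label] = {
            "command": blackhole_route(target),
            "blocks_current_ip": is_covered(HOME_FIXED_IP, [target]),
            "blocks_new_lease": is_covered(NEW_LEASE, [target]),
        }
    return result


if __name__ == "__main__":
    for label, info in compare().items():
        print(label, info)
```

The generated command is meant for the gateway rather than the client, for the reason given in the thread: a route set on the workstation disappears when it is booted from other media.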