prevent users using remote desktop



Even if you blocked the exe from running, or blocked the port this will not actually stop anyone with half a brain ;)

Since they could just use VNC, or for that matter a Java-based remote desktop client, etc. Even if you block the ports, they could just use another one -- a required-to-be-open port like 80 or 443, etc.

Once you have a user that has some basic understanding of how this stuff works -- stopping them is, like I stated before, an uphill battle.

Sure you can block mstsc from running, that will stop them for about 2 minutes if you're lucky ;) Maybe a day while they change how they are accessing their remote machine ;)

Good Luck is about all I can tell you -- preventing someone with the correct skill set from creating a tunnel out of your network is near impossible.

One option would be to really, really lock down their computers with a GPO so that nothing is available to them except what is needed to do their jobs. SteadyState does a great job with this, but I've not tried it in a domain environment (if it will even run inside one).

EDIT: The point here is to stop them bringing in some other client from the web or a removable drive etc, after you have blocked mstsc. Obviously if they are local admins you may have trouble still ;)

And then you just boot a liveCD and remote to the machine that way.. So you have to lock down the machine from booting from removable media as well.

Your best bet when up against someone with the know-how to tunnel is, as already stated, "policy". If you catch them at it they get fired sort of thing.

What might slow them down some is if you block the netblock their home ISP is on. They would then have to have a different outside server to tunnel to, etc. Which could be an issue for some users to get around.

  BudMan said:
Your best bet when up against someone with the know-how to tunnel is, as already stated, "policy". If you catch them at it they get fired sort of thing.

Completely agree.

  BudMan said:
What might slow them down some is if you block the netblock their home ISP is on. They would then have to have a different outside server to tunnel to, etc. Which could be an issue for some users to get around.

This is a damn fine idea!

  BudMan said:
What might slow them down some is if you block the netblock their home ISP is on. They would then have to have a different outside server to tunnel to, etc. Which could be an issue for some users to get around.

How would one go about this?

I know the ISP of the home user :)

or even better, I know the home fixed IP :)

I would suggest you block his ISP's whole netblock, since he could just get a different IP from tomorrow, etc.. Doing it at the client is a bad idea -- since a boot of some liveCD removes anything you might have done there.. But sure if they are not as bright as we are making them out to be -- then just put a simple static route on his client to point that address or range to never-never land.

But best to do it at the gateway. You said you're using SBS2003, but only have the standard (no ISA) using just ICS I assume? Then you could just put the static route on that server. Now nobody is getting there ;)

  BudMan said:
But best to do it at the gateway. You said you're using SBS2003, but only have the standard (no ISA) using just ICS I assume? Then you could just put the static route on that server. Now nobody is getting there ;)

I think it's all done in Routing and Remote Access?

Let's say the destination machine is 123.456.789.0

I create a static route:

Destination: 123.456.789.0

Network Mask: 255.255.255.255 (this correct?)

Gateway: <server IP> (if I want to redirect him back to SharePoint homepage??)

Thanks in advance..
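
Added example, not part of the original thread: a Python sketch that works out the destination and mask for the host route asked about above and for the whole-netblock route suggested earlier, and checks which of the two still matches once the ISP hands out a new address. The addresses are constructed (203.0.113.0/24 is a documentation range), SINK is a hypothetical unused LAN address, and the generated line uses the Windows `route` command syntax.

```python
import ipaddress

# Constructed values: 203.0.113.0/24 is a documentation range standing in for
# the home ISP's netblock; SINK is a hypothetical unused LAN address.
HOME_IP = "203.0.113.45"
ISP_BLOCK = "203.0.113.0/24"
SINK = "192.168.16.250"


def route_entry(target, gateway=SINK):
    """Return (destination, mask, command) for a static route covering target.

    target is one IPv4 address or a CIDR netblock; a bare address becomes a
    /32 host route, i.e. mask 255.255.255.255.
    """
    # strict=True rejects out-of-range octets and host bits set in a netblock
    net = ipaddress.IPv4Network(target, strict=True)
    gw = ipaddress.IPv4Address(gateway)
    if gw in net:
        raise ValueError("gateway lies inside the range being routed away")
    dest, mask = str(net.network_address), str(net.netmask)
    # Windows route.exe syntax; -p keeps the route across reboots
    return dest, mask, f"route -p add {dest} mask {mask} {gw}"


def covered(target, address):
    """True if the route for target would also match address."""
    return ipaddress.IPv4Address(address) in ipaddress.IPv4Network(target)


if __name__ == "__main__":
    for target in (HOME_IP, ISP_BLOCK):
        dest, mask, cmd = route_entry(target)
        # 203.0.113.77 models the address handed out after a new lease
        print(f"{cmd}    matches new address: {covered(target, '203.0.113.77')}")
    try:
        route_entry("123.456.789.0")  # the thread's placeholder is not a valid IPv4 address
    except ValueError as err:
        print("rejected:", err)
```

A route only changes forwarding on the machine that holds it, so the same entry placed on the gateway covers every client behind it.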
