Sign in with
Sign up | Sign in
Your question

remote desktop policy

Last response: in Windows 2000/NT
Share
Anonymous
February 23, 2005 1:01:10 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

win2000 server and clients
what is the best procedure for preventing remote desktop connections between
both workstation-workstation and workstation-server?
I assume there are policies in the GPO and within the actual software itself?

Will this work if the remote deskotp software is being run from software on
a mobile disk?

thanks 4 any advice

More about : remote desktop policy

Anonymous
February 24, 2005 12:44:17 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Computer Configuration
Windows
Security Settings
Local Policies
User Rights Assignment
Allow log on through Terminal Services - turn on the
check mark for "Define these policy settings" but leave the list of user and
groups empty
Deny log on through Terminal Services - turn on the
check mark for "Define these policy settings" and add Everyone to the list
of users and groups

Computer Configuration
Administrative Templates
Windows Components
Terminal Services
Allow users to connect remotely using Terminal Services -
Disable

This should cause all of the computers that have these settings applied (via
GPO) to reject any attempt to log on to them using the Microsoft Remote
Desktop Client (or the older Terminal Services client).

These policies affect the computer that the attempt to connect remotely is
targeted at (that is, the Terminal Services component), on both servers and
workstations (Windows 2000 SP2 or later).

The Remote Desktop Client itself doesn't have any settings to control which
computer it can be targetted at. I suppose you could remove the Remote
Desktop Client (mstsc.exe) from the computers so no one can use it, but if
all the servers and workstations reject the connection attempt, this would
be unnecessary. If the users are administrators on their workstations, then
they could just re-install it. I'm not sure what you mean exactly by
"mobile disk", but in any case, the lock down is on the target computer, not
the source computer, so it doesn't matter where the Remote Desktop Client
software is located.

I'm not sure why exactly one would want to do this. The ability of
administrators to connect to computers remotely, especially servers, is very
valuable. Windows 2003 Server comes with this ability installed by default
(equivalent to the Windows 2000 Terminal Services in Remote Administration
Mode) - the settings above would render this inoperable. For example, all
of our servers are in a remote basement with very tight physical security;
we do all of our administration remotely using the Remote Desktop Client -
in fact, I've never actually physically seen them. Remotely connecting to
workstations is very useful for tracking down problems, installing or
configuring software etc. With workstations in 20 odd remote locations (some
hundreds of miles away), we find it an essential capability. By
appropriately configuring the settings above, you can restrict the ability
to connect remotely to a single user account or a group (of administrators).

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
news:7D2ED97D-BEA8-4B68-96A0-11771DC4F413@microsoft.com...
> win2000 server and clients
> what is the best procedure for preventing remote desktop connections
> between
> both workstation-workstation and workstation-server?
> I assume there are policies in the GPO and within the actual software
> itself?
>
> Will this work if the remote deskotp software is being run from software
> on
> a mobile disk?
>
> thanks 4 any advice
Anonymous
February 24, 2005 4:31:02 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks for the excellent answer, but I dont appear to have the terminal
services option in my GPO. Is there an extra ADM that needs installing?

The reason we are doing is that we are a school and the users are of course
very restricted. I want to access the servers from clients sometimes (so can
I just add domain admin as an allowed user?), but students have been getting
hold of 3rd party remote desktop software and taking control of other
workstations.


Thanks

"Bruce Sanderson" wrote:

> Computer Configuration
> Windows
> Security Settings
> Local Policies
> User Rights Assignment
> Allow log on through Terminal Services - turn on the
> check mark for "Define these policy settings" but leave the list of user and
> groups empty
> Deny log on through Terminal Services - turn on the
> check mark for "Define these policy settings" and add Everyone to the list
> of users and groups
>
> Computer Configuration
> Administrative Templates
> Windows Components
> Terminal Services
> Allow users to connect remotely using Terminal Services -
> Disable
>
> This should cause all of the computers that have these settings applied (via
> GPO) to reject any attempt to log on to them using the Microsoft Remote
> Desktop Client (or the older Terminal Services client).
>
> These policies affect the computer that the attempt to connect remotely is
> targeted at (that is, the Terminal Services component), on both servers and
> workstations (Windows 2000 SP2 or later).
>
> The Remote Desktop Client itself doesn't have any settings to control which
> computer it can be targetted at. I suppose you could remove the Remote
> Desktop Client (mstsc.exe) from the computers so no one can use it, but if
> all the servers and workstations reject the connection attempt, this would
> be unnecessary. If the users are administrators on their workstations, then
> they could just re-install it. I'm not sure what you mean exactly by
> "mobile disk", but in any case, the lock down is on the target computer, not
> the source computer, so it doesn't matter where the Remote Desktop Client
> software is located.
>
> I'm not sure why exactly one would want to do this. The ability of
> administrators to connect to computers remotely, especially servers, is very
> valuable. Windows 2003 Server comes with this ability installed by default
> (equivalent to the Windows 2000 Terminal Services in Remote Administration
> Mode) - the settings above would render this inoperable. For example, all
> of our servers are in a remote basement with very tight physical security;
> we do all of our administration remotely using the Remote Desktop Client -
> in fact, I've never actually physically seen them. Remotely connecting to
> workstations is very useful for tracking down problems, installing or
> configuring software etc. With workstations in 20 odd remote locations (some
> hundreds of miles away), we find it an essential capability. By
> appropriately configuring the settings above, you can restrict the ability
> to connect remotely to a single user account or a group (of administrators).
>
> --
> Bruce Sanderson MVP Printing
> http://members.shaw.ca/bsanders
>
> It is perfectly useless to know the right answer to the wrong question.
>
>
>
> "Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
> news:7D2ED97D-BEA8-4B68-96A0-11771DC4F413@microsoft.com...
> > win2000 server and clients
> > what is the best procedure for preventing remote desktop connections
> > between
> > both workstation-workstation and workstation-server?
> > I assume there are policies in the GPO and within the actual software
> > itself?
> >
> > Will this work if the remote deskotp software is being run from software
> > on
> > a mobile disk?
> >
> > thanks 4 any advice
>
>
>
Anonymous
February 26, 2005 11:49:31 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

The setting in Local Policies is available for Windows 2000 SP2 or later.

The setting in Administrative Templates, Windows Components is available for
Windows XP and Windows 2003 or later. Sorry, I should have checked that
before making my post.

However, none of these settings will have any affect on third party remote
control software - they apply only to features built into Windows.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
news:6DA72642-FCA5-449C-A20A-0E530B729CFA@microsoft.com...
> Thanks for the excellent answer, but I dont appear to have the terminal
> services option in my GPO. Is there an extra ADM that needs installing?
>
> The reason we are doing is that we are a school and the users are of
> course
> very restricted. I want to access the servers from clients sometimes (so
> can
> I just add domain admin as an allowed user?), but students have been
> getting
> hold of 3rd party remote desktop software and taking control of other
> workstations.
>
>
> Thanks
>
> "Bruce Sanderson" wrote:
>
>> Computer Configuration
>> Windows
>> Security Settings
>> Local Policies
>> User Rights Assignment
>> Allow log on through Terminal Services - turn on the
>> check mark for "Define these policy settings" but leave the list of user
>> and
>> groups empty
>> Deny log on through Terminal Services - turn on the
>> check mark for "Define these policy settings" and add Everyone to the
>> list
>> of users and groups
>>
>> Computer Configuration
>> Administrative Templates
>> Windows Components
>> Terminal Services
>> Allow users to connect remotely using Terminal Services -
>> Disable
>>
>> This should cause all of the computers that have these settings applied
>> (via
>> GPO) to reject any attempt to log on to them using the Microsoft Remote
>> Desktop Client (or the older Terminal Services client).
>>
>> These policies affect the computer that the attempt to connect remotely
>> is
>> targeted at (that is, the Terminal Services component), on both servers
>> and
>> workstations (Windows 2000 SP2 or later).
>>
>> The Remote Desktop Client itself doesn't have any settings to control
>> which
>> computer it can be targetted at. I suppose you could remove the Remote
>> Desktop Client (mstsc.exe) from the computers so no one can use it, but
>> if
>> all the servers and workstations reject the connection attempt, this
>> would
>> be unnecessary. If the users are administrators on their workstations,
>> then
>> they could just re-install it. I'm not sure what you mean exactly by
>> "mobile disk", but in any case, the lock down is on the target computer,
>> not
>> the source computer, so it doesn't matter where the Remote Desktop Client
>> software is located.
>>
>> I'm not sure why exactly one would want to do this. The ability of
>> administrators to connect to computers remotely, especially servers, is
>> very
>> valuable. Windows 2003 Server comes with this ability installed by
>> default
>> (equivalent to the Windows 2000 Terminal Services in Remote
>> Administration
>> Mode) - the settings above would render this inoperable. For example,
>> all
>> of our servers are in a remote basement with very tight physical
>> security;
>> we do all of our administration remotely using the Remote Desktop
>> Client -
>> in fact, I've never actually physically seen them. Remotely connecting
>> to
>> workstations is very useful for tracking down problems, installing or
>> configuring software etc. With workstations in 20 odd remote locations
>> (some
>> hundreds of miles away), we find it an essential capability. By
>> appropriately configuring the settings above, you can restrict the
>> ability
>> to connect remotely to a single user account or a group (of
>> administrators).
>>
>> --
>> Bruce Sanderson MVP Printing
>> http://members.shaw.ca/bsanders
>>
>> It is perfectly useless to know the right answer to the wrong question.
>>
>>
>>
>> "Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
>> news:7D2ED97D-BEA8-4B68-96A0-11771DC4F413@microsoft.com...
>> > win2000 server and clients
>> > what is the best procedure for preventing remote desktop connections
>> > between
>> > both workstation-workstation and workstation-server?
>> > I assume there are policies in the GPO and within the actual software
>> > itself?
>> >
>> > Will this work if the remote deskotp software is being run from
>> > software
>> > on
>> > a mobile disk?
>> >
>> > thanks 4 any advice
>>
>>
>>
!