remote desktop policy

Archived from groups: microsoft.public.win2000.group_policy

win2000 server and clients
what is the best procedure for preventing remote desktop connections between
both workstation-workstation and workstation-server?
I assume there are policies in the GPO and within the actual software itself?

Will this work if the remote desktop software is being run from software on
a mobile disk?

thanks 4 any advice
  1.

    Computer Configuration
    Windows
    Security Settings
    Local Policies
    User Rights Assignment
    Allow log on through Terminal Services - turn on the
    check mark for "Define these policy settings" but leave the list of user and
    groups empty
    Deny log on through Terminal Services - turn on the
    check mark for "Define these policy settings" and add Everyone to the list
    of users and groups

    Computer Configuration
    Administrative Templates
    Windows Components
    Terminal Services
    Allow users to connect remotely using Terminal Services -
    Disable

    This should cause all of the computers that have these settings applied (via
    GPO) to reject any attempt to log on to them using the Microsoft Remote
    Desktop Client (or the older Terminal Services client).

    These policies affect the computer that the attempt to connect remotely is
    targeted at (that is, the Terminal Services component), on both servers and
    workstations (Windows 2000 SP2 or later).

    The Remote Desktop Client itself doesn't have any settings to control which
    computer it can be targeted at. I suppose you could remove the Remote
    Desktop Client (mstsc.exe) from the computers so no one can use it, but if
    all the servers and workstations reject the connection attempt, this would
    be unnecessary. If the users are administrators on their workstations, then
    they could just re-install it. I'm not sure what you mean exactly by
    "mobile disk", but in any case, the lock down is on the target computer, not
    the source computer, so it doesn't matter where the Remote Desktop Client
    software is located.

    I'm not sure why exactly one would want to do this. The ability of
    administrators to connect to computers remotely, especially servers, is very
    valuable. Windows 2003 Server comes with this ability installed by default
    (equivalent to the Windows 2000 Terminal Services in Remote Administration
    Mode) - the settings above would render this inoperable. For example, all
    of our servers are in a remote basement with very tight physical security;
    we do all of our administration remotely using the Remote Desktop Client -
    in fact, I've never actually physically seen them. Remotely connecting to
    workstations is very useful for tracking down problems, installing or
    configuring software etc. With workstations in 20 odd remote locations (some
    hundreds of miles away), we find it an essential capability. By
    appropriately configuring the settings above, you can restrict the ability
    to connect remotely to a single user account or a group (of administrators).

    --
    Bruce Sanderson MVP Printing
    http://members.shaw.ca/bsanders

    It is perfectly useless to know the right answer to the wrong question.


    "Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
    news:7D2ED97D-BEA8-4B68-96A0-11771DC4F413@microsoft.com...
    > win2000 server and clients
    > what is the best procedure for preventing remote desktop connections
    > between
    > both workstation-workstation and workstation-server?
    > I assume there are policies in the GPO and within the actual software
    > itself?
    >
    > Will this work if the remote desktop software is being run from software
    > on
    > a mobile disk?
    >
    > thanks 4 any advice
  2.

    Thanks for the excellent answer, but I don't appear to have the terminal
    services option in my GPO. Is there an extra ADM that needs installing?

    The reason we are doing this is that we are a school and the users are of course
    very restricted. I want to access the servers from clients sometimes (so can
    I just add domain admin as an allowed user?), but students have been getting
    hold of 3rd party remote desktop software and taking control of other
    workstations.


    Thanks

    "Bruce Sanderson" wrote:

    > Computer Configuration
    > Windows
    > Security Settings
    > Local Policies
    > User Rights Assignment
    > Allow log on through Terminal Services - turn on the
    > check mark for "Define these policy settings" but leave the list of user and
    > groups empty
    > Deny log on through Terminal Services - turn on the
    > check mark for "Define these policy settings" and add Everyone to the list
    > of users and groups
    >
    > Computer Configuration
    > Administrative Templates
    > Windows Components
    > Terminal Services
    > Allow users to connect remotely using Terminal Services -
    > Disable
    >
    > This should cause all of the computers that have these settings applied (via
    > GPO) to reject any attempt to log on to them using the Microsoft Remote
    > Desktop Client (or the older Terminal Services client).
    >
    > These policies affect the computer that the attempt to connect remotely is
    > targeted at (that is, the Terminal Services component), on both servers and
    > workstations (Windows 2000 SP2 or later).
    >
    > The Remote Desktop Client itself doesn't have any settings to control which
    > computer it can be targeted at. I suppose you could remove the Remote
    > Desktop Client (mstsc.exe) from the computers so no one can use it, but if
    > all the servers and workstations reject the connection attempt, this would
    > be unnecessary. If the users are administrators on their workstations, then
    > they could just re-install it. I'm not sure what you mean exactly by
    > "mobile disk", but in any case, the lock down is on the target computer, not
    > the source computer, so it doesn't matter where the Remote Desktop Client
    > software is located.
    >
    > I'm not sure why exactly one would want to do this. The ability of
    > administrators to connect to computers remotely, especially servers, is very
    > valuable. Windows 2003 Server comes with this ability installed by default
    > (equivalent to the Windows 2000 Terminal Services in Remote Administration
    > Mode) - the settings above would render this inoperable. For example, all
    > of our servers are in a remote basement with very tight physical security;
    > we do all of our administration remotely using the Remote Desktop Client -
    > in fact, I've never actually physically seen them. Remotely connecting to
    > workstations is very useful for tracking down problems, installing or
    > configuring software etc. With workstations in 20 odd remote locations (some
    > hundreds of miles away), we find it an essential capability. By
    > appropriately configuring the settings above, you can restrict the ability
    > to connect remotely to a single user account or a group (of administrators).
    >
    > --
    > Bruce Sanderson MVP Printing
    > http://members.shaw.ca/bsanders
    >
    > It is perfectly useless to know the right answer to the wrong question.
    >
    >
    >
    > "Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
    > news:7D2ED97D-BEA8-4B68-96A0-11771DC4F413@microsoft.com...
    > > win2000 server and clients
    > > what is the best procedure for preventing remote desktop connections
    > > between
    > > both workstation-workstation and workstation-server?
    > > I assume there are policies in the GPO and within the actual software
    > > itself?
    > >
    > > Will this work if the remote desktop software is being run from software
    > > on
    > > a mobile disk?
    > >
    > > thanks 4 any advice
    >
    >
    >
  3.

    The setting in Local Policies is available for Windows 2000 SP2 or later.

    The setting in Administrative Templates, Windows Components is available for
    Windows XP and Windows 2003 or later. Sorry, I should have checked that
    before making my post.

    However, none of these settings will have any effect on third party remote
    control software - they apply only to features built into Windows.

    --
    Bruce Sanderson MVP Printing
    http://members.shaw.ca/bsanders

    It is perfectly useless to know the right answer to the wrong question.


    "Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
    news:6DA72642-FCA5-449C-A20A-0E530B729CFA@microsoft.com...
    > Thanks for the excellent answer, but I don't appear to have the terminal
    > services option in my GPO. Is there an extra ADM that needs installing?
    >
    > The reason we are doing this is that we are a school and the users are of
    > course
    > very restricted. I want to access the servers from clients sometimes (so
    > can
    > I just add domain admin as an allowed user?), but students have been
    > getting
    > hold of 3rd party remote desktop software and taking control of other
    > workstations.
    >
    >
    > Thanks
    >
    > "Bruce Sanderson" wrote:
    >
    >> Computer Configuration
    >> Windows
    >> Security Settings
    >> Local Policies
    >> User Rights Assignment
    >> Allow log on through Terminal Services - turn on the
    >> check mark for "Define these policy settings" but leave the list of user
    >> and
    >> groups empty
    >> Deny log on through Terminal Services - turn on the
    >> check mark for "Define these policy settings" and add Everyone to the
    >> list
    >> of users and groups
    >>
    >> Computer Configuration
    >> Administrative Templates
    >> Windows Components
    >> Terminal Services
    >> Allow users to connect remotely using Terminal Services -
    >> Disable
    >>
    >> This should cause all of the computers that have these settings applied
    >> (via
    >> GPO) to reject any attempt to log on to them using the Microsoft Remote
    >> Desktop Client (or the older Terminal Services client).
    >>
    >> These policies affect the computer that the attempt to connect remotely
    >> is
    >> targeted at (that is, the Terminal Services component), on both servers
    >> and
    >> workstations (Windows 2000 SP2 or later).
    >>
    >> The Remote Desktop Client itself doesn't have any settings to control
    >> which
    >> computer it can be targeted at. I suppose you could remove the Remote
    >> Desktop Client (mstsc.exe) from the computers so no one can use it, but
    >> if
    >> all the servers and workstations reject the connection attempt, this
    >> would
    >> be unnecessary. If the users are administrators on their workstations,
    >> then
    >> they could just re-install it. I'm not sure what you mean exactly by
    >> "mobile disk", but in any case, the lock down is on the target computer,
    >> not
    >> the source computer, so it doesn't matter where the Remote Desktop Client
    >> software is located.
    >>
    >> I'm not sure why exactly one would want to do this. The ability of
    >> administrators to connect to computers remotely, especially servers, is
    >> very
    >> valuable. Windows 2003 Server comes with this ability installed by
    >> default
    >> (equivalent to the Windows 2000 Terminal Services in Remote
    >> Administration
    >> Mode) - the settings above would render this inoperable. For example,
    >> all
    >> of our servers are in a remote basement with very tight physical
    >> security;
    >> we do all of our administration remotely using the Remote Desktop
    >> Client -
    >> in fact, I've never actually physically seen them. Remotely connecting
    >> to
    >> workstations is very useful for tracking down problems, installing or
    >> configuring software etc. With workstations in 20 odd remote locations
    >> (some
    >> hundreds of miles away), we find it an essential capability. By
    >> appropriately configuring the settings above, you can restrict the
    >> ability
    >> to connect remotely to a single user account or a group (of
    >> administrators).
    >>
    >> --
    >> Bruce Sanderson MVP Printing
    >> http://members.shaw.ca/bsanders
    >>
    >> It is perfectly useless to know the right answer to the wrong question.
    >>
    >>
    >>
    >> "Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
    >> news:7D2ED97D-BEA8-4B68-96A0-11771DC4F413@microsoft.com...
    >> > win2000 server and clients
    >> > what is the best procedure for preventing remote desktop connections
    >> > between
    >> > both workstation-workstation and workstation-server?
    >> > I assume there are policies in the GPO and within the actual software
    >> > itself?
    >> >
    >> > Will this work if the remote desktop software is being run from
    >> > software
    >> > on
    >> > a mobile disk?
    >> >
    >> > thanks 4 any advice
    >>
    >>
    >>
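An added audit script (mine, not Bruce's or Microsoft's) that checks on the target computer whether the two policy items from the first reply have actually taken effect, and, following the caveat in the third reply that those settings only cover the built-in Terminal Services, lists every listening port with its owning process so a third-party remote-control tool is at least visible. It assumes a current Windows host with PowerShell 5 or later and local administrator rights; SeRemoteInteractiveLogonRight, SeDenyRemoteInteractiveLogonRight and fDenyTSConnections are the underlying constants the named policy items write.

```powershell
# Added audit script; not from the thread. Run it ON THE TARGET computer,
# since the lockdown lives there, not on the client.

function Get-PrivilegeRights {
    # secedit exports the effective User Rights Assignment as INI text, e.g.
    #   SeDenyRemoteInteractiveLogonRight = *S-1-1-0
    $cfg = Join-Path $env:TEMP 'rights-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

$rights = Get-PrivilegeRights
$allow  = $rights['SeRemoteInteractiveLogonRight']      # "Allow log on through ..."
$deny   = $rights['SeDenyRemoteInteractiveLogonRight']  # "Deny log on through ..."

# "Allow users to connect remotely ..." = Disabled writes fDenyTSConnections=1
# under Policies; the Control\Terminal Server copy is the local (non-GPO) state.
$policyDeny = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'fDenyTSConnections'
$localDeny  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'

[pscustomobject]@{
    AllowRightIsEmpty    = (-not $allow)                    # list left empty
    DenyRightHasEveryone = ($deny -contains '*S-1-1-0')     # Everyone SID
    PolicyDeniesRdp      = ($policyDeny -eq 1)
    LocalDeniesRdp       = ($localDeny -eq 1)
    RdpPortListening     = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
}

# The GPO items govern only the built-in Terminal Services. Third-party
# remote-control tools appear as their own listeners, so list each listening
# port with its owning process and review anything that is not expected.
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort -Unique
```

A fully locked-down machine reports AllowRightIsEmpty, DenyRightHasEveryone and PolicyDeniesRdp as True; to keep administrative access as the second reply asks, the allow list carries the admin group's SID instead and that group is absent from the deny list.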