How can I prevent a TS user from TS or RDP to another server?

Archived from groups: microsoft.public.win2000.security (More info?)

Big Picture

How can I prevent a TS user from TS or RDP to another server?


Scenario:

Users (vendors) log into my organization via VPN. They are set up on the VPN
under a group which has access only to one machine and back via RDP (i.e. the
Microsoft group has access to the Microsoft server box; now we set up John on
the Microsoft group and he has only RDP access to the Win2KSVR). In order
for them to get into the Win2KSVR they are also set up on the network as jdoe
(Domain Admins), and that's the way he logs into the Win2KSVR.


Concern:

John VPN'd into the organization and RDP'd to Win2KSVR, did what he needed to do,
and opened Network Neighborhood and saw all the servers we have. Now he
wants to browse and log into the boxes he has no need of logging into.


Question:

How can I prevent a user from logging into another machine via TS or RDP when
they are logged into a machine via TS or RDP?
4 answers

  1.

    So he's a Domain Admin but you don't want him administering your domain?
    Maybe I don't understand...


    "GX" <GX@DOMAIN.com> wrote in message
    news:9CdOc.333$Hu2.108@tornado.tampabay.rr.com...
  2.

    Hi,

    I am not sure how many (TS) servers you have and how practical this is for
    you, but you can do this by managing the permission "Allow logon through
    Terminal Services". This is a group policy setting. You can also open
    "Terminal Services Configuration", right-click on RDP-TCP and select
    Properties. Click on the Security tab and assign your "guest" user Deny
    permission.

    Last option that comes to mind -- again, I don't know how convenient this is
    for you. Set up your TS server in a DMZ and deny access from the DMZ to the
    LAN on the TS TCP port (TCP port 3389).

    I hope this helps,

    Mike

    "GX" <GX@DOMAIN.com> wrote in message
    news:9CdOc.333$Hu2.108@tornado.tampabay.rr.com...
  3.

    Sorry, let me try to make it clear...

    These people are contractors/vendors (i.e. Cisco engineers hired to
    troubleshoot a Win2KSVR box with CallManager installed on it); they VPN into
    my workplace and then they can TS or RDP to the specific designated server.
    So I just want them to be able to TS or RDP to this box only, and if they
    try to open a TS or RDP to another box it would be restricted.
    The problem is that they have to be Domain Admins in order to manage this
    box. So, is there any way to actually include this user in an OU, let's say
    "Vendors", and manage the Terminal Server connection or Remote Desktop
    Connection via a GPO setting or so?

    Thank you very much....

    Hector


    "Colin Nash [MVP]" <cnash x@x mvps.org> wrote in message
    news:e1hc0obdEHA.244@TK2MSFTNGP12.phx.gbl...
    > So he's a Domain Admin but you don't want him administering your domain?
    > Maybe I don't understand...
  4.

    And why do they need to be a Domain Admin in order to
    do things on that one server?
    If in fact they need Domain Admin it would be because
    they also need to do things on other servers, or to the
    definitions of your domain at the controllers.
    If that is so, it would seem your concern about them going
    around in your domain is ill-founded. You have given them
    Domain Admin so that they can do that.
    On the other hand, if they only need to be local administrators
    on the one server, then you can use standard methods of the
    domain user account given them, that is an admin on that one
    server, to control where that domain user account may be used.
    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "John Smith" <someone@microsoft.com> wrote in message
    news:6JiOc.16033$DZ.1345900@twister.tampabay.rr.com...
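The two controls the replies above describe, the account-level restriction Roger Abell points to and Mike's "Deny log on through Terminal Services" right, as an added PowerShell example that is not part of the thread. It assumes a current domain with the RSAT ActiveDirectory module and PowerShell remoting to the target server, the account jdoe and server Win2KSVR named in the thread, and an OU and a domain group both called Vendors, which are assumptions.

```powershell
# Added example (not from the thread): confine the vendor account to one server
# without leaving it in Domain Admins. Assumes RSAT's ActiveDirectory module,
# PowerShell remoting to the server, and an assumed OU/group named "Vendors".
Import-Module ActiveDirectory

$Vendor    = 'jdoe'                            # account named in the thread
$Server    = 'WIN2KSVR'                        # server named in the thread
$VendorOU  = 'OU=Vendors,DC=example,DC=com'    # assumed OU
$VendorGrp = 'Vendors'                         # assumed domain group

# 1. Place the account in a dedicated OU and group so policy can target it.
Move-ADObject -Identity (Get-ADUser $Vendor).DistinguishedName -TargetPath $VendorOU
Add-ADGroupMember -Identity $VendorGrp -Members $Vendor

# 2. Account-level control (Roger's point): the "Log On To" list limits the
#    computers this domain account can log on to at all, console or RDP.
Set-ADUser -Identity $Vendor -LogonWorkstations $Server

# 3. Replace Domain Admins membership with local Administrators on that one
#    server; a Domain Admin could simply undo every restriction here.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $Vendor -Confirm:$false
Invoke-Command -ComputerName $Server -ArgumentList $Vendor -ScriptBlock {
    param($u)
    Add-LocalGroupMember -Group 'Administrators' -Member "$env:USERDOMAIN\$u"
}

# 4. Defence in depth (Mike's GPO approach): on every server the vendor must
#    NOT reach, give the Vendors group "Deny log on through Terminal Services".
#    Shown as a local security template applied with secedit on such a server;
#    the same setting belongs in a domain GPO linked to those servers' OU.
$sid = (Get-ADGroup $VendorGrp).SID.Value
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyRemoteInteractiveLogonRight = *SID_PLACEHOLDER
'@ -replace 'SID_PLACEHOLDER', $sid
$inf | Out-File "$env:TEMP\deny-rdp.inf" -Encoding unicode
secedit /configure /db "$env:TEMP\deny-rdp.sdb" /cfg "$env:TEMP\deny-rdp.inf" /areas USER_RIGHTS

# 5. Verify the account's effective restrictions.
Get-ADUser $Vendor -Properties LogonWorkstations, MemberOf |
    Select-Object SamAccountName, LogonWorkstations, MemberOf
```

Step 4 runs on each server the vendor must not reach (or is pushed by GPO); while the account remains in Domain Admins none of these restrictions hold, which is the point of Roger's reply.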