Sign in with
Sign up | Sign in
Your question

How can I prevent a TS user from TS or RDP to another serv..

Last response: in Windows 2000/NT
Share
Anonymous
July 30, 2004 1:03:01 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Big Picture

How can I prevent a TS user from TS or RDP to another server?



Scenario:

Users (Vendors) log into my organization via VPN. They are setup on the VPN
under a group which has only access to one machine and back via RDP. (i.e.
Microsoft Group has access to the Microsoft Server Box, now we setup John on
the Microsoft group and he has only RDP access to the Win2KSVR). In order
for them to get into the Win2KSVR they are also setup on the network as jdoe
(Domain Admins) and that's the way he log into the Win2KSVR.



Concern:

John VPN into organization and RDP to Win2KSVR did what he needed to do and
opened the network neighborhood and saw all the servers we have. Now he
wants to browse and log into the boxes he has no need in loging in.



Question:

How can I prevent a user from login into another machine via TS or RDP when
they are login into a machine via TS or RDP?

More about : prevent user rdp serv

Anonymous
July 30, 2004 1:03:02 AM

Archived from groups: microsoft.public.win2000.security (More info?)

So he's a Domain Admin but you don't want him administering your domain?
Maybe I don't understand...


"GX" <GX@DOMAIN.com> wrote in message
news:9CdOc.333$Hu2.108@tornado.tampabay.rr.com...
> Big Picture
>
> How can I prevent a TS user from TS or RDP to another server?
>
>
>
> Scenario:
>
> Users (Vendors) log into my organization via VPN. They are setup on the
> VPN
> under a group which has only access to one machine and back via RDP. (i.e.
> Microsoft Group has access to the Microsoft Server Box, now we setup John
> on
> the Microsoft group and he has only RDP access to the Win2KSVR). In order
> for them to get into the Win2KSVR they are also setup on the network as
> jdoe
> (Domain Admins) and that's the way he log into the Win2KSVR.
>
>
>
> Concern:
>
> John VPN into organization and RDP to Win2KSVR did what he needed to do
> and
> opened the network neighborhood and saw all the servers we have. Now he
> wants to browse and log into the boxes he has no need in loging in.
>
>
>
> Question:
>
> How can I prevent a user from login into another machine via TS or RDP
> when
> they are login into a machine via TS or RDP?
>
>
Anonymous
July 30, 2004 3:12:50 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

I am not sure how many (TS) servers you have and how practical this is for
you, but you can do this by managing permissions "Allow logon through
Terminal Services". This is a group policy setting. You can also open
"Terminal Services Configuration" right click on RDP-TCP and select
Properties. Click on Security tab and assign your "guest" user Deny
permission.

Last option that comes to mind -- again I don't know how convenient this is
for you. Setup your TS server in DMZ and deny access from DMZ to LAN on TS
TCP port (TCP port 3389).

I hope this helps,

Mike

"GX" <GX@DOMAIN.com> wrote in message
news:9CdOc.333$Hu2.108@tornado.tampabay.rr.com...
> Big Picture
>
> How can I prevent a TS user from TS or RDP to another server?
>
>
>
> Scenario:
>
> Users (Vendors) log into my organization via VPN. They are setup on the
VPN
> under a group which has only access to one machine and back via RDP. (i.e.
> Microsoft Group has access to the Microsoft Server Box, now we setup John
on
> the Microsoft group and he has only RDP access to the Win2KSVR). In order
> for them to get into the Win2KSVR they are also setup on the network as
jdoe
> (Domain Admins) and that's the way he log into the Win2KSVR.
>
>
>
> Concern:
>
> John VPN into organization and RDP to Win2KSVR did what he needed to do
and
> opened the network neighborhood and saw all the servers we have. Now he
> wants to browse and log into the boxes he has no need in loging in.
>
>
>
> Question:
>
> How can I prevent a user from login into another machine via TS or RDP
when
> they are login into a machine via TS or RDP?
>
>
Related resources
Anonymous
July 30, 2004 6:51:46 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Sorry, let me try to make it clear...

These people are contractors/vendors (ie. Cisco Engineers hired to
troubleshoot Win2KSVR box with CallManager installaed on it), the VPN into
my workplace and then they can TS or RDP to the specific designated server.
So, I just want them to be able to TS or RDP to this box only and if they
try to open a TS or RDP to another box it would be restricted.
The problem is that they have to be Domain Admins in order to manage this
box. So, is there any way to actually include this user on a OU; let's say
"Vendors" and manage the Terminal Server connection or Remote Desktop
Connection via a GPO setting or so?

Thank you very much....

Hector




and
"Colin Nash [MVP]" <cnash x@x mvps.org> wrote in message
news:e1hc0obdEHA.244@TK2MSFTNGP12.phx.gbl...
> So he's a Domain Admin but you don't want him administering your domain?
> Maybe I don't understand...
>
>
> "GX" <GX@DOMAIN.com> wrote in message
> news:9CdOc.333$Hu2.108@tornado.tampabay.rr.com...
> > Big Picture
> >
> > How can I prevent a TS user from TS or RDP to another server?
> >
> >
> >
> > Scenario:
> >
> > Users (Vendors) log into my organization via VPN. They are setup on the
> > VPN
> > under a group which has only access to one machine and back via RDP.
(i.e.
> > Microsoft Group has access to the Microsoft Server Box, now we setup
John
> > on
> > the Microsoft group and he has only RDP access to the Win2KSVR). In
order
> > for them to get into the Win2KSVR they are also setup on the network as
> > jdoe
> > (Domain Admins) and that's the way he log into the Win2KSVR.
> >
> >
> >
> > Concern:
> >
> > John VPN into organization and RDP to Win2KSVR did what he needed to do
> > and
> > opened the network neighborhood and saw all the servers we have. Now he
> > wants to browse and log into the boxes he has no need in loging in.
> >
> >
> >
> > Question:
> >
> > How can I prevent a user from login into another machine via TS or RDP
> > when
> > they are login into a machine via TS or RDP?
> >
> >
>
>
>
Anonymous
July 30, 2004 6:51:47 AM

Archived from groups: microsoft.public.win2000.security (More info?)

And why do they need to be a Domain Admin in order to
do things on that one server ?
If in fact they need Domain Admin it would be because
they also need to do things on other servers, or to the
definitions of your domain at the controllers.
If that is so, it would seem your concern about them going
around in your domain is ill-founded. You have given them
Domain Admin so that they can do that.
On the other hand, if they only need to be local administrators
on the one server, then you can use standard methods of the
domain user account given them, that is an admin on that one
server, to control where that domain user account may be used.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"John Smith" <someone@microsoft.com> wrote in message
news:6JiOc.16033$DZ.1345900@twister.tampabay.rr.com...
> Sorry, let me try to make it clear...
>
> These people are contractors/vendors (ie. Cisco Engineers hired to
> troubleshoot Win2KSVR box with CallManager installaed on it), the VPN into
> my workplace and then they can TS or RDP to the specific designated
server.
> So, I just want them to be able to TS or RDP to this box only and if they
> try to open a TS or RDP to another box it would be restricted.
> The problem is that they have to be Domain Admins in order to manage this
> box. So, is there any way to actually include this user on a OU; let's say
> "Vendors" and manage the Terminal Server connection or Remote Desktop
> Connection via a GPO setting or so?
>
> Thank you very much....
>
> Hector
>
>
>
>
> and
> "Colin Nash [MVP]" <cnash x@x mvps.org> wrote in message
> news:e1hc0obdEHA.244@TK2MSFTNGP12.phx.gbl...
> > So he's a Domain Admin but you don't want him administering your domain?
> > Maybe I don't understand...
> >
> >
> > "GX" <GX@DOMAIN.com> wrote in message
> > news:9CdOc.333$Hu2.108@tornado.tampabay.rr.com...
> > > Big Picture
> > >
> > > How can I prevent a TS user from TS or RDP to another server?
> > >
> > >
> > >
> > > Scenario:
> > >
> > > Users (Vendors) log into my organization via VPN. They are setup on
the
> > > VPN
> > > under a group which has only access to one machine and back via RDP.
> (i.e.
> > > Microsoft Group has access to the Microsoft Server Box, now we setup
> John
> > > on
> > > the Microsoft group and he has only RDP access to the Win2KSVR). In
> order
> > > for them to get into the Win2KSVR they are also setup on the network
as
> > > jdoe
> > > (Domain Admins) and that's the way he log into the Win2KSVR.
> > >
> > >
> > >
> > > Concern:
> > >
> > > John VPN into organization and RDP to Win2KSVR did what he needed to
do
> > > and
> > > opened the network neighborhood and saw all the servers we have. Now
he
> > > wants to browse and log into the boxes he has no need in loging in.
> > >
> > >
> > >
> > > Question:
> > >
> > > How can I prevent a user from login into another machine via TS or RDP
> > > when
> > > they are login into a machine via TS or RDP?
> > >
> > >
> >
> >
> >
>
>
!