prevent remote desktop connections

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

win2000 network

students are bringing in remote desktop software on disk and then gaining
control of other win2000 workstations. Is there not a simple setting in local
security or GPO or something that prevents all remote desktop connections?

please don't answer with 'use only allowed windows apps' in a GPO, as this
is not an option.

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

If they are gaining control of other workstations then you have a problem with
user group membership or passwords. You can use Domain Security Policy to
enforce that users use passwords, enforce the complexity, and maximum password
age. Other option are to disable file and print sharing on student computers or
change the user right for access this computer from the network to be only
domain admins for these computer. That can be done via Group Policy for specific
groups of computers such as those in an OU. Ipsec filtering policy can also be
configured via Group Policy to prevent student computers from accessing each
other but still allow access to domain controllers and authorized computers that
they need to access. The link below explains ipsec filtering more. --- Steve

http://www.securityfocus.com/infocus/1559

"Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
news:B7B221EF-556A-4B80-940A-56DB36E4709C@microsoft.com...
> win2000 network
>
> students are bringing in remote desktop software on disk and then gaining
> control of other win2000 workstations. Is there not a simple setting in local
> security or GPO or something that prevents all remote desktop connections?
>
> please don't answer with 'use only allowed windows apps' in a GPO, as this
> is not an option.

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

I am not sure if I understand you question and for a complete answer I could
use some more information.

Would you like to completely disable access to terminal services or would
you like to enable them just for few users?

If you would like to enable this only for few users (administrators), you
could create a group and add this group to "Allow logon locally" to GPO for
the server or on Windows XP and Windows 2003 server add this group to "Allow
access through Terminal Services". Any users that would not be member of
groups added to such policy would not be allowed to logon to server using
Terminal Service...

--
Mike
Microsoft MVP - Windows Security

"Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
news:B7B221EF-556A-4B80-940A-56DB36E4709C@microsoft.com...
> win2000 network
>
> students are bringing in remote desktop software on disk and then gaining
> control of other win2000 workstations. Is there not a simple setting in
> local
> security or GPO or something that prevents all remote desktop connections?
>
> please don't answer with 'use only allowed windows apps' in a GPO, as this
> is not an option.

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Fabrussio wrote:
> win2000 network
>
> students are bringing in remote desktop software on disk and then gaining
> control of other win2000 workstations. Is there not a simple setting in local
> security or GPO or something that prevents all remote desktop connections?
>
> please don't answer with 'use only allowed windows apps' in a GPO, as this
> is not an option.

1) Does your acceptable use policy forbid the running of non-authorised
software? If it doesn't, then it ought to. You then have a student
discipline issue which can be dealt with in the usual way, with any luck
management will regard it as a very serious offence.

2) You have no reason why they should run software from disks, therefore
use security policies to prevent them running applications from this
location (ditto anywhere else YOU haven't installed software).