Re: Controlling access to MSTSC.exe
- From: "Michael Hum" <MichaelHum@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 7 May 2005 10:06:02 -0700
I agree with your idea to restrict IP traffic at the port level with a
firewall, which would solve this problem. However, there will be other
programs (in the future) where I will need the ability to restrict by domain
group (i.e. here's a bad example, solitare.exe can only be run by the
managers).
So I "take it" there is no work-around for this Group Policy object setting
to allow/deny by domain group (short of creating multiple GPOs and filtering by
Domain group)?
Thanks for your help.
"Pegasus (MVP)" wrote:
> Restricting access to mstsc.exe is not really the answer -
> your consultants would soon realise that they can get
> around your restriction by renaming mstsc.exe to tsc.exe.
>
> A far more effective method would be to block RDP
> at your firewall. I use a simple Netgear FVS318 firewall,
> and it lets me block specified services for blocks of
> IP addresses. To prevent the consultants from moving
> to an RDP port other than 3389, you would probably
> have to block all traffic from their IP addresses with
> the exception of those ports that relate to activities
> that you permit, e.g. Internet access.
>
>
> "Michael Hum" <MichaelHum@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:6D0BD5DB-160F-4E6D-BA1F-2351B7F00705@xxxxxxxxxxxxxxxx
> > Hi,
> >
> > Yes we are restricting access to the servers by groups with a domain
> > level policy (i.e. who can connect via remote desktop to the servers).
> > However, and this is where the "twist" emerges... We have a group of
> > consultants working at our company who routinely connect to servers which
> > are physically located at their premises and are not administered by us. We've
> > been tasked to perform the role of "policemen", to prevent the MSTSC from
> > launching on the desktop (which is under our administration) to servers
> > which are not under our administration. I know what you're thinking, I
> > thought the same thing too.
> >
> > Michael
> >
> >
> > "Pegasus (MVP)" wrote:
> >
> > >
> > > "Michael Hum" <MichaelHum@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > > news:0C7BD084-94B4-4281-B84A-2F0502302844@xxxxxxxxxxxxxxxx
> > > > Hi,
> > > > I'm running a Windows 2003 environment with XP SP1 desktops. I'm
> > > > searching for a group policy object to control access to the "remote
> > > > desktop client" (mstsc.exe) on the XP workstations. Meaning, allow a specific
> > > > domain group the ability to launch "remote desktop client". I've tried the
> > > > "don't run specified Windows applications" in User Configuration\Administrative
> > > > Templates\System which works nicely to restrict the mstsc.exe from
> > > > "running". However, it does not allow restriction by groups. Does anyone
> > > > know of a custom ADM with the restrict application by group option? Or is
> > > > there a better method to control users from launching the mstsc.exe file?
> > > >
> > > > Help!
> > > >
> > > > Thanks,
> > > >
> > > > Michael
> > >
> > > Instead of preventing users from running mstsc.exe, you could
> > > set a domain policy on the server itself that allows only suitably
> > > authorised users to logon under RDP. It's one of the many
> > > domain policies available to you.
> > >
> > >
> > >
>
>
>
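
The "multiple GPOs filtered by domain group" workaround mentioned in this message, sketched as an added example that is not part of the original thread. It assumes a management host with the GroupPolicy PowerShell module (which postdates the Windows 2003 tooling discussed here); the GPO name, group name and OU are hypothetical placeholders.

```powershell
# Added example: GPO name, group and OU below are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName   = 'Block-MSTSC-Consultants'           # hypothetical GPO name
$DenyGroup = 'Consultants'                       # hypothetical domain group to restrict
$UsersOU   = 'OU=Staff,DC=example,DC=com'        # hypothetical OU holding the user accounts
$Explorer  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

New-GPO -Name $GpoName | Out-Null

# Registry values behind "Don't run specified Windows applications":
# DisallowRun=1 turns the policy on, and the DisallowRun subkey lists image names.
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName 'DisallowRun' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$Explorer\DisallowRun" -ValueName '1' `
    -Type String -Value 'mstsc.exe' | Out-Null

# Security filtering: downgrade Authenticated Users from Apply to Read so the
# GPO no longer applies to everyone, then grant Apply only to the restricted group.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $DenyGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# This is a User Configuration setting, so link the GPO where the user objects live.
New-GPLink -Name $GpoName -Target $UsersOU | Out-Null

# Review the resulting filter before relying on it.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission

# Caveat from the thread: the policy matches on file name only, so a renamed
# copy of mstsc.exe is not covered. Pair it with the firewall rule on RDP.
```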