Re: Controlling access to MSTSC.exe
- From: "Mark" <markmckillop@xxxxxxxxxxx>
- Date: Mon, 9 May 2005 01:01:55 +0100
Not 100% sure about this now, but can you not play about with the firewall
settings for Windows (assuming you are running Windows XP SP2 or 2003 SP1)?
Probably not that likely a scenario, but something you will probably be
moving towards in the future. I've been mucking about in the GPOs for 2003
SP1 and found a lot of settings regarding firewall exceptions; I'm sure that
applying different exceptions for different user groups would have the
desired effect. The only thing is that you will need to stop users from
changing exceptions, which will mean a little more overhead for yourself
(possibly in the form of a Domain GPO for the apps which legitimately need
to get through the Windows Firewall).

A second, more complicated solution could be through the use of router ACLs,
permitting and denying RDP access from or towards specific IPs, i.e. permit
a certain range of IPs to access the destination IPs and deny all others,
like Pegasus said. This does, however, mean some manual configuration of
client IPs, unless you are going to permit an entire subnet (e.g. segment
privileged users)... Again, this runs into a lot of configuration for
something that should be pretty simple!!

Thirdly, if you have a big Cisco environment you could also create a less
static configuration by using VLANs in conjunction with a VLAN Policy Server
(allows VLAN membership based on Windows groups), then use VLAN ACLs to
block/permit groups. Maybe I'm getting carried away though, kinda expensive
equipment I for one don't have!! :)

Mark.
MCSE 2000
"Michael Hum" <MichaelHum@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4BB7FFD4-25A6-4AFF-8201-C8F29D58E8E2@xxxxxxxxxxxxxxxx
> I agree with your idea to restrict IP traffic at the port level with a
> firewall, which would solve this problem. However, there will be other
> programs (in the future) where I will need the ability to restrict by domain
> group (i.e., here's a bad example, solitaire.exe can only be run by the
> managers).
>
> So I "take it" there is no work-around for this Group Policy object setting
> to allow/deny by domain group (short of creating multiple GPOs and filtering
> by domain group)?
>
> Thanks for your help.
>
> "Pegasus (MVP)" wrote:
>
>> Restricting access to mstsc.exe is not really the answer -
>> your consultants would soon realise that they can get
>> around your restriction by renaming mstsc.exe to tsc.exe.
>>
>> A far more effective method would be to block RDP
>> at your firewall. I use a simple Netgear FVS318 firewall,
>> and it lets me block specified services for blocks of
>> IP addresses. To prevent the consultants from moving
>> to an RDP port other than 3389, you would probably
>> have to block all traffic from their IP addresses with
>> the exception of those ports that relate to activities
>> that you permit, e.g. Internet access.
>>
>>
>> "Michael Hum" <MichaelHum@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:6D0BD5DB-160F-4E6D-BA1F-2351B7F00705@xxxxxxxxxxxxxxxx
>>> Hi,
>>>
>>> Yes, we are restricting access to the servers by groups with a domain
>>> level policy (i.e., who can connect via Remote Desktop to the servers).
>>> However, and this is where the "twist" emerges... We have a group of
>>> consultants working at our company who routinely connect to servers which
>>> are physically located at their premises and are not administered by us.
>>> We've been tasked to perform the role of "policemen", to prevent MSTSC
>>> from launching on the desktop (which is under our administration) to
>>> servers which are not under our administration. I know what you're
>>> thinking; I thought the same thing too.
>>>
>>> Michael
>>>
>>> "Pegasus (MVP)" wrote:
>>>
>>>> "Michael Hum" <MichaelHum@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>> news:0C7BD084-94B4-4281-B84A-2F0502302844@xxxxxxxxxxxxxxxx
>>>>> Hi,
>>>>> I'm running a Windows 2003 environment with XP SP1 desktops. I'm
>>>>> searching for a group policy object to control access to the "remote
>>>>> desktop client" (mstsc.exe) on the XP workstations. Meaning, allow a
>>>>> specific domain group the ability to launch "remote desktop client".
>>>>> I've tried the "Don't run specified Windows applications" setting in
>>>>> User Configuration\Administrative Templates\System, which works nicely
>>>>> to restrict mstsc.exe from "running". However, it does not allow
>>>>> restriction by groups. Does anyone know of a custom ADM with the
>>>>> restrict-application-by-group option? Or is there a better method to
>>>>> prevent users from launching the mstsc.exe file?
>>>>>
>>>>> Help!
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Michael
>>>>
>>>> Instead of preventing users from running mstsc.exe, you could
>>>> set a domain policy on the server itself that allows only suitably
>>>> authorised users to logon under RDP. It's one of the many
>>>> domain policies available to you.
>>>>
>>>
>>
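Editor's added example (not code from anyone in this thread): the "block RDP everywhere except to our own servers" idea that Pegasus and Mark describe, done on the managed desktops themselves with Windows Firewall with Advanced Security and pushed through a GPO that is security-filtered to the consultants' group, which gives the per-group control Michael was after. It needs Vista/2008 or later, because the XP SP2 and 2003 SP1 firewall filters inbound connections only, and the NetSecurity cmdlets used here need Windows 8 / Server 2012 or later. Block rules take precedence over allow rules in WFAS, so a block on TCP 3389 to "Any" would also kill RDP to the managed servers; the script therefore computes the complement of the managed address ranges and scopes the block to that. The domain name corp.example, the GPO name and the managed ranges 10.0.0.0/8 and 192.168.0.0/16 are assumptions for the example.

```powershell
# Added example, not from the thread. Assumptions: domain corp.example, a GPO named
# "Consultants - RDP scope" security-filtered to the consultants' group, and
# 10.0.0.0/8 + 192.168.0.0/16 as the address ranges of servers we administer.
# Requires the NetSecurity module (Windows 8 / Server 2012 or later) and rights
# to edit the GPO.

$Gpo     = 'corp.example\Consultants - RDP scope'   # assumed; form is domain\GPO-name
$Managed = @('10.0.0.0/8', '192.168.0.0/16')         # assumed managed server ranges

function ConvertTo-IpNumber ([string]$Ip) {
    # dotted quad -> integer (uint64 arithmetic avoids signed/shift surprises)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function ConvertFrom-IpNumber ([uint64]$N) {
    $octets = foreach ($i in 3, 2, 1, 0) { [math]::Floor($N / [math]::Pow(256, $i)) % 256 }
    $octets -join '.'
}

function Get-CidrRange ([string]$Cidr) {
    # first and last address of an (aligned) CIDR block
    $ip, $len = $Cidr -split '/'
    $start = ConvertTo-IpNumber $ip
    $size  = [uint64][math]::Pow(2, 32 - [int]$len)
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

function Get-ComplementRanges ([string[]]$Cidrs) {
    # subtract each block from 0.0.0.0-255.255.255.255 and keep what is left
    $remaining = @([pscustomobject]@{ Start = [uint64]0; End = [uint64]4294967295 })
    foreach ($c in $Cidrs) {
        $r = Get-CidrRange $c
        $next = @()
        foreach ($seg in $remaining) {
            if ($r.End -lt $seg.Start -or $r.Start -gt $seg.End) { $next += $seg; continue }
            if ($r.Start -gt $seg.Start) { $next += [pscustomobject]@{ Start = $seg.Start; End = $r.Start - 1 } }
            if ($r.End -lt $seg.End)     { $next += [pscustomobject]@{ Start = $r.End + 1; End = $seg.End } }
        }
        $remaining = $next
    }
    $remaining
}

function ConvertTo-CidrList ([uint64]$Start, [uint64]$End) {
    # split an arbitrary address interval into the minimal set of aligned CIDR blocks
    while ($Start -le $End) {
        $size = [uint64]1
        while (($Start % ($size * 2)) -eq 0 -and ($Start + $size * 2 - 1) -le $End) { $size = $size * 2 }
        $prefix = 32 - [math]::Log($size, 2)
        '{0}/{1}' -f (ConvertFrom-IpNumber $Start), [int]$prefix
        $Start = $Start + $size
    }
}

# Everything that is NOT a managed server range, as CIDR blocks WFAS will accept
$Unmanaged = Get-ComplementRanges $Managed | ForEach-Object { ConvertTo-CidrList $_.Start $_.End }
$Unmanaged   # inspect before applying; 10/8 + 192.168/16 leave about 25 blocks

# One outbound block rule for the RDP port, scoped to the unmanaged ranges only.
# The default outbound action is Allow, so RDP to $Managed keeps working without an Allow rule.
New-NetFirewallRule -PolicyStore $Gpo `
    -DisplayName 'RDP out - block to unmanaged servers' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 3389 `
    -RemoteAddress $Unmanaged -Profile Domain `
    -Description 'Consultants: RDP only to servers we administer'
```

Add -WhatIf to New-NetFirewallRule on the first run and check the generated CIDR list; an unaligned or mistyped managed range silently shifts the whole complement. Pegasus's caveat still applies: a port rule stops nothing if the remote server listens on something other than 3389, and a -Program rule on mstsc.exe is defeated by the rename trick he mentions, so treat this as a speed bump and pair it with the deny at the network edge or an application allow-list keyed on file hash or publisher rather than on file name.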