Re: Permissions required to access a different server via RDP in RWW
From: tester (tester_at_testthis.net)
Date: 01/07/05
- Next message: Les Connor [SBS Community Member - SBS MVP]: "Re: Trend Micro CSM Suite"
- Previous message: Chrishan XP: "Re: Internet and Mail Problems"
- In reply to: SuperGumby [SBS MVP]: "Re: Permissions required to access a different server via RDP in RWW"
- Next in thread: Eliot Sennett: "Re: Permissions required to access a different server via RDP in RWW"
- Reply: Eliot Sennett: "Re: Permissions required to access a different server via RDP in RWW"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 7 Jan 2005 08:07:05 -0700
SuperGumby, isn't that what I said? Although your explanation is much
better, I have to admit! I appreciate the clarification.
"SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
news:e78gCWJ9EHA.3260@TK2MSFTNGP14.phx.gbl...
> Hi Bill,
>
> I hope I'm not repeating myself here, I hope the last time I threatened
> to do this for another reason was to somebody else. Tell someone to modify
> their 'Default Domain Controller Policy Group Policy' to allow this sort
> of activity again and I'm going to come after you with Susan's gnarly 2*4.
> I'm going to put nails in it and send it to a dark place. I'm going to
> grin from ear to ear the whole time.
>
> Eliot misunderstands the 'logon to' option of a user's properties in
> that he thinks it controls the logon server, whereas it controls which
> machines a user is allowed to logon to.
>
> Bill has assumed the TS is a DC where we have no indications it is.
>
> Eliot, make a standard user for the remote guys. Give that user
> 'mobile' rights. Limit that user via ADUC to logon only to the TS. Make
> the domain\user a member of the local PC's admin group on the TS.
>
> ""Bill Peng [MSFT]"" <v-bpeng@online.microsoft.com> wrote in message
> news:ElM4%23BI9EHA.3048@cpmsftngxa10.phx.gbl...
>> Hi Eliot,
>>
>> I'd like to provide you with the following suggestions.
>>
>> Suggestion 1. Change Default Domain Controller Policy Group Policy.
>>
>> 1. Add the users as Domain Admins.
>> 2. Modify Default Domain Controller GPO.
>>
>> Computer Configuration|Windows Settings|Security Settings|Local
>> Policies|User Rights Assignment
>>
>> a) Deny log on locally.
>> b) Deny log on through Terminal Services.
>> c) Deny access to this computer from the network.
>>
>> Suggestion 2. Change RDP listening port.
>>
>> A possible solution (By using this solution, the specialty vendor is not
>> allowed to log on to any computer in your SBS domain except the 3rd
>> server):
>>
>> 1. Create a local user account on the application server, and add the
>> local user to the Remote Desktop Users group.
>> 2. Configure Terminal Service (Remote Desktop) on the application server
>> to listen on another port, such as 3388.
>>
>> Please refer to:
>>
>> 306759 How to change the listening port for Remote Desktop
>> http://support.microsoft.com/?id=306759
>>
>> 187623 How to Change Terminal Server's Listening Port
>> http://support.microsoft.com/?id=187623
>>
>> 3. Test from an internal client (run "mstsc /v:computername:3388") to
>> make sure the Remote Desktop connection is working.
>>
>> 4. Publish the Remote Desktop on the application server.
>>
>> - If ISA installed on the SBS server:
>>
>> 1) Create a Protocol Definition for the new port in ISA. To do so:
>>
>> a. Open ISA Management, navigate under the servername to Policy
>> Elements\Protocol Definitions.
>> b. Right-click and then click New, click Definition.
>> c. Type this for the name: Remote Desktop 3388 Inbound, click Next.
>>
>> Port number: 3388
>> Protocol type: TCP
>> Direction: Inbound
>>
>> d. Click Next.
>> e. No secondary connections needed, so click Next.
>> f. Click Finish.
>>
>> 2) Create a Server publishing rule for that client. To do so:
>>
>> a. In ISA Management, navigate under the servername to Publishing, Server
>> Publishing Rules.
>> b. Right click Server Publishing Rules, click New, click Rule.
>> c. Type the name "Remote Desktop 3388 to client" (no quotes) and click
>> Next.
>> d. Enter the IP address of the 3rd server in the space labeled "IP
>> address of the internal server", and enter the external IP of the server
>> in the box "External IP address on ISA Server", then click Next.
>> e. Select the Protocol Definition created in step 4 from the drop down
>> list presented, click Next.
>> f. Click Next to select Any Request.
>>
>> 3) Test from an outside client.
>>
>> - If RRAS Basic Firewall is running:
>>
>> On the SBS server, open the Routing and Remote Access MMC from
>> Administrative Tools. Expand your server, IP Routing and select NAT/Basic
>> Firewall. On the right panel select your external/network connection and
>> open the Properties. Go to the Services and Ports tab, click Add, provide
>> a name, select TCP as the protocol, the incoming port (3388), the IP
>> address of the 3rd server behind SBS and the outgoing port (3388). Click
>> Ok to save the changes. This should allow the port to come into the 3rd
>> server through the SBS server.
>>
>> 5. Open the port (3388) on your hardware router/firewall.
>>
>> I hope the above info helps.
>>
>> If you have any update, please feel free to let me know.
>>
>> Have a nice day!
>>
>> Bill Peng
>> MCSE 2000, MCDBA
>> Microsoft Online Partner Support
>>
>> Get Secure! - www.microsoft.com/security
>> =====================================================
>> When responding to posts, please "Reply to Group" via your newsreader so
>> that others may learn and benefit from your issue.
>> =====================================================
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> --------------------
>>>From: "Eliot Sennett" <eliot102@hotmail.com>
>>>References: <u3WCxAq8EHA.2156@TK2MSFTNGP10.phx.gbl>
>> <10tm1dgnpovqja9@corp.supernews.com>
>>>Subject: Re: Permissions required to access a different server via RDP in
>> RWW
>>>Date: Wed, 5 Jan 2005 16:04:41 -0500
>>>Lines: 66
>>>X-Priority: 3
>>>X-MSMail-Priority: Normal
>>>X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
>>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
>>>Message-ID: <uAtYuo28EHA.2876@TK2MSFTNGP12.phx.gbl>
>>>Newsgroups: microsoft.public.windows.server.sbs
>>>NNTP-Posting-Host: ip67-89-20-226.z20-89-67.customer.algx.net
>>>67.89.20.226
>>>Path:
>> cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12
>> phx.gbl
>>>Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.sbs:134608
>>>X-Tomcat-NG: microsoft.public.windows.server.sbs
>>>
>>>Great thought, I appreciate it. Unfortunately, it doesn't work. I'm kinda
>>>rusty on this, but my recollection of the "Log On To" button is that you
>>>use it for non-AD-aware (i.e., pre Windows 2000) clients to specify the
>>>logon server they should access - so they don't follow the process of
>>>selecting a logon server that happens automatically. In AD-aware clients,
>>>I believe forcing clients to use a particular login server is accomplished
>>>through group policy, although, as I said, I'm rusty on this.
>>>
>>>--Eliot
>>>
>>>"tester" <tester@testthis.net> wrote in message
>>>news:10tm1dgnpovqja9@corp.supernews.com...
>>>> Have you thought of restricting their account to only the server they
>>>> need access to? (Users, dclick the account, account tab, log onto button)
>>>> just a thought
>>>>
>>>>
>>>>
>>>>
>>>> "Eliot Sennett" <eliot102@hotmail.com> wrote in message
>>>> news:u3WCxAq8EHA.2156@TK2MSFTNGP10.phx.gbl...
>>>> > I've got an installation with an SBS03 Server, a W2K3 Terminal Server
>>>> > and a third W2K3 Server running an application. That application is
>>>> > supported by a specialty vendor who needs access to the server's
>>>> > desktop.
>>>> >
>>>> > We do not want to open RDP directly through the firewall (we prefer
>>>> > to use RWW).
>>>> >
>>>> > In order to allow this company to log in to access their server, we
>>>> > need either to 1) make them a member of domain admins - in which case
>>>> > RWW will show the "connect to server desktops" option, or 2) make
>>>> > them domain users and members of the Remote Web Workplace Users
>>>> > security group, in which case they can log into the TS via RWW's
>>>> > "connect to my company's application servers" link and, from there,
>>>> > launch an RDP or Remote Desktops connection to their server. The
>>>> > first option is way too risky, and the second option is a pain for
>>>> > them, and still too risky in my view.
>>>> >
>>>> > I'm looking for where the underlying privileges are set so I could
>>>> > add this specific user to a security group like "Special Visitors",
>>>> > remove them from the Domain Users group to facilitate NTFS security
>>>> > management, and add specific rights to that group such that the
>>>> > "server desktops" link appears for them. Even though they'd see the
>>>> > SBS Server, they wouldn't be able to login to it.
>>>> >
>>>> > Anyone know where this type of thing is controlled? TIA
>>>> >
>>>> >
>>>>
>>>>
>>>
>>>
>>>
>>
>
>
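As an added example, not code from any poster in this thread, the PowerShell script below audits the controls SuperGumby and Bill Peng describe for a vendor account: not a Domain Admin, restricted with the ADUC "Log On To" setting (the LogonWorkstations attribute) to the application server only, placed in the application server's local Remote Desktop Users or Administrators group, and an RDP-Tcp listener moved off the default port (the registry value KB 306759 covers). The account name "vendor.svc", the server name "APPSRV01", WinRM access to the application server, the RSAT ActiveDirectory module, and the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 or later) are all assumptions; on the 2003-era servers in the thread the same values are visible in ADUC, Computer Management and regedit.

```powershell
# Added example (not from the thread): audit a vendor remote-access account
# against the constraints the replies recommend. Assumed names:
#   $VendorAccount - the restricted vendor user (SuperGumby's "standard user")
#   $AppServer     - the 3rd/application server the vendor may log on to
#   $ExpectedPort  - the non-default RDP port from Bill Peng's suggestion 2
# Run from a domain-joined admin workstation with RSAT; the remote part needs
# WinRM and local admin rights on $AppServer.
param(
    [string]$VendorAccount = 'vendor.svc',   # assumed sAMAccountName
    [string]$AppServer     = 'APPSRV01',     # assumed NetBIOS name of the 3rd server
    [int]   $ExpectedPort  = 3388            # port used in the thread
)

Import-Module ActiveDirectory -ErrorAction Stop

$findings = @()

# 1. The account must NOT be a Domain Admin (Eliot's option 1, rejected in the thread).
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                Select-Object -ExpandProperty SamAccountName
if ($domainAdmins -contains $VendorAccount) {
    $findings += "$VendorAccount is a member of Domain Admins"
}

# 2. ADUC "Log On To" is the LogonWorkstations attribute: a comma-separated
#    list of computer names the account may log on to. Empty means "all".
#    To apply SuperGumby's recommendation (not done here):
#    Set-ADUser -Identity $VendorAccount -LogonWorkstations $AppServer
$user    = Get-ADUser -Identity $VendorAccount -Properties LogonWorkstations
$allowed = @()
if ($user.LogonWorkstations) {
    $allowed = $user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim().ToUpper() }
}
if ($allowed.Count -eq 0) {
    $findings += "$VendorAccount may log on to any computer (LogonWorkstations is empty)"
} elseif (Compare-Object $allowed @($AppServer.ToUpper())) {
    $findings += "$VendorAccount is allowed on: $($user.LogonWorkstations) (expected only $AppServer)"
}

# 3. On the application server: local group membership and the RDP-Tcp port.
$remote = Invoke-Command -ComputerName $AppServer -ScriptBlock {
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [pscustomobject]@{
        Port     = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
        RdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' |
                   Select-Object -ExpandProperty Name
        Admins   = Get-LocalGroupMember -Group 'Administrators' |
                   Select-Object -ExpandProperty Name
    }
}

# Local group members are reported as DOMAIN\user; build that form for comparison.
$domainUser = "$((Get-ADDomain).NetBIOSName)\$VendorAccount"
if ($remote.RdpUsers -notcontains $domainUser -and $remote.Admins -notcontains $domainUser) {
    $findings += "$domainUser is in neither Remote Desktop Users nor Administrators on $AppServer"
}
if ($remote.Port -ne $ExpectedPort) {
    $findings += "RDP-Tcp PortNumber on $AppServer is $($remote.Port), expected $ExpectedPort"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $VendorAccount is confined to $AppServer and RDP listens on $ExpectedPort"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The check is read-only; the one write the thread actually recommends (Set-ADUser -LogonWorkstations) is left as a comment so the script can be run against production without side effects. Note that the "Log On To" restriction is enforced by the domain controller at interactive and Terminal Services logon, which is why SuperGumby's approach confines the vendor without touching the Default Domain Controller Policy.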