Re: Terminal Services Setup/Flaw



I've checked the settings for remote logins on the servers and only Domain
Admins are configured to log in. I did check in Active Directory and every
user is in the Remote Authenticated user's group but this is what is needed
for them to hit my IP from their home. What do you think is allowing the
connection with .rdp to another server?

Regards,
Matt

"moncho" wrote:

RemyMaza wrote:
Yes, it's any authenticated user which would lead me to believe it's allowed
through a group policy. What would I modify in that group policy to inhibit
this type of login?

In order to RDP into any server, the user or group must be in either
the local server Remote Desktop Users Group or System-> Remote-> Allowed
Users, depending upon whether the server is in Application or
Administration mode.

Remove Authenticated Users from those groups on the local servers that
you DO NOT want users to RDP into.

moncho

Many Thanks,
Matt

"moncho" wrote:

RemyMaza wrote:
I'm a new hire to a company and I've never used TS before. I was given my
domain admin privileges and went to work last week. I was probing and
testing the network for any flaws and I found a big one I'd like to fix. I
am able to .rdp into the terminal server and from there I'm able to use .rdp
into any other server in the network. The problem lies not with my login but
with a normal user's login, I'm able to do this. What can I do to prevent
normal users from logging into any machine they want?

Server '03 SP2
What is a "normal" user?

Do you mean any user in the "Users" or "Authenticated Users" group?

I would start there.

I would check to see if there are any group policies set up to allow
this type of access.

If a "normal" user can RDP into a DC, that is a big issue.

If your own login can RDP to any server, that seems OK since
you are the Domain Admin. If that fits your company's security
policies.

moncho
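
One way to run the check moncho describes across several servers, as an added example that is not part of the original thread: it lists the members of each server's local Remote Desktop Users group and flags broad principals such as Authenticated Users. The server names and the list of "broad" principals are assumptions to adjust, and it assumes PowerShell 2.0 or later run from an account with admin rights on the targets.

```powershell
# Added example (not from the thread): audit the local "Remote Desktop Users"
# group on each server and flag principals that cover every domain user.

# Hypothetical host names; replace with your own servers.
$Servers = @('TS01', 'FILE01', 'DC01')

# Assumed list of principals considered too broad for RDP access.
$BroadPrincipals = @('Authenticated Users', 'Everyone', 'Domain Users', 'Users', 'INTERACTIVE')

function Get-RdpGroupMembers {
    param([string]$Server)

    # WinNT provider reads the local group remotely; works on Server 2003.
    $group = [ADSI]"WinNT://$Server/Remote Desktop Users,group"

    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as raw COM objects, so read properties by reflection.
        $type = $member.GetType()
        $name = $type.InvokeMember('Name', 'GetProperty', $null, $member, $null)

        New-Object PSObject -Property @{
            Server  = $Server
            Name    = $name
            Class   = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)
            ADsPath = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            Broad   = ($BroadPrincipals -contains $name)
        }
    }
}

$report = foreach ($server in $Servers) {
    try {
        Get-RdpGroupMembers -Server $server
    }
    catch {
        # Unreachable host or access denied: report it instead of stopping the audit.
        Write-Warning "Could not read Remote Desktop Users on ${server}: $($_.Exception.Message)"
    }
}

# Full membership per server, then only the entries that need review.
$report | Sort-Object Server, Name | Format-Table Server, Name, Class, Broad -AutoSize
$report | Where-Object { $_.Broad } | Format-Table Server, Name, ADsPath -AutoSize
```

A server with an empty group produces no rows, so a host missing from the first table either has no members in the group or raised a warning above.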