Re: Terminal Services Setup/Flaw
- From: moncho <moncho@xxxxxxxxxxxxxxxxx>
- Date: Tue, 13 Nov 2007 11:04:44 GMT
RemyMaza wrote:
Here's what I came up with; I created a test user in the User folder. I believe this is a default folder in AD. This user isn't part of any other group except for the default: Domain User. I was able to login to the Terminal Server with this user and then .rdp into another server on the network using the same credentials. I checked to see who is allowed to .rdp into these servers and only admins are.
I looked in AD to see how the user's are being grouped. I found the Remote Desktop Users group but that's not being used. The one that is being used is in the Users folder: RemoteUsersGroup. I would imagine this has been created. However I was still able to login with my Test user and everyone else in AD was created in a different OU: i.e %companyname%User. This leads me to believe the problem lies in the TSCC.msc or a Group Policy that affects Domain User. I'm not sure if this is right, since I'm not very savvy with TS. I really appreciate your help and if you need more info, I'll get whatever you need!
RemoteUsersGroup was created and may be being used to create your issue.
Without the user being part of the RemoteUsersGroup, and with neither the RemoteUsersGroup nor the Users group being in any of the local "Remote Desktop Users" groups, I am at a loss as to how they are able to get RDP access.
Maybe someone out there can help point out what I am missing.
moncho
Many Thanks,
Matt
"moncho" wrote:
RemyMaza wrote:
I've checked the settings for remote logins on the servers and only Domain Admins are configured to login. I did check in Active Directory and every user is in the Remote Authenticated Users group, but this is what is needed for them to hit my IP from their home. What do you think is allowing the connection with .rdp to another server?
You need to get SPECIFIC in your description.
What do you mean by "Remote Authenticated Users?" There is no built-in default group called "Remote Authenticated Users" in Windows.
The default groups I know of (regarding this topic) are "Remote Desktop Users," "Users" and "Authenticated Users."
If the "Remote Authenticated Users" group exists, this was created by an admin and may be causing you issues.
I just want to make sure we are talking about the same group names so we do not get off track or we/others assume different meanings.
To help you, create a generic user in A/D that does not belong to ANY group other than "Users." Then try to RDP into different servers as this generic user. What are the results?
If not, great. What differentiates a "normal user" from this new generic user?
If so, check the local RDU group on the local server one more time and see who is a member of that group.
moncho
Regards,
Matt
"moncho" wrote:
RemyMaza wrote:
Yes, it's any authenticated user, which would lead me to believe it's allowed through a group policy. What would I modify in that group policy to inhibit this type of login?
In order to RDP into any server, the user or group must be in either the local server Remote Desktop Users group or System -> Remote -> Allowed Users, depending upon whether the server is in Application or Administration mode.
Remove Remote Authenticated Users from those groups on the local servers that you DO NOT want users to RDP into.
moncho
Many Thanks,
Matt
"moncho" wrote:
RemyMaza wrote:
I'm a new hire to a company and I've never used TS before. I was given my domain admin privileges and went to work last week. I was probing and testing the network for any flaws and I found a big one I'd like to fix. I am able to .rdp into the terminal server and from there I'm able to use .rdp into any other server in the network. The problem lies not with my login but with a normal user's login; I'm able to do this. What can I do to prevent normal users from logging into any machine they want?
What is a "normal" user?
Server '03 SP2
Do you mean any user in the "Users" or "Authenticated Users" group?
I would start there.
I would check to see if there are any group policies set up to allow this type of access.
If a "normal" user can RDP into a DC, that is a big issue.
If your own login can RDP to any server, that seems OK since you are the Domain Admin, if that fits your company's security policies.
moncho
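moncho's advice in this thread comes down to one check: on each server, who is actually in the local "Remote Desktop Users" group, including members that arrive there through a nested domain group such as the custom RemoteUsersGroup or a broad group like Domain Users? The script below is an added audit example written for this thread; it is not code posted by moncho or RemyMaza. It uses the WinNT ADSI provider so it can be run from an admin workstation against Windows Server 2003 without extra modules, and it expands nested groups so that an indirect "Domain Users" membership shows up with the path that introduced it. The server names and the group name RemoteUsersGroup are the thread's own; the account running it is assumed to be allowed to read remote group membership.

```powershell
# Added example for this thread, not the participants' code.
# Audits who can RDP into each server by listing the local "Remote Desktop Users" group
# and recursively expanding any nested (local or domain) groups it contains.
# Uses the WinNT ADSI provider, which works against Windows Server 2003 from any PowerShell host.

# Constructed placeholder names; replace with the terminal server and the servers it can reach.
$Servers = @('TS01', 'APP01', 'DC01')

# Memberships that effectively grant RDP to ordinary domain users, which is the symptom in the
# thread. RemoteUsersGroup is the custom group named by RemyMaza; the rest are built-in broad groups.
$BroadGroups = @('Domain Users', 'Users', 'Authenticated Users', 'Everyone', 'RemoteUsersGroup')

function Get-AdsiProperty {
    # Read a property from a raw COM member object returned by IADsGroup::Members.
    param($Object, [string]$Name)
    $Object.GetType().InvokeMember($Name, 'GetProperty', $null, $Object, $null)
}

function Expand-GroupMembers {
    # Emit one object per member of the group at $GroupPath, recursing into nested groups.
    # $Seen prevents loops when groups contain each other.
    param([string]$GroupPath, [string]$Via, [hashtable]$Seen)
    if ($Seen.ContainsKey($GroupPath)) { return }
    $Seen[$GroupPath] = $true
    $group = [ADSI]$GroupPath
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path  = Get-AdsiProperty $m 'ADsPath'   # e.g. WinNT://CORP/jsmith
        $class = Get-AdsiProperty $m 'Class'     # 'User' or 'Group'
        $name  = $path -replace '^WinNT://', ''
        New-Object PSObject -Property @{ Member = $name; Class = $class; Via = $Via }
        if ($class -eq 'Group') {
            Expand-GroupMembers -GroupPath "$path,group" -Via "$Via > $name" -Seen $Seen
        }
    }
}

foreach ($server in $Servers) {
    $root    = "WinNT://$server/Remote Desktop Users,group"
    $members = @(Expand-GroupMembers -GroupPath $root -Via "$server\Remote Desktop Users" -Seen @{})
    if ($members.Count -eq 0) {
        # With default settings only local Administrators hold the TS logon right, so an empty
        # group means ordinary users cannot RDP in through this route.
        Write-Host "$server : Remote Desktop Users is empty"
        continue
    }
    foreach ($m in $members) {
        $short = ($m.Member -split '/')[-1]
        $flag  = if ($BroadGroups -contains $short) { '  <-- broad group: ordinary domain users can RDP' } else { '' }
        Write-Host ("{0,-6} {1,-40} via {2}{3}" -f $m.Class, $m.Member, $m.Via, $flag)
    }
}
```

Two places this script does not look at, and which the thread also points to, should be checked by hand on any server where a test user still gets in even though the output above is clean: the "Allow log on through Terminal Services" user right in the local or GPO security policy, and the RDP-Tcp connection permissions in TSCC.msc. If a broad group is flagged on every server at once, a Restricted Groups setting in a domain GPO is the usual reason it keeps reappearing after being removed locally.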