Re: Terminal Services Setup/Flaw
- From: RemyMaza <RemyMaza@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 13 Nov 2007 09:54:00 -0800
Just to follow up with you, what I found was in gpedit.msc, you can deny
logins through TS. I did that for all groups except for the admins that need
it. This still allows everyone to hit the TS Server but denies the login to
other servers. I have to configure this for each one though, so a little
tedious, but it's stopping the flaw! Thank you so much for your input. You
really helped me out a lot and I appreciate your feedback!
Best Regards,
Matt
"moncho" wrote:
RemyMaza wrote:
Here's what I came up with; I created a test user in the User folder. I
believe this is a default folder in AD. This user isn't part of any other
group except for the default: Domain User. I was able to login to the
Terminal Server with this user and then .rdp into another server on the
network using the same credentials. I checked to see who is allowed to .rdp
into these servers and only admins are.
I looked in AD to see how the users are being grouped. I found the Remote
Desktop Users group but that's not being used. The one that is being used is
in the Users folder: RemoteUsersGroup. I would imagine this has been
created. However I was still able to login with my Test user and everyone
else in AD was created in a different OU: i.e %companyname%User. This leads
me to believe the problem lies in the TSCC.msc or a Group Policy that affects
Domain User. I'm not sure if this is right, since I'm not very savvy with
TS. I really appreciate your help and if you need more info, I'll get
whatever you need!
RemoteUsersGroup was created and may be what is causing your issue.
Without the user being part of the RemoteUsersGroup, and with neither
the RemoteUsersGroup nor the Users group being in any of the local
"Remote Desktop Users" groups, I am at a loss as to how they
are able to get RDP access.
Maybe someone out there can help point out what I am missing.
moncho
Many Thanks,
Matt
"moncho" wrote:
RemyMaza wrote:
I've checked the settings for remote logins on the servers and only Domain
Admins are configured to login. I did check in active directory and every
user is in the Remote Authenticated Users group but this is what is needed
for them to hit my IP from their home. What do you think is allowing the
connection with .rdp to another server?
You need to get SPECIFIC in your description.
What do you mean by "Remote Authenticated User's?" There is no built in
default group called "Remote Authenticated User's" in Windows.
The default groups I know of (regarding this topic) are "Remote Desktop
Users," "Users" and "Authenticated Users."
If the "Remote Authenticated Users" group exists this was created by
an admin and may be causing you issues.
I just want to make sure we are talking about the same group names so we
do not get off track or we/others assume different meanings.
To help you, create a generic user in A/D that does not belong to
ANY group other than "Users." Then try to RDP into different servers as
this generic user. What are the results?
If no, great. What differentiates a "normal user" from this new generic
user?
If so, check the local RDU group on the local server one more time and
see who is a member of that group.
moncho
Regards,
Matt
"moncho" wrote:
RemyMaza wrote:
Yes, it's any authenticated user which would lead me to believe it's allowed
through a group policy. What would I modify in that group policy to inhibit
this type of login?
In order to RDP into any server, the user or group must be in either
the local server Remote Desktop Users Group or System-> Remote-> Allowed
Users, depending upon whether the server is in Application or
Administration mode.
Remove Authenticated Users from those groups on the local servers that
you DO NOT want users to RDP into.
moncho
Many Thanks,
Matt
"moncho" wrote:
RemyMaza wrote:
I'm a new hire to a company and I've never used TS before. I was given my
domain admin privileges and went to work last week. I was probing and
testing the network for any flaws and I found a big one I'd like to fix. I
am able to .rdp into the terminal server and from there I'm able to use .rdp
into any other server in the network. The problem lies not with my login but
with a normal user's login, I'm able to do this. What can I do to prevent
normal users from logging into any machine they want?
Server '03 SP2
What is a "normal" user?
Do you mean any user in the "Users" or "Authenticated Users" group?
I would start there.
I would check to see if there are any group policies setup to allow
this type of access.
If a "normal" users can RDP in a DC, that is a big issue.
If your own login can RDP to any server, that seems OK since
you are the Domain Admin, if that fits your company's security
policies.
moncho
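The thread narrows the question to two places a principal can get RDP rights on a Server 2003 box: the "Allow/Deny log on through Terminal Services" user rights (what gpedit.msc sets, and what a domain GPO can push) and the local Remote Desktop Users group. The script below is an added example, not code from the thread or from any of its posters: it pulls both from each server with secedit and the WinNT ADSI provider and flags the broad principals (Everyone, Authenticated Users, Users, Domain Users) that would explain a bare Domain User getting in. The server names are constructed placeholders; it assumes the account running it is a local administrator on each target and that PowerShell remoting (WinRM) is enabled there.

```powershell
# Added example (not from the thread): audit who can actually log on over RDP.
# Assumes: local admin on each target, WinRM enabled, and the sample names below.
$Servers = @('TS01', 'APP01', 'DC01')   # constructed placeholder names; replace with your own

# Well-known SIDs that should never appear in an RDP allow-list on a member server
$BroadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$AdministratorsSid = 'S-1-5-32-544'

function Get-RdpAccess {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # secedit exports the *effective* local policy, i.e. whatever GPO has pushed down
        $inf = Join-Path $env:TEMP 'rdp-audit.inf'
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $text = Get-Content -Path $inf -Raw
        Remove-Item -Path $inf -Force

        # INF lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
        function Read-Right([string]$Text, [string]$Name) {
            $m = [regex]::Match($Text, "(?m)^$Name\s*=\s*(.*)$")
            if (-not $m.Success) { return @() }
            @($m.Groups[1].Value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
        # Direct members of the local Remote Desktop Users group, as DOMAIN/Name
        $grp = [ADSI]'WinNT://./Remote Desktop Users,group'
        $members = @($grp.psbase.Invoke('Members') | ForEach-Object {
            ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)) -replace '^WinNT://', ''
        })
        # DomainRole 4/5 = backup/primary domain controller
        $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            IsDC       = ($role -ge 4)
            AllowSids  = Read-Right -Text $text -Name 'SeRemoteInteractiveLogonRight'
            DenySids   = Read-Right -Text $text -Name 'SeDenyRemoteInteractiveLogonRight'
            RdpMembers = $members
        }
    }
}

function ConvertTo-AccountName([string]$Sid) {
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # orphaned, foreign, or already a plain name: keep it as-is
}

function Test-RdpAccess {
    param([Parameter(Mandatory)]$Access)
    $findings = @()
    foreach ($sid in $Access.AllowSids) {
        # A matching deny right overrides the allow, so only report un-denied principals
        if ($Access.DenySids -contains $sid) { continue }
        if ($BroadPrincipals.ContainsKey($sid)) {
            $findings += "Allow log on through TS granted to $($BroadPrincipals[$sid])"
        } elseif ($Access.IsDC -and $sid -ne $AdministratorsSid) {
            $findings += "DC allows TS logon for $(ConvertTo-AccountName $sid)"
        }
    }
    foreach ($m in $Access.RdpMembers) {
        if ($m -match '/(Domain Users|Authenticated Users|Everyone)$') {
            $findings += "Remote Desktop Users contains $m"
        }
    }
    return $findings
}

$report = foreach ($s in $Servers) {
    $access = Get-RdpAccess -ComputerName $s
    [pscustomobject]@{
        Computer = $access.Computer
        IsDC     = $access.IsDC
        Findings = ((Test-RdpAccess -Access $access) -join '; ')
    }
}
$report | Format-Table -AutoSize
```

Two caveats a practitioner will hit. First, the WinNT provider lists only direct members: a custom domain group such as the thread's RemoteUsersGroup shows up by name, and if Domain Users has been nested inside it the script will not say so, so expand any unfamiliar domain group separately. Second, the "Deny log on through Terminal Services" right the thread ended on always wins over both the allow right and group membership, which is why it stops the problem; setting it in a domain GPO linked to the OU that holds the servers to protect, rather than in each server's local gpedit.msc, removes the per-server tedium and survives policy refresh.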