PC Review



Controlling access to MSTSC.exe

 
 
Michael Hum
Guest
Posts: n/a

7th May 2005
Hi,
I'm running a Windows 2003 environment with XP SP1 desktops. I'm
searching for a group policy object to control access to the "remote desktop
client" (mstsc.exe) on the XP workstations. Meaning, allow a specific domain
group the ability to launch "remote desktop client". I've tried the "Don't
run specified Windows applications" setting in User Configuration\Administrative
Templates\System, which works nicely to restrict mstsc.exe from
"running". However, it does not allow restriction by group. Does anyone
know of a custom ADM with a restrict-application-by-group option? Or is
there a better method to stop users from launching the mstsc.exe file?

Help!

Thanks,

Michael
 
Pegasus (MVP)
Guest
Posts: n/a

7th May 2005

"Michael Hum" <(E-Mail Removed)> wrote in message
news:0C7BD084-94B4-4281-B84A-(E-Mail Removed)...
> Hi,
> I'm running a Windows 2003 environment with XP SP1 desktops. I'm
> searching for a group policy object to control access to the "remote desktop
> client" (mstsc.exe) on the XP workstations. Meaning, allow a specific domain
> group the ability to launch "remote desktop client". I've tried the "Don't
> run specified Windows applications" setting in User Configuration\Administrative
> Templates\System, which works nicely to restrict mstsc.exe from
> "running". However, it does not allow restriction by group. Does anyone
> know of a custom ADM with a restrict-application-by-group option? Or is
> there a better method to stop users from launching the mstsc.exe file?
>
> Help!
>
> Thanks,
>
> Michael


Instead of preventing users from running mstsc.exe, you could
set a domain policy on the server itself that allows only suitably
authorised users to log on under RDP. It's one of the many
domain policies available to you.


 
Michael Hum
Guest
Posts: n/a

7th May 2005
Hi,

Yes, we are restricting access to the servers by groups with a domain
level policy (i.e. who can connect via remote desktop to the servers).
However, and this is where the "twist" emerges... We have a group of
consultants working at our company who routinely connect to servers which are
physically located at their premises and are not administered by us. We've
been tasked to perform the role of "policemen", to prevent the MSTSC from
launching on the desktop (which is under our administration) to servers
which are not under our administration. I know what you're thinking, I
thought the same thing too.

Michael


"Pegasus (MVP)" wrote:

>
> "Michael Hum" <(E-Mail Removed)> wrote in message
> news:0C7BD084-94B4-4281-B84A-(E-Mail Removed)...
> > Hi,
> > I'm running a Windows 2003 environment with XP SP1 desktops. I'm
> > searching for a group policy object to control access to the "remote desktop
> > client" (mstsc.exe) on the XP workstations. Meaning, allow a specific domain
> > group the ability to launch "remote desktop client". I've tried the "Don't
> > run specified Windows applications" setting in User Configuration\Administrative
> > Templates\System, which works nicely to restrict mstsc.exe from
> > "running". However, it does not allow restriction by group. Does anyone
> > know of a custom ADM with a restrict-application-by-group option? Or is
> > there a better method to stop users from launching the mstsc.exe file?
> >
> > Help!
> >
> > Thanks,
> >
> > Michael
>
> Instead of preventing users from running mstsc.exe, you could
> set a domain policy on the server itself that allows only suitably
> authorised users to log on under RDP. It's one of the many
> domain policies available to you.

 
Pegasus (MVP)
Guest
Posts: n/a

7th May 2005
Restricting access to mstsc.exe is not really the answer -
your consultants would soon realise that they can get
around your restriction by renaming mstsc.exe to tsc.exe.

A far more effective method would be to block RDP
at your firewall. I use a simple Netgear FVS318 firewall,
and it lets me block specified services for blocks of
IP addresses. To prevent the consultants from moving
to an RDP port other than 3389, you would probably
have to block all traffic from their IP addresses with
the exception of those ports that relate to activities
that you permit, e.g. Internet access.


"Michael Hum" <(E-Mail Removed)> wrote in message
news:6D0BD5DB-160F-4E6D-BA1F-(E-Mail Removed)...
> Hi,
>
> Yes, we are restricting access to the servers by groups with a domain
> level policy (i.e. who can connect via remote desktop to the servers).
> However, and this is where the "twist" emerges... We have a group of
> consultants working at our company who routinely connect to servers which are
> physically located at their premises and are not administered by us. We've
> been tasked to perform the role of "policemen", to prevent the MSTSC from
> launching on the desktop (which is under our administration) to servers
> which are not under our administration. I know what you're thinking, I
> thought the same thing too.
>
> Michael
>
>
> "Pegasus (MVP)" wrote:
>
> >
> > "Michael Hum" <(E-Mail Removed)> wrote in message
> > news:0C7BD084-94B4-4281-B84A-(E-Mail Removed)...
> > > Hi,
> > > I'm running a Windows 2003 environment with XP SP1 desktops. I'm
> > > searching for a group policy object to control access to the "remote desktop
> > > client" (mstsc.exe) on the XP workstations. Meaning, allow a specific domain
> > > group the ability to launch "remote desktop client". I've tried the "Don't
> > > run specified Windows applications" setting in User Configuration\Administrative
> > > Templates\System, which works nicely to restrict mstsc.exe from
> > > "running". However, it does not allow restriction by group. Does anyone
> > > know of a custom ADM with a restrict-application-by-group option? Or is
> > > there a better method to stop users from launching the mstsc.exe file?
> > >
> > > Help!
> > >
> > > Thanks,
> > >
> > > Michael
> >
> > Instead of preventing users from running mstsc.exe, you could
> > set a domain policy on the server itself that allows only suitably
> > authorised users to log on under RDP. It's one of the many
> > domain policies available to you.
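Pegasus's point is the important caveat: the "Don't run specified Windows applications" policy matches only the image name, so a renamed copy is not caught. As an added example (not code from this thread or from any of the posters), here is a PowerShell check a desktop administrator can run to find running copies of the Remote Desktop client whatever they have been renamed to, by matching on the executable's version resource and on a SHA-256 of the file rather than on its name. The function name and the hash list are assumptions; the hash entry is a placeholder to be replaced with values taken from a trusted mstsc.exe for each Windows build you manage.

```powershell
# Added example, not from the thread. Finds running copies of the Remote
# Desktop client regardless of the file name they were launched under.
# "Don't run specified Windows applications" matches only the image name,
# so a renamed mstsc.exe is not caught by it; the version resource and the
# file hash survive a rename, so match on those instead.
# Assumption: $KnownMstscHashes holds SHA-256 values taken from trusted
# copies of mstsc.exe (the entry below is a placeholder, not a real hash).

$KnownMstscHashes = @(
    'PLACEHOLDER-SHA256-OF-TRUSTED-MSTSC-EXE'
)

function Find-RenamedRdpClient {
    param(
        [string[]]$KnownHashes = $KnownMstscHashes
    )

    Get-Process | ForEach-Object {
        $proc = $_
        $path = $null
        try {
            $path = $proc.MainModule.FileName
        } catch {
            # Protected or higher-integrity processes refuse module access; skip them.
            return
        }
        if (-not $path) { return }

        # Version resource: still says "mstsc.exe" whatever the file is called on disk.
        $vi = $proc.MainModule.FileVersionInfo
        $byVersionInfo = ($vi.OriginalFilename -ieq 'mstsc.exe')

        # File hash: unaffected by a rename and by an edited version resource.
        $hash = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $byHash = ($null -ne $hash) -and ($KnownHashes -contains $hash)

        if ($byVersionInfo -or $byHash) {
            [pscustomobject]@{
                Pid              = $proc.Id
                ImageName        = $proc.ProcessName
                Path             = $path
                OriginalFilename = $vi.OriginalFilename
                Renamed          = ($proc.ProcessName -ine 'mstsc')
                MatchedBy        = if ($byVersionInfo -and $byHash) { 'VersionInfo+Hash' }
                                   elseif ($byVersionInfo) { 'VersionInfo' }
                                   else { 'Hash' }
            }
        }
    }
}

# Usage: list every RDP client currently running, flagging renamed copies.
Find-RenamedRdpClient | Format-Table -AutoSize
```

The version-resource match is the cheap check and the hash match is the robust one; a user who only renames the file defeats neither, which is exactly what a name-based policy cannot say. The same idea is what a hash rule in Software Restriction Policies (available on XP and 2003) enforces at launch time rather than after the fact.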



 
Michael Hum
Guest
Posts: n/a

7th May 2005
I agree with your idea to restrict IP traffic at the port level with a
firewall, which would solve this problem. However, there will be other
programs (in the future) where I will need the ability to restrict by domain
group (i.e. here's a bad example: solitaire.exe can only be run by the
managers).

So I "take it" there is no work-around for this Group Policy object setting
to allow/deny by domain group (short of creating multiple GPOs and filtering by
domain group)?

Thanks for your help.




"Pegasus (MVP)" wrote:

> Restricting access to mstsc.exe is not really the answer -
> your consultants would soon realise that they can get
> around your restriction by renaming mstsc.exe to tsc.exe.
>
> A far more effective method would be to block RDP
> at your firewall. I use a simple Netgear FVS318 firewall,
> and it lets me block specified services for blocks of
> IP addresses. To prevent the consultants from moving
> to an RDP port other than 3389, you would probably
> have to block all traffic from their IP addresses with
> the exception of those ports that relate to activities
> that you permit, e.g. Internet access.
>
>
> "Michael Hum" <(E-Mail Removed)> wrote in message
> news:6D0BD5DB-160F-4E6D-BA1F-(E-Mail Removed)...
> > Hi,
> >
> > Yes, we are restricting access to the servers by groups with a domain
> > level policy (i.e. who can connect via remote desktop to the servers).
> > However, and this is where the "twist" emerges... We have a group of
> > consultants working at our company who routinely connect to servers which are
> > physically located at their premises and are not administered by us. We've
> > been tasked to perform the role of "policemen", to prevent the MSTSC from
> > launching on the desktop (which is under our administration) to servers
> > which are not under our administration. I know what you're thinking, I
> > thought the same thing too.
> >
> > Michael
> >
> >
> > "Pegasus (MVP)" wrote:
> >
> > >
> > > "Michael Hum" <(E-Mail Removed)> wrote in message
> > > news:0C7BD084-94B4-4281-B84A-(E-Mail Removed)...
> > > > Hi,
> > > > I'm running a Windows 2003 environment with XP SP1 desktops. I'm
> > > > searching for a group policy object to control access to the "remote desktop
> > > > client" (mstsc.exe) on the XP workstations. Meaning, allow a specific domain
> > > > group the ability to launch "remote desktop client". I've tried the "Don't
> > > > run specified Windows applications" setting in User Configuration\Administrative
> > > > Templates\System, which works nicely to restrict mstsc.exe from
> > > > "running". However, it does not allow restriction by group. Does anyone
> > > > know of a custom ADM with a restrict-application-by-group option? Or is
> > > > there a better method to stop users from launching the mstsc.exe file?
> > > >
> > > > Help!
> > > >
> > > > Thanks,
> > > >
> > > > Michael
> > >
> > > Instead of preventing users from running mstsc.exe, you could
> > > set a domain policy on the server itself that allows only suitably
> > > authorised users to log on under RDP. It's one of the many
> > > domain policies available to you.

 
Mark
Guest
Posts: n/a

9th May 2005
Not 100% sure about this now, but can you not play about with the firewall
settings for Windows (assuming you are running Windows XP SP2 or 2003 SP1)?
Not probably that likely a scenario, but something you will probably be
moving towards in the future. I've been mucking about in the GPOs for 2003
SP1 and found a lot of settings regarding firewall exceptions; I'm sure that
applying different exceptions for different user groups would have the
desired effect. The only thing is that you will need to stop users from
changing exceptions, which will mean a little more overhead for yourself
(possibly in the form of a Domain GPO for the apps which legitimately need
to get through the Windows firewall).

A second, more complicated solution could be through the use of router ACLs,
permitting and denying RDP access from or towards specific IPs, i.e. permit
a certain range of IPs to access the destination IPs and deny all others,
like Pegasus said. This does however mean some manual configuration of
client IPs, unless you are going to permit an entire subnet (e.g. segment
privileged users)... Again this runs into a lot of configuration for
something that should be pretty simple!!

Thirdly, if you have a big Cisco environment you could also create a less
static configuration by using VLANs in conjunction with a VLAN Policy Server
(allows VLAN membership based on Windows groups), then use VLAN ACLs to
block/permit groups. Maybe I'm getting carried away though; kind of expensive
equipment I for one don't have!!

Mark.
MCSE 2000

"Michael Hum" <(E-Mail Removed)> wrote in message
news:4BB7FFD4-25A6-4AFF-8201-(E-Mail Removed)...
> I agree with your idea to restrict IP traffic at the port level with a
> firewall, which would solve this problem. However, there will be other
> programs (in the future) where I will need the ability to restrict by domain
> group (i.e. here's a bad example: solitaire.exe can only be run by the
> managers).
>
> So I "take it" there is no work-around for this Group Policy object setting
> to allow/deny by domain group (short of creating multiple GPOs and filtering by
> domain group)?
>
> Thanks for your help.
>
>
> "Pegasus (MVP)" wrote:
>
>> Restricting access to mstsc.exe is not really the answer -
>> your consultants would soon realise that they can get
>> around your restriction by renaming mstsc.exe to tsc.exe.
>>
>> A far more effective method would be to block RDP
>> at your firewall. I use a simple Netgear FVS318 firewall,
>> and it lets me block specified services for blocks of
>> IP addresses. To prevent the consultants from moving
>> to an RDP port other than 3389, you would probably
>> have to block all traffic from their IP addresses with
>> the exception of those ports that relate to activities
>> that you permit, e.g. Internet access.
>>
>>
>> "Michael Hum" <(E-Mail Removed)> wrote in message
>> news:6D0BD5DB-160F-4E6D-BA1F-(E-Mail Removed)...
>> > Hi,
>> >
>> > Yes, we are restricting access to the servers by groups with a domain
>> > level policy (i.e. who can connect via remote desktop to the servers).
>> > However, and this is where the "twist" emerges... We have a group of
>> > consultants working at our company who routinely connect to servers which are
>> > physically located at their premises and are not administered by us. We've
>> > been tasked to perform the role of "policemen", to prevent the MSTSC from
>> > launching on the desktop (which is under our administration) to servers
>> > which are not under our administration. I know what you're thinking, I
>> > thought the same thing too.
>> >
>> > Michael
>> >
>> >
>> > "Pegasus (MVP)" wrote:
>> >
>> > >
>> > > "Michael Hum" <(E-Mail Removed)> wrote in message
>> > > news:0C7BD084-94B4-4281-B84A-(E-Mail Removed)...
>> > > > Hi,
>> > > > I'm running a Windows 2003 environment with XP SP1 desktops. I'm
>> > > > searching for a group policy object to control access to the "remote desktop
>> > > > client" (mstsc.exe) on the XP workstations. Meaning, allow a specific domain
>> > > > group the ability to launch "remote desktop client". I've tried the "Don't
>> > > > run specified Windows applications" setting in User Configuration\Administrative
>> > > > Templates\System, which works nicely to restrict mstsc.exe from
>> > > > "running". However, it does not allow restriction by group. Does anyone
>> > > > know of a custom ADM with a restrict-application-by-group option? Or is
>> > > > there a better method to stop users from launching the mstsc.exe file?
>> > > >
>> > > > Help!
>> > > >
>> > > > Thanks,
>> > > >
>> > > > Michael
>> > >
>> > > Instead of preventing users from running mstsc.exe, you could
>> > > set a domain policy on the server itself that allows only suitably
>> > > authorised users to log on under RDP. It's one of the many
>> > > domain policies available to you.
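Mark's firewall-exception idea and Pegasus's "block everything except permitted ports" advice fit together as one policy. As an added example (not code from this thread or from any of the posters), here is how that policy can be written into a GPO with the Windows Firewall PowerShell cmdlets: outbound traffic is denied by default, RDP is allowed only to the servers the company administers, and a few other services are allowed explicitly. Default-deny rather than a single "block TCP 3389" rule also covers an RDP listener moved to a non-standard port. This needs the NetSecurity module (Windows 8 / Server 2012 or later; the XP SP2 firewall Mark mentions filtered inbound traffic only) and a GPO security-filtered to the consultants' computer accounts. The domain, GPO name and all address ranges are placeholders.

```powershell
# Added example, not from the thread. Writes Windows Firewall policy into a
# GPO for the consultants' desktops: outbound traffic is denied by default,
# then explicitly allowed only to services we permit, with RDP allowed only
# to the servers we administer. Default-deny, rather than a single "block
# TCP 3389" rule, also covers an RDP listener on a non-standard port.
# Requires the NetSecurity module (Windows 8 / Server 2012 or later) and a
# GPO that is security-filtered to the consultants' computer accounts.
# Assumptions (placeholders): domain, GPO name, and all address ranges.

Import-Module NetSecurity

$Domain      = 'example.com'                 # placeholder
$GpoName     = 'Consultant Desktop Egress'   # placeholder GPO
$ManagedRdp  = @('10.10.0.0/24')             # placeholder: servers we administer
$DomainCtrls = @('10.10.1.0/24')             # placeholder: domain controllers
$PolicyStore = "$Domain\$GpoName"

# Open the GPO once, edit the cached copy, save once at the end.
$session = Open-NetGPO -PolicyStore $PolicyStore

# Default-deny outbound on all profiles, and ignore firewall rules created
# locally on the desktop so a user cannot add an exception of their own.
Set-NetFirewallProfile -GPOSession $session -Name Domain, Private, Public `
    -DefaultOutboundAction Block -AllowLocalFirewallRules False

# With a default of Block, only allow rules decide what leaves the machine.
New-NetFirewallRule -GPOSession $session -DisplayName 'Allow RDP to managed servers' `
    -Direction Outbound -Protocol TCP -RemotePort 3389 -RemoteAddress $ManagedRdp -Action Allow

New-NetFirewallRule -GPOSession $session -DisplayName 'Allow HTTP/HTTPS' `
    -Direction Outbound -Protocol TCP -RemotePort 80, 443 -Action Allow

New-NetFirewallRule -GPOSession $session -DisplayName 'Allow DNS' `
    -Direction Outbound -Protocol UDP -RemotePort 53 -Action Allow

# Domain membership needs Kerberos, LDAP, SMB and RPC to the DCs. The port
# list below is illustrative; build the real one from your own environment
# (RPC dynamic ports, NTP, global catalog and so on are not covered here).
New-NetFirewallRule -GPOSession $session -DisplayName 'Allow AD services to DCs (TCP)' `
    -Direction Outbound -Protocol TCP -RemotePort 88, 135, 389, 445 -RemoteAddress $DomainCtrls -Action Allow
New-NetFirewallRule -GPOSession $session -DisplayName 'Allow AD services to DCs (UDP)' `
    -Direction Outbound -Protocol UDP -RemotePort 88, 123, 389 -RemoteAddress $DomainCtrls -Action Allow

Save-NetGPO -GPOSession $session

# Verify what the GPO now carries.
Get-NetFirewallRule -PolicyStore $PolicyStore -Direction Outbound |
    Select-Object DisplayName, Action, Enabled
```

Because the default is Block, the allow list is the whole policy, so there are no rule-precedence surprises; the price is that every legitimate outbound service has to be listed, which is the "lot of configuration" Mark warns about. Test the allow list on one machine before linking the GPO to the consultants' OU.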



 
New Member
Join Date: Sep 2011
Posts: 1

28th Sep 2011
So I take it no one has an answer for this; you guys are coming up with ridiculous answers involving blocking the app via firewall and etc. This is not the answer.

He (and now I) specifically want to know how to block mstsc.exe via a GPO or etc. to be able to easily manage which users have access to it.
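The thread's own answer to this question, and to Michael's earlier one, is a GPO per restriction with security filtering by domain group. As an added example (not code from this thread or from any of the posters), here is that setup in PowerShell: one GPO that writes the same "Don't run specified Windows applications" registry values the GUI setting writes, with the Apply right granted only to one domain group. It needs the GroupPolicy module (RSAT, or Windows Server 2008 R2 and later). The GPO name, group name and OU are placeholders. The caveat Pegasus raised still applies: this policy matches the image name, so a renamed copy is not blocked; a Software Restriction Policies hash rule, also deliverable by GPO on XP and 2003, is the stronger control for that case.

```powershell
# Added example, not from the thread. One GPO that sets the
# "Don't run specified Windows applications" policy, security-filtered so it
# applies only to members of one domain group. This is the "multiple GPOs
# filtered by domain group" approach the thread settles on.
# Requires the GroupPolicy module. Placeholders: GPO name, group name, OU.

Import-Module GroupPolicy

$GpoName   = 'Restrict RDP Client'                  # placeholder
$GroupName = 'RDP-Client-Denied'                    # placeholder: group that must NOT run mstsc.exe
$TargetOU  = 'OU=Workstations,DC=example,DC=com'    # placeholder: OU containing the user accounts

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# The GUI setting stores a user-hive value DisallowRun=1 plus a DisallowRun
# subkey whose values ("1", "2", ...) hold the image names to block.
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $explorerKey `
    -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$explorerKey\DisallowRun" `
    -ValueName '1' -Type String -Value 'mstsc.exe' | Out-Null

# Security filtering: drop the default Apply right from Authenticated Users
# and grant Apply to the target group only. Domain Computers keep Read so the
# workstation can still retrieve the GPO when it processes user policy.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoRead | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link the GPO where the affected users live.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Verify who receives the policy.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission
```

To express the inverse ("everyone except the managers may not run it"), leave Authenticated Users with Apply and add a Deny entry for the managers' group on the Apply Group Policy right from the GPO's Delegation tab (Advanced); the Set-GPPermission cmdlet grants rights but does not write deny entries. Either way, one GPO plus one security group gives the per-group control the question asks for, at the cost of one GPO per application rule.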
 