ban admin from remote desktop


poltrone

For security reasons I would like to make it impossible to log in
via Remote Desktop as an administrator. Unfortunately admins are
allowed to do so by default.

Is there a way to ban members of the admin group from logging in
via Remote Desktop?

poltrone
 
AFAIK that is not possible...

Hmmm....Usually it's the other way around...i.e. you can't trust limited users
and can trust admins...sounds like an office revolution to me...:-)

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
 
Hmmm....Usually it's the other way around...i.e. you can't trust limited users
and can trust admins...sounds like an office revolution to me...:-)

Sure you have to trust your admin. But when the machine in question is
accessible through the internet, it might be more secure to allow remote
logins only to restricted users...
 
Try using a Virtual Private Network (VPN) or Secure Shell (SSH)...

Personally I use SSH to securely access my home LAN via a limited user
account. I use a private/public key pair encrypted with a strong pass phrase
versus a password (strong or otherwise) to authenticate the SSH log in. Once
I log in with that I can reach any PC on my home LAN with Remote Desktop as
either an administrator or a limited user (who obviously has been added to
the Remote Desktop Users Group). In my case I also use an "AllowUsers" list
in the sshd_config file to explicitly only allow the limited user account to
log in and a "DenyUsers" list in the same sshd_config file to explicitly
deny all other user accounts log in privileges on the SSH server PC (an XP
Pro box in my case).

The advantage is I only need to open one port on my router and I can access
multiple PCs through that one port. The SSH tunnel is totally encrypted from
start to finish and I use strong authentication.

How-I-Did-it...

http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html
http://theillustratednetwork.mvps.org/Ssh/Private-publicKey.html
http://www.itefix.no/phpws/index.php?module=faq&FAQ_op=view&FAQ_id=62

I am sure you could do something similar with a VPN and only allow certain
users to log in via the VPN...Others can speak to that issue...

--

Al Jarvi (MS-MVP Windows Networking)

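The access rules described in the post above, as an added example that is not part of the original thread: a Python sketch that evaluates a constructed sshd_config fragment in the order OpenSSH applies its user checks (DenyUsers first, then AllowUsers) and flags settings weaker than key-only logins. The account name `rdpuser` and the sample file are assumptions; host-qualified (USER@HOST) and negated patterns are not handled.

```python
import re

# Constructed sshd_config fragment; "rdpuser" is a hypothetical limited account.
SAMPLE_CONFIG = """\
# key-only logins for one tunnel account
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers rdpuser
DenyUsers Administrator Guest
"""

def parse_sshd_config(text):
    """Map lower-cased keyword -> arguments in file order (index 0 = first value seen)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        cfg.setdefault(keyword.lower(), []).extend(args)
    return cfg

def _match(user, pattern):
    # sshd patterns: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, user) is not None

def login_allowed(cfg, user):
    """DenyUsers is checked first; a non-empty AllowUsers then rejects everyone else."""
    if any(_match(user, p) for p in cfg.get("denyusers", [])):
        return False
    allow = cfg.get("allowusers", [])
    return not allow or any(_match(user, p) for p in allow)

def audit(cfg):
    """Flag settings weaker than the key-only, allow-listed setup in the post."""
    findings = []
    if (cfg.get("passwordauthentication") or ["yes"])[0].lower() != "no":
        findings.append("password authentication is enabled")
    if (cfg.get("pubkeyauthentication") or ["yes"])[0].lower() != "yes":
        findings.append("public key authentication is disabled")
    if not cfg.get("allowusers"):
        findings.append("no AllowUsers list: any account not denied may log in")
    return findings

if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_CONFIG)
    for name in ("rdpuser", "Administrator", "other"):
        print(name, login_allowed(cfg, name))
    print(audit(cfg))
```

With AllowUsers set, accounts outside the list are already refused, so in this model the DenyUsers line only changes the outcome for a name that would also match an AllowUsers pattern.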
 
poltrone said:
For security reasons I would like to make it impossible to log in
via Remote Desktop as an administrator. Unfortunately admins are
allowed to do so by default.

Is there a way to ban members of the admin group from logging in
via Remote Desktop?

poltrone


The following groups have the right to log on via Remote Desktop:

-Administrators ( Members of the 'Administrators' group );

-Additional users who you grant access via the:
System Properties | 'Remote' tab | 'Select Remote Users' button.
( Members of the 'Remote Desktop Users' group ).

To change this default behaviour, go to:
Start | Run | secpol.msc;
Security Settings | Local Policies | User Rights Assignment
The 5th policy down is 'Allow logon through Terminal Services'.
Double-click it.

As you expect, the groups 'Administrators' and 'Remote Desktop Users' are
listed here. Simply remove 'Administrators', and then only people you have
explicitly chosen using the 'Select Remote Users' button ( the 'Remote
Desktop Users' group ) are left.

If you want to look at, or edit, the contents of the 'Remote Desktop Users'
group directly, rather than via the 'Select Remote Users' button, then go to
Start | Run | lusrmgr.msc, and expand up the groups.
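
To verify the change described above, the user-rights assignment can be exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and inspected. The following added example (not part of the original post) parses such an export in Python; both INF samples are constructed, and `SeRemoteInteractiveLogonRight` is the internal name of the 'Allow logon through Terminal Services' right.

```python
ADMINS_SID = "S-1-5-32-544"     # BUILTIN\Administrators
RDP_USERS_SID = "S-1-5-32-555"  # BUILTIN\Remote Desktop Users

# Constructed samples of a secedit export. A real export file is usually
# UTF-16 and must be decoded to text before being passed in.
BEFORE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
"""
AFTER = BEFORE.replace("*S-1-5-32-544,*S-1-5-32-555", "*S-1-5-32-555")

def privilege_rights(inf_text):
    """Return {right name: [SID or account name, ...]} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; plain account names have none.
            rights[name.strip()] = [
                v.strip().lstrip("*") for v in value.split(",") if v.strip()
            ]
    return rights

def rdp_logon_report(inf_text):
    """Summarise who holds the Remote Desktop logon right in an export."""
    rights = privilege_rights(inf_text)
    allow = rights.get("SeRemoteInteractiveLogonRight", [])
    deny = rights.get("SeDenyRemoteInteractiveLogonRight", [])
    return {
        "allowed": allow,
        "denied": deny,
        "administrators_group_can_rdp": ADMINS_SID in allow and ADMINS_SID not in deny,
    }

if __name__ == "__main__":
    print("before:", rdp_logon_report(BEFORE))
    print("after: ", rdp_logon_report(AFTER))
```

The check covers the group entry only: an administrator account that is also a member of 'Remote Desktop Users' still holds the right through that group, so review that group's membership as well.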
 
Good point...:-)

--

Al Jarvi (MS-MVP Windows Networking)

 
I guess the only problem I have with disabling Administrator access to
Remote Desktop is sometimes an admin simply needs to log onto a PC as an
admin to do tasks. I run 95% of the time as a limited user on my home PCs
and also log onto my remote PCs as a limited user. I usually use "Run as" to
perform needed admin tasks. There are times, however, when I simply need to
get on as an admin user. So with that said I still think the VPN or SSH
tunnel solution is best...

--

Al Jarvi (MS-MVP Windows Networking)

 
