How can I prevent a TS user from TS or RDP to another server?

G

GX

Big Picture

How can I prevent a TS user from TS or RDP to another server?



Scenario:

Users (Vendors) log into my organization via VPN. They are setup on the VPN
under a group which has only access to one machine and back via RDP. (i.e.
Microsoft Group has access to the Microsoft Server Box, now we setup John on
the Microsoft group and he has only RDP access to the Win2KSVR). In order
for them to get into the Win2KSVR they are also setup on the network as jdoe
(Domain Admins) and that's the way he log into the Win2KSVR.



Concern:

John VPN into organization and RDP to Win2KSVR did what he needed to do and
opened the network neighborhood and saw all the servers we have. Now he
wants to browse and log into the boxes he has no need in loging in.



Question:

How can I prevent a user from login into another machine via TS or RDP when
they are login into a machine via TS or RDP?
 
M

Miha Pihler

Hi,

I am not sure how many (TS) servers you have and how practical this is for
you, but you can do this by managing permissions "Allow logon through
Terminal Services". This is a group policy setting. You can also open
"Terminal Services Configuration" right click on RDP-TCP and select
Properties. Click on Security tab and assign your "guest" user Deny
permission.

Last option that comes to mind -- again I don't know how convenient this is
for you. Setup your TS server in DMZ and deny access from DMZ to LAN on TS
TCP port (TCP port 3389).

I hope this helps,

Mike
 
C

Colin Nash [MVP]

So he's a Domain Admin but you don't want him administering your domain?
Maybe I don't understand...
 
J

John Smith

Sorry, let me try to make it clear...

These people are contractors/vendors (ie. Cisco Engineers hired to
troubleshoot Win2KSVR box with CallManager installaed on it), the VPN into
my workplace and then they can TS or RDP to the specific designated server.
So, I just want them to be able to TS or RDP to this box only and if they
try to open a TS or RDP to another box it would be restricted.
The problem is that they have to be Domain Admins in order to manage this
box. So, is there any way to actually include this user on a OU; let's say
"Vendors" and manage the Terminal Server connection or Remote Desktop
Connection via a GPO setting or so?

Thank you very much....

Hector




and
 
R

Roger Abell

And why do they need to be a Domain Admin in order to
do things on that one server ?
If in fact they need Domain Admin it would be because
they also need to do things on other servers, or to the
definitions of your domain at the controllers.
If that is so, it would seem your concern about them going
around in your domain is ill-founded. You have given them
Domain Admin so that they can do that.
On the other hand, if they only need to be local administrators
on the one server, then you can use standard methods of the
domain user account given them, that is an admin on that one
server, to control where that domain user account may be used.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

RDP access to TS from remore site over site to site VPN 1
RDP for multiple users 2
TS 2003 at SBS 2003 DC 3
Force RDP idle timeout 2
RDP security 2
Vista RDP to Windows 2008 Server 1
RDP "vista to xpsp2" 6
Server 2003 Admin TS logs off console 1

Top