How to restrict remote desktop control applications

sb

We have a multi-sited, complicated system standing on a
W2K Active Directory. In every site there are groups of
admins managing desktops. They are in the local admin groups
of the PCs in their sites.
Because these local admins have administrative privileges,
they can connect and remotely view what is going on on the
screen using "remote desktop control applications".
I need to know how to centrally restrict the use of remote
desktop control applications.

Best regards,
thanks in adv.
 
Steven L Umbach

If they are connecting from the internet, then you need to block their access at the
firewall, controlling which IP addresses can or cannot access the port that application
uses. --- Steve
 
suat bilben

No, there is no internet connection. These local admins are
on their LAN and I want to restrict their remote
access/view capability in their area. suat bilben
-----Original Message-----
If they are connecting from the internet, then you need to block their access at the
firewall controlling which ip address can or can not
access the port that application
 
Steven L Umbach

OK. The reason I asked was that I was wondering if they were using the built-in Windows
Remote Desktop or a third-party application. Sounds like it is a third-party
application. You should be able to use IPsec filtering to control access at the
machine level. For instance, Terminal Services/Remote Desktop uses TCP port 3389 on the
target computer. You could create IPsec filtering policies that would restrict access
to the port used for your remote access application only from authorized IP addresses
or block certain address ranges. IPsec policies can be administered via group policy
and local administrators could not override them. If you are having an abuse of
privileges issue, you may also want to enable auditing of logon events on domain
computers, which should show when these "administrators" are accessing other
computers. I don't know if it would interfere with their administrative functions, but
domain computers can also be configured via security policy/local policies/user
rights assignments for allow and deny access to this computer from the network. ---
Steve
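
An added example, not part of Steve's reply or the original thread: one way to review the audited logon events he suggests, flagging remote logons by site admin accounts that come from a workstation outside an approved list. This check does not depend on which port the remote control tool uses. The CSV layout, account names, computer names and allowlist are constructed assumptions; event IDs 528/540 are the successful-logon events on Windows 2000/XP/2003 and 4624 on Vista and later.

```python
import csv
import io

# Constructed sample: Security-log logon events exported as CSV (not real data).
# The column layout is an assumption; adapt it to your export tool's output.
SAMPLE_EXPORT = """\
time,computer,event_id,logon_type,domain,user,source_workstation
2004-03-01 09:12:44,PC-ANK-014,540,3,CORP,ank-admin1,ADM-ANK-01
2004-03-01 09:30:02,PC-ANK-014,528,2,CORP,ayse,PC-ANK-014
2004-03-01 10:05:19,PC-IST-007,540,3,CORP,ank-admin1,PC-ANK-022
2004-03-01 10:41:53,PC-IST-007,540,3,CORP,PC-IST-007$,PC-IST-007
2004-03-01 11:02:10,PC-IZM-003,528,10,CORP,izm-admin2,PC-IZM-019
"""

# Successful-logon event IDs: 528/540 (Windows 2000/XP/2003), 4624 (Vista and later).
LOGON_EVENT_IDS = {528, 540, 4624}
# Logon types that arrive from another machine: 3 = network, 10 = remote interactive.
REMOTE_LOGON_TYPES = {3, 10}

# Hypothetical policy: the management workstations each site admin may connect from.
AUTHORIZED_SOURCES = {
    "ank-admin1": {"ADM-ANK-01"},
    "izm-admin2": {"ADM-IZM-01"},
}


def find_unauthorized_remote_logons(export_text, authorized=AUTHORIZED_SOURCES):
    """Return remote logons by watched admin accounts from unapproved workstations."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if int(row["event_id"]) not in LOGON_EVENT_IDS:
            continue
        if int(row["logon_type"]) not in REMOTE_LOGON_TYPES:
            continue  # local/interactive logons are not what we are hunting for
        user = row["user"].lower()
        if user.endswith("$") or user not in authorized:
            continue  # skip machine accounts and accounts we are not watching
        source = row["source_workstation"].upper()
        if source not in authorized[user]:
            findings.append((row["time"], row["computer"], user, source))
    return findings


if __name__ == "__main__":
    for when, target, user, source in find_unauthorized_remote_logons(SAMPLE_EXPORT):
        print(f"{when}  {user} -> {target} from unapproved workstation {source}")
```
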
 
suat bilben

Steve, thanks a lot. It was a great help and exactly what I
was looking for. But unfortunately my foresight has been
wrong. I thought almost all of these remote view / admin
applications were using RDP as an integral protocol stack
including the ITU T.120 series. But they are running on
different services & ports (dynamic ports, which means
these ports can be changed).
So it seems the problem is getting complicated. I will think
about restricting access to computers from the network.
Thanks,
Best regards,
Suat Bilben
-----Original Message-----
OK. Reason I asked was that I was wondering if they were using built in Windows
Remote Desktop or a third party application. Sounds like it is a third party
application. You should be able to use ipsec filtering to control access at the
machine level. For instance Terminal Service/Remote
Desktop uses tcp port 3389 on the
 
