remote desktop policy

Guest

Win2000 server and clients.
What is the best procedure for preventing remote desktop connections between
both workstation-workstation and workstation-server?
I assume there are policies in the GPO and within the actual software itself?

Will this work if the remote desktop software is being run from software on
a mobile disk?

Thanks for any advice.
 
Bruce Sanderson

Computer Configuration
  Windows Settings
    Security Settings
      Local Policies
        User Rights Assignment
          Allow log on through Terminal Services - turn on the check mark for
            "Define these policy settings" but leave the list of users and
            groups empty
          Deny log on through Terminal Services - turn on the check mark for
            "Define these policy settings" and add Everyone to the list of
            users and groups

Computer Configuration
  Administrative Templates
    Windows Components
      Terminal Services
        Allow users to connect remotely using Terminal Services - Disable

This should cause all of the computers that have these settings applied (via
GPO) to reject any attempt to log on to them using the Microsoft Remote
Desktop Client (or the older Terminal Services client).

These policies affect the computer that the attempt to connect remotely is
targeted at (that is, the Terminal Services component), on both servers and
workstations (Windows 2000 SP2 or later).

The Remote Desktop Client itself doesn't have any settings to control which
computer it can be targeted at. I suppose you could remove the Remote
Desktop Client (mstsc.exe) from the computers so no one can use it, but if
all the servers and workstations reject the connection attempt, this would
be unnecessary. If the users are administrators on their workstations, then
they could just re-install it. I'm not sure what you mean exactly by
"mobile disk", but in any case, the lock down is on the target computer, not
the source computer, so it doesn't matter where the Remote Desktop Client
software is located.

I'm not sure why exactly one would want to do this. The ability of
administrators to connect to computers remotely, especially servers, is very
valuable. Windows 2003 Server comes with this ability installed by default
(equivalent to the Windows 2000 Terminal Services in Remote Administration
Mode) - the settings above would render this inoperable. For example, all
of our servers are in a remote basement with very tight physical security;
we do all of our administration remotely using the Remote Desktop Client -
in fact, I've never actually physically seen them. Remotely connecting to
workstations is very useful for tracking down problems, installing or
configuring software etc. With workstations in 20 odd remote locations (some
hundreds of miles away), we find it an essential capability. By
appropriately configuring the settings above, you can restrict the ability
to connect remotely to a single user account or a group (of administrators).

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
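The settings above, applied to a single machine through local policy and then read back, as an added example that is not part of the original thread (in a domain the same values are deployed by GPO; this is for a test box or a standalone host). It assumes an elevated PowerShell prompt on Windows XP/2003 or later, and the -AllowedPrincipal parameter is an assumption added for the follow-up question about letting one group keep remote access: leave it empty to reproduce the "nobody may log on remotely" configuration from the post.

```powershell
# Added example, not the poster's own procedure. Applies the Terminal Services
# lockdown from the answer to the local machine via local policy and verifies it.
# Assumes an elevated prompt; the administrative-template value below exists on
# Windows XP / Server 2003 and later, not on Windows 2000.
#
# -AllowedPrincipal: '' = nobody may connect (as in the post);
#                    'DOMAIN\Domain Admins' = only that group may connect.
param(
    [string]$AllowedPrincipal = ''
)

# 1. "Allow users to connect remotely using Terminal Services"
#    The GPO writes fDenyTSConnections under this policy key: 1 = Disabled
#    (all connections refused), 0 = Enabled. When a group is to be allowed,
#    the connection must be enabled here and restricted by user rights instead.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$denyTs = if ($AllowedPrincipal) { 0 } else { 1 }
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name fDenyTSConnections -Value $denyTs -Type DWord

# 2. User Rights Assignment through a security template (secedit):
#    SeRemoteInteractiveLogonRight     = "Allow log on through Terminal Services"
#    SeDenyRemoteInteractiveLogonRight = "Deny log on through Terminal Services"
#    *S-1-1-0 is the well-known SID for Everyone; an empty right is held by nobody.
#    A deny right always beats an allow right, so when a group is allowed the
#    deny list must stay empty or that group is locked out too.
$deny = if ($AllowedPrincipal) { '' } else { '*S-1-1-0' }
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = $AllowedPrincipal
SeDenyRemoteInteractiveLogonRight = $deny
"@
$inf = Join-Path $env:TEMP 'ts-lockdown.inf'
$db  = Join-Path $env:TEMP 'ts-lockdown.sdb'
$template | Out-File -FilePath $inf -Encoding unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null

# 3. Verify from the machine's own state rather than trusting the input.
$export = Join-Path $env:TEMP 'ts-rights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$rights = Get-Content $export |
    Where-Object { $_ -match '^Se(Deny)?RemoteInteractiveLogonRight' }

"fDenyTSConnections (policy) = " + (Get-ItemProperty $policyKey).fDenyTSConnections
"Effective Terminal Services logon rights:"
$rights
# netstat is used instead of Get-NetTCPConnection so this also runs on old hosts.
$listening = [bool](netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING')
"Port 3389 listening: $listening"

Remove-Item $inf, $db, $export -ErrorAction SilentlyContinue
```

The verification step matters more than the apply step: the exported rights show what the machine actually enforces after any domain GPO has overridden the local template, and the port check tells you whether the Terminal Services listener has really gone away (the service may need a restart or a reboot before it stops listening).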
 
Guest

Thanks for the excellent answer, but I don't appear to have the Terminal
Services option in my GPO. Is there an extra ADM that needs installing?

The reason we are doing this is that we are a school and the users are of course
very restricted. I want to access the servers from clients sometimes (so can
I just add Domain Admins as an allowed user?), but students have been getting
hold of third-party remote desktop software and taking control of other
workstations.


Thanks
 
Bruce Sanderson

The setting in Local Policies is available for Windows 2000 SP2 or later.

The setting in Administrative Templates, Windows Components is available for
Windows XP and Windows 2003 or later. Sorry, I should have checked that
before making my post.

However, none of these settings will have any effect on third-party remote
control software - they apply only to features built into Windows.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
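Since the Terminal Services policies only cover the built-in listener, the check a practitioner wants on a suspect workstation is an inventory of what else is listening. The following is an added example, not part of the original thread: it lists every TCP listener with its owning process and image path, and flags anything that does not run from the Windows or Program Files directories or that runs from removable media (the "mobile disk" case in the question). It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and Get-CimInstance, and an elevated prompt so image paths of other users' processes are readable.

```powershell
# Added example, not from the original thread. Inventory TCP listeners and flag
# those outside the Windows / Program Files trees or on removable drives.
# Assumes Windows 8 / Server 2012+ and an elevated prompt.

$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

# Drive letters of removable disks (Win32_LogicalDisk DriveType 2 = removable)
$removableDrives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object { $_.DeviceID }

function Test-TrustedPath {
    param([string]$Path)
    if (-not $Path) { return $false }   # unreadable image path: treat as untrusted
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$listeners = Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort, OwningProcess -Unique |
    ForEach-Object {
        $proc  = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $path  = if ($proc) { $proc.Path } else { $null }
        $drive = if ($path) { $path.Substring(0, 2) } else { '' }
        # PID 4 is the kernel (SMB, http.sys ports); it has no image path but is Windows.
        $trusted = ($_.OwningProcess -eq 4) -or (Test-TrustedPath $path)
        [pscustomobject]@{
            LocalPort   = $_.LocalPort
            Pid         = $_.OwningProcess
            Process     = if ($proc) { $proc.ProcessName } else { '?' }
            Path        = $path
            OnRemovable = $removableDrives -contains $drive
            Trusted     = $trusted
        }
    }

# Port 3389 owned by svchost is the built-in Terminal Services / Remote Desktop
# listener; it is the only one the GPO settings in this thread can switch off.
$listeners | Format-Table -AutoSize

'--- listeners to investigate (outside Windows/Program Files, or on removable media) ---'
$listeners | Where-Object { -not $_.Trusted -or $_.OnRemovable } | Format-Table -AutoSize
```

Run it on a workstation the students have been using and compare against a clean build: a listener on a high port whose image sits under a user profile or on a removable drive is exactly the third-party remote control case the Terminal Services policies cannot reach, and the path tells you where to look next.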
 
