Asked by penthese

Terminal Server/RDS gateway block XP users

Hello experts,

Our customer wants to block all XP computers which are connecting from outside the network to their remote desktop services (through remote desktop services gateway) (all 2008 R2 servers).
We searched for this but were unable to find a solution.
Is this possible somehow?
Thanks in advance.
ASKER CERTIFIED SOLUTION
Frank Helk
This solution is only available to members.
In Windows 2000 you could use the tsver.exe (Terminal Services Version Check) utility that came in the resource kit to limit connections to specific client build numbers.

I haven't tested tsver.exe to see if it works in 2008, and I can't find any references. You may want to try the 2000 version of the tool to see if it works under 2008, but I wouldn't count on it.

As far as I know there is no group policy setting for this either, and I'm not aware of any public tools that will do it.

I didn't do a lot of research, but unless tsver works in 2008, I suspect you'd have to build (or have built) a custom tool to do this.  Looks like the Client Build Number is reported to the server, so that probably isn't too difficult to do.

I'm not sure why you need this restriction, but if it is due to security concerns, you may want to consider limiting connections to clients using Network Level Authentication. XP clients can still connect, but only at XP SP3 with the CredSSP enabled - at least until you can find or develop a tool to block XP clients completely.

http://technet.microsoft.com/en-us/library/cc732713.aspx
SOLUTION
This solution is only available to members.

ASKER

Hello Experts,

Since we have not found a viable option to block XP users from our terminal servers, we have taken it upon ourselves to develop a program which is capable of doing just that. (With great success as of now.)
We do however wish to thank everyone in this topic that has tried to help us.

Penthese.
I've requested that this question be closed as follows:

Accepted answer: 0 points for penthese's comment #a40041727

for the following reason:

Developing the program ourselves was our choice in handling this matter.
Hmmm ... nobody found an existing solution out there, but I think the participants have pointed you in the direction you've chosen at last. Even while that is not the preferred one - developing something new is usually the last resort - wouldn't you think the experts have earned some points in that case?
I agree with frankhelk.  

Question was "Is this possible somehow?".  Both frankhelk and I suggested mechanisms for doing this, and noted that custom development was probably required - the exact solution you opted to go with.
Hello experts,
Despite having the customer service look at this and agree with me, stating that: "Hello,
You are correct, there is no reward for trying – accepted solutions are accepted solutions."
I will award you points for pushing me in the direction of development; the program works correctly and we are very happy with it.

Have a good day,

Penthese.