Windows 2000 Terminal Services security....

mzinzi
We have an NT 4.0 domain, and I have 2 Windows 2000 member servers set up with terminal services. Right now, anyone can start a session to the servers. I installed the terminal services client on a regular user's Win 2000 Pro machine, and he was able to establish a connection to the server. This user has no administrative rights whatsoever. How do I restrict users to be able to establish a connection to the terminal server? I want the message to come up that you do not have access.
On the server, go to Control Panel->Administrative Tools->Local Security Policy. Expand Local Policies->User Rights Assignment. In the right pane, scroll down and double-click on "Log on Locally". Uncheck the boxes beside any users or groups you don't want to be able to establish a terminal session.

Author

Commented:
OK...did what you suggested, but I am still able to create a connection to the term server. I went into the local security policy of the term server and removed "users" from the "log on locally" permission. This left only "Administrators" and my domain account as the only users who have access to log on locally to the term server. However, I attempted to create a connection from a standard user's Win 2000 Pro machine and I am able to create the connection. What am I doing wrong?

Author

Commented:
Yes, I established the connection and was able to log on with a regular user account. Isn't there a way to prevent a user from even being able to establish a connection to the term server...i.e., I want it to say "access denied" when I click on a particular Terminal Server in the Terminal Services Client screen. I could have sworn there was a way. Any ideas?
You must have a domain, OU or Site policy which is overriding the local policy. Go back in and make sure there isn't a check in the Effective Policy column beside a user or group you are trying to prevent from logging on.

There is no way to make the Terminal Service Client give an access denied message. They won't get access denied until they enter their logon credentials.

Author

Commented:
jjmck...

Ok...just so I completely understand...

If a Win 2000 Pro machine has the terminal services client installed, no matter what user account is logged onto the machine, they will be able to establish a connection with the terminal server so that the logon screen appears, right?

So the only security for Terminal services is at the actual logon screen during the terminal session, there is no way to prevent a user from actually establishing the connection?
Yes, the only security you'll have is the login screen.
But you can install a firewall (ISA Server) and restrict IP addresses.
Yes, what simonsezstech said is correct. The only way to prevent a connection would be to block it at the network level.
