How to limit access to Remote Desktop to mobile users?

I am running Windows Small Business Server 2k3. I have a VPN set up using remote access and the Windows XP client. Everything on the VPN is working fine. The problem I am having is restricting access for the mobile users group. I have 1 client that needs access to Remote Desktop through the VPN, and that works fine. I don't want the other 3 clients to have access to Remote Desktop at all. I also don't want them to have any access to the few file shares I have inside the network. Actually, the only access they need is to the internal web server and my MS SQL Server via Access. Any help would be greatly appreciated. Thanks.
allanhendershot Asked:
 
mikeleebrla Commented:
Perhaps I am missing something, but when you allow Remote Desktop connections you have the option to select which users can connect to the server. All you have to do is select which users you want to allow, and don't allow the others. This is done on the Remote tab of the System Properties (right-click My Computer and choose Properties to get to the System Properties).
0
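To check the result of the per-user selection described in the answer above, the members of the local Remote Desktop Users group (the group that the Remote tab's user list edits) can be compared against an allow-list. This is an added example, not part of the original thread; the `EXAMPLE\` account names and the sample command output are constructed.

```python
import re

# Constructed sample of `net localgroup "Remote Desktop Users"` output
# (English locale); the EXAMPLE\ accounts are placeholders.
SAMPLE_OUTPUT = """\
Alias name     Remote Desktop Users
Comment        Members in this group are granted the right to logon remotely

Members

-------------------------------------------------------------------------------
EXAMPLE\\mobile1
EXAMPLE\\mobile2
EXAMPLE\\Mobile Users
The command completed successfully.

"""


def parse_members(net_output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True                      # member list starts after the rule
        elif in_list and line.lower().startswith("the command completed"):
            break                               # trailing status line ends the list
        elif in_list and line:
            members.append(line)                # user or (nested) group name
    return members


def unexpected_members(net_output, allowed):
    """Members not on the allow-list; Windows account names are case-insensitive."""
    allowed_ci = {name.lower() for name in allowed}
    return [m for m in parse_members(net_output) if m.lower() not in allowed_ci]


if __name__ == "__main__":
    # Only one mobile user is supposed to have Remote Desktop access.
    for name in unexpected_members(SAMPLE_OUTPUT, ["example\\mobile1"]):
        print("not on allow-list:", name)
```

A nested group such as the constructed `EXAMPLE\Mobile Users` entry grants access to every account in it, and members of the local Administrators group can connect whether or not they appear in this list, so that group is worth reviewing the same way.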
 
Rich Rumble (Security Samurai) Commented:
A personal firewall on the PCs would be good; it would allow you to block the access to the servers/ports you specify, no matter where they are coming from.
You may consider changing the port for TS/RD to a non-standard port the other clients wouldn't be aware of, and using the XP Remote Desktop client (which can be installed on most M$ OSes) will allow you to have the user specify the port to use:
Connect to: serverX:1234 (1234 would be the destination port on the TS/RD server you changed the listening port to)
http://support.microsoft.com/default.aspx?scid=kb;en-us;306759
This doesn't eliminate the share issue, which could be resolved with using share and NTFS permissions to keep the unwanted account off of them.
-rich
0
 
allanhendershot (Author) Commented:
The Remote Desktop solution presented above will work in the short term, but the problem is that the users in question are in another state and I don't know who else will have access to their system. Hiding the port will help in the short term, but a simple port scan would reveal the Remote Desktop port as open and potentially lead to a system compromise. I was hoping to limit access either through some sort of policy or through Active Directory maybe. I am just not sure how to go about it. I have tried creating a severely limited group in Active Directory and setting it up to have access to the VPN but little else, but they can still log into local machines through Remote Desktop with their user accounts.
0
 
Rich Rumble (Security Samurai) Commented:
mikeleebrla is correct, I totally missed this solution. KISS (keep it simple, stupid).
-rich
0
 
allanhendershot (Author) Commented:
Thanks. That answers the question. I was overcomplicating things. So obvious and simple I completely missed it.
0
Question has a verified solution.
