Deny Administrator access to Terminal Server Web Access

I have the following situation:
Server 2008 with Terminal Server Gateway and Terminal Server Web Access
Server 2008 with Terminal Services

The set-up:
People need to log in for specific programs and should not log on directly using Remote Desktop (this would probably be a port block). The administrator account should not be allowed to log in to the website but should be able to log in over normal RDP.

Currently the Terminal Services computer is also a Web Access server and is open from the Internet. I know I can "deny" rights to log in over the Gateway to connect to the server, but I cannot deny login rights for the Web Access.

Now the real problem: I am able to log in to the web page, but I also need to have a port opened for the normal RDP session to the computer, since the computer is open from the Internet.

In short:
1. Is it possible to deny Administrator login to the website but allow (internal) RDP sessions?
2. Is it possible to allow users to log in only over the web page but not directly to RDP?
3. Would it be possible to have only port 443 (HTTPS) open for all connections?
Mindless999 asked:
NJComputerNetworks commented:
Have you considered using RemoteApp?

http://www.tricerat.com/blog/166
nsx106052 commented:
This TechNet article covers blocking user accounts from using RDP:
http://technet.microsoft.com/en-us/library/cc778391%28WS.10%29.aspx

Something else you might want to consider is having a login script for RDP.
nsx106052 commented:
Be sure you deny RDP access through local policy and not Group Policy. I forgot to mention that.
Mindless999 (author) commented:
NJComputerNetworks: I am using RemoteApp (also known as Terminal Server Web Access), and currently for some reason it still wants to connect over the "RDP" port.

nsx106052: I do not want to deny access for the complete user; I just want to allow login from certain subnets, and preferably in a way so that external users cannot guess the password for the administrator account.
nsx106052 commented:
Locate the [Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment] item.

Check "Deny log on through Terminal Services" and add the users you don't want to connect through RDP.
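To make that user-rights step concrete, here is an added PowerShell example, not code from the thread, that assigns "Deny log on through Terminal Services" to the built-in Administrator on the Terminal Services host through local policy with secedit. It assumes the account is still named Administrator (the SID is resolved, so RID 500 is matched even if it was renamed later) and that it runs in an elevated prompt on the TS server. One caveat before applying it: this right denies every Remote Desktop session for that account on that host, RemoteApp programs launched from TS Web Access included, because a RemoteApp is still an RDP session, and the right is not subnet-aware, so on its own it cannot allow internal RDP while blocking external RDP.

```powershell
# Added example (not from the thread). Run elevated on the Terminal Services host.
# Assumption: the built-in administrator account is named "Administrator".
$acct = New-Object System.Security.Principal.NTAccount("Administrator")
$sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value

$inf = Join-Path $env:TEMP "userrights.inf"
$db  = Join-Path $env:TEMP "userrights.sdb"

# 1. Export only the user-rights area of the current local security policy.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# 2. Add the SID to SeDenyRemoteInteractiveLogonRight, which is the internal name
#    of "Deny log on through Terminal Services". Existing entries are preserved.
$key   = "SeDenyRemoteInteractiveLogonRight"
$found = $false
$out = foreach ($line in (Get-Content $inf)) {
    if ($line -match "^$key\s*=") {
        $found = $true
        if ($line -notmatch [regex]::Escape($sid)) { "$line,*$sid" } else { $line }
    } else {
        $line
    }
}
if (-not $found) {
    # The right is missing from the export when nobody holds it yet;
    # append it directly under the [Privilege Rights] section header.
    $out = $out | ForEach-Object { $_; if ($_ -eq "[Privilege Rights]") { "$key = *$sid" } }
}
# secedit reads and writes its .inf files as Unicode (UTF-16LE).
Set-Content -Path $inf -Value $out -Encoding Unicode

# 3. Apply only the USER_RIGHTS area back into local policy.
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null

# 4. Verify by re-exporting: the line should now list the Administrator SID.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern $key
```

A "Deny" right always wins over the matching "Allow" right, so once this is in place the account is refused by the TS host whether the session is requested directly on 3389, through the Gateway, or from a RemoteApp link on the TS Web Access page.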
NJComputerNetworks commented:
Now the real problem, I am able to login to the web page, but I also need to have a port opened for the normal RDP session to the computer since the computer is opened from the Internet.

3. Would it be possible to only have port 443 (https) open for all the connections.

Yes, if you are using Terminal Server Gateway and clients are using the 6.1 RDP client.

http://support.microsoft.com/kb/951616

Terminal Server Gateway servers
A Terminal Server Gateway (TS Gateway) server is a kind of gateway that enables authorized users to connect to remote computers on a corporate network. These authorized users can connect from any computer by using an Internet connection. TS Gateway uses the Remote Desktop Protocol (RDP) together with the HTTPS protocol to help create a more secure encrypted connection.

Earlier versions of RDC cannot connect to remote computers across firewalls and across network address translators. This is because port 3389 is typically blocked to improve network security. Port 3389 is the port that is used for Remote Desktop connections. However, a TS Gateway server uses port 443. Port 443 transmits data through a Secure Sockets Layer (SSL) tunnel.
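As an added example that is not part of the thread: a PowerShell script that writes an .rdp file forcing the connection through the TS Gateway over HTTPS and then probes, from a host outside the perimeter, that 3389 is no longer reachable while 443 on the gateway is. The names are assumptions for illustration: gw.example.com for the gateway, ts01.corp.example.com for the TS host as the gateway resolves it, and a constructed public address 203.0.113.10 for the TS host.

```powershell
# Added example, not from the thread. Assumed names (replace with your own):
$gateway  = "gw.example.com"          # TS Gateway, the only host exposed, port 443 only
$tsHost   = "ts01.corp.example.com"   # TS server name as the gateway resolves it
$tsPublic = "203.0.113.10"            # constructed public address of the TS host

# 1. An .rdp file whose connection always goes through the gateway over HTTPS.
#    gatewayusagemethod 1        = always use the gateway (no direct 3389 attempt)
#    gatewayprofileusagemethod 1 = use the explicit settings in this file
#    gatewaycredentialssource 0  = prompt for a password (NTLM)
#    authentication level 1      = do not connect if server authentication fails
$rdp = @"
full address:s:$tsHost
gatewayhostname:s:$gateway
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
authentication level:i:1
prompt for credentials:i:1
"@
$rdpPath = Join-Path $env:USERPROFILE "Desktop\via-gateway.rdp"
Set-Content -Path $rdpPath -Value $rdp

# 2. TCP probe with a timeout. Uses .NET directly because Test-NetConnection
#    does not exist on Server 2008 / PowerShell 2.0.
function Test-Port {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar   = $client.BeginConnect($ComputerName, $Port, $null, $null)
        $done = $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        return ($done -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 3. Run this part from outside the perimeter. Expected: only 443 on the gateway
#    answers; 3389 on the gateway and on the TS host's public address does not.
$checks = @(
    @{ Host = $gateway;  Port = 443;  Expect = $true  },
    @{ Host = $gateway;  Port = 3389; Expect = $false },
    @{ Host = $tsPublic; Port = 3389; Expect = $false }
)
foreach ($c in $checks) {
    $open    = Test-Port -ComputerName $c.Host -Port $c.Port
    $state   = if ($open) { "open" } else { "closed" }
    $verdict = if ($open -eq $c.Expect) { "OK" } else { "FIX" }
    "{0,-4} {1}:{2} is {3}" -f $verdict, $c.Host, $c.Port, $state
}
```

For programs published through TS Web Access the same gateway values are set in TS RemoteApp Manager under TS Gateway Settings, which is what stamps these gateway lines into the RemoteApp .rdp files the site hands out; without them a RemoteApp launch tries the TS host on 3389 directly, which is the behaviour the author describes. Once every client path goes through the gateway, 3389 can be closed at the perimeter and the last probe above should report "closed".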
Mindless999 (author) commented:
This completely answered some questions, thanks a lot!