Deny Administrator access to Terminal Server Web Access

I have the following situation:
Server 2008 with Terminal Server Gateway and Terminal Server Web access
Server 2008 with Terminal Services

The set-up:
People need to log in for specific programs and should not log on directly using Remote Desktop (this would probably be a port block). The Administrator account should not be allowed to log in to the website but should be able to log in over normal RDP.

Currently the Terminal Services computer is also a Web Access server and is open from the Internet. I know I can "deny" rights to log in over the Gateway to connect to the server, but I cannot deny login rights for the Web Access.

Now the real problem: I am able to log in to the web page, but I also need to have a port opened for the normal RDP session to the computer, since the computer is open from the Internet.

For short:
1. Is it possible to deny Administrator login to the website, but allow (internal) RDP sessions?
2. Is it possible to allow users to log in only over the web page and not directly via RDP?
3. Would it be possible to have only port 443 (HTTPS) open for all the connections?

Mindless999 asked:
NJComputerNetworks commented:
Now the real problem, I am able to login to the web page, but I also need to have a port opened for the normal RDP session to the computer since the computer is opened from the Internet.

3. Would it be possible to only have port 443 (https) open for all the connections.


Yes, if you are using Terminal Server Gateway... and clients are using the 6.1 RDP client.

http://support.microsoft.com/kb/951616

Terminal Server Gateway servers
A Terminal Server Gateway (TS Gateway) server is a kind of gateway that enables authorized users to connect to remote computers on a corporate network. These authorized users can connect from any computer by using an Internet connection. TS Gateway uses the Remote Desktop Protocol (RDP) together with the HTTPS protocol to help create a more secure encrypted connection.

Earlier versions of RDC cannot connect to remote computers across firewalls and across network address translators. This is because port 3389 is typically blocked to improve network security. Port 3389 is the port that is used for Remote Desktop connections. However, a TS Gateway server uses port 443. Port 443 transmits data through a Secure Sockets Layer (SSL) tunnel.
NJComputerNetworks commented:
Have you considered using RemoteApp?

http://www.tricerat.com/blog/166
nsx106052 commented:
This TechNet article covers blocking user accounts from using RDP:
http://technet.microsoft.com/en-us/library/cc778391%28WS.10%29.aspx

Something else you might want to consider is having a logon script for RDP.
nsx106052 commented:
Be sure you deny RDP access through local policy and not group policy. I forgot to mention that.

Mindless999 (author) commented:
NJComputerNetworks: I am using RemoteApp (also known as Terminal Server Web Access), and currently, for some reason, it still wants to connect over the "RDP" port.

nsx106052: I do not want to deny access for the complete user; I just want to allow login from certain subnets, and preferably in a way so that external users cannot guess the password for the Administrator account.

nsx106052 commented:
Locate the [Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment] item.

Check the "Deny logon through Terminal Services" right and add the users you don't want to connect through RDP.
Mindless999 (author) commented:
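The "Deny logon through Terminal Services" right described above (internal name SeDenyRemoteInteractiveLogonRight) is per-computer and applies to every RDP logon on that host, RemoteApp / TS Web Access sessions included, so it cannot distinguish the web entry point from a direct session. The script below is an added example, not code from this thread or from Microsoft; it audits (and, with -Apply, sets) that right on the local machine using secedit, assuming an elevated PowerShell on the Terminal Services host and an account name such as 'Administrator' (both assumptions).

```powershell
# Added example, not code from the thread. Audits (and with -Apply, sets) the
# "Deny log on through Terminal Services" user right on the local computer by
# exporting and re-importing the USER_RIGHTS area with secedit.
# Assumptions: run in an elevated PowerShell on the Terminal Services host;
# $Account names a local or domain account such as 'Administrator'.
param(
    [string]$Account = 'Administrator',
    [switch]$Apply
)
$right = 'SeDenyRemoteInteractiveLogonRight'   # the policy's internal name
$cfg   = Join-Path $env:TEMP 'userrights-export.inf'

# secedit stores principals as *SID, so resolve the account name first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$line    = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
$members = @()
if ($line) { $members = ($line -replace "^$right\s*=\s*", '') -split ',' | ForEach-Object { $_.Trim() } }

if ($members -contains "*$sid") {
    Write-Host "$Account ($sid) is already denied logon through Terminal Services."
    return
}
Write-Host "$Account ($sid) is NOT in $right (current: $($members -join ','))."
if (-not $Apply) { return }

# Minimal security template: only the one right, with the SID appended.
$newValue = (@($members | Where-Object { $_ }) + "*$sid") -join ','
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$right = $newValue
"@
$tpl = Join-Path $env:TEMP 'deny-ts-logon.inf'
Set-Content -Path $tpl -Value $template -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'deny-ts-logon.sdb') /cfg $tpl /areas USER_RIGHTS /quiet
Write-Host "Applied. This denies every RDP logon for $Account on this host, RemoteApp/TS Web Access sessions included."
```

Run without -Apply first to see who is currently in the right; a domain Group Policy that also sets this right will overwrite the local value at the next policy refresh.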
This completely answered some questions, thanks a lot!