Terminal service user login

zolf

Hello there,

I have some users who connect to my server remotely via Terminal Services. I want to control which computers can connect to my server. How can I do it? For example, I do not want remote users to connect to the server from their own laptops or from home.

cheers
Zolf

Commented:
You should be able to configure this through a firewall setting.
If this server is behind a NAT server, then it should be straightforward to restrict login to the terminal machine.
If this machine is easily available on the net, install a firewall on this box and then restrict the access.

bbao (IT Consultant)

Commented:
Do the remote users have the credentials to access your server? Do you need to access your server remotely?

Commonly, there are three approaches:

Credential-based control: remove their credentials for TS access. If their laptops are DHCP-based, you had better go this way.

Protocol-based control: block TS access at all (can be for a specific scope only). No one could access the server remotely.

IP-based control: block known IPs of their computers and laptops, if they do have static IPs.

Which one do you prefer?

Author

Commented:

>> If this machine is easily available on the net, install a firewall on this box and then restrict the access.

How can I restrict the access? Can you please tell me more about it.

Author

Commented:

>> Do the remote users have the credentials to access your server?

Yes, they have.

>> Do you need to access your server remotely?

Yes, but only from the remote office machines.

Author

Commented:

>> IP-based control: block known IPs of their computers and laptops, if they do have static IPs.

The remote branch office users connect to the server using ADSL, therefore their IP is not static. So I have to go for one of the other two options.

Author

Commented:

>> Credential-based control: remove their credentials for TS access. If their laptops are DHCP-based, you had better go this way.

If I remove their credentials, then how can they connect to the server?

>> Protocol-based control: block TS access at all (can be for a specific scope only). No one could access the server remotely.

You see, these users connect to the server to use my ERP software, which I have implemented for the company. The management do not want users to be able to run the software outside the company premises.

Commented:
If the requirement is that the same user should be able to log in from your corporate network and not from home, then IP is the only way you have.

Based on the firewall s/w you've installed on your server, you can restrict access only to requests coming in from your corporate IP. Specify the first 2 or 3 blocks only, e.g. 222.333.xxx.xxx.

Specific details on how to restrict based on IP should be available in the documentation of your respective firewall s/w.

Author

Commented:

>> If the requirement is that the same user should be able to log in from your corporate network and not from home, then IP is the only way you have.

Will this work for an ADSL connection?

bbao (IT Consultant)

Commented:
>> Protocol-based control: block TS access at all (can be for a specific scope only). No one could access the server remotely.
> The management do not want users to be able to run the software outside the company premises.

The major information is here:

Customizing Windows Firewall
http://www.windowsecurity.com/articles/Customizing-Windows-Firewall.html

You need to check the RDP option at the Exceptions tab of the Windows Firewall window, and modify its scope to the allowed range, say your local subnet only...

FYI - Managing Windows Firewall
http://technet.microsoft.com/en-us/library/cc779561(WS.10).aspx

Author

Commented:

What you referred to is from the client machine. I want remote users to be checked from the server side.

Commented:
Simply change the port.

http://support.microsoft.com/kb/306759

Tell those that want access to change their RDP port to the new one.

OR

If you don't want ANY outside access, create a firewall rule to block on that default port.
*Note: you can still use a different port internally to deter the laptop users.
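The two server-side controls discussed above (scoping the RDP firewall exception to an allowed range, and matching whatever listener port KB 306759 has been used to set) as one added example; this is not code from the thread, and the 10.10.0.0/16 subnet is an assumed placeholder for the corporate LAN:

```powershell
# Added example: restrict inbound RDP on the server to known corporate addresses.
# Assumption: 10.10.0.0/16 stands in for the real office range; edit it.
$AllowedSubnets = @('10.10.0.0/16')
$AllowedLegacy  = '10.10.0.0/255.255.0.0'   # same range, Server 2003 netsh notation

# Read the listener port from the registry value KB 306759 describes, so the
# rule follows the port actually in use instead of assuming 3389.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    # Windows Server 2012 and later: disable the built-in any-source RDP rules,
    # then add one allow rule limited to the corporate range. Inbound traffic
    # that matches no allow rule is dropped by the default profile policy.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName 'RDP from corporate LAN only' `
        -Direction Inbound -Protocol TCP -LocalPort $rdpPort `
        -RemoteAddress $AllowedSubnets -Action Allow -Profile Any | Out-Null

    # Verification: list every enabled allow rule that still opens the RDP port,
    # so a leftover unscoped rule cannot silently re-expose the listener.
    Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -eq "$rdpPort" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
        Format-Table DisplayName, Enabled, Profile
}
else {
    # Windows Server 2003 SP1 / XP SP2 firewall: same intent via the legacy
    # netsh firewall context, with a CUSTOM scope instead of ALL.
    netsh firewall set portopening protocol=TCP port=$rdpPort name="Remote Desktop" `
        mode=ENABLE scope=CUSTOM addresses=$AllowedLegacy
}
# Branch offices on dynamic ADSL addresses cannot be listed here; a per-device
# control such as the certificate approach suggested later in the thread is
# needed for them.
```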

Author

Commented:

Thanks for your comment.

You mean I change the port of the TS on the server? If yes, how do I change the default port on Server 2003?

Commented:
You could configure Certificate Services and only allow computers with the cert to connect.

Have a look at http://support.microsoft.com/kb/895433

bbao (IT Consultant)

Commented:
> You could configure Certificate Services and only allow computers with the cert to connect.

Good point.

Author

Commented:

cheers