Terminal service user login


Hello there,

I have some users who connect to my server via terminal service remotely. I want to control from which computers they can connect to my server. How can I do it? For e.g., I do not want remote users to connect to the server from their own laptop or from home.

cheers
Zolf

sandeshj Commented:
You should be able to configure this through a firewall setting.
If this server is behind a NAT server, then it should be straightforward to restrict login into the terminal machine.
If this machine is easily available on the net, install a firewall on this box and then restrict the access.
bbao (IT Consultant) Commented:
Do the remote users have the credentials to access your server? Do you need to access your server remotely?

Commonly, three approaches:

Credential based control - remove their credentials for TS access. If their laptops are DHCP based, you better go this way.

Protocol based control - block TS access at all (can be for a specific scope only). No one could access the server remotely.

IP based control - block known IPs of their computers and laptops, if they do have static IPs.

Which one do you prefer?
zolf (Author) Commented:

>>If this machine is easily available on the net, install a firewall on this box and then restrict the access.
How can I restrict the access? Can you please tell me more about it?

zolf (Author) Commented:

>>do the remote users have the credentials to access your server?
Yes, they have.

>>do you need to access your server remotely?
Yes, but only from the remote office machines.
zolf (Author) Commented:

>>IP based control - block known IPs of their computers and laptops, if they do have static IPs.
The remote branch office users connect to the server using ADSL, therefore their IP is not static. So I have to go for one of those other 2 options.
zolf (Author) Commented:

>>credential based control - remove their credentials for TS access. if their laptops are DHCP based, you better go this way.

If I remove their credentials, then how can they connect to the server?

>>protocol based control - block TS access at all (can be for a specific scope only). no one could access the server remotely.

You see, these users connect to the server to use my ERP software which I have implemented for the company. The management do not want users to be able to run the software outside the company premises.
sandeshj Commented:
If the requirement is that the same user should be able to login from your corporate network and not from home, then IP is the only way you have.

Based on the firewall s/w you've installed on your server, you can restrict access only to requests coming in from your corporate IP. Specify the first 2 or 3 blocks only. E.g. 222.333.xxx.xxx

Specific details on how to restrict based on IP should be available in the documentation of your respective firewall s/w.
zolf (Author) Commented:

>>If the requirement is that the same user should be able to login from your corporate network and not from home then IP is the only way you have.

Will this work for an ADSL connection?
bbao (IT Consultant) Commented:
>>protocol based control - block TS access at all (can be for a specific scope only). no one could access the server remotely.
> the management do not want users to be able to run the software outside the company premises

The major information is here:

Customizing Windows Firewall
http://www.windowsecurity.com/articles/Customizing-Windows-Firewall.html

You need to check the RDP option at the Exception tab of the Windows Firewall window, and modify its scope to the allowed range, say your local subnet only...

FYI - Managing Windows Firewall
http://technet.microsoft.com/en-us/library/cc779561(WS.10).aspx
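
The scope restriction described in the comment above, done from the command line on the server itself; this is an added example, not part of the original thread. It assumes Windows Server 2003 SP1 or later (where Windows Firewall and `netsh firewall` exist), and the range `192.0.2.0/24` is a placeholder for the office's real addresses. With dynamic ADSL addresses the allowed range has to cover whatever the ISP may assign, which is the limitation raised earlier in the thread.

```bat
@echo off
rem Added example. Run at the server console, not inside an RDP session:
rem a wrong scope cuts off the session that applied it.

rem ALLOWED is an assumption: 192.0.2.0/24 is a documentation range used as a
rem placeholder for the office network. LocalSubnet is a netsh keyword for the
rem server's own subnet.
set ALLOWED=192.0.2.0/24,LocalSubnet

rem The scope on an exception is only enforced while Windows Firewall is on.
rem Turning it on blocks every inbound port that has no exception of its own,
rem so other services on this server need their exceptions defined first.
netsh firewall set opmode mode=ENABLE
if errorlevel 1 goto failed

rem Restrict the built-in Remote Desktop exception (TCP 3389) to ALLOWED.
rem Connections from any other source address are dropped by the server.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=%ALLOWED%
if errorlevel 1 goto failed

rem List the service exceptions to confirm the change.
netsh firewall show service
goto :eof

:failed
echo Firewall change failed; Remote Desktop scope was not applied.
exit /b 1
```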
zolf (Author) Commented:

What you referred to is from the client machine. I want remote users to be checked from the server side.
SPC_75 Commented:
Simply change the port.

http://support.microsoft.com/kb/306759

Tell those that want access to change their RDP port to the new one.

OR

If you don't want ANY outside access, create a firewall rule to block on that default port.
*Note: you can still use a different port internally to deter the laptop users.
zolf (Author) Commented:

Thanks for your comment.

You mean I change the port of the TS on the server? If yes, how do I change the default port on Server 2003?
Voodoocrazy Commented:
You could configure Certificate Services and only allow computers with the cert to connect.

Have a look at http://support.microsoft.com/kb/895433

bbao (IT Consultant) Commented:
> You could configure Certificate services and only allow computers with the cert to connect

Good point.
zolf (Author) Commented:

Cheers