Solved

Remote desktop user permissions over RRAS / VPN

Posted on 2011-09-29
8
395 Views
Last Modified: 2012-05-12
Hi there

This is the plan:

Users authenticate using their domain credentials over RRAS.
They use RDP to connect to their workstation - they know the internal DNS name of that workstation.
Everyone's happy.

Is it possible to configure specific user accounts within Active Directory to only be able to connect into certain internal resources/devices via some kind of firewall?

e.g. user1 would only be allowed to use RDP on computer1.internal.domain.com and shared drive on server1.internal.domain.com and wouldn't be able to see/scan any other devices

Thanks in advance
0
Comment
Question by:butterhook
  • 4
  • 4
8 Comments
 
LVL 4

Expert Comment

by:WilsonsITDept
ID: 36813562
Hi.

Which OS are the workstations running?

I'm on XP Pro.

If you go to the System applet in Control Panel and go to the Remote tab, then click Select Remote Users, you can select the users who can connect to that machine. This will limit who can connect to what.

BUT

Would you need to roll this out via Group Policy? How many machines are you looking at?



As for the server shares, that's a case of setting the permission on the shares at the server.

Are they basic Windows file shares?

Thanks

Tom
0
 
LVL 1

Author Comment

by:butterhook
ID: 36813589
Yeah it'd be group policy, I imagine from various Windows client OS, some Macs too!

Around 14 users.

So you reckon that their domain credentials would be enough?

I'd just rather the network couldn't be scanned or accessed other than what that user is specifically allowed.

0
 
LVL 4

Accepted Solution

by:
WilsonsITDept earned 500 total points
ID: 36813659
I meant which workstation OSs are people remote desktopping to, not from.


The problem you've got with the group policy side of things is that you don't just have a user or computer poilicy to set, it's per user and per computer at the same time.

You don't want a situation where you've got a ploicy for every computer, stating that only one user can log onto it. That's a headache when you need to troubleshoot or tweak a configuration.

Is there any way you can put all the users into a group, and allow only that group access to RDP to every computer? Or does it have to be literally PC1/User1, PC2/Users2 etc?


With the user shares, it's easy enough to grant permissions on a per user basis. It might be better to put the folder they need secure access to in their profile directory, that way it'll assume the default permissions for that folder and should lock everyone else out.

I'm fairly sure you can restrict users/groups of users from expanding the network in network nieghbourhood, but you can't stop then browsing around if they already know the dns name of the server.  If nothing's been shared out with low security permissions, you should be ok.


It sounds like Citrix would be a good solution for you, but obviously expensive.


Tom
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 1

Author Comment

by:butterhook
ID: 36814097

Target machines are XP/7/2008

Thanks for the info. I'm thinking now that it's a case of a group of people that are allowed to use RDP/VPN.

Is this better as an organisational unit, or as a security group do you think?
0
 
LVL 4

Assisted Solution

by:WilsonsITDept
WilsonsITDept earned 500 total points
ID: 36814114
The users would go into a security group, then the group would be added to the list of allowed users under the Remote Desktop setting on the PCs via Group Policy.


The Group Policy to add the group would have to be applied to an OU, though, or several OUs.

What's the layout of your active directory? Arethe PCs all in one OU?You might have to make a top level policy.


Tom


0
 
LVL 1

Author Comment

by:butterhook
ID: 36814211
We've got different OUs for different machine types - but I've got enough information now to figure out how to do it. Thanks so much!
0
 
LVL 1

Author Closing Comment

by:butterhook
ID: 36814213
ta
0
 
LVL 4

Expert Comment

by:WilsonsITDept
ID: 36814217
No problem at all!

Just post back here if you get any other problems.


Tom
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
AD and Exchnage 2010 Photos 3 44
Domain Administrator locked out "Again" 7 58
VPN Ports 8 33
Shared Mailboxes in Exchange 2010 2 26
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question