Solved

Policy to Disable RDP for users on a specific server

Posted on 2013-05-23
Last Modified: 2013-05-29
I have 2 servers: one is a 2003 server, the other a 2008 server (they are both terminal servers). I need a way to prevent users - not admins - from using (accessing) MSTSC.exe or RDP to connect to their machines. How can this be done?
Question by:WellingtonIS
16 Comments
 
LVL 22

Accepted Solution

by:
Haresh Nikumbh earned 500 total points
ID: 39190962
1- With a Software Restriction policy (Computer Configuration - Windows Settings - Security Settings - Software restriction policies)
Either a Path or Hash rule for mstsc.exe located in (C:\Windows\System32)
2- Configuring the "Deny logon through Terminal Services" user right in (Computer Configuration - Windows Settings - Security Settings - Local Policies - User rights assignment)


http://www.petri.co.il/forums/showthread.php?t=43016
0
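A read-only check for the first option in the answer above, added here as an example and not part of the original thread: it lists the Software Restriction Policy rules that have actually reached the machine or the current user and mention mstsc. It assumes PowerShell 2.0 or later is installed on the server; matching hash rules by their stored file name is a heuristic.

```powershell
# Added example: read-only audit of Software Restriction Policy (SRP) rules for mstsc.exe.
# Run after "gpupdate /force". HKCU shows the policy of whoever runs the script, so run it
# as the restricted user to check a User Configuration policy.
function Get-MstscSrpRule {
    param(
        [string[]]$Root = @(
            'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',  # Computer Configuration
            'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'   # User Configuration
        ),
        [string]$Pattern = 'mstsc'
    )
    $levelName = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }
    foreach ($r in $Root) {
        if (-not (Test-Path $r)) { continue }
        # PolicyScope: 0 (or absent) = all users, 1 = all users except local administrators
        $scope = (Get-ItemProperty -Path $r).PolicyScope
        foreach ($level in $levelName.Keys) {
            foreach ($kind in 'Paths', 'Hashes') {
                $key = Join-Path $r "$level\$kind"
                if (-not (Test-Path $key)) { continue }
                foreach ($rule in Get-ChildItem -Path $key) {
                    $p = Get-ItemProperty -Path $rule.PSPath
                    # Path rules keep the path in ItemData; hash rules keep the file name
                    # in FriendlyName/Description (their ItemData is the binary hash).
                    if ($kind -eq 'Paths') { $label = [string]$p.ItemData } else {
                        $label = "$($p.FriendlyName) $($p.Description)"
                    }
                    if ($label -notmatch $Pattern) { continue }
                    New-Object PSObject -Property @{
                        Hive         = $r.Substring(0, 4)
                        Level        = $levelName[$level]
                        RuleType     = $kind
                        Target       = $label.Trim()
                        AdminsExempt = ($scope -eq 1)
                    }
                }
            }
        }
    }
}

$found = @(Get-MstscSrpRule)
if ($found.Count -eq 0) { 'No SRP rule mentioning mstsc has reached this machine/user.' }
else { $found | Format-Table Hive, Level, RuleType, Target, AdminsExempt -AutoSize }
```

An empty result means the rule never arrived (wrong GPO link or scope, or policy not yet refreshed); a rule listed under HKCU applies only to the user it was delivered to.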
 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39190992
0
 

Author Comment

by:WellingtonIS
ID: 39191041
If you deny login via local policies won't that stop the users from connecting to the machine too?  Also I have yet to get the Software restriction policy to work regardless of what I do.   Not sure why because it's that complicated...  Maybe because it's 2003 and not 2008.
0

 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39191062
Yes, you can configure this policy on the local machine too.
0
 

Author Comment

by:WellingtonIS
ID: 39191105
I also created a hash registry setting to block MSTSC.exe. I checked the policy and it's there too. But I can open RDP and connect to my computer...
0
 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39191156
I have tested on my PC and it's working.

Have a look:
mstsc.jpg
5-23-2013-8-31-41-PM.jpg
0
 

Author Comment

by:WellingtonIS
ID: 39191219
I have the EXACT same thing except I did it for users instead of computers. Maybe it's just time. I'm updating the machine now with about 30 updates; I'll reboot it and try again. Thanks. I also did the application blocker - see attached too. It works on a Windows 7 machine but not on 2003 server???
hash.png
app.png
0
 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39191234
Looks good.
0
 

Author Comment

by:WellingtonIS
ID: 39191243
Tried it on 2008 terminal server and it's not working there either???  Maybe you can't block it on a server?
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39191260
Change the permission of the mstsc.exe file itself.
0
 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39191261
I have applied the policy on the local machine. The RDP screenshot which I have attached is for my local machine, which cannot take an RDP connection for any machine.
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39191323
As I said before, just edit the permission of the local mstsc.exe file.

No other users that you want can use the RDP.
0
 

Author Comment

by:WellingtonIS
ID: 39191496
If I do that then no one will be able to use RDP not even admins?
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39195290
No... you can edit the permission for who or what group(s) can access mstsc.exe, the file itself.

For example, full control for Domain Admins and deny access to a group of users.

Remember, deny access will override granted access, so be careful with that.
0
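The file-permission approach from the comment above, as an added example that is not part of the original thread: it adds a deny ACE on mstsc.exe for one group and refuses groups that also contain administrators. The group name `CONTOSO\TS-NoRdpClient` and the function name are hypothetical, and the account running it is assumed to have the right to change the file's permissions (on Server 2008, where TrustedInstaller owns system files, that means an administrator taking ownership first).

```powershell
# Added example: deny Read & Execute on mstsc.exe to one group, with guard rails.
# 'CONTOSO\TS-NoRdpClient' is a hypothetical group holding only the restricted users.
function Deny-MstscExecute {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Group = 'CONTOSO\TS-NoRdpClient',
        [string]$Path  = (Join-Path $env:windir 'System32\mstsc.exe')
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # A deny ACE beats every allow ACE, so refuse groups that also contain administrators:
    # Everyone, Authenticated Users, BUILTIN\Users, BUILTIN\Administrators,
    # and (by RID) Domain Admins (512) / Domain Users (513).
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-32-544'
    if ($broad -contains $sid.Value -or $sid.Value -match '-(512|513)$') {
        throw "Refusing to deny ${Group}: administrators are members, and deny overrides allow."
    }

    # Read and write only the DACL so the file owner is left untouched.
    $acl  = [System.IO.File]::GetAccessControl($Path, 'Access')
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $sid, 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($Path, "Add deny ReadAndExecute for $Group")) {
        [System.IO.File]::SetAccessControl($Path, $acl)
    }

    # Return the explicit deny ACEs now on the file so the result can be reviewed.
    [System.IO.File]::GetAccessControl($Path, 'Access').GetAccessRules(
        $true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Deny' }
}

# Replace the hypothetical group with a real one, then preview; drop -WhatIf to apply.
Deny-MstscExecute -WhatIf
```

On 64-bit servers, run it a second time with `-Path` pointing at the copy under `SysWOW64`.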
 

Author Comment

by:WellingtonIS
ID: 39204870
I finally got this to work with the registry setting.
0
 

Author Closing Comment

by:WellingtonIS
ID: 39204882
I wasn't successful blocking with a hash rule in the app blocker; however, when I did it in the registry setting it worked.
0

Question has a verified solution.
