Allow certain users to access RDP, only from certain IPs

Posted on 2013-09-10
Medium Priority
Last Modified: 2013-09-15
I have a bunch of users sharing a terminal server in a business. Everyone needs access to the terminal server when they are on the premises, but only some should be allowed to access it remotely (from home, etc).

How do I lock it down so not all users can access the server from outside? I can't remove their remote access rights, they need that to access from their desks... and I can't firewall it off because some users DO need remote access.
Question by: Dr_Snapid

Expert Comment

ID: 39482243
You can use your firewall rules to only allow RDP access in based on IP *but* you'd have to know the IPs of your allowed users and have a way to keep up with said IPs as they change (home users = DHCP internet connections).

Without using a separate RDP gateway for external access there's no good way to do what you're looking for on a single server.  You could run two terminal servers with one only being accessible from your LAN and the other being externally accessible with a restricted user access list.  

Another option would be to set up VPN access for the users that should have remote access so that only they can connect to the LAN from outside and then have RDP access. It is pretty simple to set up Routing and Remote Access Services on Windows Server if you want to go the cheap and easy way. Not sure about your firewall options, but you may have solutions available to you there as well.

Does this make sense?

Author Comment

ID: 39482276
Yes it does make sense, thanks. Your explanation mirrors my own knowledge of the situation. I was hoping there was something I did not know.

I cannot block RDP based on IP because certain users WILL need remote access - even from the same IP as other users may be blocked from. (We have a manager and another staff member who live together; one must be allowed, the other blocked...)

Essentially what I need is a way to allow users to log in to the terminal server only from IP addresses that I have specifically allowed for THAT SPECIFIC USER.... everyone allowed from the local subnet, but only certain users from the internet. I don't know how to do that, or if it's even possible.

Accepted Solution

jpgobert earned 2000 total points
ID: 39482296
No it isn't possible.

The only way to accomplish this is by going alternate routes for external connectivity like those I mentioned.  Doing that gives you a way to maintain that separate user access list you need for external connectivity without causing problems for all users during the day (or vice versa).
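Even though the terminal server itself cannot enforce a per-user source-IP rule, the RDP logon events it records can be audited against exactly the policy the question describes (everyone from the LAN, named users from named internet addresses, and two users behind one home IP treated differently). The following is an added example, not code from the thread; the subnet, user names, addresses and event records are all constructed, shaped like the fields of Windows Security event 4624 with LogonType 10 (RemoteInteractive).

```python
# Audit RDP logons against a per-user source-IP policy (added example, not from the thread).
# Event records below are CONSTRUCTED samples named after the fields of Security event 4624.
import ipaddress

# Policy from the question: everyone from the office LAN, only listed users from listed internet IPs.
LAN_SUBNETS = [ipaddress.ip_network("192.168.10.0/24")]        # assumed office subnet
REMOTE_ALLOW = {                                                # hypothetical user -> allowed networks
    "manager": [ipaddress.ip_network("203.0.113.7/32")],        # documentation (TEST-NET-3) address
}
RDP_LOGON_TYPE = 10                                             # 4624 LogonType 10 = RemoteInteractive

def is_allowed(user: str, source_ip: str) -> bool:
    """True if this user may open an RDP session from source_ip under the policy above."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False                    # malformed or missing address ("-"): not allowed
    if any(ip in net for net in LAN_SUBNETS):
        return True                     # on the premises: every user is allowed
    return any(ip in net for net in REMOTE_ALLOW.get(user.lower(), []))

def audit(events):
    """Return (user, ip) pairs for RDP logons that fall outside the policy."""
    violations = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue                    # only successful RDP logons are in scope
        user, ip = ev["TargetUserName"], ev.get("IpAddress", "")
        if not is_allowed(user, ip):
            violations.append((user, ip))
    return violations

SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice",   "IpAddress": "192.168.10.44"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "manager", "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "bob",     "IpAddress": "203.0.113.7"},  # shares the manager's home IP
    {"EventID": 4624, "LogonType": 2,  "TargetUserName": "bob",     "IpAddress": "-"},            # console logon, not RDP
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice",   "IpAddress": "198.51.100.9"},
]

if __name__ == "__main__":
    for user, ip in audit(SAMPLE_EVENTS):
        print(f"policy violation: {user} connected via RDP from {ip}")
```

On a real server the same check can be run over 4624 events exported from the Security log; it reports after the fact rather than blocking, which is why the gateway or VPN routes in the answer are still needed for enforcement.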
