Solved

Login Time Restriction for Remote Desktop Users

Posted on 2014-03-02
12
427 Views
Last Modified: 2016-07-15
We need to automate the denial of logging into a terminal server (RDP sessions only) - not AD Login because users access their Exchange server which is in this Windows domain.  For example, we tried restricting AD login times, but their email clients on their smart phones started complaining. So we just want to block them from logging into the terminal server only during off hours so we can properly do backups, updates, etc.
0
Comment
Question by:GlennRhodes
  • 4
  • 3
  • 2
  • +1
12 Comments
 
LVL 16

Expert Comment

by:Michael Ortega (Internetwerx, Inc.)
Comment Utility
Create a GPO to restrict logon hours for a group of users and apply it to your Terminal Servers.

MO
0
 

Author Comment

by:GlennRhodes
Comment Utility
We have an OU in already place with no  type of login restrictions, - what policy restricts only their ability to login to the terminal server and not restrict Active Directory for their Exchange access?

As a note: I wanted to test restricting RDP login into our Terminal Server, so went into ADCU last week, went to properties of a user and restricted login time access to 8-5 M-F, but soon got the call that his email stopped working that night. Had to put it back. So I cant restrict AD login as a way to restrict TS login.
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
Hi.

You could use the local policy to set/reset logon privileges on a schedule. Also you would have to use rwinsta.exe to log off users at that time. The local privileges can be modified using ntrights.exe from the resource kit.

Need further instructions?
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
Comment Utility
another approache is via firewall if the TS is located at a different subnet of RDP clients. of course, the firewall should be able apply rules based on given time restrictions.
0
 

Author Comment

by:GlennRhodes
Comment Utility
bbao: We need more granular approach to denying RDP logons. Our Watchguard firewall is good, but not good enough to do that because of the various servers we have on the same subnet.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:GlennRhodes
Comment Utility
McKnife: If you have instructions on this, yes it would be appreciated to see some detail on what you are describing.  Isn't rwinsta.exe used to just reset a session? We would want to deny RDP logons during specified times, but not kill AD logins.
 Wouldn't this be a nice utility for Sys Admins to run along side ADUC's ? Seems like Microsoft left a window of opportunity in their software for someone to fill..
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
Comment Utility
> Our Watchguard firewall is good,
> the various servers we have on the same subnet.

if your firewall does support time based ACL, that should work as the control can be against a single host (IP) or a group of hosts (IPs) rather than the whole subnet.
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
Comment Utility
Hi.

Instructions were partially given, I hoped you would at least try out ntrights, so I could assist on Problems that already arose. You haven't and you haven't tried rwinsta either? OK...

Download ntrights from here http://www.dynawell.com/de/support-de/resource-kits/160-windows-resource-kits/resource-kit-for-windows-2000/362-ntrights , please note that it works on all Windows platforms, not only on win2000. Then please read the instructions on http://ss64.com/nt/ntrights.html - there you will see that the privilege SeRemoteInteractiveLogonRight is the one it's all about.
On an elevated command prompt, the command in order to grant someone that privilege would be
Ntrights.exe -u username +r SeRemoteInteractiveLogonRight

But you need to revoke ("-r") that privilege. So based on what group you have entitled to logon via RDP, you need to use
Ntrights.exe -u groupname -r SeRemoteInteractiveLogonRight

This can be done via windows' scheduler at the times you like. Right afterwards, you could disconnect all current sessions using rwinsta. rwinsta syntax is... no, please try it yourself first.
0
 

Author Comment

by:GlennRhodes
Comment Utility
McKnife: I will give this a try. I checked out ntrights.exe, and this looks like a workable solution along with scheduler.
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Introduction People like FTP.  It's a solid, stable, robust protocol for quickly transferring files between two hosts using TCP/IP.  In most cases it's much faster than SMB or CIFS, and certainly much easier to set up between organizations.  This…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
This video discusses moving either the default database or any database to a new volume.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now