Solved

Block only incoming XP RDP sessions

Posted on 2014-04-16
Last Modified: 2014-05-02
Is there a way to block incoming XP RDP connections? We have some users who connect from home or elsewhere to PCs running HVAC controls in the off hours rather than drive in to see what the issue is. Most do have a post-XP OS but I want to keep XP out. I know I can set NLA authentication but that still allows XP SP3 in.

Any other way to do this? They don't always connect from the same PC so an IP filter would not work. I have done some reading on NAP, but that does not look so simple to implement.
Question by:LarryDAH
10 Comments
 
LVL 6

Expert Comment

by:insidetech
ID: 40004245
This would be a workaround to the exclusion of the XP clients.
Change the RDP default port number on the hosts and make the appropriate change for all the NON XP clients.
This way, only the "chosen" ones will connect.
 

Author Comment

by:LarryDAH
ID: 40004403
We have to provide access for these guys, so they are the 'chosen' already. I cannot force them to upgrade their home PCs or stay off XP PCs they come across elsewhere that they want to remote in with, so I am looking for a way to block XP from connecting by RDP.
 
LVL 12

Expert Comment

by:Sandeep
ID: 40004503
You mean to say they should only be able to connect via RDP from the office, and not from home?

If not then why not block all the RDP sessions for the said PC?

https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/rdesktop_disable.mspx?mfr=true
 

Author Comment

by:LarryDAH
ID: 40004516
No, they need to RDP from home to their work PC, but I want to block them if they still are running XP.
 
LVL 12

Expert Comment

by:Sandeep
ID: 40004532
Now I understand exactly what you want. But sorry to say, I don't think such changes can be made to identify which machine the requests are coming from, etc.
 
LVL 6

Expert Comment

by:insidetech
ID: 40004536
I am curious, what is so bad about the XP that would cause you to deny the access?
As far as I know, once the RDP connection is complete the client PC is completely isolated from the host.
I take it that you cannot trust the users to follow instructions by telling them to NOT use remote access if they have an XP, but you trust them to access the corporate PC with non-XP computers?
 

Author Comment

by:LarryDAH
ID: 40004583
Well, I have to trust them to a certain extent, at work or at home, otherwise we would give them all pencils and legal pads to do their job. And I can tell them to not use XP to remote in but when it comes to an alert at 2 am and the choice is drive 30 miles into town or log in with XP to see why the temp in a storage area is 81 degrees and not 80 degrees, I am pretty sure they would just log in.

There are some exploits out there that use RDP and I have no way of knowing how well patched these home PCs are, if AV is installed and up to date, etc.

If they couldn't use XP to remote in now that it has been dropped by MS then that puts the onus on them to update or replace their PC, not on me to hope that it is safe to connect.
 
LVL 6

Accepted Solution

by:
insidetech earned 500 total points
ID: 40004633
Take a look at http://www.splashtop.com

It is a fantastic product; it offers a better granularity of the user access, and you will also have a log of the users' access. Even though they do not have an option to block specific OS clients, the security of the connection is far more strict and it may eliminate your security concern with XP.
 
LVL 6

Assisted Solution

by:insidetech
insidetech earned 500 total points
ID: 40004643
Further, with the Splashtop solution your remote workers would be able to safely remote in using their handheld devices, so your overall response should be much better and your remote access would be truly OS independent.
 

Author Closing Comment

by:LarryDAH
ID: 40038175
We are doing a demo of Splashtop and I like it so far...