Solved

Terminal Server/RDS gateway block XP users

Posted on 2014-04-29
Medium Priority
610 Views
Last Modified: 2014-05-07
Hello experts,

Our customer wants to block all XP computers which are connecting from outside the network to their remote desktop services (through remote desktop services gateway) (all 2008 R2 servers).
We searched for this but were unable to find a solution.
Is this possible somehow?
Thanks in advance.
0
Question by:penthese
8 Comments
 
LVL 14

Accepted Solution

by:
frankhelk earned 500 total points
ID: 40029998
Hmm - I haven't tried to do such a blocking, but I could nonetheless think about it ;-)

Blocking such a service for a special group of users would usually involve the firewall as filter. Firewalls usually have blocking rules defined by IP addresses (or address ranges) and port numbers (which basically describe the type of protocol that is used). Some firewalls do deep packet inspection, which means that they check the content of the packets for suspicious content, too - but not every firewall does that and it's straining the performance to inspect every packet ... and it's impossible for encrypted communications if you're not the NSA.

So let's speculate about IP/PORT filtering. A firewall needs a characteristic pattern on which it could filter the packets. The RDP protocol uses a dedicated port, and that port is the same for all RDP clients - and as far as I know, even the version of the RDP client program (mstsc.exe) or the used protocol version doesn't reveal the OS flavour it runs upon. Since all RDP packets look similar to the firewall, it probably couldn't filter out that XP based traffic ....

If there's a fixed relation between the user and his machine, you might simply block the affected users. If you know the IP addresses of the XP machines you could filter out all RDP traffic from those machines. But with common DHCP practice the machines don't have fixed IPs, or they're masked behind a firewall with NAT.

If there's not an option on your RDP servers which could block XP machines out, I don't see much chance of blocking 'em out by the firewall.

Last chance would be to involve some kind of custom made ("roll-your-own") stunnel-like client that "tunnels" to your RDP servers. That thing doesn't need much bells and whistles, it just serves as a gateway to the servers to achieve the blocking function. In the client side application you could determine the used OS and either block it from tunneling or send the info to the server side where the blocking scheme could be administered centrally.

(About stunnel, see here ... it would not help with your problem, but might help to understand the concept)
0
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 40030295
In Windows 2000 you could use the tsver.exe (Terminal Services Version Check) utility that came in the resource kit to limit connections to specific client build numbers.

I haven't tested tsver.exe to see if it works in 2008, and I can't find any references. You may want to try the 2000 version of the tool to see if it works under 2008, but I wouldn't count on it.

As far as I know there is no group policy setting for this either, and I'm not aware of any public tools that will do it.

I didn't do a lot of research, but unless tsver works in 2008, I suspect you'd have to build (or have built) a custom tool to do this.  Looks like the Client Build Number is reported to the server, so that probably isn't too difficult to do.

I'm not sure why you need this restriction, but if it is due to security concerns, you may want to consider limiting connections to clients using Network Level Authentication. XP clients can still connect, but only at XP SP3 with CredSSP enabled - at least until you can find or develop a tool to block XP clients completely.

http://technet.microsoft.com/en-us/library/cc732713.aspx
0
 
LVL 14

Assisted Solution

by:frankhelk
frankhelk earned 500 total points
ID: 40031763
@Gary Patterson:

Given that tsver.exe runs acceptably under Win2k8, the build reporting gives only info about the client build, not the OS build. If one uses a newer version of the client under XP, he would operate below the radar.

I think for achieving the goal of locking out anybody with XP, a gateway client would be the most promising solution and should be not that complicated to code ... stunnel would be a good start ....

It would need two components - a server side part that accepts the connections and reroutes it to the server's RDP port and a client part that accepts connections on the localhost and redirects the data to the server side process.

The client side checks the Windows version whenever it's started and refuses to start under XP. Voilà.
0
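The client half of the tunnel sketched in the thread (a local listener that refuses to come up on XP and otherwise relays to the server side), written out as an added example; this is not code from the thread, from frankhelk, or from any Microsoft tool. It gates on the Windows NT version number (XP is 5.1, XP x64 / Server 2003 is 5.2; the page never gives these numbers, they are a well-known fact) and fails closed when the version cannot be determined. The stub server, the `round_trip` helper and the host name `rds.example.invalid` are constructed stand-ins so the relay can be exercised offline; the real remote would be the server-side part on the RDP port. One caveat a defender should keep in mind, which frankhelk's remark about sending the info to the server side hints at: a check that runs only on the client is a compliance gate, not a security boundary, because the client owner controls the code that performs it.

```python
import socket
import sys
import threading

# Windows NT version numbers: XP reports 5.1, XP x64 / Server 2003 report 5.2.
# Vista / Server 2008 and everything later report 6.0 or higher.
MIN_ALLOWED_VERSION = (6, 0)


def os_allowed(version):
    """True if a (major, minor) Windows version may bring up the tunnel.

    None (version unknown) is refused: the gate fails closed instead of
    letting an unidentified client through.
    """
    if version is None:
        return False
    return tuple(version[:2]) >= MIN_ALLOWED_VERSION


def local_os_version():
    """(major, minor) of the running Windows, or None on other platforms."""
    if not sys.platform.startswith("win"):
        return None
    info = sys.getwindowsversion()
    return (info.major, info.minor)


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then close both sockets."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass  # peer went away; closing below is all that is left to do
    finally:
        src.close()
        dst.close()


def start_forwarder(listen_port, remote_host, remote_port, version):
    """Listen on 127.0.0.1:listen_port and relay each connection to the remote.

    Raises PermissionError instead of listening when `version` is blocked.
    Returns the listening socket; port 0 picks a free port (see getsockname()).
    """
    if not os_allowed(version):
        raise PermissionError("client OS %r may not use the tunnel" % (version,))
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", listen_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener was closed
            try:
                remote = socket.create_connection((remote_host, remote_port))
            except OSError:
                client.close()  # remote unreachable: drop this one, keep serving
                continue
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def start_stub_server():
    """Constructed stand-in for the RDP server: answers each request upper-cased."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            with conn:
                conn.sendall(conn.recv(4096).upper())

    threading.Thread(target=serve, daemon=True).start()
    return server


def round_trip(listener, payload):
    """Send payload through the forwarder and return what came back."""
    port = listener.getsockname()[1]
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        return s.recv(4096)


if __name__ == "__main__":
    # Offline demo against the stub: an XP client is refused, Windows 7 is relayed.
    stub = start_stub_server()
    for ver in ((5, 1), (6, 1)):
        try:
            lst = start_forwarder(0, "127.0.0.1", stub.getsockname()[1], ver)
            print(ver, "allowed, reply:", round_trip(lst, b"hello"))
        except PermissionError as exc:
            print(ver, "refused:", exc)
    # Real use: start_forwarder(3390, "rds.example.invalid", 3389, local_os_version())
```

Run it as a script for the demo; on a real client the last commented line is the intended call, with mstsc pointed at 127.0.0.1:3390 and the server-side part accepting only tunnel connections on the RDP port.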
 

Author Comment

by:penthese
ID: 40041727
Hello Experts,

Since we have not found a viable option to block XP users from our terminal servers, we have taken it upon ourselves to develop a program which is capable of doing just that. (With great success as of now)
We do however wish to thank everyone in this topic that has tried to help us.

Penthese.
0
 

Author Comment

by:penthese
ID: 40043814
I've requested that this question be closed as follows:

Accepted answer: 0 points for penthese's comment #a40041727

for the following reason:

Developing the program ourselves was our choice in handling this matter.
0
 
LVL 14

Expert Comment

by:frankhelk
ID: 40043815
Hmmm ... nobody found an existing solution out there, but I think the participants have pointed you into the direction you've chosen at last. Even while that is not the preferred one - developing something new is usually the last resort - wouldn't you think the experts have earned some points in that case?
0
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 40044671
I agree with frankhelk.

Question was "Is this possible somehow?". Both frankhelk and I suggested mechanisms for doing this, and noted that custom development was probably required - the exact solution you opted to go with.
0
 

Author Comment

by:penthese
ID: 40046463
Hello experts,
Despite having the customer service look at this and agree with me, stating that: "Hello,
You are correct, there is no reward for trying – accepted solutions are accepted solutions."
I will award you points for pushing me into the direction of development; the program works correctly and we are very happy with it.

Have a good day,

Penthese.
0