Solved

Terminal Server/RDS gateway block XP users

Posted on 2014-04-29
Last Modified: 2014-05-07
Hello experts,

our customer wants to block all XP computers which are connecting from outside the network to their remote desktop services (through the remote desktop services gateway) (all 2008 R2 servers).
We searched for this but were unable to find a solution.
Is this possible somehow?
Thanks in advance.
Question by:penthese
8 Comments
 
LVL 14

Accepted Solution

by:
frankhelk earned 250 total points
ID: 40029998
Hmm - I haven't tried to do such a blocking, but I could nonetheless think about it ;-)

Blocking such a service for a special group of users would usually involve the firewall as filter. Firewalls usually have blocking rules defined by IP addresses (or address ranges) and port numbers (which basically describe the type of protocol used). Some firewalls do deep packet inspection, which means that they check the content of the packets for suspicious content, too - but not every firewall does that and inspecting every packet strains performance ... and it's impossible for encrypted communications if you're not the NSA.

So let's speculate about IP/PORT filtering. A firewall needs a characteristic pattern on which it could filter the packets. The RDP protocol uses a dedicated port, and that port is the same for all RDP clients - and as far as I know, even the version of the RDP client program (mstsc.exe) or the used protocol version doesn't reveal the OS flavour it runs upon. Since all RDP packets look similar to the firewall, it probably couldn't filter out that XP based traffic ....

If there's a fixed relation between the user and his machine, you might simply block the affected users. If you know the IP addresses of the XP machines you could filter out all RDP traffic from those machines. But with common DHCP practice the machines don't have fixed IPs, or they're masked behind a firewall with NAT.

If there's no option on your RDP servers which could block XP machines out, I don't see much chance of blocking 'em out with the firewall.

Last chance would be to involve some kind of custom made ("roll-your-own") stunnel-like client that "tunnels" to your RDP servers. That thing doesn't need many bells and whistles, it just serves as a gateway to the servers to achieve the blocking function. In the client side application you could determine the used OS and either block it from tunneling or send the info to the server side where the blocking scheme could be administered centrally.

(About stunnel, see here ... it would not help with your problem, but might help to understand the concept)
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 40030295
In Windows 2000 you could use the tsver.exe (Terminal Services Version Check) utility that came in the resource kit to limit connections to specific client build numbers.

I haven't tested tsver.exe to see if it works in 2008, and I can't find any references. You may want to try the 2000 version of the tool to see if it works under 2008, but I wouldn't count on it.

As far as I know there is no group policy setting for this either, and I'm not aware of any public tools that will do it.

I didn't do a lot of research, but unless tsver works in 2008, I suspect you'd have to build (or have built) a custom tool to do this.  Looks like the Client Build Number is reported to the server, so that probably isn't too difficult to do.

I'm not sure why you need this restriction, but if it is due to security concerns, you may want to consider limiting connections to clients using Network Level Authentication. XP clients can still connect, but only at XP SP3 with CredSSP enabled - at least until you can find or develop a tool to block XP clients completely.

http://technet.microsoft.com/en-us/library/cc732713.aspx
 
LVL 14

Assisted Solution

by:frankhelk
frankhelk earned 250 total points
ID: 40031763
@Gary Patterson:

Given that tsver.exe runs acceptably under Win2k8, the build reporting gives only info about the client build, not the OS build. If one uses a newer version of the client under XP, he would operate below the radar.

I think for achieving the goal of locking out anybody with XP, a gateway client would be the most promising solution and should not be that complicated to code ... stunnel would be a good start ....

It would need two components - a server side part that accepts the connections and reroutes them to the server's RDP port and a client part that accepts connections on the localhost and redirects the data to the server side process.

The client side checks the Windows version whenever it's started and refuses to start under XP. Voilà.
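The two-part gateway sketched in the comment above, worked out as an added example (it is not code from the thread, from the asker's program or from stunnel): a client part that listens on localhost, checks the Windows version once at start-up and refuses to start on XP-class releases, and a server part that relays the forwarded connection on to the RDP port. The version policy (refuse anything older than NT 6.0), the loopback ports and the echo server standing in for the RDP listener are all assumptions made for the demo so that it runs on any OS.

```python
"""Stunnel-style gateway pair that refuses to run on Windows XP.

Added example, not code from the thread or from any product.  It is the
two-part forwarder sketched above: the client part listens on localhost,
checks the Windows version once at start-up and refuses to start on XP-class
releases; the server part accepts the forwarded connection and relays it to
the RDP port.  Ports, the version policy and the echo stand-in for the RDP
listener are constructed for this demo.
"""
import socket
import sys
import threading

# Version policy (assumption): XP is NT 5.1, XP x64 / Server 2003 are NT 5.2,
# so anything older than Vista's NT 6.0 is refused.
MIN_ALLOWED_NT = (6, 0)


def os_allowed(nt_version):
    """True if an NT (major, minor) tuple is a version the gateway will serve."""
    return tuple(nt_version[:2]) >= MIN_ALLOWED_NT


def local_nt_version():
    """NT (major, minor) of the running host, or None when not on Windows."""
    if sys.platform != "win32":
        return None
    ver = sys.getwindowsversion()
    return (ver.major, ver.minor)


def pump(src, dst):
    """Relay bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve(handler):
    """Listen on an ephemeral 127.0.0.1 port and run handler(conn) for every
    connection in a daemon thread.  Returns the (host, port) it listens on."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()


def start_forwarder(target_addr):
    """Server-side part (and the plumbing of the client part): relay every
    accepted connection to target_addr in both directions."""
    def relay(conn):
        try:
            upstream = socket.create_connection(target_addr)
        except OSError:
            conn.close()  # target unreachable: drop this client only
            return
        threading.Thread(target=pump, args=(upstream, conn), daemon=True).start()
        pump(conn, upstream)
    return serve(relay)


def start_client_gateway(server_part_addr, nt_version=None):
    """Client-side part: refuse to start on XP-class Windows, otherwise forward
    a localhost port to the server-side part.  nt_version defaults to the
    running OS; pass a tuple to simulate another host."""
    if nt_version is None:
        nt_version = local_nt_version()
    if nt_version is not None and not os_allowed(nt_version):
        raise PermissionError("Windows NT %d.%d may not use this gateway"
                              % tuple(nt_version[:2]))
    return start_forwarder(server_part_addr)


def roundtrip_through_gateway(payload, client_nt_version):
    """Loopback demo: client -> client part -> server part -> echo stand-in for
    the RDP listener.  Returns the bytes echoed back, or None if the client
    part refused to start for client_nt_version."""
    echo_addr = serve(lambda conn: pump(conn, conn))  # constructed RDP stand-in
    server_part = start_forwarder(echo_addr)
    try:
        client_part = start_client_gateway(server_part, nt_version=client_nt_version)
    except PermissionError:
        return None
    with socket.create_connection(client_part, timeout=5) as sock:
        sock.sendall(payload)
        sock.shutdown(socket.SHUT_WR)  # EOF propagates through both parts
        return b"".join(iter(lambda: sock.recv(4096), b""))


if __name__ == "__main__":
    print(roundtrip_through_gateway(b"hello", (6, 1)))  # Windows 7 client: b'hello'
    print(roundtrip_through_gateway(b"hello", (5, 1)))  # XP client: None
```

The OS check lives in the client part, so this is an administrative control for managed clients rather than a security boundary: a client that skips the check, or reports a different version, gets the same forwarder. Anything that must hold against a determined user has to be verified by the server part from information it controls.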

Author Comment

by:penthese
ID: 40041727
Hello Experts,

Since we have not found a viable option to block XP users from our terminal servers, we have taken it upon ourselves to develop a program which is capable of doing just that. (With great success as of now)
We do however wish to thank everyone in this topic that has tried to help us.

Penthese.
 

Author Comment

by:penthese
ID: 40043814
I've requested that this question be closed as follows:

Accepted answer: 0 points for penthese's comment #a40041727

for the following reason:

Developing the program ourselves was our choice in handling this matter.
 
LVL 14

Expert Comment

by:frankhelk
ID: 40043815
Hmmm ... nobody found an existing solution out there, but I think the participants have pointed you into the direction you've chosen at last. Even while that is not the preferred one - developing something new is usually the last resort - wouldn't you think the experts have earned some points in that case?
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 40044671
I agree with frankhelk.  

Question was "Is this possible somehow?".  Both frankhelk and I suggested mechanisms for doing this, and noted that custom development was probably required - the exact solution you opted to go with.
 

Author Comment

by:penthese
ID: 40046463
Hello experts,
Despite having the customer service look at this and agree with me, stating that: "Hello,
You are correct, there is no reward for trying – accepted solutions are accepted solutions."
I will award you points for pushing me into the direction of development; the program works correctly and we are very happy with it.

Have a good day,

Penthese.
