Solved

Terminal Server/RDS gateway block XP users

Posted on 2014-04-29
593 Views
Last Modified: 2014-05-07
Hello experts,

Our customer wants to block all XP computers which are connecting from outside the network to their Remote Desktop Services (through the Remote Desktop Services gateway) (all 2008 R2 servers).
We searched for this but were unable to find a solution.
Is this possible somehow?
Thanks in advance.
Question by:penthese
8 Comments
 
LVL 13

Accepted Solution

by: frankhelk (earned 250 total points)
ID: 40029998
Hmm - I haven't tried to do such a blocking, but I could nonetheless think about it ;-)

Blocking such a service for a special group of users would usually involve the firewall as filter. Firewalls usually have blocking rules defined by IP addresses (or address ranges) and port numbers (which basically describe the type of protocol that is used). Some firewalls do deep packet inspection, which means that they check the content of the packets for suspicious content, too - but not every firewall does that and it's straining the performance to inspect every packet ... and it's impossible for encrypted communications if you're not the NSA.

So let's speculate about IP/PORT filtering. A firewall needs a characteristic pattern on which it could filter the packets. The RDP protocol uses a dedicated port, and that port is the same for all RDP clients - and as far as I know, even the version of the RDP client program (mstsc.exe) or the used protocol version doesn't reveal the OS flavour it runs upon. Since all RDP packets look similar to the firewall, it probably couldn't filter out that XP based traffic ....

If there's a fixed relation between the user and his machine, you might simply block the affected users. If you know the IP addresses of the XP machines you could filter out all RDP traffic from those machines. But with common DHCP practice the machines don't have fixed IPs, or they're masked behind a firewall with NAT.

If there's no option on your RDP servers which could block XP machines out, I don't see much chance of blocking 'em out by the firewall.

Last chance would be to involve some kind of custom made ("roll-your-own") stunnel-like client that "tunnels" to your RDP servers. That thing doesn't need much bells and whistles, it just serves as a gateway to the servers to achieve the blocking function. In the client side application you could determine the used OS and either block it from tunneling or send the info to the server side where the blocking scheme could be administered centrally.

(About stunnel, see here ... it would not help with your problem, but might help to understand the concept)
0
 
LVL 34

Expert Comment

by:Gary Patterson
ID: 40030295
In Windows 2000 you could use the tsver.exe (Terminal Services Version Check) utility that came in the resource kit to limit connections to specific client build numbers.

I haven't tested tsver.exe to see if it works in 2008, and I can't find any references. You may want to try the 2000 version of the tool to see if it works under 2008, but I wouldn't count on it.

As far as I know there is no group policy setting for this either, and I'm not aware of any public tools that will do it.

I didn't do a lot of research, but unless tsver works in 2008, I suspect you'd have to build (or have built) a custom tool to do this.  Looks like the Client Build Number is reported to the server, so that probably isn't too difficult to do.

I'm not sure why you need this restriction, but if it is due to security concerns, you may want to consider limiting connections to clients using Network Level Authentication. XP clients can still connect, but only at XP SP3 with CredSSP enabled - at least until you can find or develop a tool to block XP clients completely.

http://technet.microsoft.com/en-us/library/cc732713.aspx
0
 
LVL 13

Assisted Solution

by: frankhelk (earned 250 total points)
ID: 40031763
@Gary Patterson:

Given that tsver.exe runs acceptably under Win2k8, the build reporting gives only info about the client build, not the OS build. If one uses a newer version of the client under XP, he would operate below the radar.

I think for achieving the goal of locking out anybody with XP, a gateway client would be the most promising solution and should be not that complicated to code ... stunnel would be a good start ....

It would need two components - a server side part that accepts the connections and reroutes it to the server's RDP port and a client part that accepts connections on the localhost and redirects the data to the server side process.

The client side checks the Windows version whenever it's started and refuses to start under XP. Voilà.
0
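What the two-part tunnel frankhelk describes could look like, as an added example in Python that is not code from this thread or from stunnel: one TCP forwarder function serves as both the server-side part (listening in front of the RDP port) and the client-side part (listening on localhost and pointing at the server-side part), and the client-side entry point refuses to start when the reported Windows version is NT 5.x, i.e. XP. The addresses, the echo stand-in for the RDP listener and the payload are constructed for the demo, and the function names are this example's own.

```python
# Added example (not the thread's code): frankhelk's two-part tunnel sketched in
# Python. Hosts, ports and the payload are constructed; names are this example's own.
import platform
import socket
import sys
import threading

# NT major.minor versions the client part refuses to run on: XP reports 5.1
# (5.2 for XP x64 and Server 2003); Vista and later report 6.0 or higher.
BLOCKED_NT_VERSIONS = {(5, 0), (5, 1), (5, 2)}


def os_version():
    """Return ("Windows", major, minor) on Windows, else (system, 0, 0)."""
    if sys.platform == "win32":
        v = sys.getwindowsversion()
        return ("Windows", v.major, v.minor)
    return (platform.system(), 0, 0)


def client_is_allowed(version):
    """Client-side gate: True unless the OS is Windows NT 5.x. This is a
    self-reported check inside the client, not a server-side proof of OS."""
    system, major, minor = version
    return not (system == "Windows" and (major, minor) in BLOCKED_NT_VERSIONS)


def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(conn, target):
    """Connect to target and pump both directions for one accepted client."""
    try:
        upstream = socket.create_connection(target, timeout=5)
        upstream.settimeout(None)
    except OSError:
        conn.close()
        return
    threading.Thread(target=_pump, args=(conn, upstream), daemon=True).start()
    threading.Thread(target=_pump, args=(upstream, conn), daemon=True).start()


def _listen(host, port, on_accept):
    """Bind, hand each accepted socket to on_accept in a thread, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=on_accept, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_forwarder(host, port, target):
    """Relay every connection on (host, port) to target. One function serves both
    roles: server part (gateway host -> RDP port) and client part (localhost ->
    server part)."""
    return _listen(host, port, lambda conn: _relay(conn, target))


def start_client_part(server_part, listen_port=0, version=None):
    """Client-side entry point: apply the OS gate, then start the local relay."""
    if not client_is_allowed(version or os_version()):
        raise PermissionError("client OS is not allowed to tunnel to the RDS host")
    return start_forwarder("127.0.0.1", listen_port, server_part)


def start_echo_server():
    """Stand-in for the RDP listener (constructed for the demo): echoes bytes."""
    def echo(conn):
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data)
    return _listen("127.0.0.1", 0, echo)


def round_trip(payload=b"constructed sample payload", version=("Windows", 6, 1)):
    """Wire echo <- server part <- client part, send payload, return the reply."""
    rdp_port = start_echo_server()
    server_part = start_forwarder("127.0.0.1", 0, ("127.0.0.1", rdp_port))
    client_port = start_client_part(("127.0.0.1", server_part), version=version)
    with socket.create_connection(("127.0.0.1", client_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    return reply
```

`round_trip()` wires the three listeners on ephemeral localhost ports and returns what came back through both hops; passing `version=("Windows", 5, 1)` makes `start_client_part` raise before the local relay is opened. The gate lives in code that runs on the client, so it keeps unmodified clients out but gives the server side no proof of the client's OS, which is the same limitation frankhelk notes for the client build number; in a real deployment the server part would still sit behind the gateway's own authentication rather than replace it.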
 

Author Comment

by:penthese
ID: 40041727
Hello Experts,

Since we have not found a viable option to block XP users from our terminal servers, we have taken it upon ourselves to develop a program which is capable of doing just that. (With great success as of now)
We do however wish to thank everyone in this topic that has tried to help us.

Penthese.
0
 

Author Comment

by:penthese
ID: 40043814
I've requested that this question be closed as follows:

Accepted answer: 0 points for penthese's comment #a40041727

for the following reason:

Developing the program ourselves was our choice in handling this matter.
0
 
LVL 13

Expert Comment

by:frankhelk
ID: 40043815
Hmmm ... nobody found an existing solution out there, but I think the participants have pointed you into the direction you've chosen at last. Even while that is not the preferred one - developing something new is usually the last resort - wouldn't you think the experts have earned some points in that case?
0
 
LVL 34

Expert Comment

by:Gary Patterson
ID: 40044671
I agree with frankhelk.  

Question was "Is this possible somehow?".  Both frankhelk and I suggested mechanisms for doing this, and noted that custom development was probably required - the exact solution you opted to go with.
0
 

Author Comment

by:penthese
ID: 40046463
Hello experts,
Despite having the customer service look at this and agree with me, stating that: "Hello, You are correct, there is no reward for trying – accepted solutions are accepted solutions."
I will award you points for pushing me in the direction of development; the program works correctly and we are very happy with it.

Have a good day,

Penthese.
0
