Terminal Server/RDS gateway block XP users

Hello experts,

Our customer wants to block all XP computers which are connecting from outside the network to their Remote Desktop Services (through the Remote Desktop Services gateway) (all 2008 R2 servers).
We searched for this but were unable to find a solution.
Is this possible somehow?
Thanks in advance.
frankhelk Commented:
Hmm - I haven't tried to do such a blocking, but I could nonetheless think about it ;-)

Blocking such a service for a special group of users would usually involve the firewall as filter. Firewalls usually have blocking rules defined by IP addresses (or address ranges) and port numbers (which basically describe the type of protocol used). Some firewalls do deep packet inspection, which means that they check the content of the packets for suspicious content, too - but not every firewall does that and it's straining the performance to inspect every packet ... and it's impossible for encrypted communications if you're not the NSA.

So let's speculate about IP/PORT filtering. A firewall needs a characteristic pattern on which it could filter the packets. The RDP protocol uses a dedicated port, and that port is the same for all RDP clients - and as far as I know, even the version of the RDP client program (mstsc.exe) or the used protocol version doesn't reveal the OS flavour it runs upon. Since all RDP packets look similar to the firewall, it probably couldn't filter out that XP based traffic ....

If there's a fixed relation between the user and his machine, you might simply block the affected users. If you know the IP addresses of the XP machines you could filter out all RDP traffic from those machines. But with common DHCP practice the machines don't have fixed IPs, or they're masked behind a firewall with NAT.

If there's no option on your RDP servers which could block XP machines out, I don't see much chance to block 'em out by the firewall.

Last chance would be to involve some kind of custom made ("roll-your-own") stunnel-like client that "tunnels" to your RDP servers. That thing doesn't need many bells and whistles, it just serves as a gateway to the servers to achieve the blocking function. In the client side application you could determine the used OS and either block it from tunneling or send the info to the server side where the blocking scheme could be administered centrally.

(About stunnel, see here ... it would not help with your problem, but might help to understand the concept)
Gary Patterson (VP Technology / Senior Consultant) Commented:
In Windows 2000 you could use the tsver.exe (Terminal Services Version Check) utility that came in the resource kit to limit connections to specific client build numbers.

I haven't tested tsver.exe to see if it works in 2008, and I can't find any references. You may want to try the 2000 version of the tool to see if it works under 2008, but I wouldn't count on it.

As far as I know there is no group policy setting for this either, and I'm not aware of any public tools that will do it.

I didn't do a lot of research, but unless tsver works in 2008, I suspect you'd have to build (or have built) a custom tool to do this. Looks like the Client Build Number is reported to the server, so that probably isn't too difficult to do.

I'm not sure why you need this restriction, but if it is due to security concerns, you may want to consider limiting connections to clients using Network Level Authentication. XP clients can still connect, but only at XP SP3 with CredSSP enabled - at least until you can find or develop a tool to block XP clients completely.

frankhelk Commented:
@Gary Patterson:

Given that tsver.exe runs acceptably under Win2k8, the build reporting gives only info about the client build, not the OS build. If one uses a newer version of the client under XP, he would operate below the radar.

I think for achieving the goal of locking out anybody with XP, a gateway client would be the most promising solution and should not be that complicated to code ... stunnel would be a good start ....

It would need two components - a server side part that accepts the connections and reroutes them to the server's RDP port, and a client part that accepts connections on the localhost and redirects the data to the server side process.

The client side checks the Windows version whenever it's started and refuses to start under XP. Voilà.

penthese (Author) Commented:
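A sketch of the client-side component frankhelk describes, added here as an example and not code from the thread: it gates on the Windows NT version (XP is 5.1) and otherwise forwards a local port to an assumed server-side relay. The relay address, the local port and the minimum version are assumptions; the check runs on the client, so the server side still needs its own enforcement (for example NLA, as Gary suggests).

```python
import asyncio
import sys

# Windows NT kernel versions: XP is 5.1, XP x64 / Server 2003 is 5.2,
# Vista / Server 2008 is 6.0, Windows 7 / Server 2008 R2 is 6.1.
# Assumed policy: anything older than Vista is refused.
MIN_ALLOWED = (6, 0)


def is_blocked_windows(version):
    """True when (major, minor) is older than the minimum allowed release."""
    return tuple(version[:2]) < MIN_ALLOWED


def current_windows_version():
    """Report the running OS version, or None on a non-Windows host."""
    if not hasattr(sys, "getwindowsversion"):
        return None
    v = sys.getwindowsversion()
    return (v.major, v.minor)


async def _pipe(reader, writer):
    # Copy bytes one way until the peer closes, then close our side.
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def _handle(client_r, client_w, relay_host, relay_port):
    # relay_host:relay_port is the hypothetical server-side component.
    relay_r, relay_w = await asyncio.open_connection(relay_host, relay_port)
    await asyncio.gather(_pipe(client_r, relay_w), _pipe(relay_r, client_w))


async def serve(local_port, relay_host, relay_port):
    # mstsc.exe is then pointed at localhost:<local_port>.
    server = await asyncio.start_server(
        lambda r, w: _handle(r, w, relay_host, relay_port), "127.0.0.1", local_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    ver = current_windows_version()
    if ver is None or is_blocked_windows(ver):
        sys.exit("This Windows version is not permitted to use the RDP gateway.")
    asyncio.run(serve(13389, "rdp-relay.example.internal", 13389))  # assumed relay
```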
Hello Experts,

Since we have not found a viable option to block XP users from our terminal servers, we have taken it upon ourselves to develop a program which is capable of doing just that. (With great success as of now)
We do however wish to thank everyone in this topic that has tried to help us.

penthese (Author) Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for penthese's comment #a40041727

for the following reason:

Developing the program ourselves was our choice in handling this matter.
frankhelk Commented:
Hmmm ... nobody found an existing solution out there, but I think the participants have pointed you into the direction you've chosen at last. Even while that is not the preferred one - developing something new is usually the last resort - wouldn't you think the experts have earned some points in that case?
Gary Patterson (VP Technology / Senior Consultant) Commented:
I agree with frankhelk.

Question was "Is this possible somehow?". Both frankhelk and I suggested mechanisms for doing this, and noted that custom development was probably required - the exact solution you opted to go with.
penthese (Author) Commented:
Hello experts,
Despite having the customer service look at this and agree with me, stating that: "Hello,
You are correct, there is no reward for trying – accepted solutions are accepted solutions."
I will award you points for pushing me into the direction of development; the program works correctly and we are very happy with it.

Have a good day,
