Solved

Terminal Server/RDS gateway block XP users

Posted on 2014-04-29
Last Modified: 2014-05-07
Hello experts,

Our customer wants to block all XP computers that connect from outside the network to their Remote Desktop Services (through the Remote Desktop Services Gateway); all servers are 2008 R2.
We searched for this but were unable to find a solution.
Is this possible somehow?
Thanks in advance.
Question by: penthese
8 Comments
 
LVL 14

Accepted Solution

by: frankhelk earned 250 total points
ID: 40029998
Hmm - I haven't tried to do such a blocking, but I could nonetheless think about it ;-)

Blocking such a service for a special group of users would usually involve the firewall as filter. Firewalls usually have blocking rules defined by IP addresses (or address ranges) and port numbers (which basically describe the type of protocol used). Some firewalls do deep packet inspection, which means that they check the content of the packets for suspicious content, too - but not every firewall does that and it's straining the performance to inspect every packet ... and it's impossible for encrypted communications if you're not the NSA.

So let's speculate about IP/PORT filtering. A firewall needs a characteristic pattern on which it could filter the packets. The RDP protocol uses a dedicated port, and that port is the same for all RDP clients - and as far as I know, even the version of the RDP client program (mstsc.exe) or the used protocol version doesn't reveal the OS flavour it runs upon. Since all RDP packets look similar to the firewall, it probably couldn't filter out that XP based traffic ....

If there's a fixed relation between the user and his machine, you might simply block the affected users. If you know the IP addresses of the XP machines you could filter out all RDP traffic from those machines. But with common DHCP practice the machines don't have fixed IPs, or they're masked behind a firewall with NAT.

If there's not an option on your RDP servers which could block XP machines out, I don't see much chance of blocking them at the firewall.

Last chance would be to involve some kind of custom-made ("roll-your-own") stunnel-like client that "tunnels" to your RDP servers. That thing doesn't need many bells and whistles, it just serves as a gateway to the servers to achieve the blocking function. In the client side application you could determine the used OS and either block it from tunneling or send the info to the server side where the blocking scheme could be administered centrally.

(About stunnel, see here ... it would not help with your problem, but might help to understand the concept)
0
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 40030295
In Windows 2000 you could use the tsver.exe (Terminal Services Version Check) utility that came in the resource kit to limit connections to specific client build numbers.

I haven't tested tsver.exe to see if it works in 2008, and I can't find any references. You may want to try the 2000 version of the tool to see if it works under 2008, but I wouldn't count on it.

As far as I know there is no group policy setting for this either, and I'm not aware of any public tools that will do it.

I didn't do a lot of research, but unless tsver works in 2008, I suspect you'd have to build (or have built) a custom tool to do this. Looks like the Client Build Number is reported to the server, so that probably isn't too difficult to do.

I'm not sure why you need this restriction, but if it is due to security concerns, you may want to consider limiting connections to clients using Network Level Authentication. XP clients can still connect, but only at XP SP3 with CredSSP enabled - at least until you can find or develop a tool to block XP clients completely.

http://technet.microsoft.com/en-us/library/cc732713.aspx
0
 
LVL 14

Assisted Solution

by: frankhelk earned 250 total points
ID: 40031763
@Gary Patterson:

Given that tsver.exe runs acceptably under Win2k8, the build reporting gives only info about the client build, not the OS build. If one uses a newer version of the client under XP, he would operate below the radar.

I think for achieving the goal of locking out anybody with XP, a gateway client would be the most promising solution and should be not that complicated to code ... stunnel would be a good start ....

It would need two components - a server side part that accepts the connections and reroutes it to the server's RDP port and a client part that accepts connections on the localhost and redirects the data to the server side process.

The client side checks the Windows version whenever it's started and refuses to start under XP. Voilà.
0
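As an added illustration of the client part frankhelk sketches (this is not code from the thread or from stunnel): a localhost relay that refuses to start when the NT version is 5.x, i.e. XP or Server 2003, and otherwise forwards mstsc traffic to the server-side part. Because the check runs on the client, it only keeps out clients that run it unmodified, which is the same "below the radar" limitation noted above; the listening port and gateway address are assumed values.

```python
import socket
import sys
import threading

# Windows NT versions: 5.1 = XP, 5.2 = XP x64 / Server 2003, 6.0 = Vista / Server 2008.
# Assumption for this example: anything older than 6.0 is refused.
MIN_ALLOWED = (6, 0)

def is_blocked_os(major, minor):
    """True when NT version major.minor is below MIN_ALLOWED (XP and older)."""
    return (major, minor) < MIN_ALLOWED

def gate_allows_start():
    """Fail closed: not on Windows, or a blocked version, means the client refuses to run."""
    getver = getattr(sys, "getwindowsversion", None)
    if getver is None:
        return False
    v = getver()
    return not is_blocked_os(v.major, v.minor)

def pump(src, dst):
    """Copy bytes from src to dst until EOF, then shut down both sockets."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass

def serve(listen_port, gateway_host, gateway_port):
    """Accept on 127.0.0.1:listen_port and relay each connection to the server-side part."""
    with socket.create_server(("127.0.0.1", listen_port)) as srv:
        while True:
            client, _ = srv.accept()
            upstream = socket.create_connection((gateway_host, gateway_port))
            threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=pump, args=(upstream, client), daemon=True).start()

if __name__ == "__main__":
    if not gate_allows_start():
        sys.exit("refused: this tunnel client does not start on Windows XP / 2003")
    # Assumed values: mstsc connects to 127.0.0.1:33890; the server-side part
    # listens on gateway.example.com:4433 and forwards to the RDP port.
    serve(33890, "gateway.example.com", 4433)
```

The server-side part (accept from the tunnel, connect to the RDP port) is the same `serve`/`pump` pair with the gate check omitted.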

Author Comment

by:penthese
ID: 40041727
Hello Experts,

Since we have not found a viable option to block XP users from our terminal servers, we have taken it upon ourselves to develop a program which is capable of doing just that. (With great success as of now)
We do however wish to thank everyone in this topic that has tried to help us.

Penthese.
0
 

Author Comment

by:penthese
ID: 40043814
I've requested that this question be closed as follows:

Accepted answer: 0 points for penthese's comment #a40041727

for the following reason:

Developing the program ourselves was our choice in handling this matter.
0
 
LVL 14

Expert Comment

by:frankhelk
ID: 40043815
Hmmm ... nobody found an existing solution out there, but I think the participants have pointed you in the direction you've chosen at last. Even while that is not the preferred one - developing something new is usually the last resort - wouldn't you think the experts have earned some points in that case?
0
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 40044671
I agree with frankhelk.

The question was "Is this possible somehow?". Both frankhelk and I suggested mechanisms for doing this, and noted that custom development was probably required - the exact solution you opted to go with.
0
 

Author Comment

by:penthese
ID: 40046463
Hello experts,
Despite having customer service look at this and agree with me, stating that: "Hello,
You are correct, there is no reward for trying – accepted solutions are accepted solutions."
I will award you points for pushing me in the direction of development; the program works correctly and we are very happy with it.

Have a good day,

Penthese.
0