Harold

asked on

Controlling LAN access in Windows 7 that is a RDP machine.

We have a machine sitting for RDP connections on our LAN (I know, security). What we want to do is have it accessible internally for Admin purposes but block remote users on it from accessing LAN nodes. Is that possible?
Kimputer

If you mean access from the LAN is okay and access from the internet is not okay, just block RDP on the firewall, with the only exception being the internal IP numbers.
If you mean users can log in from the internet but have to stay on the machine and not be able to browse the local network, that's highly impractical, and maybe even impossible. The only thing I can imagine is to use a local account, and don't let this account have access to the network resources.
Harold

ASKER

Why I posted the question: I was asked to do it and couldn't come up with a way. And yes, it is to have a user connect from the internet and only access the machine they remote into, which is connected to the LAN.
You can specify the users who can connect. Follow the tutorial here: http://4sysops.com/archives/how-to-setup-remote-desktop-with-windows-7/
Harold

ASKER

joinaunion: this was already done; now I need to block the machine from internal LAN access. Thanks.
SOLUTION
Kimputer

This solution is only available to members.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Harold

ASKER

joinaunion: with either config offered above (removed from domain, local standard user, and creating this rule), after logging in you can still click Network and see all the domain machines.
Is this what you're trying to do? You will need to force an update for users after the changes: gpupdate /force

http://www.thewindowsclub.com/hide-show-add-remove-control-panel-applets

http://technet.microsoft.com/en-us/library/ee617167%28v=ws.10%29.aspx
Harold

ASKER

No, we need administrative access to the machine, therefore it would have access from our side, but when the user logs in, the access they will have is THE machine, NOWHERE else.

Thinking about building a VLAN, put it there and an Admin machine as well, then it'll be segmented.
Doing my suggestion in my last post won't block you from admin rights to their machine; it will hide the network icons or any icon you choose to hide from the user.

The only other option I can think of is to turn off network discovery and only allow admins to change it on their machines.
Harold

ASKER

joinaunion: let me take another look at these over the weekend. I'll give it a shot.
Harold

ASKER

joinaunion: I've tried this and see that it is a full machine change, no matter who is logged in. So, does this mean we have to activate the GPO changes each time, when logged in to do maintenance on the machine? In other words, if logged in as Admin, we can have the features there and not for Standard user?
If I understand correctly, the changes will apply to the user account only.
Admin account will not apply as it's a separate account, and you will be able to make whatever changes need be.

You can also trigger gpo each time the user/users log on.
Harold

ASKER

When I'm logged in as Admin and remove, say NIC access, Network leaves the menu.
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
Harold

ASKER

thank you