Terminal Server Login Restriction

I'm working with a company that has a Windows 2003 Terminal Server installed, and right now in-house users can access it within the office and from home. Is there a way to restrict certain users to connect only when in the office, and some others to connect either way, from home and within the office?
jdff asked:

Davis McCarn (Owner) commented:
Yes; but it will be a little tedious....
Get this and install it on the server: http://www.tweaking.com/content/page/remote_desktop_ip_monitor_blocker.html
The IP block tool makes it easy to block IP addresses, and you can either get them from the monitoring tool or from the security events, which would show that JohnP, for example, logged in from IP 24.xxx.xxx.xxx. You can either copy and paste it into the block tool from the event or from the monitoring tool.
I found this several years ago when someone was attempting to compromise an RDP server I was managing.  A little bit of studying of IPsec has allowed me to then modify the block so attackers get their whole ISP range blocked with a couple of keystrokes.
Coralon commented:
The easiest thing to do is to create a security group for these restricted users.. for example, call the group "NoCTXatHome" or something like that.. (name is not important).

You'll set up a directory structure with NTFS permissions.  The structure should be something like this:
c:\RestrictedUserTest\RestrictedDirectory\restrictedfile.txt (content doesn't matter).
At the RestrictedUserTest directory, set that user group to Deny on all permissions.  You'll also deny permissions to the subdirectory and the file.  The subdirectory structure is important if you are not using a Deny permission.

You'll set up a login script using UsrLogn1.cmd (see my article: http://www.experts-exchange.com/articles/9235/How-USRLOGON-CMD-processing-works.html).

So, your very first script in there would be to check if the restrictedfile.txt exists and if it does *not* then log the user off.

And the logoff.exe statement with no parameters simply logs off the current user session.

Examples:
Batch file:
LogoffRestrictedUsers.cmd
rem Restricted users are denied on this path, so for them the marker file "does not exist"
if exist c:\RestrictedUserTest\RestrictedDirectory\restrictedfile.txt goto END
rem No access to the marker file: this user is in the restricted group, end the session
logoff.exe
:END


Here's an example using my login name (easier than setting up a test group for this example)

From my domain admin account:
C:\>dir /s RestrictedTest
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\RestrictedTest

10/02/2015  01:19 PM    <DIR>          .
10/02/2015  01:19 PM    <DIR>          ..
10/02/2015  01:18 PM    <DIR>          RestrictedDirectory
10/02/2015  01:19 PM                17 TestFile.txt
               1 File(s)             17 bytes

 Directory of C:\RestrictedTest\RestrictedDirectory

10/02/2015  01:18 PM    <DIR>          .
10/02/2015  01:18 PM    <DIR>          ..
10/02/2015  01:18 PM                 8 RestrictedFile.txt
               1 File(s)              8 bytes

C:\>cacls RestrictedTest
C:\RestrictedTest Domain\UserName:(OI)(CI)N
                  BUILTIN\Administrators:(ID)F
                  BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                  NT AUTHORITY\SYSTEM:(ID)F
                  NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                  BUILTIN\Users:(OI)(CI)(ID)R
                  NT AUTHORITY\Authenticated Users:(ID)C
                  NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C


and here is my test batch file:
@echo off
if exist c:\restrictedtest\testfile.txt goto TestFile
if exist c:\restrictedtest\restricteddirectory\restrictedfile.txt goto RestrictedFile

GoTo NoneExists

:TestFile
echo TestFile exists!

Goto end

:RestrictedFile
echo RestrictedFile exists!

Goto end

:NoneExists
echo Couldn't find anything!  
echo.
Echo This would be a logoff.exe statement

:end
Echo I'm at the end of the file.. 


So, from my Domain Admin account, I get this:
C:\>test.cmd
TestFile exists!
I'm at the end of the file..


From my regular account that has Deny access, I get this:
C:\>test.cmd
Couldn't find anything!

This would be a logoff.exe statement
I'm at the end of the file..


If you aren't using Deny for your group (and I would recommend using it), then in the case that they look for c:\restrictedusertest\testfile.txt, it may show as existing. However, by using a subdirectory as well, you guarantee that even without a Deny your users are properly blocked.

If you wanted to use Kix, then that would be even simpler:
; KiXtart IF takes no THEN keyword; SHELL runs the external command and waits for it
if ingroup("NoCTXatHome")
     shell "logoff.exe"
endif


Coralon
jdff (Author) commented:
Coralon,
Where will I create this directory? What is the concept behind the idea? I'm not sure I understand it very well.

Thank you.
Coralon commented:
You can create the directory anywhere on the TS box.. Just reference that path in the script.

The theory is very simple --
By using NTFS security on the directory structure, it is a way to basically instantly check group membership without all the hoops of looking up the group membership out of AD etc..  You let the Windows security subsystem take care of it for you.

Once you find out they are in the 'bad' group, you force them to run logoff.exe which boots them out.  I've used it several times over the years -- works like a champ.

If you want a vbscript version, it would be something like this:
option explicit

dim wshShell, fso
dim sTestFile

' Marker file the restricted group is denied on; FileExists returns False for them
sTestFile = "c:\restrictedtest\restricteddirectory\RestrictedFile.txt"

set fso = CreateObject("Scripting.FileSystemObject")
set wshShell = CreateObject("WScript.Shell")

' Same test as the batch version: no access to the marker file means the
' user is in the restricted group, so end the session (hidden window, no wait)
if not fso.FileExists(sTestFile) then
      wshShell.Run "logoff.exe", 0, False
end if

set wshShell = nothing
set fso = nothing


Coralon
jdff (Author) commented:
Ok, but I need all the users to have access to the TS server; what I'm looking for is to restrain some users from logging in from home! However, once they are in the office they can still log in to the TS server.

Thank you.
Coralon commented:
ok.. then you can add a few bits to the script.. You'll probably want to use vbscript..

You'll add something like:

option explicit

dim wshShell, fso
dim sTestFile, sIPAddress

' Marker file the restricted group is denied on; FileExists returns False for them
sTestFile = "c:\restrictedtest\restricteddirectory\RestrictedFile.txt"

set fso = CreateObject("Scripting.FileSystemObject")
set wshShell = CreateObject("WScript.Shell")

' Address of the RDP client for this session
sIPAddress = wshShell.RegRead("HKCU\Volatile Environment\CLIENTADDRESS")

' Office subnet: compare the prefix including the trailing dot, otherwise
' "10.1.1" would also match 10.1.10.x, 10.1.11.x and so on
if mid(sIPAddress, 1, 7) = "10.1.1." then
     ' connecting from inside the office: everyone is allowed in
     set fso = nothing
     set wshShell = nothing
     wscript.quit
end if

' From outside the office: restricted users cannot see the marker file, log them off
if not fso.FileExists(sTestFile) then
      wshShell.Run "logoff.exe", 0, False
end if

set wshShell = nothing
set fso = nothing


Obviously, you'll put in your correct subnet for the mid( ) piece.. If you have several networks, then you'll do the same thing with a switch statement.

Coralon
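As an added example (not code from this thread or from Coralon), the decision the last two scripts make, reimplemented in Python so it can be checked offline: the result of the NTFS marker-file trick from the first answer is passed in as a boolean, the office networks are constructed placeholders standing in for the "10.1.1" range, and the client address is matched by CIDR containment instead of a string prefix, which also covers the several-networks case mentioned above.

```python
import ipaddress

# Constructed office ranges standing in for the "10.1.1" subnet in the answer
# above (assumption: a deployment would list its own office networks here).
OFFICE_NETWORKS = [
    ipaddress.ip_network("10.1.1.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]


def prefix_check(client_ip, prefix="10.1.1"):
    """The string test from the VBScript, mid(sIPAddress, 1, 6) = "10.1.1".

    Kept only to show its weakness: 10.1.10.7 also starts with "10.1.1".
    """
    return client_ip[:len(prefix)] == prefix


def from_office(client_ip, office_networks=OFFICE_NETWORKS):
    """True when the RDP client address lies inside one of the office ranges."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        # Empty or malformed CLIENTADDRESS (console session, odd client):
        # fail closed, i.e. treat it as not coming from the office.
        return False
    return any(addr in net for net in office_networks)


def should_logoff(client_ip, in_restricted_group):
    """Decision for one session, mirroring the login script.

    in_restricted_group models the NTFS trick from Coralon's first answer:
    the script cannot see RestrictedFile.txt when the user is in the Deny
    group. Unrestricted users may connect from anywhere; restricted users
    only from the office.
    """
    if not in_restricted_group:
        return False
    return not from_office(client_ip)


if __name__ == "__main__":
    for ip in ("10.1.1.25", "10.1.10.7", "203.0.113.9", ""):
        verdict = "logoff" if should_logoff(ip, True) else "allow"
        print(f"{ip or '<no client address>':>20} restricted user -> {verdict}")
```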

Davis McCarn (Owner) commented:
How many users do you want to block?
If it is a relatively small number, my method may be easier.....
jdff (Author) commented:
Davis, how would I know what IP range to block if the user may want to log in from different locations?
Davis McCarn (Owner) commented:
I use Nirsoft's IPNetInfo which does a WHOIS lookup on the ip address: http://www.nirsoft.net/utils/ipnetinfo.html
Most people's home IP tends to stay the same these days, so I wouldn't worry too much about ranges.
jdff (Author) commented:
Ok, so let's say that the user will access it from his house and then from a Starbucks cafe; how would the system know that it is OK to accept the connection?
Davis McCarn (Owner) commented:
Your only choice would be to block all of that region's Starbucks. Would you want to do that?
jdff (Author) commented:
I guess VPN for the external users will be the most intelligent way, don't you think?
Davis McCarn (Owner) commented:
Personally, I'm not a fan of VPNs; they tend to get gescrewdefay quite easily, and RDP since XP has been encrypted anyway.
Besides, if the unwanted user's connection allows the VPN, you won't be blocking it at all.
jdff (Author) commented:
Davis, the unwanted user won't connect to the VPN, because they won't have a VPN user to connect with.
Davis McCarn (Owner) commented:
If it's only one user, use VPN if you want to.
jdff (Author) commented:
Did not use this suggestion, but it sounds doable; instead I will be using a VPN only for the outside users.