sunhux
asked on
Allowing a local account for incoming Rdp but not outgoing Rdp
We are using a privileged account tool (Cyberark) where an app user is given an approved link which he clicks on,
& from the Cyberark server he is RDP'ed into the target server with a specific local non-privileged account (in the
target server) that he is approved to access, so that the activities he is doing in the target server are "video recorded".
After login to the target server, we want to ensure he can't RDP out to other servers by running mstsc to log in
to other servers. How can we achieve this just for his account?
I can think of setting up Windows Firewall rules that block RDP out, but can such firewall rules be applied only to
a specific account, or is it server-wide (as firewall rules are based on source+destination plus port)? Other users
who log in to this server will still need to be able to RDP out.
Target server is running Win2008 R2
You need to restrict RDP client using group policy.
How about changing permissions for the mstsc.exe itself?
You can copy/paste mstsc.exe to your desktop...
... if you gain access to it. AppLocker could detect and block the EXE.
ASKER
It's a local account, so does GPO policy still help?
>changing permissions for the mstsc.exe itself?
Can I use icacls & what's the exact command?
ASKER
What are the shortcomings/potential unexpected disruptions if I do the following:
icacls c:\windows\system32\mstsc.exe /deny Users:(RX) <== for local accounts?
icacls c:\windows\system32\mstsc.exe /deny "Authenticated Users":(RX) <== for domain accounts?
I tried doing "icacls ..\system32\mstsc.exe /remove:g "Authenticated Users":(RX)"
but it simply doesn't process (i.e. doesn't remove that ACE)
ASKER
I'll need approval to install applocker, so exploring icacls first
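The per-account variant of the icacls approach discussed above, as an added example that is not code from this thread. It assumes (hypothetically) a Windows Server 2008 R2 x64 target, an elevated prompt, an approved local account named "appuser" and a backup folder C:\acl-backup; replace those with the real values. It puts an explicit Deny ACE on the two stock RDP client binaries for that one principal only, keeps a copy of the original DACL so the change can be reverted, and verifies the result.

```powershell
# Added example, not code from the thread: Deny ACE on the RDP client for ONE local
# account instead of on Users / Authenticated Users.
# Assumptions (hypothetical): Windows Server 2008 R2 x64, run elevated, approved local
# account "appuser", DACL backups stored under C:\acl-backup.
param(
    [string]$User   = "appuser",        # assumed account name; replace with the real one
    [string]$Backup = "C:\acl-backup",  # assumed folder for the saved DACLs
    [switch]$Revert                     # re-apply the saved DACLs instead of denying
)
$ErrorActionPreference = 'Stop'
$principal = "$env:COMPUTERNAME\$User"

# 2008 R2 is 64-bit only: both the native and the WOW64 client must be covered,
# otherwise the user simply launches C:\Windows\SysWOW64\mstsc.exe instead.
$clients = "$env:SystemRoot\System32\mstsc.exe", "$env:SystemRoot\SysWOW64\mstsc.exe"

if (-not (Test-Path $Backup)) { New-Item -ItemType Directory -Path $Backup | Out-Null }

foreach ($exe in $clients) {
    if (-not (Test-Path $exe)) { Write-Warning "not found: $exe"; continue }
    $dir = Split-Path $exe -Parent
    $bak = Join-Path $Backup ("mstsc-" + (Split-Path $dir -Leaf) + ".acl")

    if ($Revert) {
        # icacls /restore takes the directory containing the file named inside the .acl file.
        # Ownership is not part of the saved DACL and stays with Administrators.
        & icacls $dir /restore $bak /Q
        continue
    }

    # 1. Keep the original DACL so the change is reversible (see -Revert).
    & icacls $exe /save $bak /Q | Out-Null

    # 2. System32 binaries are owned by TrustedInstaller and Administrators only hold RX,
    #    so editing the DACL fails with "Access is denied" until Administrators own the file.
    & takeown /F $exe /A | Out-Null
    & icacls $exe /grant "Administrators:F" /Q | Out-Null

    # 3. The control itself: a Deny ACE for a single principal. Deny ACEs are evaluated
    #    before Allow ACEs, so the default BUILTIN\Users:(RX) keeps working for every
    #    other account and nothing is taken away from Administrators.
    & icacls $exe /deny "${principal}:(RX)" /Q | Out-Null

    # 4. Verify: icacls lists a deny entry as  COMPUTER\user:(DENY)(RX)
    $dacl = & icacls $exe | Out-String
    if ($dacl -notmatch ([regex]::Escape($principal) + ':\(DENY\)')) {
        throw "Deny ACE missing on $exe`n$dacl"
    }
    Write-Output "OK $exe"
    Write-Output $dacl
}
```

Why the narrower deny matters for the two commands proposed above: a Deny ACE is matched against every group in the caller's token, and on a domain member Authenticated Users is itself a member of BUILTIN\Users, so `/deny Users:(RX)` or `/deny "Authenticated Users":(RX)` would lock the RDP client for every account on the server, administrators included. `/remove:g` removes an explicit Allow ACE for the named principal and silently does nothing when there is none; the default DACL on mstsc.exe grants BUILTIN\Users, not Authenticated Users. The limits of the technique: it only binds the stock binary, so a copied mstsc.exe (as noted earlier in the thread) or any other RDP client still works, and a servicing update that replaces mstsc.exe lays down a fresh file with default ACLs. Re-run the verification after patch cycles and treat AppLocker as the durable control.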
Revisiting this thread, I'd like to correct myself: You wouldn't need to set up IPsec to use firewall rules per user, so that is surely even an easy way: Block all outgoing ports for these users apart from those needed.
Start | Run | Gpedit.msc if editing the local policy, or choose the appropriate policy and edit it.
Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.
Find and double click "Deny logon through Remote Desktop Services"
Add the user and / or the group that you would like to deny access.
Click ok.
Either run gpupdate /force /target:computer or wait for the next policy refresh for this setting to take effect.
Check the "Log On To" attribute in that user's properties.
Also I am thinking to modify the built-in inbound firewall rule for remote desktop to allow only the authorised IP addresses, but not that target server instance. In short, prevent the target system from making any further RDP connections regardless of user identity. e.g. Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Allow inbound Remote Desktop exceptions: Enabled, Allow unsolicited incoming messages from these IP addresses (state the static IP specified).
Having IPsec enforced on other systems will be good too but indeed non-trivial.
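The inbound-scoping idea in the previous comment, as an added example that is not code from this thread. It is the local netsh equivalent of the "Allow inbound Remote Desktop exceptions" policy setting and is run on every other server the approved user must not be able to reach: the built-in inbound RDP rule is narrowed to the CyberArk server (and any other authorised source), so a second hop from the target server is refused whatever account attempts it. On 2008 R2 a firewall rule scoped to a user or computer only takes effect on IPsec-authenticated connections, which is why this address-based scoping is the practical alternative. It assumes (hypothetically) Windows Server 2008 R2 with English-language netsh output, an elevated prompt, a CyberArk server at 10.10.1.5 and an admin subnet 10.10.20.0/24; netsh advfirewall is used because the NetSecurity cmdlets only arrive with Server 2012.

```powershell
# Added example, not code from the thread: scope the built-in inbound RDP rule to
# authorised sources and report any other rule that still opens 3389 to everyone.
# Assumptions (hypothetical): Windows Server 2008 R2, English netsh output, run
# elevated; CyberArk server 10.10.1.5, additional admin subnet 10.10.20.0/24.
param(
    [string[]]$AllowedSources = @("10.10.1.5", "10.10.20.0/24"),   # assumed addresses
    [string]$RuleName = "Remote Desktop (TCP-In)"                 # built-in rule, all profiles
)
$ErrorActionPreference = 'Stop'

function Get-RdpExposureCandidates {
    # Returns the names of enabled inbound Allow rules that admit port 3389 (or any port)
    # from RemoteIP Any, i.e. rules that would defeat the scoping below and need review.
    # Parses the English netsh listing; rule blocks are separated by blank lines.
    $text   = & netsh advfirewall firewall show rule name=all dir=in | Out-String
    $blocks = $text -split "(?:\r?\n){2,}"
    foreach ($b in $blocks) {
        if ($b -match '(?m)^Enabled:\s+Yes' -and
            $b -match '(?m)^Action:\s+Allow' -and
            $b -match '(?m)^LocalPort:\s+(?:Any|3389)\s*$' -and
            $b -match '(?m)^RemoteIP:\s+Any' -and
            $b -match '(?m)^Rule Name:\s+(.+?)\s*$') {
            $Matches[1]
        }
    }
}

$scope  = $AllowedSources -join ","
$fields = 'Rule Name|Enabled|Profiles|RemoteIP'

Write-Output "--- before ---"
& netsh advfirewall firewall show rule name="$RuleName" | Select-String $fields

# Narrow the existing rule rather than adding a second one: allow rules are additive,
# so a new rule with a tighter RemoteIP would leave the original Any-source allow in force.
& netsh advfirewall firewall set rule name="$RuleName" new remoteip="$scope" enable=yes | Out-Null

Write-Output "--- after ---"
& netsh advfirewall firewall show rule name="$RuleName" | Select-String $fields

# Any other enabled allow rule that still exposes 3389 to Any undoes the change above.
$leaks = @(Get-RdpExposureCandidates | Where-Object { $_ -ne $RuleName })
if ($leaks.Count -gt 0) {
    Write-Warning ("Review these inbound allow rules, they still open 3389 (or all ports) to Any: " + ($leaks -join "; "))
} else {
    Write-Output "No other inbound allow rule exposes 3389 to Any."
}
```

Apply the same scoping on the recorded target server itself so only the CyberArk server can reach it. The check is intentionally conservative and may list rules with `LocalPort: Any` that have nothing to do with RDP; review rather than delete them. Address-based scoping says nothing about RDP listening on a non-default port on the far side, nor about other remote-execution paths such as WinRM or PsExec, which need their own inbound rules reviewed the same way.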