DLH asked:
RDP access with least privileges
What is the best way to give a user rights to RDP to a server with the least privileges? They would like to view directories and view the registry. I have read several articles describing the use of a GPO or placing the user in the Remote Desktop Users group.
ASKER CERTIFIED SOLUTION
Implementing Least-Privilege Administrative Models
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models
Implementing Least Privilege Security:
https://www.lepide.com/blog/implementing-least-privilege-security/
If you have a lot of servers that they are going to need access to, you're still going to have a lot of work to do.
Adding them to the Remote Desktop Users group will likely still not provide them access to all your directories, specifically on shared directories that already have restrictive rights.
If you want to give them Remote Desktop access, you can create a GPO and use Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
When you do, you will get two different settings: "Members of this group" and "Group is a member of".
The difference is that "Members of this group" will remove all current members and make only the list you provide members of that group.
"Group is a member of" will add a group to another group. (I would recommend using this one.)
So create a new group with the members you want to grant rights to, then add that group to the Remote Desktop Users group using "Group is a member of: Remote Desktop Users".
As for locking down permissions on each server, Naveen has posted a few good articles on that, but basically you will need to create a group and restrict what rights it has on your servers, to limit their access to the things that you do not want them to be able to do that a normal user on the server has by default.
ASKER
After reading a few articles, please tell me if this thought is correct.
Adding the user or group to the "Built In" Remote Desktop Users gives them the remote log-on capability for all Domain Controllers in the Domain. If I want to give them the capability to RDP to a member server, I need to add them on the local server.
That is correct. If you add them to the "Built In" group in AD, it will allow them access to the DCs.
You would want to limit it to adding them to the LOCAL Remote Desktop Users group on the member servers (that is, unless you want them to have RDP access on the DCs).
I hope you are thinking of adding a group to the local Remote Desktop Users group on those servers and not individual user accounts: that could get difficult to manage with over 100 servers.
It would be better to create an AD group for those users who need this access. Then, all you need to do is add that group to the LOCAL Remote Desktop Users group on each server. Then, you don't have to go around to 100+ servers if you need to add or remove someone's access: you just need to add or remove their account in that AD group.
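The two answers above describe the same procedure: create one AD group, then add that group to the LOCAL Remote Desktop Users group on every member server (never the domain's built-in group, which would grant RDP to the DCs). The script below is an added example, not code posted in the thread; it assumes a hypothetical AD group CONTOSO\InfoSec-RDP, placeholder server names, the ActiveDirectory module on the admin workstation, and WinRM reachable on the targets. It filters out domain controllers before touching anything, adds the group only where it is missing, and reports the resulting membership so the change can be audited.

```powershell
# Added example (not from the thread): push one AD group into the LOCAL
# "Remote Desktop Users" group on many member servers and report membership.
# CONTOSO\InfoSec-RDP and the server names are hypothetical placeholders.
#Requires -Modules ActiveDirectory
param(
    [string]$AdGroup = 'CONTOSO\InfoSec-RDP',          # assumed AD group
    [string[]]$Servers = @('srv01', 'srv02', 'dc01')   # assumed target list
)

# Domain controllers have no local SAM; adding to "Remote Desktop Users" on a
# DC means the domain-wide built-in group, which the thread warns against.
$dcNames = (Get-ADDomainController -Filter *).Name
$targets = $Servers | Where-Object { ($_ -split '\.')[0] -notin $dcNames }
$skipped = $Servers | Where-Object { ($_ -split '\.')[0] -in $dcNames }
if ($skipped) { Write-Warning "Skipping domain controllers: $($skipped -join ', ')" }

$results = Invoke-Command -ComputerName $targets -ArgumentList $AdGroup -ScriptBlock {
    param([string]$Group)
    $localGroup = 'Remote Desktop Users'

    # Get-LocalGroupMember returns DOMAIN\name strings, so a direct compare works.
    $before = @((Get-LocalGroupMember -Group $localGroup).Name)
    $changed = $false
    if ($Group -notin $before) {
        Add-LocalGroupMember -Group $localGroup -Member $Group
        $changed = $true
    }

    [pscustomobject]@{
        Server  = $env:COMPUTERNAME
        Added   = $changed
        Members = (Get-LocalGroupMember -Group $localGroup).Name -join '; '
    }
}

$results | Sort-Object Server | Format-Table Server, Added, Members -AutoSize
```

The Microsoft.PowerShell.LocalAccounts cmdlets (Get-/Add-LocalGroupMember) ship with Windows Server 2016 and later and with WMF 5.1; on older servers replace the inner calls with `net localgroup "Remote Desktop Users" CONTOSO\InfoSec-RDP /add`. For the 100+ server case in the thread, the $Servers list can be built from Get-ADComputer instead of typed by hand, and re-running the script is safe because it only adds the group where it is absent.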
ASKER
I think what I will do is to create a group and give them access to a C drive share and remote registry permissions. It appears that as a user, they are able to access or run applications and create folders. It is basically the Info Security group that needs to be able to view whether or not there was a reg change or application installed for vulnerability management.
ASKER
What you are saying is that I would have to allow remote registry on all my servers, including Domain Controllers. I am researching this but thinking I have to log on to each to allow this.
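Enabling remote registry does not require logging on to each server: the RemoteRegistry service can be configured through PowerShell remoting, and read-only remote access for one group can be granted on the winreg key (HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg), whose ACL controls who may connect to the registry remotely. The script below is an added example, not code from the thread; it assumes WinRM is reachable, that the admin running it is a local administrator on the targets, and uses the hypothetical group CONTOSO\InfoSec-RDP and placeholder server names. It starts the service, grants that group ReadKey on winreg (so the group can read remotely without being made an administrator), and returns a per-server report.

```powershell
# Added example (not from the thread): enable RemoteRegistry on many servers
# and grant one group read-only remote registry access via the winreg key ACL.
# CONTOSO\InfoSec-RDP and the server names are hypothetical placeholders.
param(
    [string]$ReaderGroup = 'CONTOSO\InfoSec-RDP',      # assumed AD group
    [string[]]$Servers = @('srv01', 'srv02', 'dc01')   # assumed target list
)

$report = Invoke-Command -ComputerName $Servers -ArgumentList $ReaderGroup -ScriptBlock {
    param([string]$Group)

    # 1. Make sure the service is enabled and running.
    Set-Service -Name RemoteRegistry -StartupType Automatic
    if ((Get-Service -Name RemoteRegistry).Status -ne 'Running') {
        Start-Service -Name RemoteRegistry
    }

    # 2. Grant read-only remote access on the winreg key. This key's ACL, not
    #    the service alone, decides who may open the registry over the network.
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $acl = Get-Acl -Path $winreg
    $alreadyGranted = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::ReadKey) -eq
            [System.Security.AccessControl.RegistryRights]::ReadKey
    }
    if (-not $alreadyGranted) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Group,
            [System.Security.AccessControl.RegistryRights]::ReadKey,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $winreg -AclObject $acl
    }

    $svc = Get-Service -Name RemoteRegistry
    [pscustomobject]@{
        Server     = $env:COMPUTERNAME
        StartType  = $svc.StartType
        Status     = $svc.Status
        WinregRead = (Get-Acl -Path $winreg).Access |
                     Where-Object { $_.IdentityReference.Value -eq $Group } |
                     ForEach-Object { $_.RegistryRights } |
                     Select-Object -First 1
    }
}

$report | Sort-Object Server | Format-Table -AutoSize
```

Granting ReadKey on winreg only opens the remote connection; what the group can then see is still governed by the ACLs on the individual keys, which by default let ordinary users read HKLM\SOFTWARE and most of HKLM\SYSTEM but not the protected hives, so this stays well short of administrator rights. Run it once against a test server and compare the WinregRead column before rolling out to the full list.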
RDP will allow them to use the applications and create directories.