
Restrict Some Remote Desktop Users to only access from inside the office

Last Modified: 2019-01-19
Hi,

I have a Windows 2012 R2 Hyper-V server with 3 VMs. One of the VMs is set up for Remote Desktop Services and we have about 13 users connect into this server to work. Most of them connect to it from within the office. Some of the users connect from outside of the office. The managers asked me if there's a way that I can restrict remote access for some of the users. They would be able to work at their computer within the office but if they go home and feel like they want to remote into their session, they would be restricted from logging into their session when they're out of the office. What's the best and most simple way to accomplish this? Thanks in advance for your help!

Information Services Manager
CERTIFIED EXPERT
Commented:
Mahesh, Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
What you are trying to achieve is not possible with out-of-the-box functionality.
Better to use a VPN, as suggested above, which will allow RDP only for those users who can connect through the VPN, and on the VPN you set who can connect through the VPN and who cannot.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Hopefully you are not allowing users direct access from outside the office. Maybe they are using a VPN as already suggested. But at the very least they should be using RD Gateway, which is a core RDS role. RD Gateway has policies to control access, so modifying the RAP/CAP policy should accomplish your goal.
Shaun Vermaak, Senior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
On top of everything mentioned here, you can also use the Windows firewall to block RDP etc. based on dynamic rules
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
I do this the way Cliff says, which is via RD Gateway policies. It is native to Windows, and is what you should be using to access RD over the internet. You can also do the same thing with a competent VPN that can filter traffic based upon which group profile a user gets.

You should not directly expose port 3389 to the Internet.
Matt Kendall, Tech / Business owner operator

Author

Commented:
Thanks for the advice! I set up a VPN to help control access and it works great.
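
Added example, not part of any post in this thread: a PowerShell check for the RD Session Host that pairs with the VPN approach, so the host accepts RDP only from the office LAN and the VPN client pool and the VPN decides which users can connect from outside. The two address ranges and the function names are assumptions made for illustration.

```powershell
# Assumed ranges (hypothetical): replace with your own office LAN and VPN client pool.
$AllowedSources = @('192.168.10.0/24', '10.8.0.0/24')

function Test-CoversRdpPort {
    # True when a firewall LocalPort value ('3389', '3380-3390', ...) includes port 3389.
    param([string[]]$LocalPort)
    foreach ($p in $LocalPort) {
        if ($p -eq '3389') { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le 3389 -and [int]$Matches[2] -ge 3389) {
            return $true
        }
    }
    return $false
}

function Get-RdpInboundRule {
    # Enabled inbound allow rules that name TCP 3389, with the sources they accept.
    # Rules whose port is 'Any' are program-scoped and are not listed here.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and (Test-CoversRdpPort $port.LocalPort)) {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.Name
                DisplayName   = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = $addr.RemoteAddress -join ', '
                OpenToAny     = @($addr.RemoteAddress) -contains 'Any'
            }
        }
    }
}

# 1. Audit: anything with OpenToAny = True accepts RDP from every source address.
$rules = Get-RdpInboundRule
$rules | Format-Table -AutoSize

# 2. Scope those rules to the office LAN and the VPN pool.
#    Run from the VM console, or from an address inside $AllowedSources, so the
#    change cannot cut off your own session. Remove -WhatIf to apply.
$rules | Where-Object OpenToAny | ForEach-Object {
    Set-NetFirewallRule -Name $_.Name -RemoteAddress $AllowedSources -WhatIf
}
```

Rules delivered by Group Policy do not live in the local store and have to be scoped in the GPO instead.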