Matt Kendall

Restrict Some Remote Desktop Users to only access from inside the office

Hi,

I have a Windows 2012 R2 Hyper-V server with 3 VMs.  One of the VMs is set up for Remote Desktop Services and we have about 13 users connect into this server to work.  Most of them connect to it from within the office.  Some of the users connect from outside of the office.  The managers asked me if there's a way that I can restrict remote access for some of the users.  They would be able to work at their computer within the office but if they go home and feel like they want to remote into their session, they would be restricted from logging into their session when they're out of the office.  What's the best and most simple way to accomplish this?  Thanks in advance for your help!
Tags: Remote Access, Microsoft Server OS, Windows OS, Windows Server 2012, Hyper-V

Last Comment: Matt Kendall, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Ron Malmstead

Mahesh

What you are trying to achieve is not possible with out-of-the-box functionality.
Better to use a VPN as suggested above, which will allow RDP only for those users who can connect through the VPN, and on the VPN you set who can connect through it and who cannot.
Cliff Galiher

Hopefully you are not allowing users direct access from outside the office. Maybe they are using a VPN as already suggested. But at the very least they should be using RD Gateway, which is a core RDS role.  RD Gateway has policies to control access so modifying the RAP/CAP policy should accomplish your goal.
Shaun Vermaak

On top of everything mentioned here, you can also use the Windows firewall to block RDP etc. based on dynamic rules
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html
kevinhsieh

I do this the way Cliff says, which is via RD Gateway policies. It is native to Windows, and is what you should be using to access RD over the internet. You can also do the same thing with a competent VPN that can filter traffic based upon which group profile a user gets.

You should not directly expose port 3389 to the Internet.
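
The RD Gateway approach recommended in this thread, sketched as an added example that is not part of any post here: external access is limited to one AD group through a CAP/RAP pair, and the session host accepts RDP only from the office subnet. The domain, group name, policy names, host name and subnet are placeholders, and the script assumes the RD Gateway role is installed, the group already exists, and PowerShell remoting to the session host is enabled.

```powershell
# Added example: run in an elevated session on the RD Gateway server.
# All values in this block are placeholders to replace with your own.
Import-Module RemoteDesktopServices

$Domain       = 'CONTOSO'               # placeholder NetBIOS domain name
$GroupName    = 'RDS-External-Allowed'  # placeholder AD group: users allowed in from outside
$SessionHost  = 'RDSH01'                # placeholder name of the RD Session Host VM
$OfficeSubnet = '192.168.1.0/24'        # placeholder office LAN (includes the gateway)

# Connection Authorization Policy: only members of the group may connect
# to the gateway at all. AuthMethod 1 = password authentication.
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'External-Allowed-CAP' `
    -UserGroups "$GroupName@$Domain" -AuthMethod 1

# Resource Authorization Policy: what those users may reach through the gateway.
# ComputerGroupType 2 = any network resource; tighten this if you keep a
# dedicated computer group for the session host.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'External-Allowed-RAP' `
    -UserGroups "$GroupName@$Domain" -ComputerGroupType 2

# A user is admitted if ANY enabled CAP matches, so an older policy that lists
# a broad group (for example Domain Users) would still let everyone in.
# List every CAP with its user groups for review.
Get-ChildItem 'RDS:\GatewayServer\CAP' | ForEach-Object {
    $groups = Get-ChildItem "RDS:\GatewayServer\CAP\$($_.Name)\UserGroups"
    [pscustomobject]@{
        Policy     = $_.Name
        UserGroups = ($groups.Name -join ', ')
    }
}

# On the session host, scope the built-in Remote Desktop firewall rules to the
# office subnet so port 3389 is reachable only from the LAN and the gateway.
Invoke-Command -ComputerName $SessionHost -ScriptBlock {
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $using:OfficeSubnet
}
```

Users outside the group keep working from office PCs, which connect to the session host directly, while their connection attempts through the gateway are refused.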
Matt Kendall

ASKER
Thanks for the advice!  I set up a VPN to help control access and it works great.