Matt Kendall asked:

Restrict Some Remote Desktop Users to only access from inside the office

Hi,

I have a Windows 2012 R2 Hyper-V server with 3 VMs. One of the VMs is set up for Remote Desktop Services and we have about 13 users connect into this server to work. Most of them connect to it from within the office. Some of the users connect from outside of the office. The managers asked me if there's a way that I can restrict remote access for some of the users. They would be able to work at their computer within the office but if they go home and feel like they want to remote into their session, they would be restricted from logging into their session when they're out of the office. What's the best and most simple way to accomplish this? Thanks in advance for your help!
ASKER CERTIFIED SOLUTION
Ron Malmstead

What you are trying to achieve is not possible with out-of-the-box functionality.
Better to use a VPN as suggested above, which will allow RDP only for those users who can connect through the VPN, and on the VPN you set who can connect through the VPN and who cannot.

Hopefully you are not allowing users direct access from outside the office. Maybe they are using a VPN as already suggested. But at the very least they should be using RD Gateway, which is a core RDS role. RD Gateway has policies to control access, so modifying the RAP/CAP policy should accomplish your goal.

On top of everything mentioned here, you can also use the Windows firewall to block RDP etc. based on dynamic rules:
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html

I do this the way Cliff says, which is via RD Gateway policies. It is native to Windows, and is what you should be using to access RD over the internet. You can also do the same thing with a competent VPN that can filter traffic based upon which group profile a user gets.

You should not directly expose port 3389 to the Internet.

Matt Kendall

ASKER

Thanks for the advice! I set up a VPN to help control access and it works great.