Block Terminal Service

[bairdt]

Is there a way to setup the remote administration piece of terminal service to block people from being able to access it? It's not enough that you have to know the administrator userid and password any longer. We want to lock it down tighter than its current state. Any suggestions?

 

[TechMerlin]

Under Terminal Services Configuration (Start,Programs, Administrative Tools) click the Security tab and you can set permissions there accordingly

Mark Morton, MCSA, MCP, SNA, CCA

 

[ReddLefty]

Won't the logon screen still appear? I think that's what he's trying to avoid also.

You could also block the port from your TCP settings on the Terminal Server itself (Port: TCP 3389)



"In space, nobody can hear you click..."

 

[bairdt]

Yeah what we would love to see happen is if someone tries to TS into a box for remote administration and the user doesn't have permission to even being there to log it into the event viewer / security and "not" prompt them but tell them you aren't allowed here. Even if the prompting notification can't be done at least forbid them from attempting to get into TS to begin with.

 

[ReddLefty]

Well, you can try both options.. in order to get a security log, they have to try and log in... unless you find a way to capture the IP when they get to the TS screen.... I don't see how you can do that without some sort of 3rd party software.



"In space, nobody can hear you click..."

 

[TechMerlin]

See if you block 3389 anyone using that machine will not be able to connect so in this case the "unwanted" user could go to a different terminal and get in. If you are using a client with NTFS you could restrict access to the RDP client based on the user this not allowing them to even access the logon screen

Mark Morton, MCSA, MCP, SNA, CCA