
GPO for Remote Desktop Users

Mar 29, 2006
Are there any 'pre-made' GPOs for Remote Desktop Users? I searched the MS TechNet site but couldn't find much.

Thanks.
 
What are you looking to configure?

There is no difference between an RDP user and one sitting at the office. Same PC, same applications. If you need to restrict further then you need to be looking at a Terminal Server rather than allowing Remote Desktop.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Yes, you're right.

I guess what I'm really looking for is a super-secure policy that would only give the user access to one or two drives.

I'm new to configuring GPOs; that's why I was hoping there would be premade ones available.
 
I guess what I'm really looking for is a super-secure policy that would only give the user access to one or two drives.

Explain your desire more in terms of the infrastructure.

You want to restrict the user to two mapped drives or two drives on the local system? Is the desired access different from what you want the user to be able to access when physically in the office? If so why?

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
If I could emulate the exact same policies that are in place when he is physically here then that would be fine.

I'm just concerned with any loopholes/backdoors, etc., that may arise over a remote desktop connection.

Another thing: we're using Script Logic, and I would think it would still run under a remote desktop connection, but it doesn't; that's why I was pondering creating a new GPO for him/this connection.
 
You seem to think that coming in via RDP is any different from when they are sitting in the office; it isn't.

Scripts and GPOs won't hit the user at the point of the RDP connection; that happens locally at the desktop being controlled. So your same login scripts etc. will be in effect.

If the user was already logged on to the system and is taking over their own session, then you won't see any login script processing because it already happened.



I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Okay, you're right, Mark. But when a user connects over RD, they have access to My Computer and, more importantly, all the local drives (local to the server), and this obviously cannot happen.

So there seems to be a need to separate RD users and not allow them to access certain things, and that's what I need help with.

Like you said, SL does indeed run, but where do I lock them down? On SL's side or Windows?

Thanks.
 
So the question, though, is why you wish to lock them down from accessing drives the user has rights to when in the office. Suppose you could block access to the server. What is to stop a user from copying a file while in the office and then using Remote Desktop to access their workstation and copy that file home? Same thing.

You need to lock down NTFS security on your server to only allow your users access to resources you want them to have access to under all circumstances.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
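Mark's advice above is to fix the NTFS permissions on the server so they hold under all circumstances. The following script is an added example, not code from the thread or from Mark: it audits the NTFS ACL on a share folder for ACEs that give broad groups (Everyone, Users, Authenticated Users, Domain Users) write access, and with `-Apply` replaces the ACL with Administrators and SYSTEM at Full Control plus one named group at Modify. The folder path `D:\Shares\Public` and the group `CONTOSO\Public-Share-RW` are assumptions; it assumes a Windows PowerShell session run as an administrator on the server.

```powershell
# Added example, not from the thread: audit the NTFS ACL on a share folder
# for ACEs that give broad groups write access, and (with -Apply) replace
# the ACL with Administrators/SYSTEM full control plus one group at Modify.
# The path and group name below are assumptions; substitute your own.
param(
    [string]$Path  = 'D:\Shares\Public',          # assumed share folder
    [string]$Group = 'CONTOSO\Public-Share-RW',   # assumed group that should have write
    [switch]$Apply
)

# Identities that amount to "everyone on the network".
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Bits that let a principal add, change or remove files, or re-ACL the folder.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
             $fsr::ChangePermissions -bor $fsr::TakeOwnership
# Generic rights appear as raw integers in FileSystemRights; treat them as write too.
$genericWrite = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE

$acl = Get-Acl -Path $Path
$findings = @()
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id = $ace.IdentityReference.Value
    $isBroad = ($broad -contains $id) -or ($id -like '*\Domain Users')
    $rights = [int]$ace.FileSystemRights
    $canWrite = (($rights -band [int]$writeMask) -ne 0) -or (($rights -band $genericWrite) -ne 0)
    if ($isBroad -and $canWrite) {
        $src = if ($ace.IsInherited) { '(inherited)' } else { '(explicit)' }
        $findings += '{0,-40} {1} {2}' -f $id, $ace.FileSystemRights, $src
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No broad write access on $Path"
} else {
    Write-Host "Broad write access on ${Path}:"
    $findings | ForEach-Object { Write-Host "  $_" }
}

if ($Apply) {
    # Grant the explicit ACEs first, then cut inheritance so nothing from the
    # volume root (typically Users:Modify on a fresh data drive) leaks back in,
    # then strip any explicit broad grants that were set directly on the folder.
    icacls.exe $Path /grant:r "BUILTIN\Administrators:(OI)(CI)F" `
                              "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
                              "${Group}:(OI)(CI)M" | Out-Null
    icacls.exe $Path /inheritance:r | Out-Null
    foreach ($b in $broad) { icacls.exe $Path /remove:g $b | Out-Null }
    Write-Host "Resulting ACL:"
    icacls.exe $Path
}
```

Run it without `-Apply` first to see what would change. Share-level permissions (the ones set on the share itself, not the folder) are a second, separate layer; this script only touches NTFS, which is the layer that also governs what a user sees when logged on to the server directly.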
 
Because when they're logging on under RD they're logging on to the actual server, therefore they have access to the server's local drives.

When they're logging on locally, I'm just mapping drives through SL.
 
OK, so we are battling terms here.

Remote Desktop is typically used to describe a user connecting to their workstation.

Terminal Services is used to describe a user connecting in to the server.

So you are allowing users to TS into your server. Not a very good idea unless it is a server dedicated to this purpose and NOT a DC.

I would suggest you setup RRAS on the server. Instruct your users to VPN to the server and from there they can RDP to their XP client machines.

Depending on the size of your environment, you might want to look at SBS 2003, as it has a web interface to allow users to connect to their desktops.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Hi Mark, sorry I didn't make it more clear from the beginning, my fault.

This user uses a laptop so there would be no client for him to remote into.

I am running SBS 2003 (DC), but setting up RRAS right now might be too much for me, and probably well beyond this forum.

But this is a very simple setup, I just need to give him access to a Public Share drive so he can access files that are going to be too big for email.

Is there no other option, besides RRAS? Of course with respect to the security of the server.

Thanks again.
 
Do you have a firewall with VPN capability? If so, have him VPN to that and create a shortcut to the share. He will be prompted to enter his network credentials which will authenticate him and he can access those files.

We're doing this with a project manager we have overseas so that our engineers do not have to email out huge files.

Systems Administrator
 
Yes and No.

It's a long story but I'm going to use Hamachi, which gives me a 'pseudo' IP address, but works just the same.
 
Agree with Mark...
'I would suggest you setup RRAS on the server. Instruct your users to VPN to the server and from there they can RDP to their XP client machines.'

You could also entertain secure FTP...
 
This user uses a laptop so there would be no client for him to remote into.

OK, we are slowly peeling away the onion layers.

So you have SBS, great. You say the user is using Remote Desktop to the server? This indicates you have given the user admin rights to the server or specifically assigned him the right to log on locally. This is just not necessary.

If you configure RRAS the user's laptop dials in on a VPN and connects to the server. This just gives him an IP Address and does not give him local access to the servers drives. If the user has NTFS permissions to shares then he can map drives to them.

If you know ASP you could engineer a web page that checks the IP address of users and if it is NOT an IP reserved for RRAS then allow them access to a web page that gives them access to the documents they need to access.

Beyond that you should simply not allow any remote access besides OWA or Outlook over HTTP if you feel you can not trust your users.

If you have authorized users to log on locally to your server you need to remove that right ASAP, as it gives your users way too much access to your server.

The ToDo list in SBS will setup the RRAS for you if you run through the list.

Also, I assume you are running SBS Standard and not Premium.

Last thing, in the future since you are running SBS please post in forum1584.


I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
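Mark's point in the post above is that the user should not hold the "log on locally" (or Terminal Services logon) right on the server at all. The script below is an added example, not code from the thread or from Mark: it exports the effective user-rights assignment with `secedit`, prints who holds the console and Terminal Services logon rights, marks anything outside the default DC holders with `!!`, and lists the local Remote Desktop Users group. It assumes an elevated Windows PowerShell session on the server itself; the list of expected default holders is an assumption based on the Windows Server 2003 domain controller defaults.

```powershell
# Added example, not from the thread: list who holds the console and
# Terminal Services logon rights on this server and who is in the local
# Remote Desktop Users group, so the "log on locally" exposure can be
# checked rather than guessed at.
# Assumptions: run in an elevated PowerShell on the server itself;
# secedit.exe is present (it ships with every Windows version).
# The right names are Windows' own:
#   SeInteractiveLogonRight           "Allow log on locally"
#   SeRemoteInteractiveLogonRight     "Allow log on through Terminal Services"
#   SeDenyRemoteInteractiveLogonRight "Deny log on through Terminal Services"

$inf = Join-Path $env:TEMP 'logon-rights.inf'
# /mergedpolicy gives the effective setting (local policy plus any GPO),
# which matters on a DC where the Default Domain Controllers Policy wins.
secedit.exe /export /cfg $inf /mergedpolicy /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run elevated" }

$rights = @('SeInteractiveLogonRight',
            'SeRemoteInteractiveLogonRight',
            'SeDenyRemoteInteractiveLogonRight')

# Principals that hold logon rights on a 2003-era DC by default (assumed
# baseline); anything else on an Allow right gets a '!!' marker.
$expected = @('BUILTIN\Administrators', 'BUILTIN\Account Operators',
              'BUILTIN\Backup Operators', 'BUILTIN\Print Operators',
              'BUILTIN\Server Operators')

function Resolve-Principal([string]$entry) {
    # secedit writes resolvable accounts as *SID and leaves others as names.
    if (-not $entry.StartsWith('*')) { return $entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
    try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $entry }
}

foreach ($line in Get-Content $inf) {
    if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]; $list = $Matches[2]
    if ($rights -notcontains $right) { continue }
    Write-Host "`n$right"
    foreach ($entry in ($list -split ',')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }
        $name = Resolve-Principal $entry
        $mark = '   '
        if ($right -ne 'SeDenyRemoteInteractiveLogonRight' -and $expected -notcontains $name) { $mark = '!! ' }
        Write-Host "  $mark$name"
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# On a member server, membership here is what turns a plain user into someone
# who can open an RDP session and browse the server's own drives.
Write-Host "`nRemote Desktop Users members:"
net.exe localgroup 'Remote Desktop Users' |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^(Alias|Comment|Members|-+|The command)' } |
    ForEach-Object { Write-Host "  $_" }
```

Lines marked `!!` are the candidates to remove. On SBS (a domain controller) the right is set by the Default Domain Controllers Policy GPO, so remove the user or group there rather than in the local security policy, which the GPO would overwrite on the next refresh.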
 