
Remove Access to Remote Desktop Client

Status: Not open for further replies.

Griggen (IS-IT--Management), Jul 13, 2004
I'm looking for a way to limit access to launch or use the Remote Desktop client for some users on my network. I can't block the RDP port, as it *is* used by some people, but I'd like to find a way to either remove the RDP client entirely, or limit users who can access it. The client PCs are FAT32. Can anyone think of a solution?
 
Hi, Griggen

Hide, rename or change the access rights to
%SystemRoot%\System32\mstsc.exe
on the machines in question.

Jock
 
Can Group Policy do anything for you?

What about using the "Remote Desktop Users group" as a control mechanism?

Remote Desktop - enable with GPO
thread779-979719

Remote desktop connection "The local policy of this system does not permit you to logon interactively"

How to Disable Remote Desktop by Using Group Policy
 
As I said, these are FAT32 stations, so enforcing NTFS rights on the executable is not an option.

Hiding the file will not prevent the shortcut from working.

Renaming or deleting it does not work, as the OS remakes the executable if it does not exist and the file is referenced by a run command or shortcut.

@linney: Disabling remote desktop by using group policy, your third link, is a GPO setting that disallows remote access TO a computer. I want to keep them from being able to run the client to make connections out.

Your second link, the "does not permit you to logon interactively" is the same. Adding users to the remote desktop users group on a particular workstation restricts who may connect TO that workstation, not remote OUT from it.

Your first link is much the same. They are enabling remote desktop across all their workstations, but the default is to disallow remote connects to contact an XP workstation. What is listed in this link also seems to be a method for globally enabling that connection to be made, and is not something I can reverse engineer into a restriction.


I am looking for a way to either keep the users from launching the application, or remote it entirely. Port blocking is not an option in my situation, and I cannot restrict file access through NTFS.
 
By remote in my last chunk, i meant remove.
 
Any reason why you have to use FAT32 and not NTFS?

Is there any Login Script that you could use to disable some service or rename the .exe, or something along the lines, that would stop the specific user accessing Remote Desktop?
 
The NTFS/FAT thing was a decision made above my head to "resolve" a different problem. Basically it's a lazy fix for something else and now I'm stuck with it.

I said previously, though it may have gotten lost in my longer post, that using RDP to get OUT is not a service, just an application, so it can't be disabled. If you rename or delete the EXE, the OS simply repopulates it. Try it: c:\windows\system32\mstsc.exe
Delete or rename it and then try to run it from the shortcut or the run command. Heck, I think just refreshing the directory is enough to repopulate the executable.

I'll look at your appkiller program, and see if it's something I can implement without getting fired. :D Thanks for the responses.

As a side note, I can't believe this is something that's not restrictable easily with a GPO or uninstallable from Windows, but it's just not there. I was pretty surprised.
 
See if Greg Palmer, "programmer extraordinaire", can come up with the goods; he has done it before with his Run As Administrator application.

The reason mstsc.exe is replaced is because of the Windows File Protection. This can be turned off but you may not consider it worth the effort. Alternatively any action on mstsc.exe may also have to be performed on the version that always replaces the original version via WFP, and that is the backup version probably residing in the C:\WINDOWS\system32\DllCache folder.

Disable Windows File Protection

222193 - Description of the Windows File Protection Feature

904677 You receive a "Windows File Protection: Files that are required for windows to run properly have been replaced by unknown versions" error in Windows Server 2003, Windows XP, or Windows 2000
 
Could you not just restrict the users who are allowed to connect to systems via remote desktop, then running the client would be pointless as only authorised users would be able to log in?

By default, administrators and members of the Remote Desktop Users group are able to connect via RDP. Just ensure that only the accounts you want to be able to connect are in one of these groups.

John
 
@jbarnett-

The issue at hand here is our users are remoting to their home PCs with RDP to run torrent downloaders, some games, other things of that nature, so of course I have no control over their home systems.

Many people in my office DO need to remote out for multiple business reasons, so blocking the ports isn't an option.

So I can't block the traffic, I can't restrict file permissions to the executable, and it's apparently not uninstallable or easily deletable.

If Greg can build in the RDP service to his appkiller, that's looking like my best choice right now.
 
Griggen,

I have updated the install to include Remote Desktop.


The help system should explain everything - if not let me know and I'll help you out.

I have tested this on WinXP Pro with SP2 installed. It should work on all Windows O/S's, but I've not had time to test whether it closes RD on anything else. Effectively what the software will do is allow the user to open the RD client; then after a second or so it will close.

Hope this helps

Greg Palmer
Freeware Utilities for Windows Administrators.
 
Greg, will your program work in Windows 2003 Terminal Server?
I have users connecting with RDP to our TS but they don't realize that the Outlook in Terminal Server has nothing to do with the Outlook on their local machine (so they keep launching it to try to send emails). I don't want to corrupt anything though if I start blocking apps.
 
AOConsulting - why not uninstall Outlook from terminal server?

John
 
AOConsulting,

To be honest this is not a configuration that I have tried. Basically what the application does is close applications on the local machine based on the class names of the main window of the application. This way it doesn't matter what the name of the exe file is. For that reason I don't think it would work, as the machine would probably only see the TS window as a local window.

It would not hurt to try it though if you wanted to.

Greg Palmer
Freeware Utilities for Windows Administrators.
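The mechanism Greg describes (closing an application by its main window class rather than by its exe name, so renaming or WFP restoring mstsc.exe makes no difference) as an added PowerShell example; this is not AppKiller's own code, which is not on the page. It assumes the Remote Desktop client's main window class is "TscShellContainerClass", and $AllowedUsers and $LogFile are placeholders to fill in for your site.

```powershell
# Added example, not AppKiller's source: poll for top-level windows of the
# Remote Desktop client's class and close them for users not on the allow-list.
param(
    [string[]] $AllowedUsers = @('alice', 'bob'),          # placeholder: users who may remote out
    [string]   $TargetClass  = 'TscShellContainerClass',   # assumed mstsc main window class
    [string]   $LogFile      = "$env:SystemRoot\Temp\rdp-closer.log",   # placeholder path
    [int]      $PollSeconds  = 1
)

Add-Type @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Win32 {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder buf, int max);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
"@

# Return the ids of processes that own a top-level window of the given class.
function Get-PidsByWindowClass([string] $ClassName) {
    $pids = New-Object System.Collections.Generic.List[uint32]
    $cb = [Win32+EnumWindowsProc] {
        param($hWnd, $lParam)
        $buf = New-Object System.Text.StringBuilder 256
        [void][Win32]::GetClassName($hWnd, $buf, $buf.Capacity)
        if ($buf.ToString() -eq $ClassName) {
            $owner = [uint32] 0
            [void][Win32]::GetWindowThreadProcessId($hWnd, [ref] $owner)
            $pids.Add($owner)
        }
        return $true   # keep enumerating
    }
    [void][Win32]::EnumWindows($cb, [IntPtr]::Zero)
    return $pids | Select-Object -Unique
}

if ($AllowedUsers -contains $env:USERNAME) { return }   # this user is permitted to remote out

while ($true) {
    foreach ($id in Get-PidsByWindowClass $TargetClass) {
        # Same observable behaviour as described: the client opens, then is closed.
        Stop-Process -Id $id -Force -ErrorAction SilentlyContinue
        "$(Get-Date -Format s) closed pid $id (class $TargetClass) for $env:USERNAME" |
            Add-Content -Path $LogFile
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Run it from a logon script or scheduled task in the user's session, since it must enumerate that user's desktop windows; the log line gives you a record of each closure for follow-up.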
 
I am having the same issue as Griggen.
I tried the AppKiller program but with no success.
 