Restricted remote access to some users

simoncarter2003

Hi All,

I've got a particular scenario and I'm after possible solutions or suggestions.

A standalone Windows 2008 machine which has a series of 'Restricted' accounts which are used to run different services/applications and they require *some* user interaction. Access to this box is primarily via RDP. I have a group of 7/8 users which I don't want to have full admin rights over the box but need to be able to get onto these 'Restricted' accounts.

Ideally I wouldn't give these users the RDP passwords for each of these accounts as the passwords would then need to be changed each time a user leaves/changes role. My ideal solution is some kind of approach where the users have their own RDP accounts (and hence can be audited), and can then remote into the 'Restricted' accounts.

My problem is that RDP 'Remote Control' doesn't work on disconnected sessions; so my next idea was to allow them to have the RDP passwords but the 'Restricted' accounts can only connect from the local machine, forcing them to log in as themselves, and then jump over to the 'Restricted' account - but I'm not able to find a method of doing this.

Any alternative solutions or methods of applying my above approach are welcome.

Many Thanks,
Simon
 
You could set the "Restricted" accounts' access to log on locally but not via terminal services. This can be done by going to the machine and going into the Local Security Policy (Start > Control Panel > Administrative Tools > Local Security Policy), then go to Local Policies > User Rights Assignment. There is the "Deny log on through Remote Desktop Services" right; add the "Restricted" accounts to this.

Windows Haiku:

Serious error.
All shortcuts have disappeared.
Screen. Mind. Both are blank.
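
One way to check the result of the user-rights change described above, as an added example that is not part of the original posts: it exports the local user-rights assignments with `secedit` and lists who holds the RDP-related logon rights. The account names `svc_app1` and `svc_app2` are hypothetical stand-ins for the thread's 'Restricted' accounts.

```powershell
# Added example: audit which accounts hold the RDP-related logon rights.
# Run from an elevated prompt on the server itself.

# Hypothetical names standing in for the thread's 'Restricted' accounts.
$restricted = 'svc_app1', 'svc_app2'

$rights = @{
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
    'SeInteractiveLogonRight'           = 'Allow log on locally'
}

# Turn one secedit entry ('*S-1-5-32-544' or a plain name) into an account name.
function Resolve-Principal([string]$entry) {
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*S-1-')) { return $entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
    try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $sid.Value }    # SID with no matching account
}

# Export only the user-rights section of the local security policy.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$holders = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.+)$') {
        $name = $matches[1]; $value = $matches[2]
        if ($rights.ContainsKey($name)) {
            $holders[$name] = @($value.Split(',') | ForEach-Object { Resolve-Principal $_ })
        }
    }
}
Remove-Item $cfg

foreach ($name in $rights.Keys) {
    '{0}: {1}' -f $rights[$name], ($holders[$name] -join ', ')
}

# Report whether each restricted account is listed directly on the deny right.
# Only direct entries are checked; membership of a listed group is not expanded.
foreach ($acct in $restricted) {
    $denied = @($holders['SeDenyRemoteInteractiveLogonRight'] |
                Where-Object { $_ -like "*\$acct" -or $_ -eq $acct })
    if ($denied.Count -gt 0) { "$acct : RDP logon denied" } else { "$acct : not on the deny list" }
}
```

An account that appears on both the allow and the deny right is denied, so the deny list is the one to review when a remote logon is refused unexpectedly.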
 
Hi w33mhz,

Thanks for your reply, I've tried implementing this, and whilst it does prevent the 'Restricted' accounts from being accessed remotely direct - It also prevents users from connecting to these accounts using RDP from an RDP account that can login remotely. How would you suggest users connect to these 'Restricted' accounts to manage them, once they've been denied remote logon rights without access to the physical machine?

Thanks again,
 
Have you checked the remote control settings? Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration > in the middle there should be a connections list, and assuming defaults there should be an RDP-Tcp connection listed. Right-click > Properties > Remote Control tab > select "Use remote control with the following settings", uncheck "Require user's permission" and select "Interact with the session".

There is an alternative route with 3rd party software, but I don't know if that is a reasonable solution for you or not.

3rd party solution: install VNC Server on the machine, and create a VNC session on a unique port for each of the restricted users. Then the admin users install VNC on their client machines and set up a connection to the server with the appropriate port, i.e.
RestrictedUser1 vnc port 5901 >> vnc connection <remoteserver>:1
RestrictedUser1 vnc port 5902 >> vnc connection <remoteserver>:2
etc...
You can set up a password for the connection and play with the encryption as well; it's pretty easy if you need a bit stricter security.

Windows Haiku:

Serious error.
All shortcuts have disappeared.
Screen. Mind. Both are blank.
 