1

So you're on a domain.

I know that Remote Desktop needs an authorized user's credentials (e.g., admin) to log in to a remote computer. But can you also place a condition that you need to be using a certain computer(s) in the domain to log into it? That way you wouldn't be able to use Remote Desktop with just the admin username and password; you'd also need access to the admin's computer.

Newlo Newly

2 Answers

1

This can be done using Windows Firewall:

  • Open Windows Firewall with Advanced Security
  • Click on Inbound Rules
  • Locate the RDP Rule
  • Right click the rule, go to Properties, switch to the Scope tab.
  • Add your IP addresses or IP address ranges
davekats
  • I was thinking more along the lines of selecting the domain computer names. – Newlo Newly Aug 18 '17 at 15:51
  • I don't believe that is possible using Windows native tools, but if you want something more sticky than IP addresses you can also restrict by user groups or accounts. – davekats Aug 18 '17 at 16:08
0

What I recommend here is to use a VPN service or otherwise assign a fixed IP# to the admin computer on the network. If you are using DHCP in your network, you would need to allocate an IP from outside the regular IP# pool and assign it to the computer. Likewise, an account with a VPN provider like Strong VPN would give you a fixed IP.

Then restrict access by firewall to the IP# that belongs to the admin(s) computer.

This would require the login to come from only one IP#; even if you had the account/password, you would not get access to the service.

This has the effect of adding a 2nd factor for login: the IP#. It is quite secure for this reason.

I personally use the VPN provider approach. My admin team all have static IP#s. All admin services on the network like RDP/SSH/CI-CD servers are secured against a tight list of known IPs.

Rodrigo Murillo
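The Scope-tab steps in the first answer and the fixed-IP allow list in the second can both be applied from an elevated PowerShell session. This is an added example, not code from either answer; the addresses are constructed samples, and the `Remote Desktop` display group name assumes an English-language Windows installation.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the answers above. Addresses are constructed samples
# (documentation ranges); replace them with your admin workstations' fixed IPs.
$AllowedAdminAddresses = @('192.0.2.10', '192.0.2.11', '198.51.100.0/28')

# Validate every entry before touching the firewall, so a typo or a keyword
# such as "Any" cannot silently widen the scope.
foreach ($entry in $AllowedAdminAddresses) {
    $addr, $prefix = $entry -split '/', 2
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$parsed)) {
        throw "Not an IP address: $entry"
    }
    # TryParse accepts IPv4 shorthand such as '10.1'; require the full dotted form.
    if ($parsed.AddressFamily -eq 'InterNetwork' -and $parsed.ToString() -ne $addr) {
        throw "Ambiguous IPv4 address: $entry"
    }
    if ($null -ne $prefix) {
        $max = if ($parsed.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
        if ($prefix -notmatch '^\d+$' -or [int]$prefix -gt $max) {
            throw "Bad prefix length: $entry"
        }
    }
}

# The built-in RDP rules live in the "Remote Desktop" display group.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if (-not $rules) { throw 'No inbound Remote Desktop allow rules found.' }

# Equivalent of Properties > Scope > Remote IP address > "These IP addresses".
$rules | Set-NetFirewallRule -RemoteAddress $AllowedAdminAddresses

# Read the scope back from each rule and fail if any still accepts every source.
foreach ($rule in $rules) {
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($scope -contains 'Any') {
        throw "Rule '$($rule.DisplayName)' still accepts any source."
    }
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        RemoteAddress = $scope -join ', '
    }
}
```

Custom allow rules for TCP 3389 that sit outside the built-in group are not touched by this script and need the same scope applied separately.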