3

I am currently locking down a company's remote desktop access via a VPN. What I need to do is disable remote printing, file transfer and clipboard via Active Directory for the workstations that will be accessed. I am having trouble figuring out which GPOs are used to restrict this.

My basic approach is to restrict VPN users to port 3389 so they will be able to access their work computers remotely but nothing else (I will look into layer 7 scanning later). With this I want to ensure they are unable to transfer any data via files, printing or the clipboard.

The environment is Windows Server 2003.

Brettski
  • Do you want to use VPN or RDP? What is the goal here? VPN is not port 3389; that is the default RDP port, which should be changed to a non-standard port for security. VPN uses 1723; I do not believe you can or want to change that. – Campo Jun 02 '10 at 19:09
  • The goal here is to grant access for remote users to RDP into their workstations. RDP is not exposed to the outside, so a restricted VPN tunnel will be used to allow the RDP traffic to users' workstations. – Brettski Jun 02 '10 at 19:40
  • Gotcha, makes sense. +1 – Campo Jun 02 '10 at 19:42

3 Answers

4

So if I understand your requirements, you have the VPN set up so that when users connect, they are behind a firewall that restricts all traffic except for 3389, which is used for MS RDP to their desktops to do their work. You also want to restrict users from printing from their work PCs to any external printers, prevent them from cutting and pasting via the RDP session clipboard, and prevent them from transferring files off their PCs.

I think you need to look at this from a network perspective as well as policy settings.

You can create a policy and prevent LPT port redirection under the GPO computer setting "Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do Not Allow LPT Port Redirection". You can also configure the clipboard in the same location.

As far as transferring files from that PC to somewhere else, you will have to restrict protocols at the network layer to prevent SMB, HTTP, HTTPS, FTP, etc. from your internal network to anywhere external. If that is already in place, then nothing related to RDP should change that. AFAIK, cutting and pasting of files via RDP is not supported.

Remember, if you allow them to access email from their desktop, they can always email files and such out unless you block it on the email server.

BoxerBucks
  • There's also a setting in the same GPO location for not allowing users to map their local drives to remote computers; but as boxerbucks said, there are many ways to transfer files. – Chris S Jun 02 '10 at 19:31
  • For file transfer I was talking about the built-in ability of Terminal Services (Remote Desktop) to redirect the client's drives to the host computer (the at-work computer). From what I have found, this is also in the same GPO location you specified, but the problem I am having is that these objects are not listed under templates, and I don't know how to add them. What TechNet indicates is: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection. The Client/Server data redirection is not there; can it be added and work? – Brettski Jun 02 '10 at 19:33
  • @Chris S - Yep, good call on that. You need to block SMB anyway though to prevent them from \\computername\c$ and copying that way too. – BoxerBucks Jun 02 '10 at 19:33
  • Yes, I understand about the other ways to transfer files, I am focusing on Terminal Services (Remote Desktop) at the moment. Thank you much for the input. – Brettski Jun 02 '10 at 19:35
  • @Brettski - I was looking at the Windows 2003/Windows XP ADM templates. If you don't have them, you can download them from http://www.microsoft.com/downloads/details.aspx?FamilyID=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en and select the ones that you want. You add them in by right-clicking on Administrative Templates, then selecting Add/Remove Templates and browsing to the .adm files. I think by default they are in Windows\Inf. – BoxerBucks Jun 02 '10 at 19:39
  • @boxerbucks Thanks for the link to the ADM templates. I grabbed the one for Windows 2003 SP1 and it contained the entries for Terminal Services. I still have not tested it out. – Brettski Jun 02 '10 at 19:53
  • Actually the object was already there; I was looking under User Configuration templates, not Computer Configuration templates. Doh! – Brettski Jun 02 '10 at 20:25
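Added example, not code from the answer or the thread above: once the Computer Configuration redirection policies are applied to a workstation, the GPO writes its values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, while the local "RDP-Tcp Properties / Client Settings" choices live under the RDP-Tcp WinStation key. This PowerShell 2.0 script, run on the workstation itself, reads both and reports which redirections (drives, clipboard, printers, LPT, COM) are still allowed, so you can verify the policy landed rather than trusting the GPMC view. The value names are the standard Terminal Services policy values; the `Get-RdpRedirectionState` function name is this example's own.

```powershell
# Added example (not from the original answer): audit RDP device-redirection
# restrictions on a Windows workstation after a GPO has applied.
# Run locally on the workstation (PowerShell 2.0 or later).

$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$winstationKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Standard policy value names. A value of 1 disables that redirection.
$redirections = @(
    @{ Name = 'fDisableCdm';  Label = 'Drive redirection (client drives visible on work PC)' },
    @{ Name = 'fDisableClip'; Label = 'Clipboard redirection' },
    @{ Name = 'fDisableCpm';  Label = 'Printer redirection' },
    @{ Name = 'fDisableLPT';  Label = 'LPT port redirection' },
    @{ Name = 'fDisableCcm';  Label = 'COM port redirection' }
)

function Get-RdpRedirectionState {
    # Hypothetical helper name, defined here for this example.
    foreach ($r in $redirections) {
        $name = $r.Name
        # Missing values come back as $null; a missing policy value means
        # the GPO setting is "Not Configured" (or the policy has not applied).
        $policy = (Get-ItemProperty -Path $policyKey     -Name $name -ErrorAction SilentlyContinue).$name
        $local  = (Get-ItemProperty -Path $winstationKey -Name $name -ErrorAction SilentlyContinue).$name

        # Policy wins over the local WinStation setting when it is present.
        if ($policy -ne $null) { $effective = $policy } else { $effective = $local }

        New-Object PSObject -Property @{
            Redirection = $r.Label
            PolicyValue = $policy
            LocalValue  = $local
            Blocked     = ($effective -eq 1)
        }
    }
}

Get-RdpRedirectionState |
    Select-Object Redirection, PolicyValue, LocalValue, Blocked |
    Format-Table -AutoSize

# Anything still open is a gap: either the GPO has not applied yet
# (gpupdate /force, then gpresult /r) or the setting is Not Configured.
$open = Get-RdpRedirectionState | Where-Object { -not $_.Blocked }
if ($open) {
    $labels = $open | ForEach-Object { $_.Redirection }
    Write-Warning ('Still allowed: ' + ($labels -join ', '))
}
```

A row with PolicyValue empty but LocalValue 1 means the restriction only exists because someone set it in tscc.msc on that machine; it will not be enforced on other workstations or survive a rebuild, which is the reason to drive it from the GPO in the first place.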
1

Have you considered adding a 2008 server and setting up the Remote Desktop Gateway? In the Remote Desktop Gateway policy you can disable device redirection.

With a Remote Desktop Gateway the users will not need a VPN client, and you won't have to do anything to the workstations.

Zoredache
  • That is a very good suggestion, though, as usual, there is no budget for added equipment at this time. I will certainly look into the solution. I am curious about its security controls. – Brettski Jun 02 '10 at 20:11
  • Yes, W2K8+'s RDP solution is quite good and very easy to configure. – tony roth Jun 02 '10 at 20:26
0

The VPN should be established prior to connecting to RDP, so RDP should not be exposed to the internet and you don't have to worry about RDP's port usage.

As far as GPO settings, look within GPMC:

Computer Configuration/Administrative Templates/Windows Components/Terminal Services etc...

tony roth