1

Currently we have an SBS Server and a Terminal Server (both 2008R2) where users locally and remotely log in to the Terminal Server and work.

We need to restrict the ability to log in remotely to only a few users.

Is there a way to restrict this? We have previously seen (in another organization) "the requested session access is denied" when a user tries to log on remotely when they do not have access.

Does anyone know of the way to re-create this? A TS Gateway and changing the RDP ports unfortunately aren't an option in this instance.

Thanks,

3 Answers

2

Close the RDP ports on your firewall and have those few users that need it connect through a VPN.

With the number of bots hammering at RDP servers these days I get nervous exposing it to the internet in the first place. Even if all your users have great passwords attackers can still flood logs or trigger lockout policies. So this also removes some security concerns at the same time. Putting it behind a TS gateway or VPN helps.

Grant
  • Thanks for that, however sadly ts gateway and vpn aren't an option. As remote users use thin clients that do not have the capability. – user3045068 Dec 02 '14 at 01:28
  • @user3045068 in that case I would look at replacing them with thin clients that support modern security, or with cheap low-end desktops. Then use a TS gateway or VPN. The RDP client on my CELL PHONE supports TS gateways - there is no excuse for devices that don't. – Grant Dec 02 '14 at 01:32
  • We could, and it would probably be a good idea. But funding would not be possible, the directors want what we have seen at other companies. – user3045068 Dec 02 '14 at 02:04
  • @user3045068 Well, if you can't change how people connect, and can't spend any money, that really limits your options. The message you want is what you get if you aren't allowed to use the terminal server at all - it doesn't distinguish between LAN and WAN. – Grant Dec 02 '14 at 02:16
  • Somehow, in the other organisation we have seen, it differentiates between the LAN and WAN. That error message is received when logging in remotely, but locally you are fine. – user3045068 Dec 02 '14 at 02:29
  • @user3045068 Can you or your directors say for 100% that the "other org" **doesn't** have a RDS gateway or VPN? Does the other org have more money than you? If you can't rule those out, *ask for more money to implement the solution*. – Andrew Dec 02 '14 at 02:39
  • I can say myself 100% they don't have an RDS or VPN. I worked myself in the organisation for a period of time (kicking myself that I didn't find out how they did it while I was there) – user3045068 Dec 02 '14 at 02:41
  • @user3045068 If you have contacts there (and are on speaking terms) can you ask them what / how they are doing this? – Andrew Dec 02 '14 at 05:02
  • Or better, go ask them for a job since your place is too cheap. – Magellan Dec 02 '14 at 07:37
  • @Andrew onsite staff have no idea, and the IT company that took over have no idea how the previous company has set it up – user3045068 Dec 02 '14 at 23:41
0

Due to your budget, make a firewall rule on your router to allow only the 3389 traffic coming from the WAN IP of those workers. SOHO routers can't do that; you need a business entry router, and that means a static IP for them.

yagmoth555
  • Thanks for the reply! However in our situation it can't be done either, the remote workers are connecting via 3G that we cannot get a static service on. (Good idea though!) – user3045068 Dec 02 '14 at 04:34
  • @user3045068 you should be able to restrict it to a subnet rather than a specific IP. Not great, but better than leaving it open to the whole world. – HopelessN00b Dec 02 '14 at 04:40
0

Creative solution time: have users log in to a webpage that adds the IP of their device to the list of firewall exceptions temporarily before using RDP. Any users that don't first log in to this won't be able to access RDP from the outside. Maybe even include a pick-your-own-TTL option for users that know how long they'll need the connection. You can include logging to be able to include a method for removing all the exceptions created by X, in case that's ever needed.

You can even require client certificates for authentication to the server, and distribute keys to each user to add to their devices, for added security.

austinian
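As an added illustration of the temporary-exception design in this answer (example code, not the answer author's own), here is a small Python model of that allowlist: each web login records the client IP with a capped TTL, a scheduled sweep removes expired entries, and all exceptions created by one user can be revoked. It only builds the `netsh advfirewall` commands a 2008 R2 host would need (that syntax is real; the `MAX_TTL` cap, rule-name prefix and sample addresses are constructed assumptions) and leaves running them to the caller.

```python
import ipaddress
import logging
import time

MAX_TTL = 8 * 3600          # assumption: cap any user-chosen TTL at one working day
RULE_PREFIX = "RDP-temp"    # constructed prefix so sweeps only ever touch our own rules

log = logging.getLogger("rdp-allowlist")


class RdpAllowlist:
    """In-memory allowlist: ip -> (user, expiry). netsh commands are returned, not run."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.entries = {}

    def rule_name(self, ip):
        return f"{RULE_PREFIX} {ip}"

    def grant(self, user, ip, ttl=3600):
        """Called after a successful web login: allow TCP/3389 from ip for a bounded TTL."""
        ip = str(ipaddress.ip_address(ip))      # reject garbage before it reaches netsh
        ttl = min(max(int(ttl), 60), MAX_TTL)   # never shorter than a minute, never past cap
        self.entries[ip] = (user, self.clock() + ttl)
        log.info("grant user=%s ip=%s ttl=%s", user, ip, ttl)
        return (f'netsh advfirewall firewall add rule name="{self.rule_name(ip)}" '
                f"dir=in action=allow protocol=TCP localport=3389 remoteip={ip}")

    def _revoke(self, ip):
        user, _ = self.entries.pop(ip)
        log.info("revoke user=%s ip=%s", user, ip)
        return f'netsh advfirewall firewall delete rule name="{self.rule_name(ip)}"'

    def sweep(self):
        """Run from a scheduled task: drop every exception whose TTL has elapsed."""
        now = self.clock()
        expired = [ip for ip, (_, exp) in self.entries.items() if exp <= now]
        return [self._revoke(ip) for ip in expired]

    def revoke_user(self, user):
        """Remove every exception created by one user (the 'created by X' case above)."""
        ips = [ip for ip, (u, _) in self.entries.items() if u == user]
        return [self._revoke(ip) for ip in ips]
```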