0
Ok, Why ?
There is some users on the local network that are accessing an remote desktop servers
But some of these user also required an way to connect to the remote desktop but from internet. That alternate port is forwarded to the internet
The way I added the second listening port is this way http://jvhconsulting.wordpress.com/2010/11/16/adding-or-changing-remote-desktop-listening-port/
Is there a way to let Only certain user access the alternate port using the original windows "Remote Desktop Connection"
Perhaps there is a way to select witch user have the right to connect to port 3389 and witch user can connect to port 3399 Perhaps something like local serurity policy have a setting some where.
Thanks for any help :)
Nicolas Racine
Posted 2014-07-25T18:29:53.430
Reputation: 223
ok, I'm not sure what you mean by port, but Transport layer ports (TCP/UDP) cannot be restricted to "users" only to packet characteristics occurring at the transport layer or lower. if you want to filter access by criteria on a higher level, you will have to leave authentication and authorization up to the application itself, in this case RDP. – Frank Thomas – 2014-07-25T18:32:32.950
Yes, this is what i mean. Is there a way rdp can let only certain users to connect to it alternate port that it listening. – Nicolas Racine – 2014-07-25T18:34:20.470
no, because ports don't know what user is trying to connect, and RDP doesn't care what port you're coming in on. You could probably setup IP restrictions for the port in your firewall(s), so only certain IPs are able to access the port, but that means any user from that IP can get in, and if an allowed user moves someplace else (or their IP changes), they won't be allowed in. – Ƭᴇcʜιᴇ007 – 2014-07-25T18:49:16.900
2
unfortunately, you probably can't run two instances of the RDP service, with separate configuration. and you can't firewall based on user. the best bet would be to allow your approved remote users to VPN into your network, and control it there, but that involves some infrastructure. perhaps you can implement some form of Port Knocking: https://en.wikipedia.org/wiki/Port_knocking
– Frank Thomas – 2014-07-25T18:49:51.290@FrankThomas I am currently thinking of an other way, That might work actualy.. I am currently playing around with localgroup polcy editor and saw that when a user is loggin in. we can lauch script. That made me think.. What do you guys think of lauching a script in the script to check if user is an user that is alowed and if not kick log him off Whould that be secure enough ? – Nicolas Racine – 2014-07-25T18:52:44.090
@FrankThomas And thanks for the idea of port knocking never hear of that before. But the thing is on the client side it would be very nice that it stay the same login steps. – Nicolas Racine – 2014-07-25T18:54:59.233
if you are just worried about keeping a few employees from getting caught up on work from outside the office, then your script will probably be sufficient, but I don't believe it would not stop an actual attacker for long. – Frank Thomas – 2014-07-25T18:57:12.353
@FrankThomas "you can't firewall based on user", windows supports firewalling based on user, however it only works on "secure" connections that contain user data for the channel.
– Scott Chamberlain – 2014-07-25T19:40:52.230@ScottChamberlain, ok, thats interesting. I would not characterize it as network firewalling since it happens are layer 7, and is not identified by any characteristic of the network traffic, but it is neat to have those kinds of access controls. – Frank Thomas – 2014-07-25T19:59:51.843