Re: how to restrict remote desktop control applications
From: suat bilben (sbilben_at_havelsan.com.tr)
Date: 10/06/03
- Previous message: Steve Cohen: "Applying Security Policy on boot"
- In reply to: Steven L Umbach: "Re: how to restrict remote desktop control applications"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 6 Oct 2003 00:52:08 -0700
Steve thanks a lot. It was a great help and exactly what I
was looking for. But unfortunately my foresight has been
wrong. I thought almost all of these remote view \ admin
applications were using RDP as an integral protocol stack
including ITU T.120 series. But they are running on
different services & ports (dynamic ports which means
these ports can be changed).
So it seems the problem is getting complicated. I will think
about restricting access to computers from the network.
Thanks,
Best regards,
Suat Bilben
>-----Original Message-----
>OK. Reason I asked was that I was wondering if they were using built in Windows
>Remote Desktop or a third party application. Sounds like it is a third party
>application. You should be able to use ipsec filtering to control access at the
>machine level. For instance Terminal Service/Remote Desktop uses tcp port 3389 on the
>target computer. You could create ipsec filtering policies that would restrict access
>to the port used for your remote access application only from authorized ip addresses
>or block certain address ranges. Ipsec policies can be administered via group policy
>and local administrators could not override them. If you are having an abuse of
>privileges issue, you may also want to enable auditing of logon events on domain
>computers which should show when these "administrators" are accessing other
>computers. I don't know if it would interfere with their administrative functions, but
>domain computers can also be configured via security policy/local policies/user
>rights assignments for allow and deny access to this computer from the network. ---
>Steve
>
>
>
>"sb" <sbilben@havelsan.com.tr> wrote in message
>news:1f5601c3882b$6453ca50$a301280a@phx.gbl...
>> all clients are w2k prof. and they are in the same domain
>> >-----Original Message-----
>> >Are they using Windows XP and are all the computers in a domain? -- Steve
>> >
>> >"suat bilben" <sbilben@havelsan.com.tr> wrote in message
>> >news:1942401c38727$b56e60d0$a601280a@phx.gbl...
>> >> no there is no internet connection. these local admins are
>> >> at their LAN and I want to restrict their remote
>> >> access/view capability in their area. suat bilben
>> >> >-----Original Message-----
>> >> >If they are connecting from the internet, then you need to block their access at the
>> >> >firewall controlling which ip address can or can not access the port that application
>> >> >uses. --- Steve
>> >> >
>> >> >"sb" <sbilben@havelsan.com.tr> wrote in message
>> >> >news:1b8301c38678$c87da1e0$a101280a@phx.gbl...
>> >> >>
>> >> >> we have a multi-sited complicated system standing on a
>> >> >> w2k active directory. in every site there are groups of
>> >> >> admins managing desktops. they are in local admin groups
>> >> >> of PCs in their sites.
>> >> >> because these local admins have administrative privileges
>> >> >> they can connect and remotely view what is going on the
>> >> >> screen using "remote desktop control applications".
>> >> >> i need to know how to centrally restrict the use of remote
>> >> >> desktop control applications.
>> >> >>
>> >> >> best regards
>> >> >> thanks in adv.
>> >> >> .
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>
>.
>
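The IPsec filtering Steve describes in the quoted reply, as an added example that is not part of the original thread: block the remote-access port for everyone, then permit it from one authorized address. It assumes ipsecpol.exe from the Windows 2000 Resource Kit is available on the workstation; TCP 3389 is the port named in the thread, and 192.0.2.10 is a constructed placeholder for the authorized admin machine.

```bat
@echo off
rem Added example, not from the thread. Assumes ipsecpol.exe (Windows 2000
rem Resource Kit) is on the PATH. Run as a local administrator on the workstation.

rem Policy name is hypothetical; PORT comes from the thread; ADMIN_IP is a
rem constructed placeholder for the one address allowed to connect.
set POLICY=Restrict remote control port
set PORT=3389
set ADMIN_IP=192.0.2.10

rem Filter syntax is source=destination:port:protocol.
rem   *  = any address      0 = this computer
rem   =  = one-way filter (inbound only here)

rem Rule 1: drop inbound TCP %PORT% from any address.
rem -w REG stores the policy in the local registry (static policy).
ipsecpol -w REG -p "%POLICY%" -r "Block inbound %PORT%" -f *=0:%PORT%:TCP -n BLOCK

rem Rule 2: permit the same port from the authorized address only.
rem IPsec evaluates the most specific filter first, so this single-host
rem filter wins over the any-address block in Rule 1.
rem -x assigns (activates) the policy once both rules are in place.
ipsecpol -w REG -p "%POLICY%" -r "Permit admin %PORT%" -f %ADMIN_IP%=0:%PORT%:TCP -n PASS -x

echo Policy "%POLICY%" assigned: TCP %PORT% reachable only from %ADMIN_IP%.
```

This writes a local policy on one machine; for the behaviour Steve mentions, where local administrators cannot override the setting, the equivalent rules would be defined in a domain Group Policy object. A filter like this only helps when the remote control application listens on a known, fixed port.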