deny ts connection based on ip?


Guest robert.waters
Posted

I have been tasked with only allowing a certain user account to connect to the TS from the internal network (that person should not be allowed to log in from their home anymore). Is there any way to accomplish this, besides figuring out that person's home IP address and denying it at the firewall?

I am open to anything (shell/vb scripting, whatever).

Thanks!

Posted

Re: deny ts connection based on ip?

Try http://www.2x.com/securerdp/

MW

On Tue, 28 Aug 2007 23:21:26 +0200 robert.waters <robert.waters@gmail.com> wrote:

> I have been tasked with only allowing a certain user account to connect to the TS from the internal network (that person should not be allowed to log in from their home anymore). Is there any way to accomplish this, besides figuring out that person's home IP address and denying it at the firewall?
>
> I am open to anything (shell/vb scripting, whatever).
>
> Thanks!

--
MW

Guest Dragos CAMARA
Posted

RE: deny ts connection based on ip?

Stop the 3389 port on the firewall or create rules on the firewall. What firewall do you use?

--
Dragos CAMARA
MCSA Windows 2003 server

"robert.waters" wrote:

> I have been tasked with only allowing a certain user account to connect to the TS from the internal network (that person should not be allowed to log in from their home anymore). Is there any way to accomplish this, besides figuring out that person's home IP address and denying it at the firewall?
>
> I am open to anything (shell/vb scripting, whatever).
>
> Thanks!

Guest robert.waters
Posted

Re: deny ts connection based on ip?

On Aug 29, 4:22 am, Dragos CAMARA <drago...@remove-this.hotmail.com> wrote:

> stop the 3389 port on the firewall or create rules on firewall.
> what firewall do you use?
> --
> Dragos CAMARA
> MCSA Windows 2003 server
>
> "robert.waters" wrote:
>
> > I have been tasked with only allowing a certain user account to connect to the TS from the internal network (that person should not be allowed to log in from their home anymore). Is there any way to accomplish this, besides figuring out that person's home IP address and denying it at the firewall?
> >
> > I am open to anything (shell/vb scripting, whatever).
> >
> > Thanks!

I have a PIX 501, but there are many other employees that need to use the TS remotely. I have gone through the security event logs on the TS and found the remote IP she's been using to connect; is it possible for me to check the remote IP with a login script and automatically log her off if it matches the one I know? Would you know how to go about doing that? I don't want to ban her IP completely at the firewall, because that would cut her off from our intranet (which shares the IP with the rest of the WAN-facing stuff).
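An added example, not from anyone in this thread: the audit Robert describes above, done over the TS security log instead of in a logon script. It checks every successful Terminal Services logon for the restricted account against the office address ranges and reports the ones from outside. The log lines are constructed and only loosely modelled on the fields of Windows Server 2003 security event 528 (logon type 10 is a TS logon); the user name, address ranges and one-line layout are assumptions.

```python
import ipaddress
import re

# Constructed sample lines, loosely modelled on Windows Server 2003 security
# event 528 (successful logon). Logon type 10 is a Terminal Services logon.
# The user names, addresses and one-line layout are assumptions for this example.
SAMPLE_LOG = """\
528 user=jsmith domain=CORP type=10 src=10.1.4.22
528 user=jsmith domain=CORP type=10 src=203.0.113.45
528 user=bjones domain=CORP type=10 src=203.0.113.9
528 user=jsmith domain=CORP type=2 src=-
540 user=jsmith domain=CORP type=3 src=10.1.4.22
"""

# Networks from which the restricted account may use the TS (assumed office ranges).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
TS_LOGON_TYPE = "10"   # RemoteInteractive, i.e. a Terminal Services session

LINE_RE = re.compile(
    r"^(?P<event>\d+) user=(?P<user>\S+) domain=(?P<domain>\S+) "
    r"type=(?P<type>\d+) src=(?P<src>\S+)$")

def is_internal(addr: str) -> bool:
    """True if addr parses as an IP address inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # '-' or a missing field: never treat as internal
        return False
    return any(ip in net for net in INTERNAL_NETS)

def find_external_ts_logons(log_text: str, restricted_user: str) -> list:
    """Return (user, src) for each successful TS logon of restricted_user
    whose source address is not inside INTERNAL_NETS."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "528" or m["type"] != TS_LOGON_TYPE:
            continue            # not a successful Terminal Services logon
        if m["user"].lower() != restricted_user.lower():
            continue            # some other account; not in scope here
        if not is_internal(m["src"]):
            hits.append((m["user"], m["src"]))
    return hits

if __name__ == "__main__":
    for user, src in find_external_ts_logons(SAMPLE_LOG, "jsmith"):
        print(f"TS logon for {user} from non-internal address {src}")
```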

Guest robert.waters
Posted

Re: deny ts connection based on ip?

On Aug 29, 2:51 am, MW <w...@3net.cz> wrote:

> You try http://www.2x.com/securerdp/
>
> MW
>
> On Tue, 28 Aug 2007 23:21:26 +0200 robert.waters <robert.wat...@gmail.com> wrote:
>
> > I have been tasked with only allowing a certain user account to connect to the TS from the internal network (that person should not be allowed to log in from their home anymore). Is there any way to accomplish this, besides figuring out that person's home IP address and denying it at the firewall?
> >
> > I am open to anything (shell/vb scripting, whatever).
> >
> > Thanks!
>
> --
> MW

Thanks MW, I'll try it out. I have used their App Server in the past, great product but I am not sure I want it on my production server (it was kinda buggy/flaky). I'll definitely give it a run in my dev environment and see how it works.

Posted

Re: deny ts connection based on ip?

You can create a new RDP-Tcp listener on a different port, for example, name it RDP-Internet. Have your PIX forward all RDP traffic from the Internet to this port. Once this is set up you can grant permissions on the RDP-Internet listener as needed.

For example, you could remove the Remote Desktop Users group from the RDP-Internet listener and add a new group named "Remote Desktop Internet Users". That way only users that are a member of this group can connect to your TS via the Internet.

Users who are a member of the RDU group would still be able to connect to the TS while in the office.

See "How can I allow only a subset of my users to redirect their local printers and drives?" under the Client resources section of Vera's TS FAQ:

http://ts.veranoest.net

-TP

robert.waters wrote:

> I have been tasked with only allowing a certain user account to connect to the TS from the internal network (that person should not be allowed to log in from their home anymore). Is there any way to accomplish this, besides figuring out that person's home IP address and denying it at the firewall?
>
> I am open to anything (shell/vb scripting, whatever).
>
> Thanks!

Posted

Re: deny ts connection based on ip?

This will not help because securerdp does not block based upon the *real* ip address of the client. There is a reason why it is free.

-TP

MW wrote:

> You try http://www.2x.com/securerdp/
>
> MW

Posted

Re: deny ts connection based on ip?

You could program the firewall to block traffic that is destined for the RDP port that originates from her IP address. The trouble with this solution is that her address may change in the future, or she may connect from a different location/address.

For example, she may have a dynamic address, or switch ISPs, or perhaps purchase a mobile broadband card and connect from her laptop, etc.

-TP

robert.waters wrote:

> I have a PIX 501, but there are many other employees that need to use the TS remotely. I have gone through the security event logs on the TS and found the remote IP she's been using to connect; is it possible for me to check the remote IP with a login script and automatically log her off if it matches the one I know? Would you know how to go about doing that? I don't want to ban her IP completely at the firewall, b/c that would cut her off from our intranet (which shares the IP w/ the rest of the wan-facing stuff).

Guest Dragos CAMARA
Posted

Re: deny ts connection based on ip?

hi,
Most probably users are connecting remotely through a VPN connection, so on that VPN you can define groups of users and what IPs and ports are routed for those groups.

--
Dragos CAMARA
MCSA Windows 2003 server

"robert.waters" wrote:

> On Aug 29, 4:22 am, Dragos CAMARA <drago...@remove-this.hotmail.com> wrote:
>
> > stop the 3389 port on the firewall or create rules on firewall.
> > what firewall do you use?
> > --
> > Dragos CAMARA
> > MCSA Windows 2003 server
> >
> > "robert.waters" wrote:
> >
> > > I have been tasked with only allowing a certain user account to connect to the TS from the internal network (that person should not be allowed to log in from their home anymore). Is there any way to accomplish this, besides figuring out that person's home IP address and denying it at the firewall?
> > >
> > > I am open to anything (shell/vb scripting, whatever).
> > >
> > > Thanks!
>
> I have a PIX 501, but there are many other employees that need to use the TS remotely. I have gone through the security event logs on the TS and found the remote IP she's been using to connect; is it possible for me to check the remote IP with a login script and automatically log her off if it matches the one I know? Would you know how to go about doing that? I don't want to ban her IP completely at the firewall, b/c that would cut her off from our intranet (which shares the IP w/ the rest of the wan-facing stuff).

Guest robert.waters
Posted

Re: deny ts connection based on ip?

On Aug 29, 4:23 pm, "TP" <tperson.knowsp...@mailandnews.com> wrote:

> You can create a new RDP-Tcp listener on a different port, for example, name it RDP-Internet. Have your PIX forward all RDP traffic from the Internet to this port. Once this is set up you can grant permissions on the RDP-Internet listener as needed.
>
> For example, you could remove the Remote Desktop Users group from the RDP-Internet listener and add a new group named "Remote Desktop Internet Users". That way only users that are a member of this group can connect to your TS via the Internet.
>
> Users who are a member of the RDU group would still be able to connect to the TS while in the office.
>
> See "How can I allow only a subset of my users to redirect their local printers and drives?" under the Client resources section of Vera's TS FAQ:
>
> http://ts.veranoest.net
>
> -TP
>
> robert.waters wrote:
>
> > I have been tasked with only allowing a certain user account to connect to the TS from the internal network (that person should not be allowed to log in from their home anymore). Is there any way to accomplish this, besides figuring out that person's home IP address and denying it at the firewall?
> >
> > I am open to anything (shell/vb scripting, whatever).
> >
> > Thanks!

Wow. Heavy, man.

I will definitely check that out.

Thanks for your in-depth reply.
-Robert

Guest robert.waters
Posted

Re: deny ts connection based on ip?

On Aug 29, 4:30 pm, "TP" <tperson.knowsp...@mailandnews.com> wrote:

> You could program the firewall to block traffic that is destined for the RDP port that originates from her IP address. The trouble with this solution is that her address may change in the future, or she may connect from a different location/address.
>
> For example, she may have a dynamic address, or switch ISPs, or perhaps purchase a mobile broadband card and connect from her laptop, etc.
>
> -TP
>
> robert.waters wrote:
>
> > I have a PIX 501, but there are many other employees that need to use the TS remotely. I have gone through the security event logs on the TS and found the remote IP she's been using to connect; is it possible for me to check the remote IP with a login script and automatically log her off if it matches the one I know? Would you know how to go about doing that? I don't want to ban her IP completely at the firewall, b/c that would cut her off from our intranet (which shares the IP w/ the rest of the wan-facing stuff).

I've thought of that, but Cisco IOS is just ridiculously confusing to somebody who has zero time to sit down and learn it from the ground up.
static interface ip address netmask 1.2.3.4 nat(inside) whatnow??
I just barely have the thing working ;) learned just enough to get the outside ports to the inside ports, vice-versa, and keep the bad guys out.

(OT) I purchased a PIX book, 'security specialists guide to cisco pix firewalls'; to all you who got to this post from a 'cisco 501' query, I wouldn't recommend it if you're new to the PIX or cisco in general. In the beginning it looks like it's going to start explaining things on a newbie level, and all of a sudden you're NATing the hell out of everything, and subnetting and routing and basically learning, by example, very advanced topics. It goes from "This is cisco IOS. It's like a programming language, but for your firewall! OMG! Well, here's how you access the terminal. Good job, children! Now, let's break your corporate class-B network into 15 differently sized subnets, set up 47 crazy never-would-happen-in-the-real-world access lists, and configure per-user RADIUS attributes before breakfast!"

Sorry for the OT. I never got to rant about that damn book ;)
