
Terminal Services Setup/Flaw



Guest RemyMaza
Posted

I'm a new hire to a company and I've never used TS before. I was given my
domain admin privileges and went to work last week. I was probing and
testing the network for any flaws and I found a big one I'd like to fix. I
am able to .rdp into the terminal server and from there I'm able to use .rdp
into any other server in the network. The problem lies not with my login but
with a normal user's login, I'm able to do this. What can I do to prevent
normal users from logging into any machine they want?

Server '03 SP2

Best Regards,
Matt

Posted

Re: Terminal Services Setup/Flaw

 

RemyMaza wrote:
> I'm a new hire to a company and I've never used TS before. I was given my
> domain admin privileges and went to work last week. I was probing and
> testing the network for any flaws and I found a big one I'd like to fix. I
> am able to .rdp into the terminal server and from there I'm able to use .rdp
> into any other server in the network. The problem lies not with my login but
> with a normal user's login, I'm able to do this. What can I do to prevent
> normal users from logging into any machine they want?
>
> Server '03 SP2

What is a "normal" user?

Do you mean any user in the "Users" or "Authenticated Users" group?

I would start there.

I would check to see if there are any group policies set up to allow
this type of access.

If a "normal" user can RDP into a DC, that is a big issue.

If your own login can RDP to any server, that seems OK since
you are the Domain Admin. If that fits your company's security
policies.

moncho

Guest RemyMaza
Posted

Re: Terminal Services Setup/Flaw

 

Yes, it's any authenticated user which would lead me to believe it's allowed
through a group policy. What would I modify in that group policy to inhibit
this type of login?

Many Thanks,
Matt

 


Posted

Re: Terminal Services Setup/Flaw

 

RemyMaza wrote:
> Yes, it's any authenticated user which would lead me to believe it's allowed
> through a group policy. What would I modify in that group policy to inhibit
> this type of login?

In order to RDP into any server, the user or group must be in either
the local server Remote Desktop Users Group or System-> Remote-> Allowed
Users, depending upon whether the server is in Application or
Administration mode.

Remove Authenticated Users from those groups on the local servers that
you DO NOT want users to RDP into.

moncho


Guest RemyMaza
Posted

Re: Terminal Services Setup/Flaw

 

I've checked the settings for remote logins on the servers and only Domain
Admins are configured to log in. I did check in Active Directory and every
user is in the Remote Authenticated user's group but this is what is needed
for them to hit my IP from their home. What do you think is allowing the
connection with .rdp to another server?

Regards,
Matt

 


Posted

Re: Terminal Services Setup/Flaw

 

RemyMaza wrote:
> I've checked the settings for remote logins on the servers and only Domain
> Admins are configured to log in. I did check in Active Directory and every
> user is in the Remote Authenticated user's group but this is what is needed
> for them to hit my IP from their home. What do you think is allowing the
> connection with .rdp to another server?

You need to get SPECIFIC in your description.

What do you mean by "Remote Authenticated User's?" There is no built-in
default group called "Remote Authenticated User's" in Windows.

The default groups I know of (regarding this topic) are "Remote Desktop
Users," "Users" and "Authenticated Users."

If the "Remote Authenticated Users" group exists, this was created by
an admin and may be causing you issues.

I just want to make sure we are talking about the same group names so we
do not get off track or we/others assume different meanings.

To help you, create a generic user in A/D that does not belong to
ANY group other than "Users." Then try to RDP into different servers as
this generic user. What are the results?

If no, great. What differentiates a "normal user" from this new generic
user?

If so, check the local RDU group on the local server one more time and
see who is a member of that group.

moncho


Guest RemyMaza
Posted

Re: Terminal Services Setup/Flaw

 

Here's what I came up with; I created a test user in the User folder. I
believe this is a default folder in AD. This user isn't part of any other
group except for the default: Domain User. I was able to log in to the
Terminal Server with this user and then .rdp into another server on the
network using the same credentials. I checked to see who is allowed to .rdp
into these servers and only admins are.

I looked in AD to see how the users are being grouped. I found the Remote
Desktop Users group but that's not being used. The one that is being used is
in the Users folder: RemoteUsersGroup. I would imagine this has been
created. However I was still able to log in with my Test user and everyone
else in AD was created in a different OU: i.e. %companyname%User. This leads
me to believe the problem lies in the TSCC.msc or a Group Policy that affects
Domain User. I'm not sure if this is right, since I'm not very savvy with
TS. I really appreciate your help and if you need more info, I'll get
whatever you need!

Many Thanks,
Matt

 


Posted

Re: Terminal Services Setup/Flaw

 

RemyMaza wrote:
> Here's what I came up with; I created a test user in the User folder. I
> believe this is a default folder in AD. This user isn't part of any other
> group except for the default: Domain User. I was able to log in to the
> Terminal Server with this user and then .rdp into another server on the
> network using the same credentials. I checked to see who is allowed to .rdp
> into these servers and only admins are.
>
> I looked in AD to see how the users are being grouped. I found the Remote
> Desktop Users group but that's not being used. The one that is being used is
> in the Users folder: RemoteUsersGroup. I would imagine this has been
> created. However I was still able to log in with my Test user and everyone
> else in AD was created in a different OU: i.e. %companyname%User. This leads
> me to believe the problem lies in the TSCC.msc or a Group Policy that affects
> Domain User. I'm not sure if this is right, since I'm not very savvy with
> TS. I really appreciate your help and if you need more info, I'll get
> whatever you need!

RemoteUsersGroup was created and may be being used to create your issue.

With the user not being part of the RemoteUsersGroup, and neither
the RemoteUsersGroup nor the Users group being in any of the local
"Remote Desktop Users" groups, I am at a loss as to how they
are able to get RDP access.

Maybe someone out there can help point out what I am missing.

moncho


Guest RemyMaza
Posted

Re: Terminal Services Setup/Flaw

 

Just to follow up with you, what I found was in gpedit.msc, you can deny
logins through TS. I did that for all groups except for the admins that need
it. This still allows everyone to hit the TS Server but denies the login to
other servers. I have to configure this for each one though, so a lil
tedious, but it's stopping the flaw! Thank you so much for your input. You
really helped me out a lot and I appreciate your feedback!

Best Regards,
Matt

 


Posted

Re: Terminal Services Setup/Flaw

 

RemyMaza wrote:
> Just to follow up with you, what I found was in gpedit.msc, you can deny
> logins through TS. I did that for all groups except for the admins that need
> it. This still allows everyone to hit the TS Server but denies the login to
> other servers. I have to configure this for each one though, so a lil
> tedious, but it's stopping the flaw! Thank you so much for your input. You
> really helped me out a lot and I appreciate your feedback!

You're welcome.

It's a workaround but it stinks to have to do that. I bet it is one of
those things that if someone else takes a look at it, it would pop
right out.

Until the root issue is discovered, remember to set that for all new
users too.

moncho
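
An added example, not part of the thread or the posters' own work: a way to check the per-server workaround across many machines, assuming the gpedit.msc setting is the "Deny log on through Terminal Services" user right and that each server's rights were exported with `secedit /export /cfg <file> /areas USER_RIGHTS`. The server names, domain SID, accounts and export contents are constructed.

```python
"""Added example: who can log on through Terminal Services, per server."""

ALLOW = "SeRemoteInteractiveLogonRight"     # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"  # Deny log on through Terminal Services

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
COMMON = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}  # Everyone, Authenticated Users, BUILTIN\Users

# Constructed logon tokens: the SIDs each account carries on a member server.
TOKENS = {
    "testuser": COMMON | {DOMAIN + "-513"},               # Domain Users only
    "admin": COMMON | {DOMAIN + "-513", DOMAIN + "-512",  # Domain Users, Domain Admins
                       "S-1-5-32-544"},                   # BUILTIN\Administrators
}

# Constructed exports, one per server (hypothetical names APP1, APP2, DC1).
# Real secedit exports are UTF-16 files: read them with encoding="utf-16".
_ALLOW_DEFAULT = ALLOW + " = *S-1-5-32-544,*S-1-5-32-555"  # Administrators, Remote Desktop Users
EXPORTS = {
    # Authenticated Users added to the allow right: every domain account gets in.
    "APP1": "[Privilege Rights]\n" + _ALLOW_DEFAULT + ",*S-1-5-11\n",
    # Same allow list, but Domain Users is denied. Deny wins over allow.
    "APP2": "[Privilege Rights]\n" + _ALLOW_DEFAULT + ",*S-1-5-11\n"
            + DENY + " = *" + DOMAIN + "-513\n",
    # Only Administrators may log on; no deny entry needed.
    "DC1": "[Unicode]\nUnicode=yes\n[Privilege Rights]\n" + ALLOW + " = *S-1-5-32-544\n",
}


def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written as *S-1-...; entries without '*' are account names
        # and would have to be resolved to SIDs before comparison.
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def can_rdp(rights, token):
    """Evaluate the two user rights for one token: any deny match beats any allow match."""
    denied_by = sorted(token & set(rights.get(DENY, [])))
    if denied_by:
        return False, "denied by " + ", ".join(denied_by)
    allowed_by = sorted(token & set(rights.get(ALLOW, [])))
    if allowed_by:
        return True, "allowed by " + ", ".join(allowed_by)
    return False, "no allow entry matches"


def audit(exports=EXPORTS, tokens=TOKENS):
    """Return {server: {account: (can_log_on, reason)}}."""
    report = {}
    for server in sorted(exports):
        rights = parse_privilege_rights(exports[server])
        report[server] = {acct: can_rdp(rights, tok) for acct, tok in tokens.items()}
    return report


def findings(report):
    """Flag servers an ordinary user can reach, and deny entries that also hit admins."""
    out = []
    for server, result in report.items():
        if result["testuser"][0]:
            out.append((server, "ordinary user can log on through Terminal Services"))
        ok, reason = result["admin"]
        if not ok and reason.startswith("denied"):
            out.append((server, "deny entry also locks out admins"))
    return out


if __name__ == "__main__":
    rep = audit()
    for server, result in rep.items():
        for acct, (ok, reason) in result.items():
            print(server, acct, "ALLOW" if ok else "BLOCK", reason)
    for server, msg in findings(rep):
        print("FINDING", server, msg)
```

The APP2 case shows why the deny right has to name groups that contain no administrators: a deny entry for a group the admins also belong to blocks them as well. A token only includes the local Remote Desktop Users SID (S-1-5-32-555) if the account is a member of that group on that server, so the group's membership still has to be checked separately.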
