deny ts connection based on ip?

robert.waters
I have been tasked with only allowing a certain user account to
connect to the TS from the internal network (that person should not be
allowed to log in from their home anymore). Is there any way to
accomplish this, besides figuring out that person's home IP address
and denying it at the firewall?

I am open to anything (shell/vb scripting, whatever).

Thanks!
 
Re: deny ts connection based on ip?

You could try http://www.2x.com/securerdp/

MW

On Tue, 28 Aug 2007 23:21:26 +0200 robert.waters
<robert.waters@gmail.com> wrote:

> I have been tasked with only allowing a certain user account to
> connect to the TS from the internal network (that person should not be
> allowed to log in from their home anymore). Is there any way to
> accomplish this, besides figuring out that person's home IP address
> and denying it at the firewall?
>
> I am open to anything (shell/vb scripting, whatever).
>
> Thanks!
>

--
MW
 
RE: deny ts connection based on ip?

Stop the 3389 port on the firewall, or create rules on the firewall.
What firewall do you use?
--
Dragos CAMARA
MCSA Windows 2003 server


"robert.waters" wrote:

> I have been tasked with only allowing a certain user account to
> connect to the TS from the internal network (that person should not be
> allowed to log in from their home anymore). Is there any way to
> accomplish this, besides figuring out that person's home IP address
> and denying it at the firewall?
>
> I am open to anything (shell/vb scripting, whatever).
>
> Thanks!
>
>
 
Re: deny ts connection based on ip?

On Aug 29, 4:22 am, Dragos CAMARA <drago...@remove-this.hotmail.com>
wrote:
> stop the 3389 port on the firewall or create rules on firewall.
> what firewall do you use?
> --
> Dragos CAMARA
> MCSA Windows 2003 server
>
> "robert.waters" wrote:
> > I have been tasked with only allowing a certain user account to
> > connect to the TS from the internal network (that person should not be
> > allowed to log in from their home anymore). Is there any way to
> > accomplish this, besides figuring out that person's home IP address
> > and denying it at the firewall?
> >
> > I am open to anything (shell/vb scripting, whatever).
> >
> > Thanks!

I have a PIX 501, but there are many other employees that need to use
the TS remotely. I have gone through the security event logs on the
TS and found the remote IP she's been using to connect; is it possible
for me to check the remote IP with a login script and automatically
log her off if it matches the one I know? Would you know how to go
about doing that? I don't want to ban her IP completely at the
firewall, because that would cut her off from our intranet (which shares
the IP with the rest of the WAN-facing stuff).
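As an added example (not from the thread), here is a Python check over a constructed sample of the kind of security-log export the post above describes: it flags logon and reconnect events for one account whose client address lies outside the assumed internal ranges. The account names, addresses and ranges are made up; the script only surfaces the events, it does not log anyone off.

```python
import ipaddress

# Assumed internal ranges; replace with your own LAN/VPN address blocks.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Windows 2003 security event ids: 528 = successful logon,
# 682 = session reconnected to winstation.
LOGON_EVENTS = {"528", "682"}

# Constructed sample export (not real thread data), one event per line:
# timestamp <TAB> event id <TAB> account <TAB> client address
SAMPLE_LOG = """\
2007-08-28 09:12:01\t528\tCORP\\jsmith\t192.168.1.45
2007-08-28 19:03:17\t528\tCORP\\jsmith\t203.0.113.77
2007-08-28 19:05:02\t682\tCORP\\jsmith\t203.0.113.77
2007-08-29 08:30:44\t528\tCORP\\bjones\t198.51.100.9
2007-08-29 08:31:10\t528\tCORP\\jsmith\t10.20.30.40
"""

def parse_line(line):
    """Split one export line into a dict; return None for malformed lines."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 4:
        return None
    ts, event_id, user, addr = parts
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None  # e.g. a hostname or a blank address field
    return {"time": ts, "event": event_id, "user": user.lower(), "ip": ip}

def is_internal(ip):
    """True when the client address falls inside an allowed internal range."""
    return any(ip in net for net in INTERNAL_NETS)

def find_external_logons(log_text, restricted_user):
    """Return logon/reconnect events for restricted_user from outside the LAN."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event"] not in LOGON_EVENTS:
            continue
        if ev["user"] == restricted_user.lower() and not is_internal(ev["ip"]):
            hits.append(ev)
    return hits
```

Calling `find_external_logons(SAMPLE_LOG, "CORP\\jsmith")` on the sample returns the two evening events from 203.0.113.77 and ignores the office logons.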
 
Re: deny ts connection based on ip?

On Aug 29, 2:51 am, MW <w...@3net.cz> wrote:
> You could try http://www.2x.com/securerdp/
>
> MW
>
> On Tue, 28 Aug 2007 23:21:26 +0200 robert.waters
> <robert.wat...@gmail.com> wrote:
>
> > I have been tasked with only allowing a certain user account to
> > connect to the TS from the internal network (that person should not be
> > allowed to log in from their home anymore). Is there any way to
> > accomplish this, besides figuring out that person's home IP address
> > and denying it at the firewall?
> >
> > I am open to anything (shell/vb scripting, whatever).
> >
> > Thanks!
> >
> --
> MW


Thanks MW, I'll try it out. I have used their App Server in the past,
great product but I am not sure I want it on my production server (it
was kinda buggy/flaky). I'll definitely give it a run in my dev
environment and see how it works.
 
Re: deny ts connection based on ip?

You can create a new RDP-Tcp listener on a different port,
for example, name it RDP-Internet. Have your PIX forward
all RDP traffic from the Internet to this port. Once this is
set up you can grant permissions on the RDP-Internet listener
as needed.

For example, you could remove the Remote Desktop Users
group from the RDP-Internet listener and add a new group named
"Remote Desktop Internet Users". That way only users that are
a member of this group can connect to your TS via the Internet.

Users who are a member of the RDU group would still be able
to connect to the TS while in the office.

See "How can I allow only a subset of my users to redirect their local printers and drives?"
under the Client resources section of Vera's TS FAQ:

http://ts.veranoest.net

-TP

robert.waters wrote:
> I have been tasked with only allowing a certain user account to
> connect to the TS from the internal network (that person should not be
> allowed to log in from their home anymore). Is there any way to
> accomplish this, besides figuring out that person's home IP address
> and denying it at the firewall?
>
> I am open to anything (shell/vb scripting, whatever).
>
> Thanks!
 
Re: deny ts connection based on ip?

This will not help because securerdp does not block based
upon the *real* ip address of the client. There is a reason
why it is free.

-TP

MW wrote:
> You try http://www.2x.com/securerdp/
>
> MW
 
Re: deny ts connection based on ip?

You could program the firewall to block traffic that is
destined for the RDP port that originates from her IP
address. The trouble with this solution is that her address
may change in the future, or she may connect from a
different location/address.

For example, she may have a dynamic address, or switch
ISPs, or perhaps purchase a mobile broadband card and
connect from her laptop, etc.

-TP

robert.waters wrote:
> I have a PIX 501, but there are many other employees that need to use
> the TS remotely. I have gone through the security event logs on the
> TS and found the remote IP she's been using to connect; is it possible
> for me to check the remote IP with a login script and automatically
> log her off if it matches the one I know? Would you know how to go
> about doing that? I don't want to ban her IP completely at the
> firewall, b/c that would cut her off from our intranet (which shares
> the IP w/ the rest of the wan-facing stuff).
 
Re: deny ts connection based on ip?

Hi,
most probably users are connecting remotely through a VPN connection, so on
that VPN you can define groups of users and what IPs and ports are routed
for those groups.

--
Dragos CAMARA
MCSA Windows 2003 server


"robert.waters" wrote:

> On Aug 29, 4:22 am, Dragos CAMARA <drago...@remove-this.hotmail.com>
> wrote:
> > stop the 3389 port on the firewall or create rules on firewall.
> > what firewall do you use?
> > --
> > Dragos CAMARA
> > MCSA Windows 2003 server
> >
> > "robert.waters" wrote:
> > > I have been tasked with only allowing a certain user account to
> > > connect to the TS from the internal network (that person should not be
> > > allowed to log in from their home anymore). Is there any way to
> > > accomplish this, besides figuring out that person's home IP address
> > > and denying it at the firewall?
> > >
> > > I am open to anything (shell/vb scripting, whatever).
> > >
> > > Thanks!
>
> I have a PIX 501, but there are many other employees that need to use
> the TS remotely. I have gone through the security event logs on the
> TS and found the remote IP she's been using to connect; is it possible
> for me to check the remote IP with a login script and automatically
> log her off if it matches the one I know? Would you know how to go
> about doing that? I don't want to ban her IP completely at the
> firewall, b/c that would cut her off from our intranet (which shares
> the IP w/ the rest of the wan-facing stuff).
>
>
 
Re: deny ts connection based on ip?

On Aug 29, 4:23 pm, "TP" <tperson.knowsp...@mailandnews.com> wrote:
> You can create a new RDP-Tcp listener on a different port,
> for example, name it RDP-Internet. Have your PIX forward
> all RDP traffic from the Internet to this port. Once this is
> set up you can grant permissions on the RDP-Internet listener
> as needed.
>
> For example, you could remove the Remote Desktop Users
> group from the RDP-Internet listener and add a new group named
> "Remote Desktop Internet Users". That way only users that are
> a member of this group can connect to your TS via the Internet.
>
> Users who are a member of the RDU group would still be able
> to connect to the TS while in the office.
>
> See "How can I allow only a subset of my users to redirect their local printers and drives?"
> under the Client resources section of Vera's TS FAQ:
>
> http://ts.veranoest.net
>
> -TP
>
> robert.waters wrote:
> > I have been tasked with only allowing a certain user account to
> > connect to the TS from the internal network (that person should not be
> > allowed to log in from their home anymore). Is there any way to
> > accomplish this, besides figuring out that person's home IP address
> > and denying it at the firewall?
> >
> > I am open to anything (shell/vb scripting, whatever).
> >
> > Thanks!

Wow.
Heavy, man.

I will definitely check that out.

Thanks for your in-depth reply.
-Robert
 
Re: deny ts connection based on ip?

On Aug 29, 4:30 pm, "TP" <tperson.knowsp...@mailandnews.com> wrote:
> You could program the firewall to block traffic that is
> destined for the RDP port that originates from her IP
> address. The trouble with this solution is that her address
> may change in the future, or she may connect from a
> different location/address.
>
> For example, she may have a dynamic address, or switch
> ISPs, or perhaps purchase a mobile broadband card and
> connect from her laptop, etc.
>
> -TP
>
> robert.waters wrote:
> > I have a PIX 501, but there are many other employees that need to use
> > the TS remotely. I have gone through the security event logs on the
> > TS and found the remote IP she's been using to connect; is it possible
> > for me to check the remote IP with a login script and automatically
> > log her off if it matches the one I know? Would you know how to go
> > about doing that? I don't want to ban her IP completely at the
> > firewall, b/c that would cut her off from our intranet (which shares
> > the IP w/ the rest of the wan-facing stuff).


I've thought of that, but Cisco IOS is just ridiculously confusing to
somebody who has zero time to sit down and learn it from the ground
up.
static interface ip address netmask 1.2.3.4 nat(inside) whatnow??
I just barely have the thing working ;) learned just enough to get
the outside ports to the inside ports, vice-versa, and keep the bad
guys out.

(OT) I purchased a PIX book, 'security specialists guide to cisco pix
firewalls'; to all you who got to this post from a 'cisco 501' query,
I wouldn't recommend it if you're new to the PIX or cisco in general.
In the beginning it looks like it's going to start explaining things
on a newbie level, and all of a sudden you're NATing the hell out of
everything, and subnetting and routing and basically learning, by
example, very advanced topics. It goes from "This is cisco IOS. It's
like a programming language, but for your firewall! OMG! Well,
here's how you access the terminal. Good job, children! Now, let's
break your corporate class-B network into 15 differently sized
subnets, set up 47 crazy never-would-happen-in-the-real-world access
lists, and configure per-user RADIUS attributes before breakfast!"
Sorry for the OT. I never got to rant about that damn book ;)
 