Re: Terminal Services Setup/Flaw
RemyMaza wrote:
> Just to follow up with you, what I found was in gpedit.msc, you can deny
> logins through TS. I did that for all groups except for the admins that need
> it. This still allows everyone to hit the TS Server but denies the login to
> other servers. I have to configure this for each one though, so a lil
> tedious, but it's stopping the flaw! Thank you so much for your input. You
> really helped me out a lot and I appreciate your feedback!
You're welcome.
It's a workaround but it stinks to have to do that. I bet it is one of
those things that if someone else takes a look at it, it would pop
right out.
Until the root issue is discovered, remember to set that for all new
users too.
moncho
>
> Best Regards,
> Matt
>
> "moncho" wrote:
>
>> RemyMaza wrote:
>>> Here's what I came up with; I created a test user in the User folder. I
>>> believe this is a default folder in AD. This user isn't part of any other
>>> group except for the default: Domain User. I was able to login to the
>>> Terminal Server with this user and then .rdp into another server on the
>>> network using the same credentials. I checked to see who is allowed to .rdp
>>> into these servers and only admins are.
>>>
>>> I looked in AD to see how the users are being grouped. I found the Remote
>>> Desktop Users group but that's not being used. The one that is being used is
>>> in the Users folder: RemoteUsersGroup. I would imagine this has been
>>> created. However I was still able to login with my Test user and everyone
>>> else in AD was created in a different OU: i.e %companyname%User. This leads
>>> me to believe the problem lies in the TSCC.msc or a Group Policy that affects
>>> Domain User. I'm not sure if this is right, since I'm not very savvy with
>>> TS. I really appreciate your help and if you need more info, I'll get
>>> whatever you need!
>> RemoteUsersGroup was created and may be being used to create your issue.
>>
>> Without the user being part of the RemoteUsersGroup, and with neither
>> the RemoteUsersGroup nor the Users group being in any of the local
>> "Remote Desktop Users" groups, I am at a loss as to how they
>> are able to get RDP access.
>>
>> Maybe someone out there can help point out what I am missing.
>>
>> moncho
>>
>>> Many Thanks,
>>> Matt
>>>
>>> "moncho" wrote:
>>>
>>>> RemyMaza wrote:
>>>>> I've checked the settings for remote logins on the servers and only Domain
>>>>> Admins are configured to login. I did check in active directory and every
>>>>> user is in the Remote Authenticated user's group but this is what is needed
>>>>> for them to hit my IP from their home. What do you think is allowing the
>>>>> connection with .rdp to another server?
>>>> You need to get SPECIFIC in your description.
>>>>
>>>> What do you mean by "Remote Authenticated User's?" There is no built in
>>>> default group called "Remote Authenticated User's" in Windows.
>>>>
>>>> The default groups I know of (regarding this topic) are "Remote Desktop
>>>> Users," "Users" and "Authenticated Users."
>>>>
>>>> If the "Remote Authenticated Users" group exists this was created by
>>>> an admin and may be causing you issues.
>>>>
>>>> I just want to make sure we are talking about the same group names so we
>>>> do not get off track or we/others assume different meanings.
>>>>
>>>> To help you, create a generic user in A/D that does not belong to
>>>> ANY group other than "Users." Then try to RDP into different servers as
>>>> this generic user. What are the results?
>>>>
>>>> If no, great. What differentiates a "normal user" from this new generic
>>>> user?
>>>>
>>>> If so, check the local RDU group on the local server one more time and
>>>> see who is a member of that group.
>>>>
>>>> moncho
>>>>
>>>>> Regards,
>>>>> Matt
>>>>>
>>>>> "moncho" wrote:
>>>>>
>>>>>> RemyMaza wrote:
>>>>>>> Yes, it's any authenticated user which would lead me to believe it's allowed
>>>>>>> through a group policy. What would I modify in that group policy to inhibit
>>>>>>> this type of login?
>>>>>> In order to RDP into any server, the user or group must be in either
>>>>>> the local server Remote Desktop Users Group or System-> Remote-> Allowed
>>>>>> Users, depending upon whether the server is in Application or
>>>>>> Administration mode.
>>>>>>
>>>>>> Remote Authenticated Users from those groups on the local servers that
>>>>>> you DO NOT want users to RDP into.
>>>>>>
>>>>>> moncho
>>>>>>> Many Thanks,
>>>>>>> Matt
>>>>>>>
>>>>>>> "moncho" wrote:
>>>>>>>
>>>>>>>> RemyMaza wrote:
>>>>>>>>> I'm a new hire to a company and I've never used TS before. I was given my
>>>>>>>>> domain admin privileges and went to work last week. I was probing and
>>>>>>>>> testing the network for any flaws and I found a big one I'd like to fix. I
>>>>>>>>> am able to .rdp into the terminal server and from there I'm able to use .rdp
>>>>>>>>> into any other server in the network. The problem lies not with my login but
>>>>>>>>> with a normal user's login, I'm able to do this. What can I do to prevent
>>>>>>>>> normal users from logging into any machine they want?
>>>>>>>>>
>>>>>>>>> Server '03 SP2
>>>>>>>> What is a "normal" user?
>>>>>>>>
>>>>>>>> Do you mean any user in the "Users" or "Authenticated Users" group?
>>>>>>>>
>>>>>>>> I would start there.
>>>>>>>>
>>>>>>>> I would check to see if there are any group policies set up to allow
>>>>>>>> this type of access.
>>>>>>>>
>>>>>>>> If a "normal" user can RDP into a DC, that is a big issue.
>>>>>>>>
>>>>>>>> If your own login can RDP to any server, that seems OK since
>>>>>>>> you are the Domain Admin. If that fits your company's security
>>>>>>>> policies.
>>>>>>>>
>>>>>>>> moncho
>>>>>>>>
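
An added example, not part of the thread: a small auditor for the user-rights layer discussed above ("Allow/Deny log on through Terminal Services"), run over the text of a per-server `secedit /export /cfg <file> /areas USER_RIGHTS` export. The sample exports and the domain SID are constructed; membership of the local "Remote Desktop Users" group and the TSCC.msc connection permissions are separate layers this does not read.

```python
# Well-known SIDs that every ordinary domain user carries in their token.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
EXPECTED = {"S-1-5-32-544", "S-1-5-32-555"}  # Administrators, Remote Desktop Users
ALLOW = "SeRemoteInteractiveLogonRight"      # "Allow log on through Terminal Services"
DENY = "SeDenyRemoteInteractiveLogonRight"   # "Deny log on through Terminal Services"

def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit_ts_logon(text):
    """Classify who holds the TS logon right on one server."""
    rights = parse_privilege_rights(text)
    denied = set(rights.get(DENY, []))       # a deny entry wins over an allow entry
    allowed = [p for p in rights.get(ALLOW, []) if p not in denied]
    return {
        "broad": [BROAD_SIDS[p] for p in allowed if p in BROAD_SIDS],
        # Custom groups (the thread's RemoteUsersGroup would show up here as a
        # domain SID) need their membership checked by hand.
        "review": [p for p in allowed if p not in BROAD_SIDS and p not in EXPECTED],
    }

# Constructed sample exports, not taken from the thread.
LOOSE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-21-1111111111-2222222222-3333333333-1115
[Version]
signature="$CHICAGO$"
"""
TIGHT = """[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"""

if __name__ == "__main__":
    for name, cfg in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(name, audit_ts_logon(cfg))
```

Exports written by secedit are usually UTF-16, so decode the file accordingly before passing its text in. A deny entry on a broad group such as Authenticated Users also blocks administrators, since their tokens carry that SID too.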