Prohibit execute Remote Desktop "MSTSC" from client machine.
  • Prohibit execute Remote Desktop "MSTSC" from client machine.

    Dear all,

    I tried searching the web, but there is not much information about prohibiting the execution of Remote Desktop "MSTSC" with GPO.

    I have lots of users trying to use the Remote Desktop tool, which they should not be allowed to do.

    I would like to use GPO to prohibit them from executing Remote Desktop on their PCs.

    May I know how to achieve this?

    Domain OS: Windows Server 2003 R2
    Environment: Single Forest Single Domain
    PCs OS: Windows XP SP3

  • #2
    Re: Prohibit execute Remote Desktop "MSTSC" from client machine.

    Two ways I can think of with GPO:

    1- With a Software Restriction Policy (Computer Configuration - Windows Settings - Security Settings - Software Restriction Policies)
    Either a Path or Hash rule for mstsc.exe located in (C:\Windows\System32)
    2- Configuring the "Deny logon through Terminal Services" user right in (Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment)

    Ta
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR


    • #3
      Re: Prohibit execute Remote Desktop "MSTSC" from client machine.

      Originally posted by L4ndy
      Two ways I can think of with GPO:

      1- With a Software Restriction Policy (Computer Configuration - Windows Settings - Security Settings - Software Restriction Policies)
      Either a Path or Hash rule for mstsc.exe located in (C:\Windows\System32)
      2- Configuring the "Deny logon through Terminal Services" user right in (Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment)

      Ta
      Number 1 will work. A hash or path rule will do nicely.

      Number 2 won't work, as it determines who can log on through TS to the computer where this setting is applied; it does not restrict the use of the RDP client (mstsc).


      • #4
        Re: Prohibit execute Remote Desktop "MSTSC" from client machine.

        Originally posted by joeqwerty
        Number 2 won't work, as it determines who can log on through TS to the computer where this setting is applied; it does not restrict the use of the RDP client (mstsc).
        It should work. It won't stop 'em from opening mstsc.exe, but they won't be able to log on to any machines internally...
        If connecting to an RD gateway server, however, it is a different matter.
        Maybe the OP could clarify what exactly he's trying to avoid.
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR


        • #5
          Re: Prohibit execute Remote Desktop "MSTSC" from client machine.

          Originally posted by L4ndy
          It should work. It won't stop 'em from opening mstsc.exe, but they won't be able to log on to any machines internally...
          If connecting to an RD gateway server, however, it is a different matter.
          Maybe the OP could clarify what exactly he's trying to avoid.
          It will only stop them from accessing computers that are governed by the policy. But what about computers that aren't, such as external computers? Better to restrict the use of mstsc via a Software Restriction rule as you suggested.


          • #6
            Re: Prohibit execute Remote Desktop "MSTSC" from client machine.

            Dear joeqwerty & L4ndy,

            Thanks for your advice.
            I will try option 1,
            since my management does not want users to execute MSTSC.


            • #7
              Re: Prohibit execute Remote Desktop "MSTSC" from client machine.

              Please be aware that if your users are pretty savvy, they can circumvent this.


              • #8
                Re: Prohibit execute Remote Desktop "MSTSC" from client machine.

                As part of defence in depth, I was suggesting using both methods, as well as configuring the perimeter firewall to block any outgoing RDP, RDP over HTTP, and RDP over SSL traffic (if it was allowed for any reason).
                As wullieb1 said, if you just stick to 1, it can easily be circumvented by using a different terminal client.
                Caesar's cipher - 3

                ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                SFX JNRS FC U6 MNGR
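
Posts #7 and #8 note that a rule on mstsc.exe alone does not cover other terminal clients, so a check keyed on the network connection rather than the executable name is a useful complement. The following is an added example, not part of the original thread: it parses `netstat -ano` output and reports outbound connections to the RDP port together with the owning PID. The sample output is constructed, and the script assumes the remote end listens on the default TCP port 3389.

```python
import re

RDP_PORT = 3389  # assumption: remote hosts use the default RDP port

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    192.168.10.25:1047     192.168.10.5:445       ESTABLISHED     4
  TCP    192.168.10.25:1093     203.0.113.40:3389      ESTABLISHED     2876
  TCP    192.168.10.25:1101     192.168.10.77:3389     SYN_SENT        3120
  TCP    192.168.10.25:3389     192.168.10.9:50211     ESTABLISHED     1044
  UDP    0.0.0.0:445            *:*                                    4
"""

# One TCP row: local addr:port, foreign addr:port, state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

# States that indicate this host initiated or holds a client-side session.
CLIENT_STATES = ("ESTABLISHED", "SYN_SENT")


def outbound_rdp(netstat_text, port=RDP_PORT):
    """Return outbound connections whose *remote* port is the RDP port.

    Rows where only the local port matches are this host's own RDP
    listener or inbound sessions, and are deliberately ignored.
    """
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or UDP row
        _lip, _lport, remote_ip, remote_port, state, pid = m.groups()
        if int(remote_port) != port or state not in CLIENT_STATES:
            continue
        hits.append({"remote": remote_ip, "state": state, "pid": int(pid)})
    return hits


if __name__ == "__main__":
    for hit in outbound_rdp(SAMPLE_NETSTAT):
        print("outbound RDP to %(remote)s (%(state)s), PID %(pid)d" % hit)
```

The reported PID can be matched against `tasklist` output to see which executable opened the session, whatever it is named.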
