Limiting RDP user ability to browse domain

By ecoleadvisor
I'm running Server 2003 and we need to have a contracted remote user access one of our servers. Our information is extremely confidential and we must ensure that he does not have the ability to browse the rest of our domain, or even see it for that matter. We have tried to run a GPO enabling "No Entire Network in My Network Places" and installed MS Access-based Enumeration, to no avail; he can still browse the network (although the user does not have access). We want to make sure the user can see the server he is on ONLY and nothing else. Any ideas?
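
The GPO setting named in the post is backed by a handful of per-user Explorer policy values, and a common reason it "does not work" is that the values never reach the contractor's own profile hive (for example when the GPO is linked to the server's OU without loopback processing). The script below is an added example, not code from the original poster: it audits and, if asked, applies those values for one user's loaded hive. The user account and the helper names (`Test-NetworkBrowseRestriction`, `Set-NetworkBrowseRestriction`) are assumptions for illustration. Two caveats a practitioner should keep in mind: these values only hide the browse list in the Explorer shell, so typed UNC paths and `net view` still work, and Access-based Enumeration hides folders inside a share that the user cannot access, not other servers on the network, so neither is a security boundary on its own; network-level isolation of the session is still needed.

```powershell
# Added example (not from the original post): audit/apply the Explorer policy
# values behind the GPO settings "No Entire Network in My Network Places"
# (NoEntireNetwork), "No Computers Near Me in My Network Places"
# (NoComputersNearMe) and "Remove My Network Places icon" (NoNetHood).
# Caveat: these hide shell UI only; UNC paths and 'net view' still work.

$PolicyValues = @{
    NoEntireNetwork   = 1
    NoComputersNearMe = 1
    NoNetHood         = 1
}

function Get-UserPolicyKey {
    param([Parameter(Mandatory)][string]$UserSid)
    # HKEY_USERS\<SID> only exists while that user's hive is loaded
    # (i.e. the user has an active or disconnected session).
    "Registry::HKEY_USERS\$UserSid\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
}

function Test-NetworkBrowseRestriction {
    param([Parameter(Mandatory)][string]$UserSid)
    $key     = Get-UserPolicyKey -UserSid $UserSid
    $current = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    foreach ($name in $PolicyValues.Keys) {
        $actual = if ($current) { $current.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $PolicyValues[$name]
            Actual    = $actual
            Compliant = ($actual -eq $PolicyValues[$name])
        }
    }
}

function Set-NetworkBrowseRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserSid)
    $key = Get-UserPolicyKey -UserSid $UserSid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $PolicyValues.Keys) {
        if ($PSCmdlet.ShouldProcess("$key\$name", "set DWORD to $($PolicyValues[$name])")) {
            Set-ItemProperty -Path $key -Name $name -Value $PolicyValues[$name] -Type DWord
        }
    }
}

# Usage (account name is a placeholder): resolve the contractor's SID while the
# user is logged on, audit the hive, then apply with -WhatIf first.
$account = New-Object System.Security.Principal.NTAccount('CONTOSO\contractor')
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
Test-NetworkBrowseRestriction -UserSid $sid | Format-Table -AutoSize
Set-NetworkBrowseRestriction  -UserSid $sid -WhatIf
```

Run this from an elevated session on the server the contractor connects to; a row with `Actual` empty means the policy never reached that user's hive, which points at GPO scoping rather than at the setting itself.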

How is the user connecting? Via Terminal Server?

by robo_dev In reply to Limiting RDP user ability ...

A lot depends on exactly what the person needs to do. Is there any way you could get him to connect to a separate device, such as an OpenALS VPN instance on a server or a dedicated VPN device which would connect him to a workstation in a DMZ?

Then access server services from the workstation? This would allow you to do things like blocking ports/addresses from the workstation and essentially provide a reverse-proxy to the server.

My opinion is that having a standard RDP connection directly into a critical server is a really bad idea. While putting it on a non-standard port number may reduce the number of hack attempts, there are lots of hacking tools like tsgrinder that are made to break into TSWEB connections.

An alternate pie-in-the-sky idea would be to create a VPN, sandbox, or whatever is needed via a VMware player or Sandboxie instance. Either one can provide airtight control of network resources and security boundaries.
