Denying Terminal Service connections in remote admin mode
Is there a way of denying access to a Terminal Service connection (TS 2003) in remote admin mode? Even with security set on the RDP protocol, you can connect to it from both Windows and Linux machines not part of any domain. The security policies seem to concentrate on not allowing users to log in but I don't want them to even connect. The solution would ideally not use IPSEC.
If you don't want anyone to connect to the server from a certain location (say, the outside world) you can block off port 3389, used by RDP. You can also remove servers from the browse list of Terminal Servers (although a Windows 2003 server in Remote Administration mode shouldn't be listed). To keep a server from announcing itself as a Terminal Server (while keeping it on the browse list), run the Registry Editor and go to
HKLM\System\CurrentControlSet\Control\Terminal Server. Add the following registry value: TSAdvertise, Data type: REG_DWORD, Radix: Decimal, and Value: 0.
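The two measures in the answer, blocking port 3389 to everyone but administrators and setting TSAdvertise to 0, as an added PowerShell example that is not part of the original answer. It assumes Windows Server 2012 or later with the NetSecurity module (not the 2003 host the question is about); the management subnet and rule name are constructed placeholders.

```powershell
# Added example (not from the original Q&A): limit inbound RDP at the host
# firewall to one management subnet and stop the server advertising itself as
# a Terminal Server. Assumes Windows Server 2012+ with the NetSecurity module.
#Requires -RunAsAdministrator
$MgmtSubnet = '10.20.30.0/24'   # constructed placeholder: your admin network
$TsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RuleName   = 'RDP - management subnet only'   # constructed rule name

# 1. Drop unsolicited inbound traffic on every profile, so an unscoped RDP
#    allow rule is the only thing that could expose TCP 3389.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Disable the built-in "Remote Desktop" rules, which allow 3389 from Any.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -Enabled False

# 3. Replace them with one allow rule scoped to the management subnet. Hosts
#    outside that range never complete a TCP handshake on 3389, which is the
#    "don't even connect" behaviour the question asks for, not a failed logon.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $MgmtSubnet -Action Allow -Profile Any | Out-Null
}

# 4. TSAdvertise = 0 (REG_DWORD) keeps the server from announcing itself as a
#    Terminal Server, as described in the answer.
New-ItemProperty -Path $TsKey -Name 'TSAdvertise' -PropertyType DWord -Value 0 -Force | Out-Null

# 5. Verify: list every enabled inbound allow rule that opens 3389 together
#    with its remote-address scope; anything wider than $MgmtSubnet is a gap.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($remote -join ',') }
    } | Format-Table -AutoSize

# Show the stored TSAdvertise value for the change record.
(Get-ItemProperty -Path $TsKey -Name 'TSAdvertise').TSAdvertise
```

Run it from an elevated session that is itself inside the management subnet, since step 2 cuts off every other RDP source the moment it completes.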
This was first published in January 2004