Can I block a group from accessing Remote Desktop Web Connection?

D Smith · May 15, 2008

We have a windows 2003 terminal server here in our office that is used by
many internal employees. They login and do their work on the terminal server.
Some time ago we had some IT consultants come in and setup Remote Desktop Web
Connection on the same server as a remote access method. This way some
employees can login to the web page and access the server from outside the
office.

Now I need to figure out a way to restrict the people that can access the
Remote Desktop Web Connection without restricting people from access from
regular remote desktop inside the office.

After lots of searching I cannot find a solution to this problem. Any
setting I find in group policy relates to both types of remote access.

Is there a way that I can grant access to only certain users or groups to
the web access without affecting normal remote desktop?

Thank you!

Ratnesh Yadav [MSFT] · May 31, 2008

Check following link for configuring users permission to access Remote
Desktop Web,
http://www.microsoft.com/windowsxp/using/networking/expert/northrup_03may16.mspx

Ratnesh

"D Smith" <DSmith@discussions.microsoft.com> wrote in message
news:5FB56B32-44C4-4AEF-B439-A47A710F7910@microsoft.com...
> We have a windows 2003 terminal server here in our office that is used by
> many internal employees. They login and do their work on the terminal
> server.
> Some time ago we had some IT consultants come in and setup Remote Desktop
> Web
> Connection on the same server as a remote access method. This way some
> employees can login to the web page and access the server from outside the
> office.
>
> Now I need to figure out a way to restrict the people that can access the
> Remote Desktop Web Connection without restricting people from access from
> regular remote desktop inside the office.
>
> After lots of searching I cannot find a solution to this problem. Any
> setting I find in group policy relates to both types of remote access.
>
> Is there a way that I can grant access to only certain users or groups to
> the web access without affecting normal remote desktop?
>
>
> Thank you!

Vera Noest [MVP] · May 31, 2008

But that article does not answer the OPs question at all.

DSmith, the only concept that comes to my mind is to prohit users
to get to the Remote Desktop website at all. Maybe you can
configure IIS with an extra layer of security.
You will have to create 2 different user groups, like:
RDUsers_from_everywhere and RDUsers_inside_only and give only
members of RDUsers_from_everywhere permission to get to the website
at all.
Drawback is that your permitted users from the outside will have to
authenticate twice, first with IIS and then with the TS.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Ratnesh Yadav [MSFT]" <Ratnesh.Yadav@microsoft.com> wrote on 31
maj 2008 in microsoft.public.windows.terminal_services:

> Check following link for configuring users permission to access
> Remote Desktop Web,
> http://www.microsoft.com/windowsxp/using/networking/expert/northr
> up_03may16.mspx
>
> Ratnesh
>
> "D Smith" <DSmith@discussions.microsoft.com> wrote in message
> news:5FB56B32-44C4-4AEF-B439-A47A710F7910@microsoft.com...
>> We have a windows 2003 terminal server here in our office that
>> is used by many internal employees. They login and do their
>> work on the terminal server.
>> Some time ago we had some IT consultants come in and setup
>> Remote Desktop Web
>> Connection on the same server as a remote access method. This
>> way some employees can login to the web page and access the
>> server from outside the office.
>>
>> Now I need to figure out a way to restrict the people that can
>> access the Remote Desktop Web Connection without restricting
>> people from access from regular remote desktop inside the
>> office.
>>
>> After lots of searching I cannot find a solution to this
>> problem. Any setting I find in group policy relates to both
>> types of remote access.
>>
>> Is there a way that I can grant access to only certain users or
>> groups to the web access without affecting normal remote
>> desktop?
>>
>>
>> Thank you!

DSmith · Jun 5, 2008

Re: Can I block a group from accessing Remote Desktop Web Connecti

This sounds like what I need, do you know of an article or something that I
can read that would explain how to setup this extra layer of security around
IIS?

Thanks!

"Vera Noest [MVP]" wrote:

> But that article does not answer the OPs question at all.
>
> DSmith, the only concept that comes to my mind is to prohit users
> to get to the Remote Desktop website at all. Maybe you can
> configure IIS with an extra layer of security.
> You will have to create 2 different user groups, like:
> RDUsers_from_everywhere and RDUsers_inside_only and give only
> members of RDUsers_from_everywhere permission to get to the website
> at all.
> Drawback is that your permitted users from the outside will have to
> authenticate twice, first with IIS and then with the TS.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "Ratnesh Yadav [MSFT]" <Ratnesh.Yadav@microsoft.com> wrote on 31
> maj 2008 in microsoft.public.windows.terminal_services:
>
> > Check following link for configuring users permission to access
> > Remote Desktop Web,
> > http://www.microsoft.com/windowsxp/using/networking/expert/northr
> > up_03may16.mspx
> >
> > Ratnesh
> >
> > "D Smith" <DSmith@discussions.microsoft.com> wrote in message
> > news:5FB56B32-44C4-4AEF-B439-A47A710F7910@microsoft.com...
> >> We have a windows 2003 terminal server here in our office that
> >> is used by many internal employees. They login and do their
> >> work on the terminal server.
> >> Some time ago we had some IT consultants come in and setup
> >> Remote Desktop Web
> >> Connection on the same server as a remote access method. This
> >> way some employees can login to the web page and access the
> >> server from outside the office.
> >>
> >> Now I need to figure out a way to restrict the people that can
> >> access the Remote Desktop Web Connection without restricting
> >> people from access from regular remote desktop inside the
> >> office.
> >>
> >> After lots of searching I cannot find a solution to this
> >> problem. Any setting I find in group policy relates to both
> >> types of remote access.
> >>
> >> Is there a way that I can grant access to only certain users or
> >> groups to the web access without affecting normal remote
> >> desktop?
> >>
> >>
> >> Thank you!
>

Vera Noest [MVP] · Jun 6, 2008

Re: Can I block a group from accessing Remote Desktop Web Connecti

Try posting in an IIS newsgroup, they can surely tell you how to
password-protect a webpage. You can do this in IIS Manager, but I
don't know the details.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RFNtaXRo?= <DSmith@discussions.microsoft.com> wrote on
05 jun 2008 in microsoft.public.windows.terminal_services:

> This sounds like what I need, do you know of an article or
> something that I can read that would explain how to setup this
> extra layer of security around IIS?
>
> Thanks!
>
> "Vera Noest [MVP]" wrote:
>
>> But that article does not answer the OPs question at all.
>>
>> DSmith, the only concept that comes to my mind is to prohit
>> users to get to the Remote Desktop website at all. Maybe you
>> can configure IIS with an extra layer of security.
>> You will have to create 2 different user groups, like:
>> RDUsers_from_everywhere and RDUsers_inside_only and give only
>> members of RDUsers_from_everywhere permission to get to the
>> website at all.
>> Drawback is that your permitted users from the outside will
>> have to authenticate twice, first with IIS and then with the
>> TS.
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> "Ratnesh Yadav [MSFT]" <Ratnesh.Yadav@microsoft.com> wrote on
>> 31 maj 2008 in microsoft.public.windows.terminal_services:
>>
>> > Check following link for configuring users permission to
>> > access Remote Desktop Web,
>> > http://www.microsoft.com/windowsxp/using/networking/expert/nor
>> > thr up_03may16.mspx
>> >
>> > Ratnesh
>> >
>> > "D Smith" <DSmith@discussions.microsoft.com> wrote in message
>> > news:5FB56B32-44C4-4AEF-B439-A47A710F7910@microsoft.com...
>> >> We have a windows 2003 terminal server here in our office
>> >> that is used by many internal employees. They login and do
>> >> their work on the terminal server.
>> >> Some time ago we had some IT consultants come in and setup
>> >> Remote Desktop Web
>> >> Connection on the same server as a remote access method.
>> >> This way some employees can login to the web page and access
>> >> the server from outside the office.
>> >>
>> >> Now I need to figure out a way to restrict the people that
>> >> can access the Remote Desktop Web Connection without
>> >> restricting people from access from regular remote desktop
>> >> inside the office.
>> >>
>> >> After lots of searching I cannot find a solution to this
>> >> problem. Any setting I find in group policy relates to both
>> >> types of remote access.
>> >>
>> >> Is there a way that I can grant access to only certain users
>> >> or groups to the web access without affecting normal remote
>> >> desktop?
>> >>
>> >>
>> >> Thank you!