Windows Server 2008 System Specific Remote

Question

I have a server which runs Windows Server 2008 R2 Standard. I have admin rights and I can login through Remote Desktop Connection and access the server.

I wanted to create an account so that my office staff can access (restricted access) and only from office systems. I do not want access from any other location.

Is it possible ?

Thanks,

GR

Answer 1

There are several ways to lock down and secure the RDP services of a particular machine. As with most local services and GPO settings Windows is quite good at making it easy to tailor permissions based on user(s), computer(s) and by group(s).

First off I would personally add RDP permissions on a per user basis, rather than giving staff members one central login to use. There are several reasons for this, mostly down to ease of use and system security.

In the "System Properties" of the Windows Server, I assume you've ticked the box to allow a RDP connection to the server. - Just under that there's a checkbox you should tick in order to only allow connections with NLA (Network Level Authentication) . Proceed to "Select Users" and choose the staff you wish to give RDP permissions too.

I'm going to assume that your RDP connection is working as you've stated that you're able to connect, we'll leave local RDP GPO settings and initial Windows Firewall configuration, please leave a comment if you'd like me to include it.

In the Windows Firewall for the server on the exceptions tab, edit the settings for Remote Desktop Connection. Click "Change Scope" and tick the box that says "My Nntwork (subnet) only".

This will only allow RDP connections from local machines within the servers subnet (office machines) and connections from the users you specified earlier on (Office staff).

As for the restricted access part, short of making a new local limited user on the server there's not much you can do to protect everything.

I hope this clears it up for you.