How do I restrict access to Remote Desktop?
I have an AWS Lightsail server based on the Windows Server 2016 blueprint. I would like to have users log in via remote desktop, and be limited to using just one designated application, and have no access to the desktop or other features (including the File Explorer).

I tried setting up a group policy, both for the server (Computer Configuration) and users (User Configuration) under Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Remote Session Environment, and I enabled and configured Start a program on connection. That did not work.

I also tried the suggestions found at the following link: Can RDP clients launch remote applications and not desktops, including setting the following dword value in the server's registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowUnlistedRemotePrograms"=dword:00000001

I also included the alternate shell and remoteapplication entries in an .RDP file, and pointed to that file in the user's Remote Desktop Services Profile tab of the user's Properties dialog. None of that worked. Each time I logged in as the user, the configured application did not run and I had access to the desktop. Nothing that I found in my Google searches worked either.

Can someone please point me in the right direction? I am pretty sure that what I am trying to do is possible, but I am stuck. I am connecting to the server using the remote desktop client in Windows 10 Pro, though I am not sure that that has anything to do with the failure. I'll also note that once I log into the server using remote desktop I can successfully run the application from the File Explorer or cmd prompt.
Remote Desktop is a Windows service that allows users to connect to a host computer from a different location. This allows users to access information stored on a separate computer from any place that allows them to log on to the Remote Desktop application. This has many practical applications in business, but also opens up some obvious security issues. These issues can be remedied by learning how to make a Remote Desktop connection as secure as your needs require.
wikiHow is a “wiki,” similar to Wikipedia, which means that many of our articles are co-written by multiple authors. To create this article, 12 people, some anonymous, worked to edit and improve it over time. This article has been viewed 127,071 times.
Co-authors: 12 Updated: August 15, 2020 Views: 127,071 Categories: Network Security | Remote Access Services
If you want to restrict Remote Desktop access to your dedicated server IP address or range of IP addresses, you can do so by following the instructions below.

Edit existing firewall rule

Create your IP restrictions

The Scope tab is where you add the IP addresses and ranges you want to access the server.
Once you complete the changes, you can test the rule by trying to connect to the RDP server using an IP outside the desired intervals. If it fails to connect, then the rule has been successfully applied. If the rule is unsuccessful, or you lose your connection to the server via RDP, please contact your support team.
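The same Scope restriction can be applied and read back from PowerShell. The script below is an added example, not part of the original instructions. It assumes an English-language Windows Server, where the built-in rules belong to the "Remote Desktop" display group, and it uses constructed sample addresses from the documentation ranges.

```powershell
# Added example: restrict the built-in Remote Desktop inbound rules to an
# allow-list of source addresses, then verify the result.
# Run in an elevated PowerShell session on the server.

# Constructed sample values (documentation ranges); replace with your own.
# Include the address you are connecting from, or the session will be cut off.
$AllowedSources = @('203.0.113.0/24', '198.51.100.10')

# Assumption: English display group name; it is localized on other builds.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

if (-not $rdpRules) {
    throw 'No enabled inbound rules found in the Remote Desktop group.'
}

# Equivalent to filling in "Remote IP address" on each rule's Scope tab.
$rdpRules | Set-NetFirewallRule -RemoteAddress $AllowedSources

# Read the scope back from the live policy to confirm what was stored.
foreach ($rule in $rdpRules) {
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    '{0,-45} RemoteAddress = {1}' -f $rule.DisplayName, ($scope -join ', ')
}

# A scoped built-in rule does not help if another enabled allow rule still
# opens port 3389 to any source, so list any such rule for review.
$stillOpen = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($port.LocalPort -contains '3389') -and
        ($addr.RemoteAddress -contains 'Any')
    }

if ($stillOpen) {
    Write-Warning 'These rules still allow port 3389 from any address:'
    $stillOpen | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    'No enabled inbound allow rule exposes port 3389 to any address.'
}
```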
The best option to me in this case is to simply modify the properties of the user's AD account. Under the "Account" tab, select "Log On To" and there you can specify to which computers the user is allowed to log in. You will of course want to allow them to log in to their own workstation, but you can also add the terminal servers to which they should be allowed to log in. The downside to this method, depending on your environment, is that the user would not be allowed to log in at other workstations either, unless those workstations are specified in this list of allowed systems.