Restrict users from logging in to Remote Desktop Web Access
If you are working with Remote Desktop Services, and especially with Remote Desktop Web Access, you might know by now that every domain user can log in to that interface, even if that user has no application published. Most administrators don’t even care about this, because if the user can’t see an application on that web page, he will close it eventually. But if that user is persistent, you will be sitting in the witness chair. Why can’t I see anything on that page? Why don’t I have the applications my colleague has? And the list can go on. If you want to restrict access for users that don’t have applications published on RD Web Access, there is a trick.
As you can see below, my user account is logged in to RD Web Access even though no applications are published.
To restrict this, first we need to create a security group in AD. You know that I don’t like to put users in ACLs directly; I like to work with groups. Go ahead and create a security group, then put the user accounts that you don’t want to be able to log in to the web page in that group.
Now log into your RD Web Access server and browse to C:\Windows\Web. Right-click the RDWeb folder and choose Properties.
Go to the Security tab and click Edit then Add.
Type the security group name that you just created in AD and hit OK.
Back in the Permissions window, make sure the group is selected, then in the Permissions section (below) tick the Read & Execute box under the Deny column. Click OK to close all the windows. Choose Yes on the warning messages.
Now, if a user that is part of that security group tries to log in, they will get an access denied message. In the future, when you want to stop someone from logging in to RD Web Access, just add the account to that security group.
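The same Deny entry can be applied and verified from an elevated PowerShell prompt on the RD Web Access server. This is an added example, not code from the original post; it assumes the AD security group is named CONTOSO\RDWeb-Denied (replace with your own group).

```powershell
# Added example: set the Deny ACE from the walkthrough with PowerShell.
# Assumptions (not from the original post): domain CONTOSO, group RDWeb-Denied.
$Path  = 'C:\Windows\Web\RDWeb'
$Group = 'CONTOSO\RDWeb-Denied'

if (-not (Test-Path -Path $Path)) {
    throw "RD Web Access folder not found at $Path"
}

# Deny "Read & execute", inherited by subfolders and files, which is what the
# GUI writes when the Deny box for Read & execute is ticked on the folder.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Group,
    'ReadAndExecute',
    'ContainerInherit, ObjectInherit',
    'None',
    'Deny'
)

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: show the explicit entries for the group so the change can be audited.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference -eq $Group -and -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags -AutoSize

# Equivalent one-liner with the built-in icacls tool, if you prefer it:
# icacls $Path /deny "${Group}:(OI)(CI)RX"
```

Because an explicit Deny wins over any Allow on the same object, keep administrative and service accounts out of this group, or they will lose access to the folder as well.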
Simple and effective. Hope this helps some of you.
Thanks for the info!
What about restricting desktop access to the Web RDP server? In my current config the users in the remote desktop group can launch the web rdp apps but can also RDP to the server desktop. Is there a way to restrict the desktop access?
Hi,
Just disable RDP on the web server; it shouldn’t be enabled anyway. All the server is providing is a web service.
Hi guys,
I am trying to implement the same thing but the other way around (restricting all users so that only a specific security group can access).
I mean I want to restrict all users from logging in via RDWeb logins but only allow users who are members of an AD security group.
But I am not sure which permissions are required to be removed under c:\windows\web\rdweb or via the IIS RDweb virtual directory.
Please help.
Thanks
Right now I don’t have a lab, so I can’t see the default permissions on that folder, but you can try this:
For the Authenticated Users group remove all permissions (do not set a deny, because deny overrides everything).
Create a security group where you will add the users that can access the web interface and add that group to the ACL (access control list) of the folder.
Let me know if this works.
Hi,
Is it possible to restrict the terminals that you can access through RDWeb? For example: in my domain I have server01, server02 and server03, and I want users to be able to connect only to server-02.
How would you do it?
Thanks!!
Hi,
Create a security group, add those users to that group, then add the group to the local Remote Desktop Users group on the server. See this article. Let me know how it goes.
Thanks Adrian!
I already have a security group with the users that can access, and it works fine. But I need to limit the terminals they have access to. Actually, these users can connect to all desktops in the network.
How would you specify which clients they can access?
Thanks.
This is also controlled by which users are part of the Remote Desktop Users group on each server. I’m sure there is a solution, a better one, to do this, but right now I can’t think of it, or I don’t remember; plus I don’t have a lab right now. Let me see if I get the time this week to build a lab and test this scenario.
Thanks for this suggestion which is similar to the suggestions here – http://social.technet.microsoft.com/Forums/windowsserver/en-US/66595988-753a-4cab-b5c4-4b9b3bcabbe8/restrict-logins-to-rds-web-access?forum=windowsserver2008r2rds
While planning to use this technique on a Windows 2012 RDS server I have found that the RDweb folder already has a permission for the group RDWebAccess. I would rather modify an existing group but I cannot find this group in either the local computer or AD.
Any ideas?
Hi,
I usually don’t mess with the groups assigned by the system; just like with group policy, you don’t modify the default one. Create your own security group and set security on that one.