Online Help > Knowledge Base > Security

Blocking MS RDP to Only Use Remote Desktop Manager

Description

 

Some organizations want to centralize their Remote Desktop connections to be established from Remote Desktop Manager only. A few things need to be considered to implement this in your organization.

 

Solution

 

Just blocking Microsoft RDP (mstsc.exe) is still leaving other “surfaces” open for getting access. One could imagine installing Microsoft RDC Manager or even another copy of Remote Desktop Manager which would connect with settings that you do not approve.

Indeed, you can force your users to use Remote Desktop Manager by hiding the session credentials in the application. This will results in the users able to establish the remote connection without knowing the credentials.

 

If you feel that disabling Microsoft RDP (mstsc.exe) is sufficient for your needs, it is documented on

https://social.technet.microsoft.com/wiki/contents/articles/4980.how-to-enable-or-disable-remote-desktop-via-group-policy-windows-2008.aspx

 

Our best solution involves going through a gateway that is protected by a password unknown from the end user. One can achieve this by using a SSH Tunnel or our own Jump feature. The second step is to adjust the firewalls on the remote hosts to disable connections from IP addresses other than those use by your approved gateways.

Gateways

Gateways

 

SSH tunnels are a very good approaches since they can run on a VM using any *nix distribution and require limited ram and hdd space.

 

This will also force your user to use Remote Desktop Manager because the credentials to use a SSH Tunnel cannot be a domain credential and the information to authenticate will be saved in Remote Desktop Manager.

 

For more information, please consult How to Setup a SSH Tunnel