Prevent RDP access to other servers
Started by Brian Toddler, 08 September 2009 - 12:29 PM
Members
#1
Posted 08 September 2009 - 12:29 PM
Hi
We are running Citrix PS4.5 on Windows 2003 servers. We have the RDP icon published on our Web Interface so that developers etc. can RDP onto application servers from outside the network to troubleshoot.
All our application servers are on the same network, and it is possible to RDP from one application server to all others. This causes a problem, since a developer that can RDP (via Citrix) can then launch the RDP application from a server they correctly have permissions on to any other server where they should not have access. I know we can tie this down by usernames etc., but is there any way to prevent the RDP'ing onto the other servers in the first place?
Members
#2
Posted 08 September 2009 - 12:50 PM
Hi Brian,
With the default settings, only Administrators can RDP into a Windows server. The local RDP users group gives the local policy setting 'Allow logon through terminal services' and also assigns permissions to RDP-TCP. If you want to disallow a user who would otherwise have access because they are an admin or they are in the RDP users group or whatever, you can edit RDP-TCP on the servers that you do not want them to access and add that user/group with the Deny permission to user access. Deny overrides any allow. Hope this helps.
Pete
Citrix Employees
#3
Posted 08 September 2009 - 12:58 PM
I think the easiest way to do this would be the following:
On each server, go to Start Menu - Administrative Tools and start Terminal Services Configuration.
Choose Connections and, in the right window, right-click on RDP-Tcp and choose Properties.
Under Permissions, control who has access to connect to the desktop.
Members
#4
Posted 10 September 2009 - 02:51 PM
The best way to prevent RDP access to other workstations/servers is to implement a GPO. You can set up who is allowed to RDP (Permit remote control of this computer). This GPO is then applied to all workstations/servers. This is what we do and it works terrific.
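
The RDP-Tcp permissions that posts #2 and #3 set in the GUI can be checked across all application servers at once. The following is an added example, not part of the original thread: a read-only PowerShell audit that assumes Windows Server 2003 (where `Win32_TSAccount` lives in `root\cimv2`), WMI access from an admin host, and hypothetical server and group names.

```powershell
# Added example: report accounts that hold the Logon right on the RDP-Tcp
# listener of each server but are not on that server's allow-list.
# Read-only: it queries WMI and changes nothing.

$WINSTATION_LOGON = 0x20   # Logon bit of the WinStation access mask

# Constructed allow-list (hypothetical names): server -> expected accounts.
# Default entries such as SYSTEM are listed so they are not reported.
$Expected = @{
    'APPSRV01' = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                   'EXAMPLE\App1-Developers')
    'APPSRV02' = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                   'EXAMPLE\App2-Developers')
}

function Get-RdpTcpLogonAcl {
    param([string[]]$ComputerName)
    foreach ($server in $ComputerName) {
        # One Win32_TSAccount instance per ACL entry on the listener.
        $accounts = Get-WmiObject -Class Win32_TSAccount -Namespace 'root\cimv2' `
            -ComputerName $server -Filter "TerminalName='RDP-Tcp'"
        foreach ($a in $accounts) {
            New-Object PSObject -Property @{
                Server     = $server
                Account    = $a.AccountName
                LogonAllow = [bool]($a.PermissionsAllowed -band $WINSTATION_LOGON)
                LogonDeny  = [bool]($a.PermissionsDenied  -band $WINSTATION_LOGON)
            }
        }
    }
}

function Test-RdpTcpLogonAcl {
    param([object[]]$Acl, [hashtable]$Expected)
    foreach ($entry in $Acl) {
        # An entry grants logon only if it allows it and does not also deny it.
        $grants = $entry.LogonAllow -and -not $entry.LogonDeny
        if ($grants -and ($Expected[$entry.Server] -notcontains $entry.Account)) {
            $entry | Select-Object Server, Account, LogonAllow, LogonDeny
        }
    }
}

$acl = Get-RdpTcpLogonAcl -ComputerName @($Expected.Keys)
Test-RdpTcpLogonAcl -Acl $acl -Expected $Expected | Format-Table -AutoSize
```

The check compares ACL entries by name only. It does not expand group membership, so a Deny entry placed on a group a user belongs to still has to be evaluated by hand.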
