Access Denied: Protecting Workstations from Remote Access

We want to make sure that no one can use Remote Assistance, Remote Desktop, or Windows 2000 Server Terminal Services to remotely access the workstations of certain users who have access to highly sensitive data or to financial transactions. What's the simplest way to disable all these features?

You can disable the Terminal Services service, which all the features you mentioned require. However, a user who's a member of the workstation's local Administrators group can reenable and start the service. To prevent that scenario, you can tighten Terminal Services' ACL, as I explained in "Auditing Users Who Might Be Starting and Stopping Services," May 2002,, InstantDoc ID 24669. Alternatively, you can assign the Deny logon through Terminal Services right to the Everyone group. Assigning this right to Everyone overrides anyone who has the Allow logon through Terminal Services right.

However, for a more effective solution, I suggest you use an IP Security (IPSec) policy. For more information about how to use an IPSec policy, see "Protect Private Ports with IPSec," April 2002,, InstantDoc ID 24273.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.