Forum Discussion

Deleted
Jul 01, 2021

Preventing full desktop session login when just using app remoting

Case as follows:
We have some smart users who just figure out the name of the WVD session host from a RemoteApp they use.
What they do next is just fire off mstsc.exe to that session host, and then they have access to the full desktop of the session host.
How can we prevent this?

  • How are the users connected to the service? Are they connected to the Azure network over VPN, or do they connect via the internet? I assume via VPN, since via the internet the session hosts aren't reachable.
    • Deleted
      They can access it via VPN, yes... (but also internally.)
      Blocking some things via firewall/NSG might help here, I have to check on that... (support must still be possible and AVD Shortpath should still work)
  • hme_about_IT
    Copper Contributor
    Why not change the default RDP port to something else?
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

    Or disable RDP...
  • semkaz
    Copper Contributor

    Deleted Another suggestion would be to add an inbound rule to your Network Security Group for your AVD (if you have one) which would only allow RDP port 3389 connections from a limited number of IP addresses (your admin machines, for example). Your RD client RemoteApp connections would be unaffected by this rule.
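The NSG approach suggested above, written out as an added example with the Az PowerShell module (this is not code from the thread or from Microsoft). The resource group name, NSG name and admin source addresses are assumed placeholders. It adds the Allow rule semkaz describes and also an explicit Deny rule for everyone else, because the built-in AllowVnetInBound default rule (priority 65000) would otherwise still let any VNet or VPN client reach TCP/3389 directly.

```powershell
# Added example (not from the thread): restrict inbound TCP/3389 on an AVD session-host NSG
# so that only admin jump hosts can open a full desktop session with mstsc.exe.
# Assumed placeholders: resource group, NSG name and admin source addresses.
$ResourceGroupName = "rg-avd-hostpool"                    # assumption
$NsgName           = "nsg-avd-sessionhosts"               # assumption
$AdminSources      = @("10.50.0.10/32", "10.50.0.11/32")  # constructed admin jump-host IPs

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName

# Allow RDP only from the admin addresses. Lower priority number = evaluated first.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name "Allow-RDP-From-Admins" `
    -Description "Full-desktop RDP permitted only from admin jump hosts" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $AdminSources -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389 | Out-Null

# Explicit deny is required: the default AllowVnetInBound rule (priority 65000)
# would otherwise still permit any VNet/VPN client to reach 3389.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name "Deny-RDP-From-Others" `
    -Description "Block direct mstsc.exe sessions from all other sources" `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389 | Out-Null

# Commit the rules to the NSG.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify: show the RDP rules in evaluation order.
(Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName).SecurityRules |
    Where-Object { $_.DestinationPortRange -contains "3389" } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, Protocol, @{ n = 'Source'; e = { $_.SourceAddressPrefix -join ',' } }
```

RemoteApp and full-desktop sessions brokered through AVD are unaffected because the session host connects outbound to the AVD gateway (reverse connect) rather than accepting inbound 3389. RDP Shortpath for managed networks uses UDP/3390 by default, so TCP-only rules on 3389 leave it working as well. Users in the admin source ranges can of course still open a direct desktop, so keep that list to dedicated management hosts.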
