Forum Discussion
Deleted
Jul 01, 2021
Preventing full desktop session login when just using app remoting
Case as follows:
We have some smart users who just figure out the name of the WVD session host from a remote app they use.
What they do next is just fire off mstsc.exe to that session host and then they have access to the full desktop of the session host.
How can we prevent this?
- Johan_Vanneuville (Iron Contributor): How are the users connected with the service? Are they connected with the Azure network over VPN or do they connect via the internet? I assume via VPN, since via the internet the session hosts aren't reachable.
- Deleted: They can access it via VPN, yes... (but also internal)
  Blocking some things via firewall/NSG might help here, I have to check on that... (support must still be possible and AVD short-path should still work)
- hme_about_IT (Copper Contributor): Why not change the default RDP port to something else?
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
  Or disable RDP...
- semkaz (Copper Contributor): @Deleted Another suggestion would be to add an inbound rule to your Network Security Group for your AVD (if you have one) which would only allow RDP port 3389 connections from a limited number of IP addresses (your admin machines, for example). Your RD-client RemoteApp connections would be unaffected by this rule.
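
The NSG approach from the last reply, as an added example that is not part of the thread: Az PowerShell that allows RDP from the admin machines and explicitly denies it from every other source. The explicit deny matters because the default `AllowVnetInBound` rule (priority 65000) would otherwise still admit port 3389 from sources covered by the `VirtualNetwork` tag, which includes internal and VPN-connected address space. Resource names, addresses and priorities are placeholders chosen for illustration.

```powershell
# Added example. Resource names, source addresses and priorities are
# placeholders (assumptions); replace them with your own values.
$rg       = '<resource-group>'
$nsgName  = '<avd-session-host-nsg>'
$adminSrc = @('192.0.2.10/32', '192.0.2.11/32')   # constructed admin workstation addresses

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# 1. Allow RDP (TCP and UDP 3389) only from the admin machines, so support
#    staff can still open a full desktop session.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-Admin' `
    -Description 'RDP to session hosts from admin machines only' `
    -Access Allow -Direction Inbound -Priority 200 -Protocol '*' `
    -SourceAddressPrefix $adminSrc -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '3389' | Out-Null

# 2. Deny RDP from every other source. This rule must have a lower priority
#    (higher number) than the allow rule above, and a higher priority than
#    the default AllowVnetInBound rule (65000), or internal and VPN clients
#    still reach 3389. Only port 3389 is matched; other ports are untouched.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-Other' `
    -Description 'Block direct mstsc connections to session hosts' `
    -Access Deny -Direction Inbound -Priority 210 -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '3389' | Out-Null

# Push both rules to Azure in one update.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Review the resulting custom rules in evaluation order.
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName).SecurityRules |
    Sort-Object Priority |
    Format-Table Priority, Name, Access, Direction, SourceAddressPrefix, DestinationPortRange
```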