Preventing full desktop session login when just using app remoting

Case as follows:
We have some smart users who just figure out the name of the WVD session host from a remote app they use.
What they do next is just fire off mstsc.exe to that session host and then they have access to the full desktop of the session host.
How can we prevent this?

4 Replies
How are the users connected to the service? Are they connected to the Azure network over VPN or do they connect via the internet? I assume via VPN, since via the internet the session hosts aren't reachable.
Why not change the default RDP port to something else?
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

Or disable RDP...

@vinisz Another suggestion would be to add an inbound rule to your Network Security Group for your AVD (if you have one) which would only allow RDP port 3389 connections from a limited number of IP addresses (your admin machines, for example). Your RD client RemoteApp connections would be unaffected by this rule.
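As an added example (not from the thread or from any poster), here is the NSG rule pair described above written with the Azure PowerShell Az.Network cmdlets; the resource group, NSG name and admin address list are placeholders, and the explicit Deny rule is included because the built-in AllowVnetInBound default rule would otherwise still admit VPN and internal users:

```powershell
# Added example: restrict inbound TCP/3389 on the AVD session-host NSG to admin machines.
# Placeholder values, replace with your own:
$ResourceGroup = 'rg-avd-hosts'                       # placeholder
$NsgName       = 'nsg-avd-sessionhosts'               # placeholder
$AdminPrefixes = @('10.10.0.10/32', '10.10.0.11/32')  # constructed admin workstation IPs

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup

# 1) Allow direct RDP only from the admin machines (lowest number = highest priority).
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Allow-RDP-From-Admins' `
    -Description 'Direct mstsc to session hosts permitted for admin machines only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $AdminPrefixes -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null

# 2) Deny TCP/3389 from everyone else. Without this, the default rule
#    AllowVnetInBound (priority 65000) still lets VPN/on-premises users in.
#    RemoteApp sessions do not need inbound 3389 from the client, so they are unaffected,
#    and the rule is TCP-only, so AVD's UDP-based Shortpath traffic is not touched.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Deny-RDP-From-All' `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null

# Commit both rules to Azure.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Review the resulting 3389 rules in priority order to confirm Allow sits above Deny.
(Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup).SecurityRules |
    Where-Object { $_.DestinationPortRange -contains '3389' } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, Direction, SourceAddressPrefix -AutoSize
```

Keep the admin list short and confirm that support tooling you still rely on for the hosts either comes from those prefixes or does not depend on inbound 3389.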

They can access it via VPN, yes... (but also internally).
Blocking some things via firewall/NSG might help here; I have to check on that... (support must still be possible and AVD Shortpath should still work).