How can I allow only selective clients to access Windows 2022 server through Remote Desktop?

Anonymous
2024-01-08T17:04:47+00:00

We have a VPN-connected network of around 50 PCs. We expect only 15 PCs to be given access to the server through Remote Desktop. How to achieve this? In built --> Remote Desktop Users security group was added with the selective computers. Still, other computers are also getting access through Remote Desktop. We access only through the VPN network. Public network access is blocked. Please advise on how to get this done.

This question was migrated from the Microsoft Support Community.

Accepted answer
  1. Anonymous
    2024-01-16T06:41:16+00:00

    Dear Mr Ramamurthy R S,

    I'm sorry that the steps I gave you were not possible. After inquiry, I found out adding computers by name in the firewall rule is not available in any edition of Windows Server 2022, including the Datacenter edition.

    Windows Server 2022 firewall rules only support access control based on IP addresses and not based on computer names. This is because computer names require DNS resolution to be converted to IP addresses, and firewall rules do not support DNS resolution. Therefore, network access can only be restricted by adding IP addresses. This limitation applies to all editions of Windows Server 2022, including the Datacenter edition.

    Best Regards,

    Haijian Shan

    1 person found this answer helpful.

4 additional answers

  1. Anonymous
    2024-01-09T01:59:54+00:00

    Hello Mr Ramamurthy R S,

    Thank you for posting in Microsoft Community forum.

    You are currently in a composite environment involving VPN connectivity as well as remote desktop services. I have two scenarios for your reference.

    First, by remote desktop services to allow only selective clients to access Windows Server 2022 through Remote Desktop, you can follow these steps:

    1. Create a new security group in Active Directory for the users who need access to the server through Remote Desktop.
    2. Add the users who need access to the new security group.
    3. On the server, open the Local Security Policy editor by typing "secpol.msc" in the Run dialog box.
    4. Navigate to Local Policies > User Rights Assignment.
    5. Double-click on "Allow log on through Remote Desktop Services" and add the new security group you created in step 1.
    6. Remove the "Remote Desktop Users" group from the list of users who are allowed to log on through Remote Desktop Services.
    7. Ensure that the VPN connection is required to access the server.

    After completing these steps, only the users who are members of the new security group will be able to access the server through Remote Desktop. If you are still experiencing issues with other computers being able to access the server, you may need to check your network configuration to ensure that the VPN connection is properly configured and that public network access is blocked.

    Second, you can use Windows Firewall to create a rule that allows Remote Desktop traffic only from the IP addresses of the 15 PCs that you want to allow access.

    Here are the steps to create the firewall rule:

    1. On the Windows 2022 server, open Windows Firewall with Advanced Security.
    2. Click on "Inbound Rules" in the left pane, and then click "New Rule" in the right pane.
    3. In the New Inbound Rule Wizard, select "Custom" and click "Next".
    4. In the "Program" screen, leave the default setting of "All programs" and click "Next".
    5. In the "Protocol and Ports" screen, select "TCP" and enter "3389" as the port number (this is the default port used by Remote Desktop). Click "Next".
    6. In the "Scope" screen, under "Remote IP address", select "These IP addresses" and click "Add". Enter the IP addresses of the 15 PCs that you want to allow Remote Desktop access from, and click "OK". Click "Next".
    7. In the "Action" screen, select "Allow the connection" and click "Next".
    8. In the "Profile" screen, select the appropriate network profiles (e.g. Domain, Private, Public) and click "Next".
    9. In the "Name" screen, enter a name for the rule (e.g. "Allow Remote Desktop from select PCs") and click "Finish".

    Once you have created the firewall rule, only the 15 PCs whose IP addresses are listed in the rule will be able to access the Windows 2022 server through Remote Desktop. Other PCs on the VPN-connected network will be blocked by the firewall rule.

    It's important to note that you should test the firewall rule in a non-production environment before deploying it on your live network, and make sure that you have a backup plan in case any issues arise.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Haijian Shan

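The firewall approach from the answer above, scripted in PowerShell as an added example that is not part of the original thread: it creates the rule from steps 1 to 9, applies the same scope to the built-in "Remote Desktop" rule group (an extra allow rule does not narrow allow rules that are already enabled), and lists any rule that still leaves 3389 open to all addresses. The addresses are constructed placeholders, the `Domain, Private` profile choice is an assumption, and the group name assumes English display names.

```powershell
# Added example, not from the thread. Run from the server console or from a
# listed address: an RDP session from any other address is cut off.

# Constructed placeholder addresses (RFC 5737 range); list the 15 PCs here.
$AllowedClients = @('192.0.2.11', '192.0.2.12', '192.0.2.13')

# Reject malformed entries before any rule is changed.
foreach ($entry in $AllowedClients) {
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($entry, [ref]$parsed)) {
        throw "Not a valid IP address: $entry"
    }
}

# Save the current scope of the built-in rules so it can be restored.
$backup = Join-Path $env:TEMP 'rdp-scope-before.xml'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress |
    Export-Clixml -Path $backup

# The rule from steps 1-9 of the answer, created without the wizard.
# The -Profile value is an assumption; use the profile of the VPN interface.
New-NetFirewallRule -DisplayName 'Allow Remote Desktop from select PCs' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedClients -Action Allow -Profile Domain, Private

# Allow rules are additive, so the built-in rules get the same scope.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowedClients

# Report every enabled inbound allow rule that names port 3389 and still
# accepts any remote address.
$open = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($port.LocalPort -contains '3389') -and ($addr.RemoteAddress -contains 'Any')
    }
if ($open) {
    $open | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    'No enabled inbound allow rule exposes port 3389 to all remote addresses.'
}
```

If the VPN hands out addresses dynamically, the listed addresses need DHCP reservations or static assignment, otherwise the allow-list drifts away from the 15 intended PCs.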
  2. Anonymous
    2024-01-11T08:38:25+00:00

    Dear Haijian Shan

    Thank you for your support and response.

    I followed your first advice. Still, I am able to access Remote Desktop through unauthorised computers also.

    For the second advice, I prefer to identify the 15 computers by computer names. Is it possible to configure by computer names, instead of IP numbers? Please advise.

  3. Anonymous
    2024-01-12T09:08:16+00:00

    Hello Mr Ramamurthy R S,

    Thank you for your reply.

    Yes, it is possible to configure the firewall rule to allow Remote Desktop traffic only from specific computers by their names instead of IP addresses. Here are the steps to do so:

    1. On the Windows 2022 server, open Windows Firewall with Advanced Security.
    2. Click on "Inbound Rules" in the left pane, and then click "New Rule" in the right pane.
    3. In the New Inbound Rule Wizard, select "Custom" and click "Next".
    4. In the "Program" screen, leave the default setting of "All programs" and click "Next".
    5. In the "Protocol and Ports" screen, select "TCP" and enter "3389" as the port number (this is the default port used by Remote Desktop). Click "Next".
    6. In the "Scope" screen, under "Remote IP address", select "These IP addresses" and click "Add".
    7. Click on "Add" button and select "Computer" option.
    8. In the "Add Computers" dialog box, enter the names of the 15 computers that you want to allow Remote Desktop access from, separated by commas. Click "OK".
    9. Click "Next".
    10. In the "Action" screen, select "Allow the connection" and click "Next".
    11. In the "Profile" screen, select the appropriate network profiles (e.g. Domain, Private, Public) and click "Next".
    12. In the "Name" screen, enter a name for the rule (e.g. "Allow Remote Desktop from select PCs") and click "Finish".

    Once you have created this firewall rule, only the 15 computers whose names are listed in the rule will be able to access the Windows 2022 server through Remote Desktop. Other computers on the VPN-connected network will be blocked by the firewall rule.

    Best Regards,

    Haijian Shan

  4. Anonymous
    2024-01-13T13:04:55+00:00

    Dear Haijian Shan

    Thank you for your support and time spent.

    Up to S.No 6, I could do.

    S.No. 7, the options are not available. This is Windows Server 2022, Standard edition. Please advise.
