segunabefe-6547 asked:

Restrict Remote MMC

Hi,

Current: Domain user can launch MMC console on their computer, select remote server A, select and use MMC snap-ins to work on the remote server A.

Goal: I want to block MMC on the remote server A so that if a domain user launches the MMC console on their computer, selects remote server A and then selects MMC snap-ins, the domain user is notified that a restriction is in place or that access is denied.

Domain administrator should be able to launch MMC console from remote server B, select remote server A, select and use MMC snap-ins to work on the remote server A.

Domain user should be able to use MMC snap-ins on their own computer.


Please, I would appreciate any help and guidance.

Thank you


What snap-in (or WMI query) are you really trying to block? Since the Domain User does not have administrator rights, they will not be able to make any changes that the Domain Admin would be able to make. The user is already limited as to what they can do.

Will the Domain User access network shares or web sites on Server A?

Are all 3 machines on the same or different subnets? (Can you block access by IP address?)


This is what I want to achieve:
Scenario

1. On server A, Domain admin disables the Services snap-in under Restricted/Permitted snap-ins.
2. On server A, Domain admin launches the mmc console and cannot access the Services snap-in because it is disabled.
3. Domain user logs in to a workstation on the same network and same domain as server A.
4. Domain user launches the mmc console on the workstation, selects server A as the computer to manage and selects Services as the snap-in to manage on server A.
5. Domain user was able to launch the Services snap-in on server A remotely and was able to modify services on server A (despite it being restricted and disabled on server A).

If I restrict a snap-in on server A, anyone who logs in to server A locally is restricted from using that snap-in on the server. I also want the restriction to affect anyone who uses the mmc console to remotely connect to server A, so that they cannot use a restricted snap-in on server A.


Thank you


All the systems are on the same subnet. I want to block snap-ins like Services, Disk Management, Device Manager and a bunch of others.

MotoX80 answered:

One way to stop MMC is to define a firewall rule that blocks all outbound connections on non-admin desktops.

As I noted in a prior post, this will not stop the user from executing a PowerShell command to query remote resources that they have access to.

And if the user has admin access on their own desktop, they can just temporarily turn off the firewall to bypass that rule. So you would need to lock down the desktop further with Active Directory group policy.


This approach will work


Thank you
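The outbound firewall rule MotoX80 describes, written out as an added PowerShell example that is not part of the thread; it assumes the NetSecurity cmdlets available on Windows 8 / Server 2012 and later, and the rule name is a constructed one.

```powershell
# Added example (not from the original thread): block every outbound connection
# started by mmc.exe on a non-admin workstation, then verify the rule took effect.
# Assumes the NetSecurity module (New-NetFirewallRule etc.) is present.
$ruleName = 'Block outbound MMC (remote management)'   # constructed name

# Remove any earlier copy so the script can be re-run without creating duplicates.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Block outbound traffic for mmc.exe on all network profiles. Snap-ins such as
# Services or Disk Management reach the remote server through mmc.exe's own
# RPC/SMB connections, so this stops the remote-management path from this host.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound `
    -Program "$env:SystemRoot\System32\mmc.exe" `
    -Action Block `
    -Profile Any `
    -Enabled True | Out-Null

# Verify: the rule must exist, be enabled, block, and be bound to mmc.exe.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$app  = $rule | Get-NetFirewallApplicationFilter
[pscustomobject]@{
    Name    = $rule.DisplayName
    Enabled = $rule.Enabled
    Action  = $rule.Action
    Program = $app.Program
}
```

As the answer notes, a user who is a local administrator can delete or disable a locally created rule, so for it to hold it should be delivered through Computer Configuration firewall policy in a GPO, where local edits do not override it.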

CarlFan-MSFT answered:

Hi,
Please refer to the information in the link below:
Restrict remote mmc
https://stackoverflow.com/questions/22485479/restrict-windows-server-2008-r2-remote-mmc
You could disable the setting Restrict users to the explicitly permitted list of snap-ins in GPO.
If you disable this setting, all snap-ins are permitted. Then you could disable the snap-in which you want to disable under the path User Configuration/Administrative Templates/Windows Components/Microsoft Management Console.
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl
