Restrict RDS access for XP users

Question

Please note, when I say "server", I don't mean the RDS client/server software on each persons computer, I mean a single central server which may be able to control which client computers can connect to the central RDS farm.

How do I go about blocking users from accessing my RDS server if they are using Windows XP? With XP's EOL just around the corner, I want to stop XP users from accessing my RDS server.

I would like to do this from a central LAN server and not from the users computers. If this can be done from a central server, does anyone know how?

Can I assume you want this control on the server and not to just disable it on the local machine? — Dave, Mar 06 '14 at 09:42
@DaveRook, Your assumption is correct. I would like to control this from the server. — oshirowanen, Mar 06 '14 at 11:27
How can I know if they have XP at home or not? I was hoping that the RDS server would be able to detect this somehow by maybe checking the client software rds version (mstsc.exe) and if it's the version from windows xp, don't allow them to login? I could tell them that if you have XP, you account will be disabled, but then they will just say "we've upgraded now" even if they haven't. Is there no way of detecting which OS they are running? — oshirowanen, Mar 07 '14 at 16:31

score 0 · Answer 1 · answered Mar 06 '14 at 11:04

In windows 7+, when you enable the Remote Desktop connections, you get to choose the type of Authentication, as displayed on image below:

Remote Desktop Services in Windows 7

In Windows help, it says like this:

Select Don’t allow connections to this computer to prevent anyone from connecting to your computer using Remote Desktop or RemoteApp.

Select Allow connections from computers running any version of Remote Desktop to allow people using any version of Remote Desktop or RemoteApp to connect to your computer. This is a good choice if you don't know the version of Remote Desktop Connection that other people are using, but it is less secure than the third option.

Select Allow connections only from computers running Remote Desktop with Network Level Authentication to allow people with computers running versions of Remote Desktop or RemoteApp with Network Level Authentication to connect to your computer. This is the most secure choice if you know that the people who will connect to your computer are running Windows 7 on their computers. (In Windows 7, Remote Desktop uses Network Level Authentication.)

So, if you select the third option (Allow connections only from computers running Remote Desktop with Network Level Authentication), this supposedly should allow only users connecting from Windows 7+ to connect.

Also, I am not sure if this was fixed in Windows XP SP3.

I am not sure if this is applicable to your case.

Whilst this was a good answer, the OP has made an update based upon my questions which sadly makes this answer irrelevant now, but good try :) — Dave, Mar 06 '14 at 11:32
Thanks for this. Although helpful, I was after a method to control this from the servers instead of from the users actual computers. I have updated my question to make this clear. — oshirowanen, Mar 06 '14 at 11:32
I don't know what you mean. This is configuration on the PC that accepts connections, which should be server? — dkasipovic, Mar 06 '14 at 14:10
So it's not possible to do this on a single central server and have it populate all client computers? — oshirowanen, Mar 20 '14 at 11:28

Restrict RDS access for XP users

1 Answers1