-1

We have blocked all direct connections from client computers to the Internet in our firewalls and only allow Internet access via http and https through a Squid proxy. Now one of my users requests permission to use accounting software provided as SaaS via RDP. I am reluctant to allow this because of the possibility of making local resources (printer, clipboard, disk drive, camera) available to the RDP session. I see a risk that the SaaS provider's server might gain unauthorized access for example to my user's disk or camera.

The user in question is not an IT expert and I doubt she would be able to reliably disable local resource sharing in the remote desktop client each time she connects to the service.

Is there a way to technically limit the RDP connection to pure video/keyboard/mouse functionality without any resource sharing?

Specifically:

  1. Can resource sharing over RDP be blocked selectively in the firewall or a proxy without completely blocking RDP?

  2. Is there a GPO or other administrative setting for disabling resource sharing in the Microsoft remote desktop client? Everything I could find so far applies to the server side which doesn't help in the case the server isn't under my control.

  3. Is there an alternative RDP client program without that functionality?

Tilman Schmidt
  • There are group policy settings for pretty much all the resource sharing options. – user Mar 18 '22 at 16:31
  • Have you looked this up? https://www.google.com/search?q=rdp+gpo+block+resource+sharing – schroeder Mar 18 '22 at 17:01
  • Indeed, I have. – Tilman Schmidt Mar 18 '22 at 19:43
  • @user Would you care to spell out the GPMC path? Everything I could find applies to the server side, which doesn't help in this case. – Tilman Schmidt Mar 23 '22 at 11:25
  • Btw if the person who downvoted the question would share their reason to do so, I'll happily fix any problem you're seeing. – Tilman Schmidt Mar 23 '22 at 13:06
  • @TilmanSchmidt Oh good point, most of that is assuming you want to secure the server from clients. I guess what I'd look at is disabling the "Allow .rdp files from unknown publishers" option, enabling the "Allow .rdp files from valid publishers and user's default .rdp settings", then setting up and signing a .rdp file with all the sharing options disabled and providing that to the user. – user Mar 23 '22 at 14:16
  • Unfortunately, allowing a signed .rdp file and allowing manually configured sessions is controlled by one and the same setting so I'd have to trust my users not to enable resource sharing manually, for example if the service provider asks them to do so for seemingly good reasons such as "otherwise we cannot provide support." – Tilman Schmidt Mar 23 '22 at 14:46
  • Does the remote desktop client allow you to change settings even when you set the user's default .rdp file to a signed, restricted .rdp file with those options set? – user Mar 23 '22 at 15:01
  • I don't know. But even if it doesn't, what prevents the user from just deleting or moving the signed default.rdp file? – Tilman Schmidt Mar 23 '22 at 15:28
  • You should be able to change the permissions and owner to prevent them from modifying/moving the file. – user Mar 23 '22 at 16:34
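
An added example, not part of the original post or its comments: a check an administrator could run on the restricted .rdp file discussed in the comments above before signing and handing it out. The property names are standard .rdp settings; the required-off list, the choice to report absent properties as findings, and the sample file are assumptions of this example.

```python
import codecs

# Redirection properties that must be pinned off (this example's policy).
# Integer properties must be 0; string properties must be empty (no list, no "*").
REQUIRED_OFF = {
    "redirectclipboard": "i",
    "redirectprinters": "i",
    "redirectcomports": "i",
    "redirectsmartcards": "i",
    "audiocapturemode": "i",
    "drivestoredirect": "s",
    "devicestoredirect": "s",
    "camerastoredirect": "s",
}

def decode_rdp(raw: bytes) -> str:
    """mstsc saves .rdp files as UTF-16 with a BOM; hand-written ones are often UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def audit_rdp(raw: bytes) -> list[str]:
    """Return findings; an empty list means every listed redirection is pinned off."""
    seen, findings = {}, []
    for line in decode_rdp(raw).splitlines():
        parts = line.strip().split(":", 2)  # the value may contain ':' (host:port)
        if len(parts) != 3:
            continue
        name, typ, value = parts[0].lower(), parts[1].lower(), parts[2].strip()
        if name not in REQUIRED_OFF:
            continue
        if name in seen:
            findings.append(f"{name}: set more than once")
        seen[name] = value
        if typ != REQUIRED_OFF[name]:
            findings.append(f"{name}: unexpected type '{typ}'")
        elif (typ == "i" and value != "0") or (typ == "s" and value != ""):
            findings.append(f"{name}: redirection enabled ({value!r})")
    # An absent property is not "off": the client falls back to its own default.
    findings += [f"{n}: not set in file" for n in REQUIRED_OFF if n not in seen]
    return findings

# Constructed sample, encoded the way mstsc writes it (UTF-16 with BOM).
SAMPLE = ("full address:s:saas.example.invalid:3389\r\n"
          "redirectclipboard:i:1\r\nredirectprinters:i:0\r\n"
          "drivestoredirect:s:*\r\ncamerastoredirect:s:\r\n").encode("utf-16")

if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE):
        print(finding)
```

The check only validates the file's contents; whether the user can override those values in the client is the separate question raised in the comments.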

1 Answer

0

It's funny you ask this because I was just going through my services on Windows 10 and noticed the service: UmRdpService - Remote Desktop Services UserMode Port Redirector.

It has the description:

Allows the redirection of Printers/Drives/Ports for RDP connections

I have never tried it, but I would imagine disabling or restricting this service would prevent resource sharing over RDP since that's what it explicitly states is its purpose.

8vtwo
  • Alas, the UmRdpService service is also running on the server side to which I have no access. I need a way to influence the function on the client side. – Tilman Schmidt Mar 23 '22 at 13:03