How can I prevent RDWeb (Remote Desktop Web Access) attempting to authenticate/login ANY user on the domain!? I was under the impression only users configured in our CAP (Connection Access Policy) & RAP (Resource Access Policy) were allowed to login. However a user not in those policies was able to login successfully. Intentional wrong passwords were tried for that user confirming it could be locked out on the domain, which is the exact issue we're facing occasionally. I'm guessing someone on the internet is trying to hack in using that username.
Things I've tried:
- I've setup 'Remote Access Account Lockout' on the sole RDS server, but it doesn't appear to be working. The account is still being locked out & the registry subkey
domain name:user name
isn't being created. Can this even work with RDWeb? - Denying certain users the read rights to
%WinDir%\Web\RDWeb
blocked certain users successfully logging in, but those same user accounts could still be locked-out after bad password attempts.
We're going to be using DirectAccess in the near future & remote access configuration might even be handled by someone else so we're looking for easy/free solutions!
I was under the impression only users configured in our CAP (Connection Access Policy) & RAP (Resource Access Policy) were allowed to login.
- Yes, but that doesn't prevent "hackers" from attempting to log in. If a "hacker" attempts to log in using a valid user account and exceeds the account lockout threshold then the account is going to be locked out. That's the entire point of having an account lockout policy.