Restrict access to specific AD users/groups

Discussion in 'Parallels Remote Application Server' started by AndreaGiacomin, Nov 12, 2020.

  1. AndreaGiacomin

    AndreaGiacomin Bit Poster

    Is it possibile on RAS 17.5 restrict access on Parallels Client and on HTML5 Gateway to specific users or groups in Active Directory.
    In a scenario where there are hundreds or thousands of users is possible that an attacker guess the username and password of user, register the 2FA (if the user never used the RAS services) and access the application exposed to all domain users.
    The possibile workarounds I can think of are:
    - protect all users with 2FA. Very impractical.
    - filter all application to specific user or group.

    Andrea Giacomin
  2. Alexey Kutuzov

    Alexey Kutuzov Parallels Team

    Dear Andrea, RAS does support user and groups filtering:
    At published item level: AD user and group filtering.jpeg
    at theme level:
    Screen Shot 2020-12-11 at 17-55-03.jpeg
  3. AndreaGiacomin

    AndreaGiacomin Bit Poster

    Hi Alexey,
    thank you for the reply.
    The filter on theme level will do the job!

    The only downside I see on theme level filter is that an attacker guessing credentials get a positive feedback if user exist and the password are correct, instead of a generic login error.
    If MFA is enabled and a user is not alowed to login at theme level, it will ask for MFA registration and then access is prohibited. Just a feedback: it would be better to block MFA registration if the user is prohibited to login.

Share This Page