In this article, I'll quickly discuss how a single registry hack lets you completely disable or enable logons to your terminal server from all clients.
Prerequisites:
• A running terminal server that needs to have its logons disabled
• A registry editor, like regedit.exe
Section 1: The hack:
In the registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, edit the string value of WinStationsDisabled and set it to 1. This will effectively disable all remote terminal services logons to the server. Beware though, as disabling all remote terminal services logons can possibly lock you out of your terminal server, especially if you only have access to the server through terminal services.
If a person attempts to connect to your server while WinStationsDisabled is set to 1, they will successfully connect, but instead of seeing an authentication box, they will receive an error message saying, "Remote logins are currently disabled." Performing this hack will not prevent people from connecting to port 3389 on your terminal server.
Section 2: An alternative hack:
If you are running Windows Server 2003, and you want to disable/enable logons to your terminal server while you are in remote administration mode, then you can do a similar hack.
In the registry at HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server, edit the DWORD value of fDenyTSConnections and set it to 1. This will effectively disable all remote admin terminal services logons to the server. Just as before, beware that disabling all remote terminal services logons can possibly lock you out of your terminal server, especially if you only have access to the server through terminal services.
Setting fDenyTSConnections to 1 will effectively disable the RDP listener on port 3389, thus making it impossible for users to connect on that port.
For both of these hacks, you can also enable terminal services by doing the opposite. Instead of setting your desired registry entry to 1, set it to 0.
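Both settings above, scripted with a guard for the lockout case. This is an added example, not part of the original article. It assumes PowerShell 3.0 or later in an elevated session; the function names and the SESSIONNAME-based guard are illustrative assumptions.

```powershell
# Added example: read and set the two registry values described in the article.
# Function names are hypothetical; run from an elevated PowerShell prompt.
$WinlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$TsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-TsLogonState {
    # A value that does not exist is reported as $null rather than guessed.
    $w = (Get-ItemProperty -Path $WinlogonKey -Name WinStationsDisabled `
            -ErrorAction SilentlyContinue).WinStationsDisabled
    $d = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections `
            -ErrorAction SilentlyContinue).fDenyTSConnections
    [pscustomobject]@{
        WinStationsDisabled = $w                      # string: "0" or "1"
        fDenyTSConnections  = $d                      # DWORD: 0 or 1
        LogonsBlocked       = ("$w" -eq '1') -or ($d -eq 1)
    }
}

function Set-TsLogonState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Winlogon', 'Listener')][string]$Method,
        [Parameter(Mandatory = $true)][bool]$Disable,
        [switch]$Force
    )
    # Lockout guard (assumption): SESSIONNAME starts with "RDP-" when this
    # shell runs inside a Remote Desktop session, so disabling logons from
    # here could cut off the only way back in.
    if ($Disable -and -not $Force -and $env:SESSIONNAME -like 'RDP-*') {
        throw 'Refusing to disable logons from inside an RDP session; use -Force to override.'
    }
    $flag = [int]$Disable   # 1 = logons disabled, 0 = logons enabled
    if ($Method -eq 'Winlogon') {
        # Section 1: WinStationsDisabled is a string value.
        Set-ItemProperty -Path $WinlogonKey -Name WinStationsDisabled `
            -Value "$flag" -Type String
    } else {
        # Section 2: fDenyTSConnections is a DWORD value.
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections `
            -Value $flag -Type DWord
    }
    Get-TsLogonState        # return the state after the change
}

# Usage:
#   Get-TsLogonState
#   Set-TsLogonState -Method Winlogon -Disable $true
#   Set-TsLogonState -Method Listener -Disable $false
```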