Solved

Locking down Terminal Server

Posted on 2004-09-15
Last Modified: 2010-04-19
Hello, I need to allow remote users to access a program running on a member server. Terminal Server is running in application mode. Any hints, or suggestions on restricting their access to only the one program and select folders?
Question by:91mustang
 
LVL 15

Accepted Solution

by:
harleyjd earned 500 total points
ID: 12074410
Set the default user's profile to have nothing in the \Start Menu\Programs folder.

Add only the program shortcut to the All Users \Start Menu\Programs folder.

Hide/restrict users' access to the c:\ drive via group policy. Hide any other stuff you see fit.

Run the chkroot application compatibility script to give them a virtual rootdrive - I use W:, but you can use anything.

This should allow them to see only the one icon, and not be able to browse for any executables on the c:\ drive...

Check the following for some general info:

How to Apply Group Policy Objects to Terminal Services Servers - http://support.microsoft.com/default.aspx?scid=kb;en-us;260370&sd=tech
Loopback Processing of Group Policy - http://support.microsoft.com/default.aspx?scid=kb;EN-US;231287
Locking Down Windows Server 2003 Terminal Server Sessions - http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en
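
An audit sketch for the steps in the accepted answer, added here as an example and not part of the original post or any Microsoft tool. It assumes the Windows Server 2003 default profile paths, a hypothetical shortcut name `LineOfBusinessApp.lnk`, and that the drive restrictions are the Explorer policies that write the `NoDrives` and `NoViewOnDrive` values; run it inside a restricted user's session so `HKCU` reflects the applied policy.

```powershell
# Added example: checks the Start Menu and drive-hiding lockdown described above.
# All default values below are assumptions; adjust them for the server being audited.
param(
    [string]$DefaultUserPrograms = 'C:\Documents and Settings\Default User\Start Menu\Programs',
    [string]$AllUsersPrograms    = 'C:\Documents and Settings\All Users\Start Menu\Programs',
    [string[]]$AllowedShortcuts  = @('LineOfBusinessApp.lnk'),   # hypothetical shortcut name
    [char[]]$RestrictedDrives    = @('C')
)

function Get-DriveMask([char[]]$Letters) {
    # NoDrives / NoViewOnDrive are bitmasks: A = 1, B = 2, C = 4, ... Z = 2^25
    $mask = 0
    foreach ($l in $Letters) {
        $bit  = [int][char]::ToUpper($l) - [int][char]'A'
        $mask = $mask -bor [int][math]::Pow(2, $bit)
    }
    return $mask
}

$findings = @()

# Step 1: the Default User profile should contribute no program shortcuts.
$extra = @(Get-ChildItem -Path $DefaultUserPrograms -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer })
if ($extra.Count -gt 0) {
    $findings += "Default User Programs folder is not empty: $($extra.Count) file(s)"
}

# Step 2: All Users should contain only the allowed shortcut(s).
$unexpected = @(Get-ChildItem -Path $AllUsersPrograms -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $AllowedShortcuts -notcontains $_.Name })
foreach ($f in $unexpected) { $findings += "Unexpected Start Menu item: $($f.FullName)" }

# Step 3: both Explorer drive policies should cover every restricted drive.
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$want = Get-DriveMask $RestrictedDrives
foreach ($name in 'NoDrives', 'NoViewOnDrive') {
    $have = 0
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($prop) { $have = [int]$prop.$name }
    if (($have -band $want) -ne $want) {
        $findings += "$name does not cover drive(s) $($RestrictedDrives -join ', ') (value: $have)"
    }
}

if ($findings.Count -eq 0) { 'Lockdown checks passed' } else { $findings }
```

These two policy values restrict what the Explorer shell shows and opens; they are not file-system permissions, so NTFS ACLs on the drive still decide what a session can actually read or execute.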
 
LVL 1

Expert Comment

by:birkoff
ID: 12113875
harleyjd: Did you ever try to create a shortcut on (for example) the desktop to a folder or file on the restricted c: drive? Until now it always works for me. According to me it's a great bug in the Windows environment.

Also, double-clicking on a folder in the Start menu has a bug. It opens an Explorer window. This is a great problem if you have a redirected Start menu on another server. Even after completely locking down an entire terminal server with policies you are still able to browse the network and see / access shares etc.

Until now I never found a good solution for these kinds of problems.

 
LVL 2

Expert Comment

by:pjimerson
ID: 14897056
I'd suggest you go into the remote desktop client's options (by clicking on the Options button of the remote desktop client - before you connect), then go to the Program tab and check the box labelled "Start the following program on connection". Then the other fields on this tab won't be greyed out. You can then specify the program you wish to restrict your users to in the uppermost field. That will run the program immediately after they log in. Should they choose to terminate that program, their remote desktop session will end. I can't say for sure if there's a way around this (key combinations to bring up Windows Explorer, or perhaps some feature of the program that allows them to browse for a file being misused to run another program) but I believe it was meant to do what you need it to do.

Good Luck,

pjimerson