Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 293
  • Last Modified:

Locking down Terminal Server

Hello, I need to allow remote users to access a program running on a member server. Terminal Server is running in application mode. Any hints,or suggestions on restricting their access to only the one program and select folders?  
0
91mustang
Asked:
91mustang
1 Solution
 
harleyjdCommented:
Set the default users profile to have nothing in the \Start Menu\Programs folder

Add only the program shortcut to the All User \Start Menu\Programs folder

hide/restrict users access to the c:\ drive via group policy. Hide any other stuff you see fit

run the chkroot application compatability script to give them a virtual rootdrive - I use W:, but you can use anything.

This should allow them to see only the one icon, and not be able to browse for any executables on the c:\ drive...

Check the following for some general info:

How to Apply Group Policy Objects to Terminal Services Servers - http://support.microsoft.com/default.aspx?scid=kb;en-us;260370&sd=tech
Loopback Processing of Group Policy - http://support.microsoft.com/default.aspx?scid=kb;EN-US;231287
Locking Down Windows Server 2003 Terminal Server Sessions - http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en
0
 
birkoffCommented:
harleyjd: did you ever try to create a shorcut on (for example) the desktop to a folder or file on the restricted c: drive. untill now it always works for me. according to me it's a great bug in the windows environment.

als double clicking on a folder in the start menu has a bug. it opens an explorer windows. this is a great problem if you have a redirected start menu on another server. even after complety locking down an entire terminal server with policies you are still able to browse the network and see / access shares etc.

untill now i never found a good solution for these kind of problems

0
 
pjimersonCommented:
I'd suggest you go into the remote desktop clients options (by clicking on the options button of the remote desktop client - before you connect) then go to the Program tab and check the box labelled "Start the following program on connection".  Then the other fields on this tab won't be greyed out.  You can then specify the program you wish to restrict your users in the uppermost field.   That will run the program immediately after they log in.   Should they choose to terminate that program their remote desktop session will end.   I can't say for sure if there's a way around this  (key combinations to bring up windows explorer, or perhaps some feature of the program that allows them to browse for a file perhaps being mis-used to run another program) but I believe it was meant to do what you need it to do.  

Good Luck,

pjimerson
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now