Terminal Server Security issue

I have installed a Windows terminal 2003 server; I need the users to have the ability to right/edit the registry (so the application will work properly) - they are not suffused to edit it manually!!! Or having administrative rights on the server

Right now Im kind of bypassing this problem with "Quick Menu Builder" and the environment option in the active directory

Anyone?
siltechAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ali_JasCommented:
this looks as an operating issue to me, You'd better ask the question there, because more experts will be able to help you.
0
Ali_JasCommented:
errr.. operating system issue... not operating issue :S
0
siltechAuthor Commented:
its about Group policy
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Ali_JasCommented:
Group policy is also OS related, not networking.

networking here is by means of routers, cabeling and so on.
I should just delete the question here and move it to the OS section.
0
MBarber1957Commented:
A quick way would be to add them to a group on the server, then make that group a member of the LocalAdmin / Administrators group on the local box. That's if you trust them with such authority. This would give them full control of the local machine (not the same as a network administrator).
0
RLGSCCommented:
Siltech,

When you say "modify the registry", I presume that you mean the entire contents of the registry, not User-specific information.

If they have the right to modify the registry, then they can modify the registry -- period.

Certainly unintentionally, the rights and privileges to manipulate the registry create the potential to compromise the integrity of the system. The most common example of this is the dangers of adware/spyware.

I would suggest a thorough review of the application to determine what, exactly, are its needs and requirements. The answer from the developers that "we just need to manipulate the registry" is a poor answer. Once you allow manipulation of the registry, the integrity of the system is destroyed.

I hope that the above is helpful.

- Bob (aka RLGSC)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
siltechAuthor Commented:
that That’s exactly the problem, I can't trust them and I can't let them to act as administrators or change the administrative rights

I what them to be a standard users with the ability to right to the registry , without the run command, access to the control panel ecc…
0
siltechAuthor Commented:
maybe I just duplicate the administrator to a differnt user and lock some icons for this user with "power toy"
what do you think about this?
0
RLGSCCommented:
Siltech,

What you are asking for is a contradiction.

If they have the rights to modify the registry, then they can compromise the system -- period. It does not matter whether it is deliberate (e.g., using REGEDIT) or accidental (e.g., spyware, adware, ActiveX).

What needs to be examined very carefully is what the application is doing that requires registry access, and whether it is operating in an appropriate manner. I have done these reviews on a variety of platforms, and it is often amazing what the justifications for administrative rights are, and how unneeded they are (on a different platform, I just taught a 4 hour seminar on how to delegate management rights over specific applications WITHOUT granting overall administrative rights).

I hope that this information is helpful.

- Bob (aka RLGSC)
0
siltechAuthor Commented:
Right now I solved it with "quick menu builder"

When a user logs on to the server he has an html menu with "buttons" for his unique applications

This "menu" configured to start automatically as an active directory environment
When a user is trying to close the menu and "playing" with the MS Desktop, the session ends automatically and forces the user to log off

What do you think on the solution?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.