Solved

RDP user security

Posted on 2006-06-02
316 Views
Last Modified: 2010-04-18
Hi,

I am running Windows 2003 Server and have a remote user who accesses our LAN via a separate hardware-based VPN.

All works fine and the user has access to mapped drives and can access their windows 200 desktop currently via netmeeting.

I would like this user to use our Windows 2003 RDP to run in a session on the server. This works fine and most of the security is good, i.e. they cannot access most folders etc.

My problem is that this user can access the Windows folder and run anything within it (e.g. regedit and other dangerous things).

Is there a way to prevent the user from seeing/accessing the server's Windows directory when running an RDP session? I have tried locking the folder to them using the Security tab, but it prevents them logging in.

Thanks in advance

C
Question by:chris_msl
10 Comments
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16816411
In the Terminal Services Configuration utility, highlight CONNECTIONS, then go to the properties of RDP-Tcp. Click the Permissions tab, add the user account here and give the user GUEST access.

Author Comment

by:chris_msl
ID: 16816468
Hi,

Thanks for the reply. I had already tried that; the user can still right-click Start, click Explore, go to the Windows folder and run things in it.

Any other suggestions would be appreciated though.

Kind regards

C
LVL 9

Expert Comment

by:dooleydog
ID: 16816695
Use a local policy to restrict some of the more serious things, like regedit and regedt32.

There are always NTFS permissions; you can deny this user the right to use any file, including .exe.

Good Luck,

Author Comment

by:chris_msl
ID: 16816729
Hi dooleydog,

Is that the only way to do this?

It just seems strange that the config allows for guest users, but they could still create havoc within the Windows directory. Is this a Microsoft oversight, or am I doing something that should not really be done?

Any advice/recommendations would be appreciated.

Thanks

C
LVL 33

Accepted Solution

by: NJComputerNetworks (earned 1000 total points)
ID: 16816854
There is no Microsoft oversight.

Do this:

In the Terminal Services Configuration utility, highlight CONNECTIONS, then go to the properties of RDP-Tcp. Click the Permissions tab, add the user account here and give the user GUEST access.

And MAKE SURE THE USER DOESN'T belong to other groups like Domain Admins or local Administrators.

Being Guest on RDP will not give the user rights to modify the registry (they can look at it though); they cannot modify info in the Windows dir (they can look at it though).

Author Comment

by:chris_msl
ID: 16816980
Many thanks
LVL 8

Expert Comment

by:bilbus
ID: 16826557
There are lots of things you can do, but it's best not to unless this is a terminal server only.

As long as they are not a local admin you are fine.

Author Comment

by:chris_msl
ID: 16831257
Many thanks for the comments.
I know I've accepted the answer, but does anyone know of any particular damage they could do to the server if they wanted? Or, to put it another way, is there anything in particular I should lock down?

Thanks to all

C

LVL 8

Expert Comment

by:bilbus
ID: 16831281
There are hundreds of settings:

Disable the cmd prompt, regedit, any program.
Remove read permission from all folders other than Windows, Program Files, and the software you run.
Turn off internet access.

You can make only a single program window show up when they log in, with no desktop or start bar.
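The accepted answer and bilbus's list above amount to a checklist: the user must not sit in an admin group, the RDP-Tcp listener should carry a Guest-level entry for them, regedit and cmd.exe can be switched off by per-user policy, a single program can replace the desktop, and an explicit NTFS Deny on the Windows folder is the setting the asker found breaks logon. The following audit script is an added example, not code from the thread or from any of the experts. It assumes PowerShell is installed on the Windows Server 2003 host, that it is run elevated, that the account name in $UserName is a placeholder to be replaced with the real local account, and that the Terminal Services WMI provider (Win32_TSAccount) lives in root\cimv2 on this OS version.

```powershell
# Added audit script; not from the thread or from any expert's post.
# Assumptions: PowerShell is present on the Windows Server 2003 host, the
# script runs elevated, $UserName is a placeholder for the remote user's
# local account, and Win32_TSAccount is exposed under root\cimv2 (its
# location on 2003; later versions moved it to root\cimv2\TerminalServices).
param(
    [string]$UserName = 'remoteuser',   # placeholder, replace with the real account
    [string]$Terminal = 'RDP-Tcp'
)

$findings = @()

# 1. Local Administrators membership: the accepted answer's key caveat is that
#    a GUEST entry on the listener is undone by admin membership elsewhere.
$group  = [ADSI]"WinNT://./Administrators,group"
$admins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
if ($admins -contains $UserName) {
    $findings += "FAIL: $UserName is a member of local Administrators"
} else {
    $findings += "OK:   $UserName is not in local Administrators"
}

# 2. Per-listener permission entry (Terminal Services Configuration ->
#    RDP-Tcp -> Permissions). The raw PermissionsAllowed mask is reported so
#    it can be compared against the GUEST preset; no entry means the user
#    connects only through a group such as Remote Desktop Users.
$entry = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_TSAccount -ErrorAction SilentlyContinue |
    Where-Object { $_.TerminalName -eq $Terminal -and $_.AccountName -match "(^|\\)$UserName$" }
if ($entry) {
    $findings += "INFO: $Terminal entry for $UserName, PermissionsAllowed=0x{0:X}" -f $entry.PermissionsAllowed
} else {
    $findings += "INFO: no explicit $Terminal permission entry for $UserName"
}

# 3. Initial program on the listener (bilbus's "single program window" option).
$wsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$Terminal"
$ws = Get-ItemProperty -Path $wsKey -ErrorAction SilentlyContinue
if ($ws -and $ws.InitialProgram) {
    $findings += "INFO: $Terminal launches only '$($ws.InitialProgram)' at logon"
} else {
    $findings += "INFO: $Terminal gives a full desktop (no InitialProgram set)"
}

# 4. NTFS ACL on %SystemRoot%: an explicit Deny for the user is the change the
#    asker tried and found prevents logon, so it is flagged, not recommended.
$acl = Get-Acl -Path $env:SystemRoot
foreach ($ace in $acl.Access) {
    if ($ace.IdentityReference.Value -match "(^|\\)$UserName$") {
        if ($ace.AccessControlType -eq 'Deny') {
            $findings += "WARN: explicit Deny ($($ace.FileSystemRights)) for $UserName on $env:SystemRoot"
        } else {
            $findings += "INFO: explicit Allow ($($ace.FileSystemRights)) for $UserName on $env:SystemRoot"
        }
    }
}

# 5. Per-user policies that disable regedit and cmd.exe. They live in the
#    user's own hive, so they are visible under HKEY_USERS only while that
#    user is logged on (or the hive has been loaded manually).
$sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$checks = @{
    'DisableRegistryTools' = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    'DisableCMD'           = "HKU:\$sid\Software\Policies\Microsoft\Windows\System"
}
if (Test-Path "HKU:\$sid") {
    foreach ($name in $checks.Keys) {
        $p = Get-ItemProperty -Path $checks[$name] -Name $name -ErrorAction SilentlyContinue
        if ($p -and $p.$name -ge 1) { $findings += "OK:   $name is set for $UserName" }
        else                        { $findings += "WARN: $name is not set for $UserName" }
    }
} else {
    $findings += "INFO: hive for $UserName not loaded; policy checks skipped"
}

$findings
```

Run it as `.\Audit-RdpUser.ps1 -UserName <account>` while the remote user has a session open so that step 5 can see their hive. A FAIL on step 1 is the one finding that invalidates everything else on the list, which is the point NJComputerNetworks makes in the accepted answer; the WARN on step 4 reproduces the asker's own observation that a Deny on the Windows folder stops the account logging in.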

Author Comment

by:chris_msl
ID: 16831310
Many thanks for the comments

C