RDP user security

Hi,

I am running Windows 2003 Server and have a remote user who accesses our LAN via a separate hardware-based VPN.

All works fine and the user has access to mapped drives and can access their Windows 200 desktop currently via NetMeeting.

I would like this user to use our Windows 2003 RDP to run in a session on the server. This works fine and most of the security is good, i.e. they cannot access most folders etc.

My problem is that this user can access the Windows folder and run anything within it (e.g. regedit and other dangerous things).

Is there a way to prevent the user from seeing/accessing the server's Windows directory when running an RDP session? I have tried locking the folder to them using the Security tab, but it prevents them logging in.

Thanks in advance

C
chris_msl Asked:
 
NJComputerNetworks Commented:
There is no Microsoft oversight...

Do this...

In Terminal services Configuration utility, highlight CONNECTIONS... then go to properties of the RDP-TCP.  Click the Permissions Tab...  add the user account here... give the user GUEST Access..

and MAKE SURE THE USER DOESN'T Belong to other groups like domain admin or local admin...

Being guest on RDP will not give the user rights to modify the reg (they can look at it though)... they can not modify info in the Windows dir...  (they can look at it though)
 
NJComputerNetworks Commented:
In Terminal services Configuration utility, highlight CONNECTIONS... then go to properties of the RDP-TCP.  Click the Permissions Tab...  add the user account here... give the user GUEST Access..
 
chris_msl Author Commented:
Hi,

Thanks for the reply. I had already tried that; the user can still right-click Start, click Explore, go to the Windows folder and run things in it.

Any other suggestions would be appreciated though.

Kind regards

C
 
dooleydog Commented:
Use a local policy to restrict some of the more serious things, like regedit and regedt32.

There are always NTFS permissions; you can deny this user the right to use any file, including .exe

Good Luck,
 
chris_msl Author Commented:
Hi dooleydog,

Is that the only way to do this?

It just seems strange that the config allows for guest users, but they could still create havoc within the Windows directory. Is this a Microsoft oversight or am I doing something that should not really be done?

Any advice/recommendations would be appreciated.

Thanks

C
 
chris_msl Author Commented:
Many thanks
 
bilbus Commented:
There are lots of things you can do, but it's best not to unless this is a terminal server only.

As long as they are not a local admin you are fine.
 
chris_msl Author Commented:
Many thanks for the comments.
I know I've accepted the answer, but does anyone know of any particular damage they could do to the server if they wanted? Or to put it another way, is there anything particular I should lock down?

Thanks to all

C

 
bilbus Commented:
There are 100s of settings.

Disable cmd prompt, regedit, any program
Remove read permission from all folders other than Windows, Program Files, and the software you run
Turn off internet access

you can make only a single program window show up when they login, no desktop or start bar
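
The checks discussed in this thread (no local admin membership, registry tools and command prompt disabled by policy, no write access to the Windows directory) can be verified from inside the restricted user's RDP session. The script below is an added example, not code from any participant. It assumes PowerShell 2.0 is installed on the server and that the lockdown uses the standard "Prevent access to registry editing tools" and "Prevent access to the command prompt" user policies, which write the `DisableRegistryTools` and `DisableCMD` values read here.

```powershell
# Added example: audit of a restricted RDP user's session. Run it as that user.
# Assumption: PowerShell 2.0 (an optional install on Windows Server 2003 SP2).

function Get-PolicyValue($Path, $Name) {
    # Returns the policy DWORD, or $null when the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-CanWrite($Dir) {
    # Probes effective NTFS rights by creating and removing an empty file.
    $probe = Join-Path $Dir ("acl-probe-{0}.tmp" -f [Guid]::NewGuid())
    try {
        [IO.File]::Create($probe).Close()
        Remove-Item $probe -Force
        return $true
    } catch {
        return $false
    }
}

# Local Administrators membership of the account running this session.
# On systems with UAC this reflects the current (possibly filtered) token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Per-user policy values: any value of 1 or higher means the tool is blocked.
$regTools = Get-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools'
$cmd      = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'

$sys32  = Join-Path $env:windir 'system32'
$report = @(
    @('Not a local administrator',       (-not $isAdmin)),
    @('Registry editing tools disabled', ($regTools -ge 1)),
    @('Command prompt disabled',         ($cmd -ge 1)),
    @('Cannot write to Windows folder',  (-not (Test-CanWrite $env:windir))),
    @('Cannot write to system32',        (-not (Test-CanWrite $sys32)))
)

foreach ($row in $report) {
    $status = if ($row[1]) { 'OK  ' } else { 'WEAK' }
    "{0}  {1}" -f $status, $row[0]
}
```

Any line reported as WEAK corresponds to one of the lockdown items listed in the comments above that is not in effect for that account.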
 
chris_msl Author Commented:
Many thanks for the comments

C
Question has a verified solution.