Solved

Hide C Drive from Admins in Terminal Services

Posted on 2006-06-26
8
647 Views
Last Modified: 2008-01-09
i feel almost bad for posting this, but while a large number of posts on various forums are close to my problem, they don't seem to be helping me out a bunch.
i am trying to prevent access to the c: drive by the administrators group in a terminal services environment.
my users must all be members of the administrators group to run a certain application. messing with permissions makes the app very unhappy and it is the central enterprise app.
i have put my terminal server/domain controller in an ou and am locking the ou down per microsoft white paper titled "locking down windows server 2003 terminal server sessions".
the gpo settings causing my issue are at UC\AT\WC\Windows Explorer and are the much discussed "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer"
my goal is to give the users access to three apps and a data drive. no problem using software restrictions to allow access only to the three apps.
my problem is that "prevent" keeps windows explorer from opening at all, and "hide" isn't actually hiding the c: drive (though it appears, strangely, at the end of the drive tree/list in my computer).
does someone know offhand what i missed? thank you in advance.
0
Comment
Question by:politicalfusion
8 Comments
 
LVL 9

Expert Comment

by:dooleydog
ID: 16984379
if you want to hide anything from administrators, you will need to use NTFS permissions.

Do not use hte deny unless absoluty necessary, just remove the everyone or hte authenticated users groups, and only add the appropriate user or users.

Good Luck,

0
 
LVL 1

Author Comment

by:politicalfusion
ID: 16984538
i put the users (who are in the built-in administrators account) into a separate security group. i then denied that group the list folder contents permission. the enterprise app didn't work anymore.
the administrators group must have full control of the c drive for the enterprise app to work, apparently, and the users must be members of that group. even attempting to put them in a separate security group and trying to assign that group all the administrators rights and permissions didn't work. they must be administrators and administrators must have full control (so far - would love to be contradicted). so my next thought has been to remove the c drive from all browse lists and make it de facto inaccessable. thank you for the input and opportunity to comment farther
0
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 16988000
Just try to find out which permissions are missing where; get FileMon (http://www.sysinternals.com/ntw2k/source/filemon.shtml) and RegMon (http://www.sysinternals.com/ntw2k/source/regmon.shtml) from Sysinternals.
Log on to the TS console as administrator, start FileMon and RegMon; set the filter on both to log only the application.
Start the application as a regular user without additional rights, check for errors. Adjust NTFS or registry permissions until you can run the software as user.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 8

Expert Comment

by:bilbus
ID: 16988950
wow this is not good, giving users admin access to a terminal server is BAD. Have you talked to your program's tech support? perhaps giving them full access to some system files will fix it? If the user is a local admin of the terminal server then any countermesures you put in can easly be overcome. File permisions can be changed even if you put deny on.
0
 
LVL 1

Author Comment

by:politicalfusion
ID: 16989260
hello and thank you. i will try the filemon and regmon day after tomorrow. i have no experience with those programs, thank you for the tip and i will follow it as far as possible (hopefully til it works).
as an interesting note, and you can call me on the loopholes and work-arounds, the users have to be members of the administrators group, but not the administrator. therefore, i've established a significant number of gpo lockdowns, applied them to the administrator's group, and denied my administrator account the apply gpo setting. also, they cannot log on locally or except through terminal services.
the gpo's start with 'disble the desktop and everything on it', kill run, shutdown, the command prompt, task manager, the control panel, restrict software to the three identified apps, disable right clicking, associated key commands, etc. reference the aforementioned white paper. it seems to be awfully tight and i'm getting a measure of comfort.
0
 
LVL 8

Expert Comment

by:bilbus
ID: 17207900
if they are a member of the administrators's group they can turn off anything you turn on.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question