• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 657
  • Last Modified:

Hide C Drive from Admins in Terminal Services

i feel almost bad for posting this, but while a large number of posts on various forums are close to my problem, they don't seem to be helping me out a bunch.
i am trying to prevent access to the c: drive by the administrators group in a terminal services environment.
my users must all be members of the administrators group to run a certain application. messing with permissions makes the app very unhappy and it is the central enterprise app.
i have put my terminal server/domain controller in an ou and am locking the ou down per microsoft white paper titled "locking down windows server 2003 terminal server sessions".
the gpo settings causing my issue are at UC\AT\WC\Windows Explorer and are the much discussed "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer"
my goal is to give the users access to three apps and a data drive. no problem using software restrictions to allow access only to the three apps.
my problem is that "prevent" keeps windows explorer from opening at all, and "hide" isn't actually hiding the c: drive (though it appears, strangely, at the end of the drive tree/list in my computer).
does someone know offhand what i missed? thank you in advance.
0
politicalfusion
Asked:
politicalfusion
1 Solution
 
dooleydogCommented:
if you want to hide anything from administrators, you will need to use NTFS permissions.

Do not use hte deny unless absoluty necessary, just remove the everyone or hte authenticated users groups, and only add the appropriate user or users.

Good Luck,

0
 
politicalfusionAuthor Commented:
i put the users (who are in the built-in administrators account) into a separate security group. i then denied that group the list folder contents permission. the enterprise app didn't work anymore.
the administrators group must have full control of the c drive for the enterprise app to work, apparently, and the users must be members of that group. even attempting to put them in a separate security group and trying to assign that group all the administrators rights and permissions didn't work. they must be administrators and administrators must have full control (so far - would love to be contradicted). so my next thought has been to remove the c drive from all browse lists and make it de facto inaccessable. thank you for the input and opportunity to comment farther
0
 
oBdACommented:
Just try to find out which permissions are missing where; get FileMon (http://www.sysinternals.com/ntw2k/source/filemon.shtml) and RegMon (http://www.sysinternals.com/ntw2k/source/regmon.shtml) from Sysinternals.
Log on to the TS console as administrator, start FileMon and RegMon; set the filter on both to log only the application.
Start the application as a regular user without additional rights, check for errors. Adjust NTFS or registry permissions until you can run the software as user.
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
bilbusCommented:
wow this is not good, giving users admin access to a terminal server is BAD. Have you talked to your program's tech support? perhaps giving them full access to some system files will fix it? If the user is a local admin of the terminal server then any countermesures you put in can easly be overcome. File permisions can be changed even if you put deny on.
0
 
politicalfusionAuthor Commented:
hello and thank you. i will try the filemon and regmon day after tomorrow. i have no experience with those programs, thank you for the tip and i will follow it as far as possible (hopefully til it works).
as an interesting note, and you can call me on the loopholes and work-arounds, the users have to be members of the administrators group, but not the administrator. therefore, i've established a significant number of gpo lockdowns, applied them to the administrator's group, and denied my administrator account the apply gpo setting. also, they cannot log on locally or except through terminal services.
the gpo's start with 'disble the desktop and everything on it', kill run, shutdown, the command prompt, task manager, the control panel, restrict software to the three identified apps, disable right clicking, associated key commands, etc. reference the aforementioned white paper. it seems to be awfully tight and i'm getting a measure of comfort.
0
 
bilbusCommented:
if they are a member of the administrators's group they can turn off anything you turn on.
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Tackle projects and never again get stuck behind a technical roadblock.
Join Now