  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1586

How to block terminal server clients from using the internet

I am using Windows 2003 Server R2 as a primary domain controller and a terminal server. I need to know how to block cretin clients from the internet while letting others connect.
0
unisupport
1 Solution
 
budchawla Commented:
I assume you want to do this via a centralised group policy approach, rather than manually.

One simple way would be to create a new OU for your "cretin" users within the container that the users are currently in, and then create & apply a policy to that OU that sets a proxy server (pointing to a non-existent IP) for IE and also prevents changes to the IE connection settings. The problem with this being that it would apply to them on & off the terminal server. I don't know if that would work for you.

Other than that, I know of two methods of locking down Terminal Services in Svr2K3 - either apply a policy to the server itself in loopback processing mode - this applies to all users of the computer.
Or, create a separate set of users for ppl to use only on the terminal server, and lockdown those accounts using GPOs.

Let me know if you need more detail on any of the above...
0
 
McKnife Commented:
We have another approach in use in our company: Use an ident daemon like http://grack.com/programming/misc/Identd.html that submits a user id to the proxy server. On the proxy server (linux) we have squid that only allows certain users to connect from certain IP addresses. There is no circumventing for the users. They could not even bring their own portable browsers :)
0
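
The ident-based proxy rule described in McKnife's comment could look like this in squid.conf. This is an added example, not configuration from the thread; the server address 192.0.2.10 and the user names are constructed placeholders, and it assumes a Squid build with ident lookups enabled.

```conf
# Constructed example: address and user names are placeholders.

# The terminal server. Every thin-client session reaches the proxy from
# this one address, so the source IP alone cannot tell users apart.
acl terminal_servers src 192.0.2.10/32

# Perform ident lookups only against the terminal server, and do not
# wait indefinitely if its ident daemon is not answering.
ident_lookup_access allow terminal_servers
ident_lookup_access deny all
ident_timeout 5 seconds

# Users who may browse. The ident ACL compares the name returned by the
# ident daemon on the terminal server for the connecting session.
acl web_allowed ident alice bob

# Allow only when BOTH conditions hold: request comes from the terminal
# server AND ident reports an allowed user.
http_access allow terminal_servers web_allowed

# Everyone else on the terminal server, including sessions for which no
# ident answer came back, is refused.
http_access deny terminal_servers

# Default deny for anything not matched above.
http_access deny all
```

The proxy trusts whatever the ident daemon reports, so the daemon has to run as a service that terminal server users cannot stop or replace. The rule also only holds if the firewall refuses direct outbound web traffic from the terminal server, leaving the proxy as the only path out.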
 
unisupport (Author) Commented:
budchawla, I have been investigating these methods, which were somewhat different in Server 2000, which was the OS I replaced with the new Server 2003. Could you explain in detail which GPOs need to be modified, as I have made the changes to what seems to be the necessary ones with no luck.
0
 
budchawla Commented:
Do you want to apply the policy to all users who log into that server, or only certain users?
0
 
unisupport (Author) Commented:
It's a group of thin clients that different users share, so I would need to control access based on user credentials, so someone that is allowed internet access is granted it wherever they log in and someone who is not allowed will be denied wherever they log in.
0
 
budchawla Commented:
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx will give you a lot of useful pointers, but to address your exact requirement:
Put your "cretin" users into an OU and assign it a GPO with the following setting:
User Config\Administrative Templates\System\Don't run specified Windows applications.... and enable that for iexplore.exe. That's the most basic and probably effective method.

If for some reason you have other browsers installed, then add those to the list.

Note: this will not cut off all internet-based comms, just browser-based access to the web.
0
