Limited remote desktop access to user on Windows Server 2003

Posted on 2009-02-17
Last Modified: 2012-05-06

I have a desktop application installed on a server running Windows Server 2003. This is a standard account software - MYOB - and is meant to be used on a single desktop.

I would like it to be accessible on a different computer within the network that runs Windows XP. I'm wondering if I can create a user account for remote desktop so that a person can log in using MSTSC and have access only to the given application and nothing else on the server. The user should not be able to see other apps or folders that they don't have access to and should not be able to make any configuration changes to the server.

Is this possible?

Question by:anuragc
    LVL 22

    Accepted Solution

    The problem with this idea is that if MYOB isn't configured for multiple user access, if multiple remote desktop connections access it at the same time, you might scramble your data.  I suspect this is possible by figuring out where MYOB and data directories are installed and giving Read and Execute rights to these directories to the remote desktop user.  There are some rights that come with the remote users group, but you should be able to limit them so that they can't browse around your server.
    LVL 38

    Assisted Solution

    by:Hypercat (Deb)
    In addition to what Paka said, if you want to use the application in terminal server mode, you would have to:
    1.  Configure and license the server as a terminal server.  By default, servers are only licensed for remote administration over a remote desktop connection and the user would have to log on with administrative permissions.
    2.  You would most likely have to uninstall and reinstall the application so that it is configured and installed properly for use in a terminal server environment.
    3.  Also, if there is going to be more than one user using the application at a time, as Paka said, you would have to license the app for multiple concurrent users.

    Author Comment

    Thanks Paka and Hypercat,

    Both your comments helped me resolve my issue.

    I have installed the terminal server role and terminal services licensing server. A given user can now log in and based on folder permissions only has access to the MYOB data files and nothing else on the data drive. The intention is not to have multiple users using an app - just one user using it remotely from a thin client.

    The user does have access to all currently installed applications on the server though. I'm assuming any new applications I install as administrator (and these are server apps for admin reasons, not user apps) - I will somehow have the ability to only have these visible and accessible to the admin.

    Any further thoughts and tips for this will be appreciated, otherwise I'll close this question.

    LVL 38

    Expert Comment

    by:Hypercat (Deb)
    Just make sure you have locked down user permissions on the terminal server.  Look at the group policies and terminal server configuration settings.  Group policies are at:
    Computer Configuration/Administrative Templates/Windows Components/Terminal Services
    User Configuration/Administrative Templates/Windows Components/Terminal Services
    In the Terminal Server Configuration console, be sure you have set the Permissions Compatibility to Full Security if possible.  You can also control access of course with NTFS permissions, and move any icons for sensitive programs out of the All Users profile and into your administrator profile so that the user can't see them.  He/she wouldn't be able to run them anyway, but it's of course better if they can't even see them.
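
The NTFS and shortcut steps suggested in the answers above, sketched as a command script. This is an added example, not something posted in the thread: the account name, directory paths and shortcut folder name are placeholders, it assumes `icacls` is available (it ships with Windows Server 2003 SP2), and granting Modify on the data directory is an assumption about what the application needs in order to save its files.

```batch
@echo off
rem Added example. Every name and path below is a placeholder, not a value from the thread.
set TSUSER=myobuser
set APPDIR=D:\Apps\MYOB
set DATADIR=D:\Data\MYOB
set SHAREDMENU=%ALLUSERSPROFILE%\Start Menu\Programs
set ADMINMENU=%SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs
set ADMINGROUP=Example Admin Tool

rem Allow the account to log on through Terminal Services without
rem making it a member of Administrators.
net localgroup "Remote Desktop Users" %TSUSER% /add

rem Program directory: Read and Execute only, inherited by subfolders (CI)
rem and files (OI).
icacls "%APPDIR%" /grant %TSUSER%:(OI)(CI)RX

rem Data directory: Modify (assumption: the application must write its data files).
icacls "%DATADIR%" /grant %TSUSER%:(OI)(CI)M

rem Print the resulting ACLs so the entries can be reviewed. Broad entries such as
rem Users or Everyone on other folders of the same drive still have to be
rem reviewed by hand.
icacls "%APPDIR%"
icacls "%DATADIR%"

rem Move the Start Menu folder of an admin-only program out of the All Users
rem profile and into the Administrator profile so the user does not see it.
if exist "%SHAREDMENU%\%ADMINGROUP%" move "%SHAREDMENU%\%ADMINGROUP%" "%ADMINMENU%\"
```

Hiding a shortcut does not restrict execution; the NTFS permissions on each program's own directory are what keep the user from running it.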
