
How to restrict TS RemoteAppusers from logging onto TS desktop?

bradber asked:


I would like to know if it is possible to prevent "TS RemoteApp" users from using the Remote Desktop Client to log on directly to the Terminal Server. In other words, I only want users to be able to access the apps that are published on the TS Web Access Home page (http://hostname/ts). I do not want them to be able to log directly onto the Terminal Server via the remote desktop client or the Terminal Services Remote Desktop Web Connection page. Is there a way to do this? Any help would be appreciated.

Commented:
restrict port 80 on the box.

Commented:
Use a firewall, either HW or SW, to block all ports except port 80. For Windows Firewall, here is how you could do it:
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfexceptions.mspx

Note that this will block everything except port 80 for all users including administrators. If you want to allow admins to access RDP, you can add an exception for their IPs through the exceptions tab.

For Remote Desktop Web Connection page, check the second comment by "chakko" here :
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_26229802.html

Author commented:
Thanks for your input. Unfortunately I haven't been able to get this to work so far. With the firewall restriction in place, users are blocked from using the remote desktop client and they CAN access the TS RemoteApp web page, but when they actually try to use an app from that page, the firewall blocks them.
Am I missing a step somewhere?

Commented:
- What I understood is that users now have no access to anything, am I right?
- What type of applications are on the web page (web apps / native apps)?
- Are the web apps and the TS Remote Desktop Web App in the same page?

Author commented:
First, I am just in a test mode so the users are not "down", but when I turn on a firewall rule to block RDP access from the users' subnet, they can only reach the TS Web Access home page. When they click on an application that is published on that page, they are not able to establish a session and use the application, due to the firewall rule.
I am publishing WordPad and a couple of in-house applications, for testing. The goal is to make the custom applications available to the users through IE.
The applications are published on the TS Web Access home page: http://server.com/ts/en-US/Default.aspx

Commented:
I think I figured out what you mean. Check "Configure Remote Desktop Web Connection behavior": http://technet.microsoft.com/en-us/library/cc730673%28WS.10%29.aspx#BKMK_RemoteDesktopWeb

BTW, you need to open port 3389 (which is the RDP port) for remote apps to work. Sorry for the misunderstanding.

Author commented:
Sorry Yasser, perhaps I am just not doing a good job of explaining what I want to accomplish. What I want to do is to restrict users to only being able to use the specific apps that I publish on the terminal server, rather than allowing them to log onto the server and browse around on the server using other apps. Apparently there is no way to allow them access via RDP and yet limit them to specific apps. The article you referenced addresses this obliquely, as follows:

"Do not allow users to start unlisted programs on initial connection (Recommended)
To help protect against malicious users, or a user unintentionally starting a program from an .rdp file on initial connection, we recommend that you select this setting.

Important
This setting does not prevent users from starting unlisted programs remotely after they connect to the terminal server by using the RemoteApp program. For example, if Microsoft Word is in the RemoteApp Programs list and Microsoft Internet Explorer is not, if a user starts a remote Word session and then clicks a hyperlink in a Word document, they can start Internet Explorer."

So the recommended setting helps curtail malicious users but does not totally prevent them from using non-published programs. Thanks for your help with this; I am giving you the points and appreciate your input.
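Added here as an example (not code from the thread or from Microsoft), a PowerShell audit of the setting the quoted article describes: it reads the TS RemoteApp allow list from the registry and reports whether unlisted programs may be started on initial connection, and which published programs are general-purpose launchers that would let a session reach beyond the list. Assumed, and to be confirmed on your own server: the registry paths, the value names fDisabledAllowList, fAllowUnlistedRemotePrograms and CommandLineSetting, and the meanings given in the comments.

```powershell
# Added example (not from this thread): audit the TS RemoteApp allow list on a terminal server.
# Assumed registry locations for Windows Server 2008 TS RemoteApp; verify them on your server.
$AllowListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList'
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Assumed meaning of each published program's CommandLineSetting value.
$CmdLineMeaning = @{ 0 = 'no arguments allowed'; 1 = 'any arguments allowed'; 2 = 'fixed arguments only' }

function Get-RemoteAppAllowListState {
    $server = Get-ItemProperty -Path $AllowListKey -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path $PolicyKey    -ErrorAction SilentlyContinue

    # Group Policy (fAllowUnlistedRemotePrograms) takes precedence over the server-local
    # fDisabledAllowList written by TS RemoteApp Manager; 1 means unlisted programs are allowed.
    if ($policy -and $policy.PSObject.Properties['fAllowUnlistedRemotePrograms']) {
        $unlisted = [bool]$policy.fAllowUnlistedRemotePrograms; $source = 'Group Policy'
    } elseif ($server -and $server.PSObject.Properties['fDisabledAllowList']) {
        $unlisted = [bool]$server.fDisabledAllowList; $source = 'TS RemoteApp Manager'
    } else {
        $unlisted = $false; $source = 'default (value absent; assumed to be off)'
    }

    # Each published program is a subkey under Applications.
    $apps = Get-ChildItem -Path "$AllowListKey\Applications" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            New-Object PSObject -Property @{
                Name        = $p.Name
                Path        = $p.Path
                CommandLine = $CmdLineMeaning[[int]$p.CommandLineSetting]
                # A published shell, browser or script host can start other programs from inside the
                # session, which is the gap the quoted article describes; review these entries.
                Launcher    = ($p.Path -match '\\(explorer|cmd|powershell|iexplore|mmc|wscript|cscript)\.exe$')
            }
        }

    New-Object PSObject -Property @{
        AllowUnlistedPrograms = $unlisted
        Source                = $source
        PublishedApps         = @($apps)
    }
}

$state = Get-RemoteAppAllowListState
"Unlisted programs on initial connection: $($state.AllowUnlistedPrograms) (set by $($state.Source))"
$state.PublishedApps | Format-Table Name, Path, CommandLine, Launcher -AutoSize
if ($state.AllowUnlistedPrograms) {
    Write-Warning 'Select "Do not allow users to start unlisted programs on initial connection" in TS RemoteApp Manager.'
}
$state.PublishedApps | Where-Object { $_.Launcher } |
    ForEach-Object { Write-Warning "Published program '$($_.Name)' can start programs outside the allow list." }
```

Run it in an elevated PowerShell session on the terminal server; a clean result is AllowUnlistedPrograms = False with no Launcher warnings, and the remaining exposure is the in-session case (hyperlinks, Open dialogs) that the article says this setting does not cover.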