Solved

Windows 7 RDS workstation - restrict to RDS only

Posted on 2012-04-01
Last Modified: 2012-06-27
I am looking for a means of locking down Windows 7 workstations in a 2008 R2 RDS environment so that the only thing users can do is run the RDP client on it. What should happen is that when anybody turns the computer on, at the end of the boot process they find themselves looking at an RDP client 'enter your login name' prompt. The users should have no access to the local system - only an administrator would be able to access any of the local resources. How would I go about doing this?
0
Question by:lineonecorp
8 Comments
 
LVL 21

Assisted Solution

by:yo_bee
yo_bee earned 400 total points
ID: 37794324
I just did a search on the internet and found this link.
I have not tried this, so I would stand up a test OU with some test objects in it.

http://jaredheinrichs.com/how-to-turn-a-windows-7-pc-into-a-kiosk.html
0
 
LVL 21

Assisted Solution

by:yo_bee
yo_bee earned 400 total points
ID: 37794341
You will also probably want to have RDP start up at logon, as well as placing the shortcut to RDP on the desktop.

The startup folder is %systemdrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

User's desktop is %userprofile%\desktop
0
 
LVL 21

Assisted Solution

by:yo_bee
yo_bee earned 400 total points
ID: 37794381
For testing you can also try using RD WEB.
If you have this bat file placed in the startup folder listed above, this might give you one more layer of lockdown.

iexplore.exe -k "URL"

example iexplore.exe -k  "https://InternalRDService/RDWEB"

You might want to remove the ability of standard users to use Ctrl + Alt + Del as well.
0
 
LVL 20

Assisted Solution

by:Radhakrishnan Rajayyan
Radhakrishnan Rajayyan earned 100 total points
ID: 37794581
Hi,

A better suggestion would be to ask the users to log off the machine once they have finished, as this is a default behavior for some security reasons. If the current user doesn't log off the current session and shuts down the machine, it will act as if the machine is locked and will look for the latest authentication; it says locked, and only admin-privileged users can unlock it.
0
 

Author Comment

by:lineonecorp
ID: 37798034
Thanks for all the tips.

 yo_bee:

You write:

"For testing you can also try using RD WEB.
If you have this bat file placed in the startup folder listed above, this might give you one more layer of lockdown.

iexplore.exe -k "URL"

example iexplore.exe -k  "https://InternalRDService/RDWEB"

**** Why would this be one extra layer of lockdown?

You might want to remove the ability of standard users to use Ctrl + Alt + Del as well.

**** How? Group Policy?

++++
 radhakrishnan2007:
You write:
A better suggestion would be to ask the users to log off the machine once they have finished, as this is a default behavior for some security reasons. If the current user doesn't log off the current session and shuts down the machine, it will act as if the machine is locked and will look for the latest authentication; it says locked, and only admin-privileged users can unlock it.

**** How would I implement this?
0
 
LVL 21

Accepted Solution

by:yo_bee
yo_bee earned 400 total points
ID: 37798816
Note this suggestion is to leverage Remote Desktop Web. This is another feature that is not enabled by default when adding the Remote Desktop Services role. You may need to go back to Roles and add this.


**** Why would this be one extra layer of lockdown? ****
By running this you are setting the webpage to full screen (like pressing F11), but the users will not be able to exit the full screen mode.
By doing this you are removing the user's ability to navigate out to another area of the computer.

**** How? Group Policy?
The reason for this part is to restrict the users from accessing Task Manager so they cannot end the IE process or start another application if they know how.

How to set this option in Group Policy: first and foremost, you must be running in a domain infrastructure and not a workgroup to be able to deploy Group Policies.
You can set the computer policy if you are not in a domain infrastructure, but you will need to access each computer one by one to make these changes.

To edit in Group Policy:
On a Domain Controller or a server/workstation that has RSAT, run GPMC.MSC
On a computer that is not a member of a domain, use GPEDIT.MSC

The setting you are looking for is Ctrl + Alt + Del
This is located under User Configuration > Administrative Templates > System > Ctrl + Alt + Del > Remove Task Manager {enabled}

0
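An added audit example (not code from any poster in this thread): run in the kiosk user's session, it checks the lockdown pieces discussed above, namely the Remove Task Manager policy, a kiosk-mode launcher in the all-users Startup folder, and whether anyone other than SYSTEM or Administrators can modify that launcher. It assumes the policy is read from the `DisableTaskMgr` registry value and is written for the PowerShell 2.0 that ships with Windows 7; the function names are hypothetical.

```powershell
# Added example: audit of the kiosk lockdown settings named in this thread.
# Function names are hypothetical; run as the restricted user on the workstation.

function Test-TaskManagerRemoved {
    # The "Remove Task Manager" user policy is stored as DisableTaskMgr = 1
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.DisableTaskMgr -eq 1)
}

function Get-KioskLauncher {
    # All-users Startup folder given in the thread; look for a batch file
    # that starts Internet Explorer in kiosk mode (iexplore.exe -k "URL")
    $startup = Join-Path $env:SystemDrive 'ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
    Get-ChildItem -Path $startup -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(bat|cmd)$' } |
        Where-Object { Select-String -Path $_.FullName -Pattern 'iexplore(\.exe)?"?\s+-k\b' -Quiet }
}

function Get-NonAdminWriters([string]$Path) {
    # Anyone besides SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) who can
    # change or delete the launcher could replace what runs at logon.
    $trusted = 'S-1-5-18', 'S-1-5-32-544'
    $mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Path).Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $mask) -ne 0 -and
        $trusted -notcontains $sid
    } | ForEach-Object { $_.IdentityReference.Value }
}

$launchers = @(Get-KioskLauncher)
$report = New-Object PSObject -Property @{
    TaskManagerRemoved = (Test-TaskManagerRemoved)
    KioskLauncherFound = ($launchers.Count -gt 0)
    NonAdminWriters    = @($launchers | ForEach-Object { Get-NonAdminWriters $_.FullName })
}
$report | Format-List
```

A locked-down workstation should report `TaskManagerRemoved : True`, `KioskLauncherFound : True` and an empty `NonAdminWriters` list.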
 

Author Comment

by:lineonecorp
ID: 37817476
Thanks for the additional info. Let me give it a try and get back to you.
0
 

Author Comment

by:lineonecorp
ID: 37840539
Having trouble freeing up time. I will close and when I get around to this and have any further questions will post then.  Thanks.
0
