Solved

Windows 7 RDS workstation - restrict to RDS only

Posted on 2012-04-01
Medium Priority
983 Views
Last Modified: 2012-06-27
I am looking for a means of locking down Windows 7 workstations in a 2008 R2 RDS environment so that the only thing users can do is run the RDP client on it. What should happen is that when anybody turns the computer on, at the end of the boot process they find themselves looking at an RDP client 'enter your login name' prompt. The users should have no access to the local system - only an administrator would be able to access any of the local resources. How would I go about doing this?
Question by:lineonecorp
8 Comments
 
LVL 23

Assisted Solution

by:yo_bee
yo_bee earned 1600 total points
ID: 37794324
I just did a search on the internet and found this link.
I have not tried this, so I would stand up a test OU with some test objects in it.

http://jaredheinrichs.com/how-to-turn-a-windows-7-pc-into-a-kiosk.html
0
 
LVL 23

Assisted Solution

by:yo_bee
yo_bee earned 1600 total points
ID: 37794341
You will also probably want to have RDP start up at logon, as well as placing the shortcut to RDP on the desktop.

The startup folder is %systemdrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

User's desktop is %userprofile%\desktop
0
 
LVL 23

Assisted Solution

by:yo_bee
yo_bee earned 1600 total points
ID: 37794381
For testing you can also try using RD WEB.
If you have this bat file placed in the start up folder listed above this might give you one more layer of lockdown.

iexplore.exe -k "URL"

Example: iexplore.exe -k "https://InternalRDService/RDWEB"

You might want to remove the ability for standard users to use Ctrl + Alt + Del as well.
0

 
LVL 22

Assisted Solution

by:Radhakrishnan R
Radhakrishnan R earned 400 total points
ID: 37794581
Hi,

A better suggestion would be to ask the users to log off the machine once they have finished, as this is a default behavior for some security reasons. If the current user doesn't log off the current session and shut down the machine, it will act as if the machine is locked and will look for the latest authentication and it says locked and only admin privileged users can unlock it.
0
 

Author Comment

by:lineonecorp
ID: 37798034
Thanks for all the tips.

 yo_bee:

You write:

"For testing you can also try using RD WEB.
If you have this bat file placed in the start up folder listed above this might give you one more layer of lockdown.

iexplore.exe -k "URL"

Example: iexplore.exe -k "https://InternalRDService/RDWEB"

**** Why would this be one extra layer of lockdown?

You might want to remove the ability for standard users to use Ctrl + Alt + Del as well

**** How? Group Policy?

++++
 radhakrishnan2007:
You write:
A better suggestion would be to ask the users to log off the machine once they have finished, as this is a default behavior for some security reasons. If the current user doesn't log off the current session and shut down the machine, it will act as if the machine is locked and will look for the latest authentication and it says locked and only admin privileged users can unlock it.

**** How would I implement this?
0
 
LVL 23

Accepted Solution

by:yo_bee
yo_bee earned 1600 total points
ID: 37798816
Note: this suggestion is to leverage Remote Desktop Web. This is another feature that is not enabled by default when adding the Remote Desktop Services role. You may need to go back to Roles and add this.


**** Why would this be one extra layer of lockdown? ****
By running this you are setting the webpage to full screen (like pressing F11), but the users will not be able to exit the full screen mode.
By doing this you are removing the user's ability to navigate out to another area of the computer.

**** How? Group Policy?
The reason for this part is to restrict the users from accessing Task Manager so they cannot end the IE process or start another application if they know how.

How to set this option in Group Policy: first and foremost, you must be running in a domain infrastructure and not a workgroup to deploy Group Policies.
You can set the computer policy if you are not in a domain infrastructure, but you will need to access each computer one by one to make these changes.

To edit in Group Policy:
On a Domain Controller or a server/workstation that has RSAT, run GPMC.MSC
On a computer that is not a member of a domain, use GPEDIT.MSC

The setting you are looking for is Ctrl + Alt + Del
This is located under User Configuration > Administrative Templates > System > Ctrl + Alt + Del > Remove Task Manager {enabled}

0
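A read-only check for the two settings described in the accepted answer, added here as an example and not posted by anyone in the thread: it looks for an `iexplore -k` launcher in the startup folder quoted earlier and reads the `DisableTaskMgr` registry value that the "Remove Task Manager" user policy sets. The function names are hypothetical, the https check is an addition of this example, and the syntax is kept compatible with the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: audit the kiosk lockdown discussed in this thread.
# Run it as the restricted kiosk user, because "Remove Task Manager" is a per-user policy.
# Function names are hypothetical; nothing here changes the system.

function Get-KioskLauncher {
    param([string]$StartupDir)
    # Return one object per batch-file line that starts IE in kiosk mode (-k).
    $found = @()
    if (-not (Test-Path -Path $StartupDir)) { return $found }
    foreach ($file in (Get-ChildItem -Path $StartupDir -Filter *.bat)) {
        foreach ($line in (Get-Content -Path $file.FullName)) {
            if ($line -match 'iexplore(\.exe)?"?\s+-k\s+"?([^"\s]+)') {
                $url = $Matches[2]
                $found += New-Object PSObject -Property @{
                    File  = $file.Name
                    Url   = $url
                    Https = $url.ToLower().StartsWith('https://')
                }
            }
        }
    }
    return $found
}

function Test-TaskManagerRemoved {
    # Registry value written by the "Remove Task Manager" user policy.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    return (($p -ne $null) -and ($p.DisableTaskMgr -eq 1))
}

$startup = "$env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
$launchers = @(Get-KioskLauncher -StartupDir $startup)
if ($launchers.Count -eq 0) {
    Write-Output "FAIL  no 'iexplore -k' launcher found in $startup"
}
foreach ($l in $launchers) {
    $state = 'WARN  (not https)'
    if ($l.Https) { $state = 'OK   ' }
    Write-Output ("{0} {1} -> {2}" -f $state, $l.File, $l.Url)
}
if (Test-TaskManagerRemoved) {
    Write-Output 'OK    Task Manager is removed for this user'
} else {
    Write-Output 'FAIL  Remove Task Manager policy is not applied to this user'
}
```

Running it under an administrator account will normally report the policy as missing, since the setting lives in the signed-in user's own registry hive.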
 

Author Comment

by:lineonecorp
ID: 37817476
Thanks for the additional info. Let me give it a try and get back to you.
0
 

Author Comment

by:lineonecorp
ID: 37840539
Having trouble freeing up time. I will close and when I get around to this and have any further questions will post then.  Thanks.
0

Question has a verified solution.