Solved

Windows 7 RDS workstation - restrict to RDS only

Posted on 2012-04-01
Last Modified: 2012-06-27
I am looking for a means of locking down Windows 7 workstations in a 2008 R2 RDS environment so that the only thing users can do is run the RDP client on it. What should happen is that when anybody turns the computer on, at the end of the boot process they find themselves looking at an RDP client 'enter your login name' prompt. The users should have no access to the local system - only an administrator would be able to access any of the local resources. How would I go about doing this?
Question by:lineonecorp
8 Comments
 
LVL 23

Assisted Solution

by:yo_bee
yo_bee earned 1600 total points
ID: 37794324
I just did a search on the internet and found this link.
I have not tried this, so I would stand up a test OU with some test objects in it.

http://jaredheinrichs.com/how-to-turn-a-windows-7-pc-into-a-kiosk.html
0
 
LVL 23

Assisted Solution

by:yo_bee
yo_bee earned 1600 total points
ID: 37794341
You will also probably want to have RDP start up at logon, as well as placing the shortcut to RDP on the desktop.

The startup folder is %systemdrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

User's desktop is %userprofile%\desktop
0
 
LVL 23

Assisted Solution

by:yo_bee
yo_bee earned 1600 total points
ID: 37794381
For testing you can also try using RD WEB.
If you have this bat file placed in the startup folder listed above, this might give you one more layer of lockdown.

iexplore.exe -k "URL"

Example: iexplore.exe -k "https://InternalRDService/RDWEB"

You might want to remove the ability for standard users to use Ctrl + Alt + Del as well.
0
LVL 23

Assisted Solution

by:Radhakrishnan R
Radhakrishnan R earned 400 total points
ID: 37794581
Hi,

A better suggestion would be to ask the users to log off the machine once they have finished, as this is a default behavior for some security reasons. If the current user doesn't log off the current session and shut down the machine, it will act as if the machine is locked and will look for the latest authentication; it says locked, and only admin-privileged users can unlock it.
0
 

Author Comment

by:lineonecorp
ID: 37798034
Thanks for all the tips.

 yo_bee:

You write:

"For testing you can also try using RD WEB.
If you have this bat file placed in the startup folder listed above, this might give you one more layer of lockdown.

iexplore.exe -k "URL"

example iexplore.exe -k  "https://InternalRDService/RDWEB"

**** Why would this be one extra layer of lockdown?

You might want to remove the ability for standard users to use Ctrl + Alt + Del as well.

**** How? Group Policy?

++++
 radhakrishnan2007:
You write:
A better suggestion would be to ask the users to log off the machine once they have finished, as this is a default behavior for some security reasons. If the current user doesn't log off the current session and shut down the machine, it will act as if the machine is locked and will look for the latest authentication; it says locked, and only admin-privileged users can unlock it.

**** How would I implement this?
0
 
LVL 23

Accepted Solution

by:
yo_bee earned 1600 total points
ID: 37798816
Note: this suggestion is to leverage Remote Desktop Web. This is another feature that is not enabled by default when adding the Remote Desktop Services role. You may need to go back to Roles and add this.


**** Why would this be one extra layer of lockdown? ****
By running this you are setting the webpage to full screen (like pressing F11), but the users will not be able to exit the full screen mode.
By doing this you are removing the user's ability to navigate out to another area of the computer.

**** How? Group Policy?
The reason for this part is to restrict the users from accessing Task Manager so they cannot end the IE process or start another application if they know how.

How to set this option in Group Policy: first and foremost, you must be running in a Domain infrastructure and not a workgroup to be able to deploy Group Policies.
You can set the computer policy if you are not in a Domain infrastructure, but you will need to access each computer one by one to make these changes.

To edit in Group Policy:
On a Domain Controller or a Server/Workstation that has RSAT, run GPMC.MSC
On a computer that is not a member of a Domain, use GPEDIT.MSC

The setting you are looking for is Ctrl + Alt + Del.
This is located under User Configuration > Administrative Templates > System > Ctrl + Alt + Del > Remove Task Manager {enabled}

0
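
A check for the two settings from the accepted answer, as an added example that is not part of the original thread: it confirms that the "Remove Task Manager" policy has reached the kiosk user and that a startup batch file launches Internet Explorer in kiosk mode against an HTTPS URL. The function name Test-KioskLockdown and the HTTPS requirement are assumptions introduced here; DisableTaskMgr is the registry value that the policy writes.

```powershell
# Added example; Test-KioskLockdown is a hypothetical name, not from the thread.
# Run it in the kiosk user's session, because HKCU is per-user.
function Test-KioskLockdown {
    param(
        # All-users Startup folder named earlier in the thread.
        [string]$StartupDir = (Join-Path $env:SystemDrive 'ProgramData\Microsoft\Windows\Start Menu\Programs\Startup')
    )
    $findings = @()

    # The "Remove Task Manager" user policy is stored as DisableTaskMgr = 1.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if (-not $pol -or $pol.DisableTaskMgr -ne 1) {
        $findings += 'Task Manager is still available to this user (DisableTaskMgr is not 1).'
    }

    # Collect every URL that a startup batch file hands to "iexplore.exe -k".
    $urls = @()
    if (Test-Path $StartupDir) {
        $scripts = @(Get-ChildItem -Path $StartupDir | Where-Object { $_.Extension -match '^\.(bat|cmd)$' })
        foreach ($script in $scripts) {
            foreach ($line in @(Get-Content $script.FullName)) {
                if ($line -match 'iexplore(\.exe)?"?\s+-k\s+"?([^"\s]+)') { $urls += $Matches[2] }
            }
        }
    }
    if ($urls.Count -eq 0) {
        $findings += "No startup script in '$StartupDir' launches iexplore.exe -k."
    }
    foreach ($url in $urls) {
        # Assumption added here: the RD Web page should be reached over HTTPS.
        if ($url -notmatch '^https://') { $findings += "Kiosk URL is not HTTPS: $url" }
    }
    return ,$findings
}

$result = Test-KioskLockdown
if ($result.Count -eq 0) { 'Kiosk lockdown checks passed.' } else { $result }
```

The script avoids cmdlet parameters newer than PowerShell 2.0, so it runs on a stock Windows 7 install.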
 

Author Comment

by:lineonecorp
ID: 37817476
Thanks for the additional info. Let me give it a try and get back to you.
0
 

Author Comment

by:lineonecorp
ID: 37840539
Having trouble freeing up time. I will close and when I get around to this and have any further questions will post then.  Thanks.
0

Question has a verified solution.
