Solved

Remote Desktop Services - RemoteApp - no connect with this group policy enabled?

Posted on 2012-04-04
2,260 Views
Last Modified: 2012-05-14
We're playing with RemoteApp for the 1st time.  For years we've only used the standard Remote Desktop Connection PC application.   Aok.

With the Group Policy "Use Only Allowed Windows Applications" enabled, and a real simple example using Calc.exe, RemoteApp fails to connect and run Calc.exe.   It just sort of hangs there and then dies.   Nothing in the Event Logs.   Works aok as soon as we disable the policy.   We tried access both via the .msi-created icon and via the RDWeb web page.

The group policy is in User Configuration | Administrative Templates | System.  It's been working as expected for us for a long time, just not with the new RemoteApp.

After searching Google, we tried adding more allowed applications to the allowed list, such as rdpshell.exe, rdpinit.exe, rdpclip.exe, and about 25 other Windows OS-related apps.  We also looked at C:\> Query Process * when successfully connected with the policy disabled and made sure the few exe's shown were also in our policy's allowed list.

Question:  What do we need to add to "Use Only Allowed Windows Applications"?   Does anybody have RemoteApp working with the policy "Use Only Allowed Windows Applications" enabled?

Yes, the client PC is running RDC 6.0.6001, protocol 6.1 supported.

Any comments appreciated.
Question by:JReam
13 Comments
 
LVL 7

Assisted Solution

by:Jayanta Sarmah
Jayanta Sarmah earned 100 total points
ID: 37810743
Just a thought, in case the below helps you find out the file needed:

Enable "Failure attempts" on the Audit Policy "Audit process tracking" and "Audit object access", and then check the event log after trying to start calc.exe.
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 37812095
Did you remember to allow remote desktop connection? %windir%\system32\mstsc.exe
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 300 total points
ID: 37812220
Hi.

Please clear this up: where is "Run only allowed Windows applications" in effect, at the server or client side? Also: how did you publish the RemoteApp? Did you distribute an MSI, or? Because after activating RemoteApp at the server side, we can no longer connect to the server via RDP and start shells other than explorer or published RemoteApps (I am talking about this: mstsc.exe - options - programs - "start the following program on connection"). So if you use that way to start Calculator, it will fail unless you first published calc.exe as a RemoteApp.
 
LVL 1

Author Comment

by:JReam
ID: 37812333
From the original question poster.  Thank you all for your replies.  Let's keep the dialog going.

To ve3ofa:  mstsc.exe is the client-side Remote Desktop Connection application which gets the connection started in the first place.  I don't see how that app would be of concern on the server side for allowed apps, since mstsc.exe on the server itself is not needed.

To sarmahjay:  Interesting, and we're going to try that later today.

To McKnife:  The policy is a Domain-level policy.   Our remote users are in a Users Group that we set up and that is in the policy's delegation.  Pretty straightforward.   We distributed both an MSI and set up the standard web interface RDWeb; both ways connect and launch calc.exe perfectly fine with RemoteApp, but only when the Policy is disabled.   We're not messing with mstsc command line options, er, unless the auto-created calc.rdp is.... here's the .rdp file:

redirectclipboard:i:1
redirectposdevices:i:0
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
span monitors:i:1
use multimon:i:1
remoteapplicationmode:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
authentication level:i:2
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:0
gatewaycredentialssource:i:0
full address:s:tech.esensory.com
alternate shell:s:||calc
remoteapplicationprogram:s:||calc
gatewayhostname:s:
remoteapplicationname:s:Calculator
remoteapplicationcmdline:s:

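The calc.rdp above is the client-side half of the RemoteApp setup, and every redirect line in it widens what the server can reach on the client: all drives, the clipboard, printers, COM ports and smart cards, with an authentication level that only warns when the server's identity cannot be verified. The following Python is an added example, not code from the thread or from Microsoft: it parses that file (reproduced inline as the sample input), reports the settings that grant the session access to the client, and writes back a hardened copy for comparison. The finding texts and the hardening choices are this example's own; the meaning of "authentication level" (0 connect without warning, 1 refuse on failure, 2 warn and ask, 3 no requirement) is the documented one.

```python
"""Parse a RemoteApp .rdp file and flag the client-side exposure it grants."""

# Constructed sample input: the calc.rdp posted in the thread, reproduced inline.
SAMPLE_RDP = """\
redirectclipboard:i:1
redirectposdevices:i:0
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
span monitors:i:1
use multimon:i:1
remoteapplicationmode:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
authentication level:i:2
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:0
gatewaycredentialssource:i:0
full address:s:tech.esensory.com
alternate shell:s:||calc
remoteapplicationprogram:s:||calc
gatewayhostname:s:
remoteapplicationname:s:Calculator
remoteapplicationcmdline:s:
"""


def parse_rdp(text: str) -> dict:
    """Each line is name:type:value; type 'i' is an integer, 's' a string.
    Values may themselves contain ':' (host:port), so split at most twice."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, kind, value = line.split(":", 2)
        name = name.strip().lower()
        if kind == "i":
            settings[name] = int(value)
        elif kind == "s":
            settings[name] = value
        else:
            raise ValueError(f"unsupported value type {kind!r} in {raw!r}")
    return settings


def dump_rdp(settings: dict) -> str:
    """Inverse of parse_rdp, so a hardened copy can be written back out."""
    lines = []
    for name, value in settings.items():
        kind = "i" if isinstance(value, int) else "s"
        lines.append(f"{name}:{kind}:{value}")
    return "\n".join(lines) + "\n"


# Redirection switches: name -> (value meaning 'on', what the server then reaches).
REDIRECTIONS = {
    "redirectdrives": (1, "all local drives are mapped into the session"),
    "redirectclipboard": (1, "clipboard contents are shared with the server"),
    "redirectprinters": (1, "local printers are exposed to the server"),
    "redirectcomports": (1, "COM ports are exposed to the server"),
    "redirectsmartcards": (1, "smart cards are exposed to the server"),
    "redirectposdevices": (1, "POS devices are exposed to the server"),
}


def audit_rdp(settings: dict) -> dict:
    """Return {setting: finding} for every setting that widens client exposure."""
    findings = {}
    for name, (on_value, why) in REDIRECTIONS.items():
        if settings.get(name) == on_value:
            findings[name] = why
    if settings.get("drivestoredirect") == "*":
        findings["drivestoredirect"] = "wildcard: every drive, including drives plugged in later"
    if settings.get("devicestoredirect") == "*":
        findings["devicestoredirect"] = "wildcard: every plug-and-play device"
    # 0 = connect without warning, 1 = refuse, 2 = warn and ask, 3 = no requirement.
    # Only level 1 fails closed when the server's identity cannot be verified.
    if settings.get("authentication level") != 1:
        findings["authentication level"] = "a failed server identity check does not block the connection"
    return findings


def harden_rdp(settings: dict) -> dict:
    """Copy with every redirection off and fail-closed server authentication.
    The RemoteApp-specific keys (remoteapplicationmode, the ||calc alias) are kept."""
    hardened = dict(settings)
    for name in REDIRECTIONS:
        hardened[name] = 0
    hardened["drivestoredirect"] = ""
    hardened["devicestoredirect"] = ""
    hardened["authentication level"] = 1
    return hardened


if __name__ == "__main__":
    original = parse_rdp(SAMPLE_RDP)
    for name, why in audit_rdp(original).items():
        print(f"{name:24} {why}")
    print("--- hardened ---")
    print(dump_rdp(harden_rdp(original)), end="")
```

Run as a script it prints the findings for the posted file and the hardened text; the hardened copy still connects in RemoteApp mode to the same published alias, it just no longer hands the server the client's drives and clipboard.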
 
LVL 53

Expert Comment

by:McKnife
ID: 37812372
So calc.exe is on the list of allowed programs?
You might think about the sense of using this policy at all. The protective effect is next to nothing, see the description of the policy.
 
LVL 1

Author Comment

by:JReam
ID: 37814197
McKnife:  Yes, calc.exe is on the list of allowed programs.   We put it in there for this testing.

McKnife:  We thought about dumping the policy as you suggested.   I'm generally a security fan of blacklisting everything, then whitelisting stuff as needed.    This strategy of using this Policy enabled has worked fine for years with Terminal Server and still works with the new 2008 RDS, just not the new RemoteApp.     I'd hate to dump it for RemoteApp, especially when RemoteApp should really be able to coexist with the policy.

McKnife:  And worth mentioning here, we did try turning off the policy for a while and immediately noticed that upon remote user login all sorts of crappy MS apps launch automatically on startup, such as the infamous Narrator.exe, Magnifier.exe, Ease of Access, all of which amazingly is not easy to turn off, another can of worms for us to troubleshoot.  I like the tight policy-enabled approach better.
 
LVL 1

Author Comment

by:JReam
ID: 37814251
To sarmahjay:    We tried the Audit failure suggestion.  Yes, we saw many more entries in the event logs for Process Creation and Process Termination.     We added EVERY process we saw in there by file name to the policy's allowed list.  Made no difference.    RemoteApp connects, hangs, and after 30 seconds or so closes the RD window.

I'd be curious if anyone anywhere is actually using RemoteApp with the Group Policy "Use Only Allowed Windows Applications" enabled.   Maybe it's just flawed at the core.

Here's my current expanded list of "Allowed" applications; most of these entries are new in this policy's list, added while trying to get RemoteApp working.  Previously we only needed to put in the obvious app names such as excel.exe and winword.exe.


excel.exe
explorer.exe
iexplorer.exe
ois.exe
winword.exe

and added all of these:
rdpshell.exe
rdpclip.exe
rdpinit.exe
userinit.exe
cmd.exe
gpupdate.exe
conhost.exe
consent.exe
acregl.exe
dwm.exe
atbroker.exe
gpscript.exe
TSTheme.exe
taskhost.exe
Dllhost.exe

I even tried stuff like *.* and *.exe. I also tried a few dozen other file names in there, not worth listing here.
 
LVL 53

Expert Comment

by:McKnife
ID: 37815520
OK, here's what you should do: dump that policy and use software restriction policies instead; those are even more secure. Maybe the problem is solved, too.
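McKnife's two points above, that the policy's protective effect is "next to nothing" and that software restriction policies are the more secure replacement, come down to how each mechanism decides. "Run only specified Windows applications" stores its allow list under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun as numbered values holding bare file names, and its own description says it applies only to programs started by Explorer. An SRP hash rule matches the file contents wherever the file sits. The Python below is an added example, not code from the thread; it models both checks offline with a constructed allow list copied from the posted one and constructed byte strings standing in for executables (the hash rule is modeled with SHA-256 here, which is a model of the behaviour, not the SRP on-disk format). The thread never establishes why RemoteApp hangs, and this example does not try to.

```python
"""Model the RestrictRun name check next to an SRP-style hash rule."""
import hashlib
import ntpath

# Constructed mirror of the RestrictRun registry values: "1"="calc.exe", ...
# The policy stores bare file names: no path, no hash, no publisher.
RESTRICT_RUN_VALUES = {"1": "excel.exe", "2": "explorer.exe", "3": "winword.exe", "4": "calc.exe"}


def restrict_run_allows(image_path: str, values: dict, started_by_explorer: bool = True) -> bool:
    """RestrictRun as modeled here: a case-insensitive comparison of the file
    name only. The policy's documented scope is programs started by Explorer;
    any other parent process never consults the list at all."""
    if not started_by_explorer:
        return True
    allowed = {v.lower() for v in values.values()}
    return ntpath.basename(image_path).lower() in allowed


# --- SRP-style hash rule: verdict follows the bytes, not the name or location ---

def file_hash(image_bytes: bytes) -> str:
    """SHA-256 stands in for the hash SRP stores in a hash rule (a model only)."""
    return hashlib.sha256(image_bytes).hexdigest()


# Constructed stand-ins for executable contents; only the hashes matter here.
CALC_BYTES = b"MZ\x90\x00 calc.exe (constructed sample)"
CMD_BYTES = b"MZ\x90\x00 cmd.exe (constructed sample)"

HASH_RULES = {file_hash(CALC_BYTES): "Unrestricted"}
DEFAULT_LEVEL = "Disallowed"  # SRP default security level set to Disallowed


def srp_hash_level(image_bytes: bytes, rules: dict = HASH_RULES) -> str:
    """Security level of an image under hash rules with a Disallowed default."""
    return rules.get(file_hash(image_bytes), DEFAULT_LEVEL)


def evaluate(image_path: str, image_bytes: bytes, started_by_explorer: bool = True) -> dict:
    """Verdict of both mechanisms for one launch attempt."""
    return {
        "restrict_run": restrict_run_allows(image_path, RESTRICT_RUN_VALUES, started_by_explorer),
        "srp": srp_hash_level(image_bytes),
    }


if __name__ == "__main__":
    cases = [
        ("genuine calc.exe via Explorer", r"C:\Windows\System32\calc.exe", CALC_BYTES, True),
        ("cmd.exe renamed to calc.exe via Explorer", r"C:\Users\alice\Desktop\calc.exe", CMD_BYTES, True),
        ("cmd.exe started by a non-Explorer parent", r"C:\Windows\System32\cmd.exe", CMD_BYTES, False),
    ]
    for label, path, data, via_explorer in cases:
        print(f"{label:44} {evaluate(path, data, via_explorer)}")
```

The second case is the one that matters: a copy of cmd.exe named calc.exe passes the name check, while the hash rule still reports Disallowed because the bytes are not calc's. The third case shows the other gap, a launch that does not go through Explorer is never evaluated by RestrictRun at all.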
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 100 total points
ID: 37815761
I don't think you are clear on what you want to accomplish.

Here is a description of RemoteApp
Here are instructions on how to install it.  After following these instructions and adding a few programs, I first used Internet Explorer to browse to the RDWeb website and installed the certificate into my trusted root (it was a self-signed certificate).

I was then able to do the items shown in this video

No playing around with restricting programs on the client.
You can restrict Remote Desktop to only admins and only present the 'apps'.
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 37815772
Please clear this up: where is "Run only allowed Windows applications" in effect? at the server or client side?

Client side; depends upon who the GPO is applied to.

Also: how did you publish the remoteApp? Did you distribute an msi or?

No, went to Control Panel / RemoteApp and Desktop and then connected to the server after setting up a new connection.
https://servername/rdweb/feed/webfeed.aspx

Because after activating remoteApp at the server site, we can no longer connect to the server via rdp and start shells other than explorer or published remote apps (I am talking about this: mstsc.exe - options - programs - "start the following program on connection"). So if you use that way to start calculator, it will fail, unless you first published calc.exe as remoteApp.

Don't do this (unless you REALLY, REALLY need to), as it is a real pain.
 
LVL 53

Accepted Solution

by:McKnife
McKnife earned 300 total points
ID: 37817285
To me it is clear what he wants to accomplish. Until now he used RD, (full session) now he would like to use RemoteApp. This fails, because somehow the policy "Run only allowed Windows applications" is interfering.

Software restriction policies offer logging. So if the same problem appears with SRPs, you will at least know what process was blocked and has to be allowed.
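The logging McKnife refers to is SRP's advanced log: create a REG_SZ value named LogFileName (a path the user can write to) under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and every rule evaluation appends one line naming the parent process, the image it tried to start, the resulting level and the rule that produced it. That is exactly the record the thread was missing after adding processes blind from the audit log. The Python below is an added example, not code from the thread; it parses constructed sample lines written in the shape of that log (the processes, paths and rule GUIDs are illustrative, not taken from the original poster's server) and lists which images were refused, how often, and by which parent, so the allow rules can be written for those and nothing else.

```python
"""Extract the blocked images from an SRP (Safer) advanced log."""
import re
from collections import Counter

# Constructed sample lines in the shape of the Safer log written to LogFileName.
# Parent, PID, image path, level, rule type and rule GUID are all illustrative.
SAMPLE_LOG = r"""
explorer.exe (PID = 2672) identified C:\Windows\System32\calc.exe as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
rdpinit.exe (PID = 3204) identified C:\Windows\System32\rdpshell.exe as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
explorer.exe (PID = 2672) identified C:\Users\alice\AppData\Local\Temp\setup_tool.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
explorer.exe (PID = 2672) identified C:\Program Files (x86)\Contoso\agent.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
svchost.exe (PID = 904) identified C:\Windows\System32\dllhost.exe as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
explorer.exe (PID = 2672) identified C:\Program Files (x86)\Contoso\agent.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
"""

# One log line: "<parent> (PID = n) identified <image> as <level> using <type> rule, Guid = {...}"
LINE_RE = re.compile(
    r"^(?P<parent>\S+) \(PID = (?P<pid>\d+)\) identified (?P<image>.+?) "
    r"as (?P<level>Unrestricted|Basic User|Disallowed) using (?P<rule>.+?) rule, "
    r"Guid = \{(?P<guid>[0-9A-Fa-f-]{36})\}$"
)


def parse_safer_log(text: str) -> list:
    """Return one dict per line; an unrecognised line is an error, not silently dropped,
    so a format change cannot hide blocked images."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised Safer log line: {line!r}")
        entry = match.groupdict()
        entry["pid"] = int(entry["pid"])
        entries.append(entry)
    return entries


def blocked_images(entries: list) -> list:
    """(image, parent) pairs that were refused, most frequent first: the list of
    what needs an explicit rule, or is being blocked on purpose."""
    counts = Counter((e["image"], e["parent"]) for e in entries if e["level"] == "Disallowed")
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def rule_coverage(entries: list) -> Counter:
    """How each verdict was reached; 'default' rule hits are the gaps in the rule set."""
    return Counter((e["level"], e["rule"]) for e in entries)


if __name__ == "__main__":
    parsed = parse_safer_log(SAMPLE_LOG)
    for (image, parent), count in blocked_images(parsed):
        print(f"{count:3}x  {parent:14} -> {image}")
    for (level, rule), count in sorted(rule_coverage(parsed).items()):
        print(f"{level:13} via {rule} rule: {count}")
```

Point the script at the real LogFileName after one failed RemoteApp launch and the Disallowed lines are the processes to write rules for; a path rule for the image's real location, or a hash rule, rather than another bare file name.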
 
LVL 1

Author Closing Comment

by:JReam
ID: 37966507
We never did figure this out.    RemoteApp somewhere under the hood has a bug; it is MS after all.  We'll wait for another chance down the road to give it a try.   In the meantime we're looking at other remote access options.
 
LVL 53

Expert Comment

by:McKnife
ID: 37966576
May I comment on the closure:
I appreciate the points, but you did not try to follow my advice. ->Use software restriction policies! They have logging, so you will see what is going on!

...that would have been better than accepting with a C grade, too ;)