Solved

RDP Lock down to one application

Posted on 2014-01-30
Last Modified: 2014-01-31
Hi,

I am wanting to give a user access to one application on a system over WAN. I was planning on setting up RDP access for that purpose, but need to restrict access to just one application and its associated files, and prevent the users from being able to access all other files or applications.

What would be the best way to go about that?

Doing it using user permissions / groups seems like a really messy way to do it, as even a user assigned only to Remote Desktop Users can still access all of the applications and many of the files. The other option would be to set up another TS 'server' computer with just the required client software on it and run it as a client to the server, but it would be more convenient if I could just have him log into the server and restrict him to one application on the actual server, as it saves the hassle of needing another machine / client to update etc.

Also the server is space limited so setting up some kind of virtual machine on the server isn't really an option.

thx.
0
Question by:yagigain
9 Comments
 
LVL 12

Expert Comment

by:ktaczala
ID: 39823261
You can only run an application (publish) on a Server running Remote Desktop Services.

Best you could do would be to create an account that could log in (non-admin) to the server, then go into GPEdit & lock down that user's desktop, start menu, command line access, etc.
0
 
LVL 3

Accepted Solution

by:
ola_erik earned 250 total points
ID: 39823393
I get the impression that you're going to let some user use a server as a workstation/ desktop. Just don't do it.

Users work on user workstations
Admins use (the) admin workstation
Servers do what servers do

Set up the user to connect via RDP to a free workstation and log in as himself (separate user account).  

About the lockdown hmm

For "quick and dirty good enough" I'd look into making a dedicated security group for just this and then hand-deny whatever looks out of bounds in that user environment for that security group.

There was a Windows kiosk mode available a while ago, unsure if it's still around. As far as I can remember it lets you clear the Start menu ...

Here you go:
http://tinyurl.com/ohm8yco

Should do it if you can combine with RDP

cheers
0
 

Author Comment

by:yagigain
ID: 39825736
Well, the server is already used by about 30 RDP users. We wanted to allow access to one application to another medical organization. I'll look into GPEdit, but thinking it would be safest to just set up an old box as a TS server for this particular purpose.
0
 
LVL 12

Expert Comment

by:ktaczala
ID: 39825810
30 RDP users? Is this a terminal server (RDS Server)? Or do they just log in to the server at different times? (Servers can only have 2 admin accounts logged in at the same time.)
0
 

Author Comment

by:yagigain
ID: 39825815
Yeah, licensed RDP (TS) server, all logged on at once (or most of them). We just want to set up a really locked down account for one particular user / organisation to use.
0
 
LVL 12

Expert Comment

by:ktaczala
ID: 39825829
OK, now we're getting somewhere. What version is the TS server: Win 2000, 2003, 2008, 2011, 2012?
0
 

Author Comment

by:yagigain
ID: 39825830
2008 R2
0
 
LVL 12

Assisted Solution

by:ktaczala
ktaczala earned 250 total points
ID: 39825843
0
 

Author Comment

by:yagigain
ID: 39825928
Yeah, RemoteApp is interesting, but I'm not prepared to experiment with it on this application, which is SQL driven, has lots of different .exe's and is also mission critical. I think I'm going to just set up a physical box and install software as a client and allow a TS connection on it.

Thanks all for the input and helping me clarify my options.
0

Question has a verified solution.
