Solved

GPO Lockdown

Posted on 2014-11-10
7
120 Views
Last Modified: 2014-11-12
I'm looking to lock down a desktop so that only one application can be run. The user will RDP in and then start this single application. I'm thinking that a GPO would accomplish this. Is it possible?

Server 2008 R2, Windows 7
0
Comment
Question by:xmouser
7 Comments
 
LVL 2

Accepted Solution

by:
Michael Wade earned 350 total points
Comment Utility
Yes.

Computer Configuration, Administrative Templates, Windows Components, Terminal Services, double-click the Start a program on connection setting, and then click Enabled.

http://technet.microsoft.com/en-us/library/cc736643%28v=ws.10%29.aspx
0
 
LVL 24

Expert Comment

by:VB ITS
Comment Utility
Deploy a custom RDP file to the user. Create the RDP file on the Windows 7 machine they will be using, modify the settings as desired (screen resolution, enable/disable device redirection.

The Programs tab is what you'll be most interested in > specify the path to the program's executable > go back to the General tab > Save As > save the file to your Desktop with your desired filename > zip up the file > send to the user.

This will launch the program (and nothing else) whenever the user connects to the Windows 7 machine using this icon. There is nothing that will stop him from using the Remote Desktop Connection client on his PC though, which will grant him access to the full desktop. This is where Software Restriction Policies (and GPOs) come into play. Have a read here for some more information: http://technet.microsoft.com/en-us/library/hh994606.aspx
0
 

Author Comment

by:xmouser
Comment Utility
Michael Wade

Yes it will start that particular program but I think that users will still retain thew ability to start other applications after connection. This one application is the only thing that can run.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 2

Expert Comment

by:Michael Wade
Comment Utility
Actually the way I've done this in the past is through the user's AD properties under ENVIRONMENT. If you specify the program at logon, the user's session will be disconnected if they close that program.

The GPO linked should terminate as well, but I prefer using RDP application delivery nowadays since it appears to the user that the application is installed on their PC.

The AD user environment properties is probably the easiest way to accomplish this for a one-off user.
0
 

Author Comment

by:xmouser
Comment Utility
Michael Wade

I'll check, thanks.
0
 
LVL 1

Assisted Solution

by:Bradley Vonderheide
Bradley Vonderheide earned 150 total points
Comment Utility
Mouser,
There are some programs that will not work this way.. while i agree with most everyone on here, there are ways to configure environmental variables in AD, using Group Policy, there are times when software requires certain access to area's of the system, as well as different folder, where it would be a nightmare to set this up in a large company. Those are the ones i typically create a RDS client running on the server with multiple clones running the same username to work around having to go through hoops to fix.

Another thing,
is while you can lock down everything and anything..
I would strongly suggest you run all your changes in a test environment prior to changing anything in the corp environment, as there are some changes that as an admin read one way, the change can cause head-aches that are far worse.. (or create a Test OU and put only one or two participants into that group to test with)

Best of luck sir..
0
 
LVL 6

Expert Comment

by:Asif Bacchus
Comment Utility
I have not tried this in a TS/RDS environment, but locally you can restrict users to only running specified programs.  One catch, if the program you run launches other programs also, you have to know the name of each of those executables also.

You can use Computer Configuration > Policies > Administrative Templates > System > Run only specified Windows applications.  Set this to enabled, then click the 'Show...' button and enter the names of the executable program(s) you want the user to be able to run.  If you want to restrict this only to the specific user logging in, then use the same policy, but under User Configuration instead of Computer Configuration.

Hope this helps.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now