Discussion:
Deny access to TS desktop
Bentley
2005-04-04 18:31:06 UTC
I need to block users from accessing the actual TS desktop. I have created
an RDP shortcut to run the only application they need. However, they can
edit the shortcut and end up seeing the server desktop. I realize I can
'lock down' the desktop environment, but they can still see more than I want
them to.

How can I deny them access to the desktop period? Thanks.
Rickard
2005-04-04 19:00:09 UTC
You can configure the user account to only launch the specific application.
Check the Environment tab in Active Directory Users and Computers.

Rickard
Patrick Rouse
2005-04-04 23:55:02 UTC
Doing this won't prevent someone from spawning explorer.exe in other ways,
i.e. Ctrl+Alt+End -> Task Manager -> File -> New Task(Run...), although it is
a decent security measure to take for a user that only needs one application.

Other things you can do to lock down the machine are to use Software
Restriction Policies and other restrictive policy settings via GPO and lock
down the server with strict NTFS permission sets.

http://www.workthin.com/tshta.htm

Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com
Bentley
2005-04-05 14:49:03 UTC
New wrinkle in this. I just found out that the user needs access to 3
applications in the same subfolder on the TS. Is there a way to still use
the Environment tab and give them access to all 3 apps?
Patrick Rouse
2005-04-05 15:43:08 UTC
The Environment tab is purely aesthetic, so this should not be used as your
security plan to prevent users from intentionally/unintentionally harming
your TS.

You have two options:

1. Lock down the desktop with GPO, NTFS or 3rd party program to limit users
to what you want them to be able to execute.

2. Lock down the desktop with GPO, NTFS + application publishing program
like Citrix MetaFrame, WTSPortal, Remote Application Center 2.0 (free),
Tarantella SGD, Jetro...

A fairly extensive list of 3rd party add-ons here:
http://www.workthin.com/tsao.htm

Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com
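
An added example, not part of any post in this thread: a read-only PowerShell audit of the Software Restriction Policies mentioned above, showing whether the server enforces an allow-list (default level Disallowed) and which path rules exist, such as the subfolder holding the three applications. It assumes the policy is applied at computer scope (a user-scope GPO writes the same subkey under HKCU); the function name Get-SrpSummary is hypothetical.

```powershell
# Added example: read-only audit of Software Restriction Policy (SRP) settings.
# Run on the terminal server itself. Nothing is modified.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security level values as SRP stores them in the registry
$Levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSummary {
    param([string]$Root = $SrpRoot)

    if (-not (Test-Path $Root)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $cfg = Get-ItemProperty -Path $Root

    # A missing DefaultLevel value must not be read as 0 (Disallowed)
    $default = 'not set'
    if ($null -ne $cfg.DefaultLevel) { $default = $Levels[[int]$cfg.DefaultLevel] }

    # Path rules live under <level>\Paths\{GUID}; ItemData holds the path
    $rules = foreach ($lvl in $Levels.Keys) {
        $pathsKey = Join-Path $Root "$lvl\Paths"
        if (Test-Path $pathsKey) {
            Get-ChildItem $pathsKey | ForEach-Object {
                [pscustomobject]@{
                    Level = $Levels[$lvl]
                    Path  = (Get-ItemProperty $_.PSPath).ItemData
                }
            }
        }
    }

    [pscustomobject]@{
        Configured     = $true
        DefaultLevel   = $default
        # PolicyScope 0 = all users, 1 = all users except local administrators
        IncludesAdmins = ($cfg.PolicyScope -ne 1)
        Rules          = @($rules)
    }
}

$s = Get-SrpSummary
if (-not $s.Configured) {
    Write-Output 'No computer-level SRP is configured on this server.'
} else {
    Write-Output "Default level: $($s.DefaultLevel)  Includes admins: $($s.IncludesAdmins)"
    if ($s.DefaultLevel -ne 'Disallowed') {
        Write-Output 'Default level is not Disallowed: path rules act as a deny-list, not an allow-list.'
    }
    $s.Rules | Sort-Object Level, Path | Format-Table -AutoSize
}
```

An Unrestricted path rule is only as strong as the NTFS permissions on that folder: if users can write to it, they can place their own executables there.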