
How can I brutally lock down a 2000 terminal server?

Status
Not open for further replies.

silverspecv

Programmer
Oct 31, 2003
125
US
We have a batch of about 20 horribly computer illiterate sales reps who keep mucking up their machines with viruses and spyware. This has been going on for years despite our best efforts to train them, so we have decided to saddle the worst of them with Pentium 300s with 64 megs of RAM and dump them on a terminal server with no rights whatsoever, and a firewall within our LAN with the untrusted side pointing to their switch, and only enough open ports to connect to the term server. I'm talking the 3rd reich here. I would remove their computers completely if they didn't need access to email, sales docs, and the occasional web site. Unfortunately I have very little experience with terminal server, GPOs etc. So far I have created a group in Active Directory, added the users to the group, and then set that group with read access plus deny write on the entire C:. Now I need to lock down control panels, and options and anything/everything else that can be flipped, clicked, or screwed with. Can someone give me a list of do's?

Assuming this can work - and please correct me if you see any gaping flaws in our plan - what specs should I ask for on the new server? I'm currently using a print server with p3-650 w/512mb, which is great with just me, but I suspect 20 users will choke it. We will need to support about 20 users with IE, Outlook, and Word/Acrobat Reader. I am thinking just a modern P4 with a gig or two of ram and a fast hard drive? Nothing overly special, just a buttload of ram.

Anyone have any advice for me?
 
ghost" look around for software like schools use to automatically refresh the disk every morning before the user logs on. Wake On LAN is a wonderful thing in the right hands...

"system policy editor" (if they're on Win95/98/ME/NT) or "group policy editor" (if they're on W2K) you can edit what access their userID has to everything on the box. I mean everything. And, yes, in a domain, you can prevent hitting Escape to bypass logon in W9x...

Have fun!!

JTB
Have Certs, Will Travel
"A knight without armour in a [cyber] land."

 
set up their term srv profiles for them. After completion, give them read only access to the profile! Never tried it though...
 
I would go with the Citrix Metaframe/Winterm method. Though you can use desktops instead of Winterms, you still run the risk of the underlying PC OS getting infected with something. With a Winterm and Citrix Metaframe the user has what amounts to a dumb terminal at their desk, and connects directly to a Citrix server farm where you have complete control over what applications can and cannot be run. Plus a Winterm is half the cost of a new PC.
 
Hi there

I'll add my ten penith. I suggest the use of Mandatory Profiles. Easy to use, create one user with all the settings you like.
Log on as Admin, rename ntuser.dat in the new users profile directory to ntuser.man

Then use the copy profile util (right click "My Computer", Properties, Profiles tab, etc.). Copy the new ntuser.man to each user you want to tie down.

One minor problem: settings for Email, etc. may need to be set up either by script to change the appropriate keys or do it manually. Or, tidy each user's profile, then rename ntuser.dat to ntuser.man for each user.
PS I have done this and it works pretty well, else GPO's in AD. Regards ACO
 
You could use group policy and only allow certain applications
 
ffoschiatti2 is along the right lines;

As well as creating these digital GPOs, generate some good old fashioned user policies that state what is acceptable/non-acceptable behaviour on the system.

When users breach this policy you have the facility to discipline them, which should bring issues grinding to a stop.

Cheers, Rob
 
I work in a public library with computer access for the public. We use a product called deep freeze from Hypertechnologies. It reverts back to the original installation whenever you reboot. You can leave part of the Hard Drive thawed, it works on top of group policies, you can disable it to alter the original config. It has been a lifesaver. The user does not know that it is running.
 
Ok, I'm doing something wrong here. First, I set up a policy and before I even attached it to anything, I accidentally locked down every 2000 machine in the building.. Ooops..

So I undid that and created a new OU in active directory, in the same list with users, computers, etc. and called it "terminal server users".

Then I moved 2 items into the folder: the computer account for the termsrv computer and the user group "sales reps". (this is the step I really guessed on)

Then I went into the group policy for "terminal server users" and locked it down, but it doesn't seem to be working. I waited a while thinking maybe it just had to refresh, but it still won't work. How do I associate the policy with the computer or the users or anything?
 
Sounds like you may have applied it to the root and not the container.
Looking in AD right click the container, make sure you have selected the GPO for the correct container.
Regards ACO
 
In the end, here's how it went down, for anyone else who needs steps 1, 2, and 3. Like I said earlier, I have no experience with GPOs so I had to figure this out myself. It's easy now that I know how, but it was not obvious to me.

1. go into active directory users and computers, right click on your domain node, and choose new -> organizational unit

2. drag and drop users/computers from the normal location to the new folder.. moving groups won't work

3. right click the folder, click properties, group policies tab, click new, type a name, then click edit to open the editor on the new container
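The three steps above as an added PowerShell example (not code from the thread). It uses the ActiveDirectory and GroupPolicy modules, which exist on Windows Server 2008 R2 and later rather than on Windows 2000, and assumes the domain example.com, a terminal server account named TERMSRV and a group "Sales Reps". It goes one step further than the post: it sets a few of the lockdown values the original question asks about and turns on loopback processing, which a terminal server needs so the user settings follow whoever logs on to that machine.

```powershell
# Added example, not from the thread. Assumptions: domain DC=example,DC=com,
# terminal server computer account TERMSRV, user accounts in group "Sales Reps".
# Run on a domain controller (or with RSAT) as a domain admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=com'            # assumed domain
$ouName   = 'Terminal Server Users'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Terminal Server Lockdown'

# Step 1: create the OU. Linking the GPO here, not at the domain root, is what
# keeps it from hitting every 2000 box in the building.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# Step 2: move the computer and the user accounts into the OU. GPOs apply to
# user and computer objects, not to groups, which is why moving the group alone
# did nothing; the group's members are moved one by one instead.
$termsrv = Get-ADComputer -Identity 'TERMSRV'   # assumed computer name
Move-ADObject -Identity $termsrv.DistinguishedName -TargetPath $ouDn
foreach ($u in Get-ADGroupMember -Identity 'Sales Reps' | Where-Object objectClass -eq 'user') {
    Move-ADObject -Identity $u.distinguishedName -TargetPath $ouDn
}

# Step 3: create the GPO and link it to the OU (idempotent on re-run).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes

# User-side restrictions via the Explorer/System policy keys: hide Control
# Panel, remove the Run dialog, block regedit.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoControlPanel' -Type DWord -Value 1
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoRun'          -Type DWord -Value 1
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1

# Loopback processing in Replace mode (UserPolicyMode = 2): the user settings of
# GPOs linked to the computer's OU apply to everyone who logs on to TERMSRV,
# including admins, so keep a separate, unrestricted path for administration.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# On the terminal server: gpupdate /force, then gpresult /r to confirm the link.
```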
 