How to configure permissions during remote session.

[ditchmagnet]

Is there a way to limit what users can access on the server while they are logged in during a remote session? Anyone who logs into the server can go around and look at whatever they want on the server. Is my only option to create another server specifically for remote access, a server with no sensitive data?

Thanks.

 

[victorv]

hi,
which users ?

1) the same users that normally log in internally, but for some reasons are remotely attached

2) external users (customers,suppliers...) that you enable
to log in in your network to collaborate with you.

In case of internal (1), I don't see many problems: if they want do "strange" things, and you are able to verify if they are inside or not, they can do the same thing tomorrow, when they are inside.
If you are able to do it and limit them, you may limit the ability to perform normal jobs (while they are in hotel or till at home)
and this may be a limitation for the company.

For (2) external, probably it is right to limit access,
but limit by name, not for location (VPN or other or not).

They can be not domain user but only server member,
or they can be in domain but they can be deleted from "Domain Users" group and belong to special groups,
and give access to resources (shares,...) just adding their group/name to specific res.

bye
vic

 

[TechyMcSe2k]

utilize Group Policies and lock the server down for remote users.

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[ditchmagnet]

Thanks for the replies. Let me explain the situation a little more.

To Vic:
The users that log into the server are users that login internally, as well as users that are offsite that do not login internally.

Users are logging in so that they can run a database program called Skyline. It is a reality company, so they have different offices (which is why there are users offsite). The users on site also login to a remote session with the server in order to use the program.

Its not that the users would want to do harm to the server, its just that, (as one of the bosses has told me), there is sensitive information that not every employee should have access to.

To Techy:
What do you mean lock the sever down for remote users? Do you mean shut down remote access? Users need to be able to remotely access the server to run the program on the server.

-ditchmagnet

 

[TechyMcSe2k]

Group Policies are how domain administrators lock down servers, just as you would lock down a PC to prevent user access to sensitive items such as command prompt, c: drive, registry editing tools.

It is essentially setting local security policies, but from a central management point.

introduction to GPO in Windows 2003

http://download.microsoft.com/download/0/0/4/0044470e-5f3a-4569-9255-91f932e4da3b/gpintro.doc

Terminal Server Lockdown with GPO

http://support.microsoft.com/kb/260370

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[ditchmagnet]

Does it mater that the server is 2000 and not 2003?

 

[TechyMcSe2k]

no, there are GPO's for windows 2000. the feature may be missing a few of the upfgraded 2003 gpos, but a nice google search will find you the GPO w2K documents

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[victorv]

hi,
I deploy projects with Terminal Server + Citrix, and I am use to solve these problems in indirect mode.
We don't publish entire desktop to users, but just the applications they need. You can do something similar without
Citrix, with some limitations, but you can do.

Do these users login in Server just to use the db-program?
When they log in, use another username (one of db, different
from that of domain) ?

If yes, disable TS for these users and publish a TS link to this program for a generic domain user called TS-Skyline,
that has access to Ts and just launch the program. When they exit from the program, the session close up.

To user TS-Skyline, you can apply GPO policy as remove links
from desktop, and so on, so that if they make an interactive login (not using the link, but loging as before), they are limited.

If the idea my be good, we try to improve and detail it.

ciao
vittorio

 

[ditchmagnet]

Couldnt I just go to properties on C:, then go to security, and allow only certain users full control? right now all domain users are set to full control.

 

[TechyMcSe2k]

That could affect programs. The GPO's HIDE C: but still allow programs to run.

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[ditchmagnet]

Techy:
after reading through that link to the KB, I am wondering if I can do that successfully. The terminal server is also, the domain controller. They only have one server. So if I add the server to an OU, would that cause problems for everything else?

 

[TechyMcSe2k]

The DC will need to remain under the Domain Controllers OU. What you can do is apply your GPO there, since they only have one DC.

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!