Securing Terminal Sessions 1

[techer]

Hi all,

I am currently using a Win2K Adv Server to deploy a single application to a user group - through Terminal Services.

The problem is, I am running this server in an NT4 domain. Everything is working perfectly, except my attempts to secure/customise the NT Shell (Desktop, Start Menu, etc).

I know that in an Active Directory domain, you can use 'Active Directory Users and Computers' or the Local Computer Policy snap-in in MMC to set up general policy restrictions for the whole PC. But how can I get this policy to apply only for a specific global group from my NT4 SAM?

Also, the restrictions I apply are only supposed to pertain to users connecting to this particular server, using the RDP client. The last time I applied the restrictions using the Local Computer Policy snap-in, I found that the restrictions also applied when I logged in locally using my admin account!

Lastly, I've also tried using 'poledit' to set up custom shortcuts on the desktop, etc, and I find this works with the desktop, but not the Start Menu - where users can still get on and reconfigure all kinds of stuff (if they want to)!

Please help! What am I doing wrong?

Thank-you,

Marti

 

[Davetoo]

If you're only running the one application on the TS, just set the TS Server to only run that application, then apply AppSec from the RK to lock out any other attempts at circumventing the security.

 

[techer]

Thanks lander215.

I will give it a go this weekend. When administering a terminal server, is there any problem with performing these admin tasks through a terminal session? Or is it all supposed to be done locally?

Almost everything I've done from an admin point of view, I've done remotely through a Terminal Session. Would this also explain the results I mentioned above? (restrictions/mods being limited to my login).

Thanks again,

Marti

 

[leadingsx]

How do you setup TS to run only one or two applications?

 

[techer]

It depends on what type of domain you have. If it's Active Directory, you can easily use group policy objects (Accessible as a snap-in in the Microsoft Management Console) to lock down the server so that only one or two applications run. You can also set these applications to run automatically at login if you want. And these settings can be applied to User Group objects on the AD domain, so you can deploy different apps to different groups.

In an NT4 domain however, it is more complex, because the Group Policy settings are not able to be assigned to user groups - they are just assigned to the local computer. That means if you restrict access to something, that access will be restricted, whether you connect via TS or log on locally, and whether you are a domain user, or an Admin. To get user-group-specific settings or restrictions in place, you need to create user group policies using POLEDIT. This has alot of the same functionality you get in GPOs, but is the old way of applying them. Go to start-run-poledit - to start familiarising yourself with it.

 

[Davetoo]

For a Terminal Server running in Application Mode, you just go to the Terminal Services Configuration - Connections/Rdp-tcp/Properties and then you can configure how you want the TS to operate. One of the tabs you'll see the option to override the user settings and open a specific program upon session creation.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.

 

[techer]

Good call lander215. I had overlooked that setting.

What if you want a different application to run at login for a different Global group?

Can you assign a Connection to a particular Group?

What if a user is a member of multiple groups with multiple connections (ie, an administrator) - can an administrator get a greater level of access? Is there a hierarchy for group connection properties to override each other?