
Terminal Server 2000 - Restricting Access to server's desktop

Status
Not open for further replies.

awise

IS-IT--Management
Dec 11, 2001
85
I need to implement a Windows 2000 application terminal server to provide client access to several applications. Within 2000 TS (Citrix is not an option for us), how can I set up TS so that clients can only access specified applications and not have access to anything else on the TS server?

I want clients accessing their apps and not having access to the server itself (i.e. command prompt, Programs menu, etc.).

Appreciate any input.

Thank you,

Andrew
 
You could utilize the Application Security program from the resource kit.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
Set up one profile the way you want and create all other users with a mandatory profile, i.e. rename NTUSER.DAT to NTUSER.MAN.
Copy the profile to the TS users.

Have to say this is a pain because many applications have loopholes and back doors to Explorer and shell objects.

Think you need to tie down profiles with GPO for best results.

Regards ACO
 
You could make a new container in Active Directory, put the TS in there, then create a policy for it.
 
Group Policies are the best way to achieve this. I have done this by creating a new OU for my TSE servers and setting all the options in a GPO that I have then applied to that OU.

There is an MS White Paper on how to lock down TSE servers using GPOs. Do a google search for Securing TSE servers and there are also some good articles in various magazines.

Regards
jpaf

 
Although I've used GPOs to lock down sessions, recently I've taken another tactic. I simply configure the RDP protocol on the Terminal Server using the Terminal Services Configuration MMC. Get properties on the RDP-Tcp connection and choose the Environment tab. Choose "Override settings from user profile and RDP client" and then notice that you are able to enter a program path below. I point it at a batch file I've written.

I wrote this batch file for my environment that kicks off both of the apps that the user might need to log into, each of which brings up a logon dialog. The users cancel logon for the app they aren't interested in using and log onto the app they want. Since we wrote custom apps, the logon dialogs are small (in screen real-estate), but this might be a problem if your apps didn't have small logon dialogues.

If the user closes all of the logon dialogue boxes, the session automatically logs itself out. And since the Explorer shell is bypassed when you use this option, there is a blank desktop with no start menu behind the apps that run.

A better way to do this, if you have a programmer in-house, is to write a quick app that gives the user a menu of which app they want to execute, and tell the RDP connector to run that app on logon. Then you wouldn't have the overhead and potential confusion of having unneeded apps open in a session, and you still avoid using the explorer shell that gives users access to all those things you want to restrict.

If this isn't helpful, I hope it's at least interesting.

ShackDaddy
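As an added illustration of the "initial program" approach described in the post above (this is a constructed example, not ShackDaddy's batch file), the following launcher implements the menu variant: it is set as the program path on the RDP-Tcp connection's Environment tab, offers the user a short list of applications, runs the chosen one with `start /wait` so the script stays alive for as long as the application does, and exits when the user picks "Log off". Because the initial program replaces the Explorer shell, the session has no Start menu or desktop behind the application, and when the script ends the session logs off. The application paths and menu entries are placeholders.

```batch
@echo off
rem Constructed example of a menu launcher used as the Terminal Services
rem initial program (not code from the original thread). Paths are placeholders.
setlocal

:menu
cls
set APP=
echo.
echo   1. Order entry
echo   2. Reporting
echo   3. Log off
echo.
set CHOICE=
set /p CHOICE=Select an application (1-3):

rem Map the selection to an application path; the quotes keep paths with
rem spaces intact when they are passed to START below.
if "%CHOICE%"=="1" set APP="C:\Apps\OrderEntry\order.exe"
if "%CHOICE%"=="2" set APP="C:\Apps\Reporting\report.exe"
if "%CHOICE%"=="3" goto end
if not defined APP goto menu

rem The empty "" is START's window title; /wait blocks until the application
rem exits, so the session is not logged off while the user is still working.
start "" /wait %APP%
goto menu

:end
endlocal
rem When the script terminates, Terminal Services ends the session because the
rem initial program has exited; Explorer is never started in this session.
```

Only applications that appear in the menu are reachable from the session, and the user never sees a shell from which to start anything else. The usual caveat from the thread still applies: any application that offers a file-open dialog or a "run" feature can expose Explorer and the rest of the server, so this launcher is best combined with the GPO and mandatory-profile restrictions the other replies describe.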
 