Thursday, February 3, 2011

Allow only RemoteApp, not Remote Desktop

I found the following question, with a similar premise; however, the answer to the question was the question rephrased as a statement!

http://serverfault.com/questions/111770/remoteapp-prevent-user-from-running-remote-desktop

How do I allow RemoteApp but disallow Remote Desktop? In order to allow remote app, I'm seemingly having to add the users to the "Remote Desktop Users" group. This allows Remote Desktop.

I tried using the "TS Web Access Computers" group, however this does not give them the authority to run RemoteApp.

Where is the configuration to disable Remote Desktop, while leaving RemoteApp capabilities intact?

  • There isn't an "officially sanctioned" way to do this because, fundamentally, TS RemoteApp functionality is just leveraging existing Remote Desktop code. You could do something silly like use Group Policy to set the user's shell to be "logoff.exe" such that if they attempted to access the machine's desktop they'd be immediately logged off. Any application that uses a common "File / Open" dialog, though, can be used to get a command prompt or other programs open on the server's desktop.

    You're better off making sure that you follow the principle of least privilege and give your TS RemoteApp users as few rights as they need to run the intended software. If they do end up on the server computer's desktop their restricted rights should prevent them from doing anything damaging to the server computer.

    Aequitarum Custos : Good to know; the software is our own, and we are providing customers a way to run it without having their own server. However, we are attempting to restrict them down to simply using the application. Will attempt that idea and see how it goes.
    Aequitarum Custos : Where is the policy for this located? Can I do this in the Local Security Policy for the server hosting these applications? If I need to do this at a domain level, I need to bring in the owner of the company and walk him through it.
    Zoredache : @Aequitarum Custos, I believe he was talking about `User Configuration/Policies/Administrative Templates/System/Custom User Interface`
    Aequitarum Custos : Thanks that looks like it works Zoredache!
    Miles Erickson : Don't forget to set software restriction policies that allow them to run only what you are expecting them to run. (+1 for setting the shell to logoff.exe: I've done the same & recommend it)
    Miles Erickson : @Aequitarum No, you don't need to do it at the domain level. If you want to edit Group Policies locally for one machine only, just run gpedit.msc.
    Evan Anderson : Software restriction policy would be a lot less hackish than changing the shell, but denying access to Explorer, I would surmise, is going to be problematic.
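The thread above ends up recommending three controls for a RemoteApp-only host: the "Custom User Interface" policy pointing the shell at logoff.exe, least-privilege membership (Remote Desktop Users but not Administrators), and Software Restriction Policies. The script below is an added example, not code from the Server Fault thread or any of its participants, that audits whether those three controls are actually in effect for an account. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module (`Get-LocalGroupMember`), and the standard registry locations those two policies write to when Group Policy applies them; the function name `Test-RemoteAppLockdown` is the example's own.

```powershell
# Added example (not from the Server Fault thread). Audits the RemoteApp lockdown
# controls the answer and comments describe. Assumes Windows PowerShell 5.1+ with the
# LocalAccounts module; run it in the restricted user's own session so that the
# per-user (HKCU) policy value reflects that user's applied Group Policy.

function Test-RemoteAppLockdown {
    [CmdletBinding()]
    param(
        # Account expected to be restricted; defaults to the caller.
        [string]$UserName = "$env:USERDOMAIN\$env:USERNAME",
        # Where "User Configuration/.../System/Custom User Interface" lands when applied.
        [string]$ShellPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        # Where Software Restriction Policies store their default security level.
        [string]$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    )

    # 1. Custom User Interface: the shell should be logoff.exe (the thread's workaround).
    $shell   = (Get-ItemProperty -Path $ShellPolicyKey -Name Shell -ErrorAction SilentlyContinue).Shell
    $shellOk = $shell -and ($shell -match '(^|\\)logoff\.exe$')

    # 2. Group membership: Remote Desktop Users is required for RemoteApp, so list it;
    #    an Administrators member can simply undo the shell policy, so flag that too.
    $rdUsers = @()
    $admins  = @()
    try {
        $rdUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Stop |
                   Select-Object -ExpandProperty Name
    } catch { }
    try {
        $admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                   Select-Object -ExpandProperty Name
    } catch { }

    # 3. Software Restriction Policies: DefaultLevel 0x1000 = Disallowed, i.e. only
    #    explicitly allowed paths/hashes run (the allow-list mode Miles recommends).
    $level = (Get-ItemProperty -Path $SrpKey -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    $srpMode = switch ($level) {
        0x1000  { 'Disallowed (allow-list)' }
        0x20000 { 'Basic User' }
        0x40000 { 'Unrestricted' }
        default { 'Not configured' }
    }

    [pscustomobject]@{
        User                 = $UserName
        ShellPolicy          = if ($shell) { $shell } else { '(not set)' }
        ShellIsLogoff        = [bool]$shellOk
        InRemoteDesktopUsers = ($rdUsers -contains $UserName)
        InAdministrators     = ($admins  -contains $UserName)
        SrpDefaultLevel      = $srpMode
        SrpIsAllowList       = ($level -eq 0x1000)
    }
}

# Example run for the current session's account.
Test-RemoteAppLockdown | Format-List
```

A fully applied lockdown shows `ShellIsLogoff`, `InRemoteDesktopUsers` and `SrpIsAllowList` all `True` and `InAdministrators` `False`. Note that, as the answer points out, the shell policy only reacts once the user reaches the desktop; the software restriction policy is what stops a "File / Open" dialog from becoming a way to launch other programs, so `SrpIsAllowList` is the result to care about most.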
