
lockdown desktop without Group Policy


Pearl

Sep 7, 2007, 7:08:01 AM
Is there a way to lock down a Terminal Server session desktop without using
Group Policy?

Vera Noest [MVP]

Sep 7, 2007, 7:42:02 AM
You can use the local policy on the server, as well as NTFS
permissions on the file system.
Folder redirection is not possible, though.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Pearl <Pe...@discussions.microsoft.com> wrote on 07 Sep 2007 in
microsoft.public.windows.terminal_services:

Pearl

Sep 7, 2007, 7:50:04 AM
Thanks Vera.
I looked at the local policy on the server and it does not appear to have
the ability to do such things as remove icons or deactivate them for the TS
user, or only execute a single application from the TS session. Am I correct?

Vera Noest [MVP]

Sep 7, 2007, 10:20:36 AM
Which icons? You can manually remove all shortcuts which are not
wanted from the Default User profile and Start menu. You can not
redirect the desktop to a custom desktop, because Folder
redirection is not supported with a local policy.
You should be able to define a starting application, but you can
also do that in the Terminal Services Configuration tool.

Pearl

Sep 7, 2007, 10:32:01 AM
Actually, our security group is directing this requirement for us. They not
only want the icon removed but deactivated so that the user cannot launch it
at all. The icons that they are concerned about are: Network Places, My
Computer, Internet Explorer, RUN... just about anything that will allow the
user to customize the desktop and anything that is connected to or can be
connected to the network. They would like to lock the desktop down to just
the ability to launch a single application and have that icon on the desktop
ALONE... no wallpaper, also. Strong paranoia.

Lanwench [MVP - Exchange]

Sep 7, 2007, 11:40:20 AM
Pearl <Pe...@discussions.microsoft.com> wrote:
> is there a way to lockdown a Terminal Server session desktop without
> using Group Policy?

Sure, many ways. For example, if you're using a standalone or member server
you can do a lot of things with *local* policies. But you may wish to be
more specific about what exactly you're trying to do, and why you're trying
to do it without group policy if you have it as an option....


Pearl

Sep 7, 2007, 2:56:13 PM
Thanks for replying. What we'd like to do is set up only Local Users (no AD
users) to access this TServer and still apply desktop restrictions like:
1. limit only a specific application to launch
2. remove and disable key desktop icons like Network Places, My Computer,
Internet Explorer
3. Disable the RUN command
4. Disable the wallpaper and Desktop properties from being customized
5. Not making security tab available to the users
6. Only showing and allowing Logoff....no shutdown
7. Prevent access to the command prompt
8. Prevent users from accessing Registry tools to edit the Registry

I have GPMC and the server is Windows 2003 standard. I am advised that GPMC
will not allow us to configure these restrictions for the User so what other
options do I have?

Thanks in advance

Vera Noest [MVP]

Sep 7, 2007, 3:25:06 PM
You should be able to do most of that with a local policy. Run
gpedit.msc to edit the local policy.

Vera Noest [MVP]

Sep 7, 2007, 3:25:59 PM
Use gpedit.msc


Pearl <Pe...@discussions.microsoft.com> wrote on 07 Sep 2007 in
microsoft.public.windows.terminal_services:

> thanks for replying. What we'd like to do is setup only Local
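The eight restrictions in Pearl's list are all User Configuration settings in gpedit.msc, and Windows stores each one as a value under the user's Policies registry keys. That is what makes a per-user variant possible on a standalone server: instead of editing the local GPO (which lands on every account, administrators included), an administrator can write the same values straight into the hives of the members of one local group. The script below is an added example written for this thread, not code posted by Pearl, Vera or anyone else in it. It assumes PowerShell 2.0 installed on the Windows Server 2003 box, a local group named 'TS Locked Users', and a single permitted application at C:\Apps\Kiosk\kiosk.exe; the TerminalServicesInitialProgram property write through the WinNT ADSI provider is also an assumption (it needs the TS ADSI extension, which a terminal server has). Run it from an administrator session; the target users should be logged off.

```powershell
# Added example, not code from the thread. Writes the registry values behind the
# listed gpedit.msc User Configuration settings into the hive of every member of
# one local group, skipping anyone who is also in Administrators.
# Assumptions: PowerShell 2.0 on Windows Server 2003; group and paths below.

$LockedGroup = 'TS Locked Users'            # assumed group name
$AllowedPath = 'C:\Apps\Kiosk\kiosk.exe'    # assumed application; RestrictRun matches the file name only
$HiveMount   = 'TSLock'                     # temporary HKEY_USERS mount point for logged-off users
$Explorer    = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System      = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Each entry: registry value -> the User Configuration setting it implements.
$Policies = @(
  @{ Key = $Explorer; Name = 'NoRun';          Data = 1; Type = 'DWord' },  # Remove Run menu from Start Menu
  @{ Key = $Explorer; Name = 'NoClose';        Data = 1; Type = 'DWord' },  # Remove and prevent access to Shut Down (Log Off stays)
  @{ Key = $Explorer; Name = 'NoNetHood';      Data = 1; Type = 'DWord' },  # Hide My Network Places icon on desktop
  @{ Key = $Explorer; Name = 'NoInternetIcon'; Data = 1; Type = 'DWord' },  # Hide Internet Explorer icon on desktop
  @{ Key = $Explorer; Name = 'NoSecurityTab';  Data = 1; Type = 'DWord' },  # Remove Security tab
  @{ Key = $Explorer; Name = 'RestrictRun';    Data = 1; Type = 'DWord' },  # Run only allowed Windows applications...
  @{ Key = "$Explorer\RestrictRun"; Name = '1'; Type = 'String';
     Data = (Split-Path $AllowedPath -Leaf) },                               # ...and its allow-list, one value per program
  @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum'; Type = 'DWord';
     Name = '{20D04FE0-3AEA-1069-A2D8-08002B30309D}'; Data = 1 },            # Remove My Computer icon on the desktop
  @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Type = 'DWord';
     Name = 'NoChangingWallPaper'; Data = 1 },                               # Prevent changing wallpaper
  @{ Key = $System; Name = 'NoDispCPL';            Data = 1; Type = 'DWord' }, # Remove Display in Control Panel (no Desktop properties)
  @{ Key = $System; Name = 'DisableRegistryTools'; Data = 1; Type = 'DWord' }, # Prevent access to registry editing tools
  @{ Key = 'Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD';
     Data = 2; Type = 'DWord' }   # Prevent access to the command prompt; 2 keeps batch files such as usrlogon.cmd working
)

function Get-LocalGroupMembers([string]$Group) {
  # Direct members only (nested groups are not expanded); WinNT provider, so it works in a workgroup.
  $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
  @($g.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
  }
}

function Set-UserPolicies([string]$HiveRoot, [string]$User) {
  foreach ($p in $Policies) {
    $key = "Registry::$HiveRoot\$($p.Key)"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $p.Name -Value $p.Data -PropertyType $p.Type -Force | Out-Null
  }
  # A policy the user can delete with reg.exe is no policy: leave the user read-only on the
  # keys written above (a normally created profile already ACLs its Policies keys this way).
  foreach ($key in ($Policies | ForEach-Object { "Registry::$HiveRoot\$($_.Key)" } | Sort-Object -Unique)) {
    $acl = Get-Acl $key
    $acl.SetAccessRuleProtection($true, $false)            # drop the inherited Full Control from HKCU\Software
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($e in @(@('BUILTIN\Administrators', 'FullControl'), @('NT AUTHORITY\SYSTEM', 'FullControl'), @($User, 'ReadKey'))) {
      $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($e[0], $e[1], 'ContainerInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $key -AclObject $acl
  }
}

function Set-TsInitialProgram([string]$User, [string]$Exe) {
  # Per-user "Start the following program at logon", the same setting as the user's Environment tab.
  # Assumption: the TS extension is reachable through the WinNT provider, as it is on a terminal server.
  $u = [ADSI]"WinNT://$env:COMPUTERNAME/$User,user"
  $u.psbase.InvokeSet('TerminalServicesInitialProgram', $Exe)
  $u.psbase.InvokeSet('TerminalServicesWorkDirectory', (Split-Path $Exe))
  $u.SetInfo()
}

$admins = @(Get-LocalGroupMembers 'Administrators')
foreach ($user in Get-LocalGroupMembers $LockedGroup) {
  if ($admins -contains $user) { Write-Warning "$user is an administrator, not locking down"; continue }
  $sid = (New-Object System.Security.Principal.NTAccount($user)).Translate([System.Security.Principal.SecurityIdentifier]).Value
  if (Test-Path "Registry::HKEY_USERS\$sid") {
    Set-UserPolicies "HKEY_USERS\$sid" $user          # logged on: hive already mounted, takes effect at next logon
  } else {
    $prof = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" -ErrorAction SilentlyContinue
    if (-not $prof) { Write-Warning "$user has no profile yet (never logged on), skipping"; continue }
    & reg.exe load "HKU\$HiveMount" (Join-Path $prof.ProfileImagePath 'NTUSER.DAT') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $user (still logged on?)" }
    try { Set-UserPolicies "HKEY_USERS\$HiveMount" $user }
    finally {
      [GC]::Collect(); [GC]::WaitForPendingFinalizers()   # release provider handles before unloading
      & reg.exe unload "HKU\$HiveMount" | Out-Null
    }
  }
  Set-TsInitialProgram $user $AllowedPath
}
```

Two caveats a security group should hear before signing this off. RestrictRun is enforced by Explorer for what Explorer launches (desktop, Start menu, Run); it is not a kernel boundary, so the real limits for these users are the per-user initial program and NTFS permissions on the executables, the "NTFS permissions on the file system" Vera mentions in her first reply. And a user who has never logged on has no hive to write to, so the script has to be run again after each new user's first logon (or the user added to the group before it).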

Pearl

Sep 7, 2007, 3:28:02 PM
Forgot to mention. The SERVER is also not in AD. It is a standalone Server
in our DMZ. I'm assured by our security team that all the necessary setup
will be in place to allow outside remote users to connect to the server as
local users.

Pearl

Sep 7, 2007, 3:52:00 PM
Vera,
That seems to work fine but it also restricted the administrator. How can I
get back into the server as the administrator and apply the policy to all
users EXCEPT the administrator? I now don't have Run, nor any of the items I
activated... which is good for the users but not for the administrator.

Vera Noest [MVP]

Sep 7, 2007, 4:48:18 PM
That's one of the disadvantages of local policies, they don't allow
security filtering.
TP posted a way around this a while ago:

From: "TP" <tperson....@mailandnews.com>
Subject: Re: local policy and terminal server
Date: Wed, 8 Nov 2006 16:59:42 -0500
Newsgroups: microsoft.public.windows.terminal_services

Here are the instructions for a standalone 2003 server, which can
be summarised with:
1. create a group and user (steps 1 - 4)
2. set permissions and ownership on three folders and a file (steps 5 - 23)
3. create a shortcut (steps 24 - 27)

INITIAL SETUP

This should be done before attempting any changes to
Group Policy settings.

1. Logon as an administrator
2. Open up Computer Management from Administrative Tools
3. Create a new local group named "GP Editors"
4. Create a new local user named "gpedit". Assign this user
a password, and check "password never expires". Make
this user a member of the GP Editors group.
5. Open up windows explorer and browse to the following
folder (make sure that view hidden files is enabled):
C:\WINDOWS\system32\GroupPolicy
6. Right-click on the GroupPolicy folder and Properties - Security
- Advanced
7. Click the Add button, enter GP Editors in the Select User or
Group dialog, and click OK
8. Check Full Control under the Allow column, and click OK
9. Check "Replace permission entries on all child objects with
entries shown here that apply to child objects"
10. Click the Apply button and confirm Yes twice.
11. On the Owner tab, click the Other Users and Groups button,
enter GP Editors, and click OK.
12. Check "Replace owner on subcontainers and objects"
13. Make sure GP Editors is selected in the Change Owner to list.
14. Click the OK button to change the owner, click OK to close
the GroupPolicy Properties
15. Within the GroupPolicy folder, right-click on the Machine
folder, and choose Properties - Security
16. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
17. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
18. Within the GroupPolicy folder, right-click on the User folder,
and choose Properties
19. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
20. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
21. Within the GroupPolicy folder, right-click on the gpt.ini file,
and choose Properties
22. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
23. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
24. Right-click on the desktop and choose New-->Shortcut
25. Enter the following in the location box:
runas /user:gpedit "%windir%\system32\mmc gpedit.msc"
26. Click Next, and enter "Edit Group Policy" for the name
27. Click Finish

MODIFYING GROUP POLICY SETTINGS

1. Logon using the account you used for the initial setup
2. Double-click on the Edit Group Policy shortcut
3. Enter the password for the gpedit account
4. Edit the policies as needed

Lanwench [MVP - Exchange]

Sep 8, 2007, 10:10:22 AM
Pearl <Pe...@discussions.microsoft.com> wrote:
> forgot to mention. The SERVER is also not in AD. It is a standalone
> Server in our DMZ. I'm assured by our security team that all the
> necessary setup will be in place to allow outside remote users to
> connect to the server as local users.

If users on this server will be accessing any AD resources at all, putting
this box in a DMZ is beyond foolish.

Tonky

Oct 26, 2007, 12:51:00 PM
Dear Vera

I have a similar issue, but on a Server 2003 R2 SP1 box which is a DC and so
I followed the instructions for GP Editor as suggested by TP. All seemed to
go well until accessing the desktop shortcut created in the last step. A
Command prompt appears requesting the gpedit password. When I attempt to type
it in, nothing appears but the Command Line disappears launching Group Policy
Editor saying access denied.

Something obviously went wrong, which could stem back to editing the
security settings for gpt.ini, which suggested changes couldn't be made as it
was read only, but it appeared to make changes all the same as all existing
security groups were removed from the list.

I can now no longer edit group policy.

Any help?

Many thanks.

Tony
--
Always hands on and keen to learn.

Vera Noest [MVP]

Oct 26, 2007, 3:42:54 PM
First of all: a DC is *not* a standalone server!
A standalone server (i.e. a server in a workgroup) is only
subjected to its local policy, nothing else. A DC is subject to
Group Policies in the domain.

Can you check who is the current owner of gpt.ini? Right-click
gpt.ini - properties - security - advanced - owner.
And what exactly is listed in the security tab? Any accounts at all
there? With which permissions?



Tonky <To...@discussions.microsoft.com> wrote on 26 Oct 2007 in
microsoft.public.windows.terminal_services:

TP

Oct 27, 2007, 11:27:19 AM
Hi Tony,

The instructions are *not* meant for use on a DC.

Please reset the permissions on the GroupPolicy folder to
default using the following instructions:

1. Logon to the DC as an administrator

2. Open up windows explorer and browse to the following
folder (make sure that view hidden files is enabled):
C:\WINDOWS\system32\GroupPolicy

3. Right-click on the GroupPolicy folder and choose Properties
- Security tab - Advanced button - Owner tab

4. Select Administrators for the owner and check "Replace
owner on subcontainers and objects", click OK and Yes

5. Close the GroupPolicy folder Properties window

6. Right-click on the GroupPolicy folder and choose Properties
- Security tab - Advanced button - Permissions tab

7. Use the Add & Remove buttons as needed until you have
*only* the following Permissions entries in the list:

Allow Authenticated Users Read & Execute <not inherited> This folder, subfolders and files
Allow Server Operators Read & Execute <not inherited> This folder, subfolders and files
Allow Administrators Full Control <not inherited> This folder, subfolders and files
Allow CREATOR OWNER Full Control <not inherited> Subfolders and files only
Allow SYSTEM Full Control <not inherited> This folder, subfolders and files

Note: Read & Execute consists of the following individual
permissions, check all of them when adding the entry:

Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions

8. Check "Replace permission entries on all child objects with
entries shown here that apply to child objects"

9. Click OK and then Yes to confirm

Thanks.

-TP
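The two procedures from TP, the "INITIAL SETUP" steps Vera quoted earlier and the repair steps in the post above, are 30-odd clicks through Explorer's Security dialogs, which is exactly how Tonky ended up with a gpt.ini nobody could read. The script below is an added example written for this thread, not TP's own script, that does the same work from PowerShell so it can be re-run and checked. It assumes PowerShell 2.0 on Windows Server 2003 SP2 or later (icacls.exe and takeown.exe are used, and neither ships with 2003 before SP2), and the group and user names 'GP Editors' and 'gpedit' from TP's post. One caveat worth stating plainly: the deny entries for Administrators only keep an administrator from accidentally opening gpedit.msc as themselves; any administrator can take ownership back with SeTakeOwnershipPrivilege, which is precisely what the repair relies on, so this is a guard rail, not a security boundary. As TP says, the protect half is for a standalone server, never a DC.

```powershell
# Added example, not TP's script: TP's "INITIAL SETUP" (protect) and repair (restore)
# steps as functions. Assumptions: PowerShell 2.0, Windows Server 2003 SP2 or later
# (icacls.exe / takeown.exe), and the names below. Run from an administrator session.

$GpFolder    = Join-Path $env:windir 'system32\GroupPolicy'
$EditorGroup = 'GP Editors'      # name from TP's post
$EditorUser  = 'gpedit'          # name from TP's post

function Invoke-Acl([string[]]$ArgList) {
  # icacls reports failures through its exit code; stop on the first one instead of limping on
  $out = & icacls.exe @ArgList 2>&1
  if ($LASTEXITCODE -ne 0) { throw "icacls $($ArgList -join ' ') failed:`n$out" }
}

function Assert-NotDomainController {
  # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
  if ((Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4) {
    throw 'This machine is a domain controller; the procedure is for standalone servers only'
  }
}

function New-GpEditor([string]$Password) {
  # steps 1-4: a dedicated group and a dedicated NON-administrator account in it
  & net.exe localgroup $EditorGroup /add | Out-Null
  & net.exe user $EditorUser $Password /add /passwordchg:no | Out-Null
  & net.exe localgroup $EditorGroup $EditorUser /add | Out-Null
  $u = [ADSI]"WinNT://$env:COMPUTERNAME/$EditorUser,user"
  $u.UserFlags = [int]$u.UserFlags.Value -bor 0x10000     # ADS_UF_DONT_EXPIRE_PASSWD: "password never expires"
  $u.SetInfo()
}

function Protect-GpFolder {
  Assert-NotDomainController
  if (-not (Test-Path $GpFolder)) { throw "$GpFolder does not exist yet; open gpedit.msc once first" }
  # steps 5-10: Full Control for GP Editors; (OI)(CI) = "this folder, subfolders and files",
  # so the children pick it up through inheritance
  Invoke-Acl $GpFolder, '/grant', "${EditorGroup}:(OI)(CI)F"
  # steps 11-14: GP Editors owns the whole tree, so the non-admin gpedit account can always write
  Invoke-Acl $GpFolder, '/setowner', $EditorGroup, '/T', '/C'
  # steps 15-23: Administrators denied on Machine, User and gpt.ini (a file takes no (OI)(CI))
  Invoke-Acl (Join-Path $GpFolder 'Machine'), '/deny', 'Administrators:(OI)(CI)F'
  Invoke-Acl (Join-Path $GpFolder 'User'),    '/deny', 'Administrators:(OI)(CI)F'
  Invoke-Acl (Join-Path $GpFolder 'gpt.ini'), '/deny', 'Administrators:F'
}

function Edit-LocalPolicy {
  # steps 24-27 / "MODIFYING GROUP POLICY SETTINGS": the editor runs as gpedit, not as you
  & runas.exe "/user:$EditorUser" "$env:windir\system32\mmc.exe $env:windir\system32\gpedit.msc"
}

function Restore-GpFolder {
  # repair steps 1-5: ownership back to Administrators first. takeown uses
  # SeTakeOwnershipPrivilege, so it works although the DACL denies us everything;
  # /d y answers the prompt for directories we are not allowed to list.
  & takeown.exe /f $GpFolder /a /r /d y | Out-Null
  if ($LASTEXITCODE -ne 0) { throw 'takeown failed' }
  # repair steps 6-7: wipe whatever is there (including unresolvable SIDs), then exactly
  # the listed entries, none of them inherited
  Invoke-Acl $GpFolder, '/reset'
  Invoke-Acl $GpFolder, '/inheritance:r', '/grant', 'Authenticated Users:(OI)(CI)RX',
             'Administrators:(OI)(CI)F', 'CREATOR OWNER:(OI)(CI)(IO)F', 'SYSTEM:(OI)(CI)F'
  # Server Operators only exists on a domain controller; elsewhere the entry is simply skipped
  try { Invoke-Acl $GpFolder, '/grant', 'Server Operators:(OI)(CI)RX' }
  catch { Write-Warning 'No Server Operators group on this machine, entry skipped' }
  # repair steps 8-9: children keep nothing of their own and inherit from the folder
  Get-ChildItem $GpFolder -Force | ForEach-Object { Invoke-Acl $_.FullName, '/reset', '/T', '/C' }
}

# Usage:  New-GpEditor 'Str0ng-Passw0rd!'; Protect-GpFolder; Edit-LocalPolicy
# Undo:   Restore-GpFolder
```

After Protect-GpFolder, `icacls "$env:windir\system32\GroupPolicy\gpt.ini"` run as an administrator should fail with access denied while `Edit-LocalPolicy` opens the editor; that pair of checks is the quickest way to confirm the state TP's steps are meant to leave behind. Restore-GpFolder takes ownership before it touches a single ACE, which is the step Tonky's manual attempt lacked once Administrators had been denied on gpt.ini.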

Tonky

Oct 29, 2007, 6:39:00 AM
Thanks for the reply Vera. Made a bit of a mess there!

The Owner is: Unable to display current owner.
In the Change Owner to: Administrator is listed

There are no Users or Groups listed under the Security tab.

BTW: the procedure did succeed in locking down the Shut Down button for all
standard Remote Desktop User accounts as hoped, only I can now no longer
effect any other changes. I will revert changes as suggested by TP in the
next thread, but I still need to figure out how to lock it down, including
certain Apps, Server browsing, web browsing, etc.

Further help is appreciated.

Kind regards

Tony

Tonky

Oct 29, 2007, 6:46:00 AM
Dear TP

I kind of moosed that up a bit so thanks for the "Get out of jail card".
Once I revert the settings, I will still need to lock the Server down in
terms of what the TS users are able to access. Some will be running different
apps from each other but none will be permitted to gain access to the file
structure on the Server.

I would appreciate further help bearing in mind it is a DC.

Many thanks

Tony

Tonky

Dec 17, 2007, 7:59:01 AM
I may have done more damage than at first thought!

I followed TP's repair procedure to revert settings, and have just tried to
edit Group Policy with the admin account, but all options are greyed out.

Please help. We have just added a new user to the Domain and although that
went okay, they cannot access file shares. I went to look at gpedit.msc and
noticed the greyed out problem.

Please help.

Thanks



Vera Noest [MVP]

Dec 17, 2007, 9:21:10 AM
I think that your best option at this point is to call Microsoft
Support. Since it's not clear what went wrong, it's nearly
impossible to fix it with advice from a newsgroup, and you'll only
risk making the damage even bigger.


Tonky <To...@discussions.microsoft.com> wrote on 17 Dec 2007:
