We found out the hard way several years ago that an infected Terminal Server
can use Drive Mapping to infect every client whose drives it can write to!
So we would like to have a single exchange drive (e.g., M:) that would
normally be empty, where files can be copied by the client, and then seen by
the Terminal Server. We do not want to have any possibility of a user
exposing the local boot or data volumes to the Terminal Server.
--
W
You can limit which local drives are shared by selecting them
in the Remote Desktop Client version 6 or later. You could
save this setting in a .rdp file and distribute to your users, or
configure it via TSWeb if your users use that.
Thanks.
-TP
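As an added illustration of the .rdp approach TP describes (not text from this thread), the two fragments below show the Remote Desktop Client 6.0+ file keys that control drive redirection. `full address` and the exchange-drive letter M: are assumptions taken from the original question; the `;` lines are explanatory only and should be dropped from a real .rdp file.

```ini
; --- Fragment 1: the setting to avoid ---
; Every local drive is redirected, which is what let an infected Terminal
; Server write back into every client drive it could see.
full address:s:ts.example.invalid
redirectdrives:i:1
drivestoredirect:s:*

; --- Fragment 2: the restricted setting ---
; Only the exchange drive M: is redirected; the boot and data volumes are
; never offered to the server. Use redirectdrives:i:0 to redirect nothing.
full address:s:ts.example.invalid
redirectdrives:i:1
drivestoredirect:s:M:
```

A distributed .rdp file is a convenience, not an enforcement point: a user can still edit the file or tick extra drives in the client dialog, so if the requirement is that no boot or data volume can ever be exposed, the limit also has to be applied on the server side (listener or Group Policy), which is what the rest of the thread is about.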
--
Claudio Rodrigues
CEO, WTSLabs Inc.
http://www.wtslabs.com
"WebTS: TSWeb the way it should have been done since day one"
Citrix CTP
Provision Networks VIP
Make sure you download our free guide about Terminal Services.
An A to Z guide, explaining everything, from setting it up to enabling
group policies. A must read and again, completely free.
Nice to see you active in the group again.
Comments inline...
Claudio Rodrigues wrote:
> All TS mapped drives show up under \\tsclient\driveletter$. If you do
> not want any drive whatsoever to be mapped you simply disable that
> directly on the RDP-tcp listener (running TSCC.MSC for that).
For RDP redirected drives, there is no $. It is just \\tsclient\driveletter.
> If you want to disable certain ones you can do one of these:
> 1. On the logon script simply kill the \\tsclient\driveletter$ mapping
> using NET USE.
This will not accomplish much. On 2003, it will delete the network
connection, however, the namespace remains so the connection will
automatically be reestablished if the namespace is accessed. On 2008,
it will accomplish nothing.
You can write a script that will delete the namespaces, however, the
drives are still available through the TS network provider so a virus
would still be able to access them. Also the namespaces are automatically
recreated upon a session reconnect.
> 2. Use group policies to hide certain drive letters and prevent access
> to them. In this case only the ones you allow would show up.
The redirected drives are not drive letters, and therefore would not
be hidden using the hide drives Group Policy setting. Even if they were
a drive letter and able to be hidden, this would not achieve the desired
result since this would not affect the ability of a virus to access the
local client's drives.
-TP
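TP's point is that deleting the NET USE mapping or hiding drive letters changes nothing about what a process on the server can reach through \\tsclient. The script below is an added example (not from the thread or from either poster) that audits exactly that from inside an RDP session: it reads the listener and policy `fDisableCdm` values and then probes the \\tsclient namespace letter by letter, comparing the result against the allow-list the original poster wanted (only an exchange drive, M:). The registry paths are the standard RDP-Tcp listener and Terminal Services policy keys; the `$AllowedDrives` default and the assumption that it runs inside an RDP session on the Terminal Server are mine.

```powershell
param(
    # Client drive letters that are permitted to be reachable from the server.
    # Default reflects the original question: a single exchange drive, M:.
    [string[]]$AllowedDrives = @('M')
)

# Server-side enforcement points. fDisableCdm = 1 turns client drive mapping off.
# The policy value (set by Group Policy) takes precedence over the listener value.
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-CdmSetting {
    param([string]$Key)
    if (Test-Path -Path $Key) {
        $v = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).fDisableCdm
        if ($null -ne $v) { return [int]$v }
    }
    return $null   # value not present: no restriction configured at this level
}

$listener = Get-CdmSetting $listenerKey
$policy   = Get-CdmSetting $policyKey
"Listener fDisableCdm : $listener   (1 = client drive mapping disabled on RDP-Tcp)"
"Policy   fDisableCdm : $policy   (1 = disabled by GPO, overrides the listener)"

# Probe the redirected-drive namespace directly. This is the path any process
# in the session can use, whether or not a drive letter or NET USE mapping
# exists, so it reflects what malware on the server would actually see.
$exposed = @()
foreach ($code in 65..90) {
    $letter = [string][char]$code
    if (Test-Path -LiteralPath "\\tsclient\$letter") { $exposed += $letter }
}

if ($exposed.Count -eq 0) {
    'No client drives are reachable through \\tsclient in this session.'
    exit 0
}

$unexpected = @($exposed | Where-Object { $AllowedDrives -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Client drives reachable beyond the allow-list: " + ($unexpected -join ', '))
    exit 1
}
"Only allowed client drives are reachable: " + ($exposed -join ', ')
exit 0
```

Run it from a PowerShell prompt inside a user's RDP session after applying whatever restriction you chose; a non-zero exit code means a client volume outside the allow-list is still writable from the server, regardless of what the logon script or the hide-drives policy made it look like.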