Title: Message
I tried sending a screenshot as a guide, but it's too large for the list. The configuration is done on the RDP properties.
 
Go to Admin Tools -> Terminal Services Configuration -> Connections -> RDP-Tcp (or whatever your connection is named).
 
Double-click on it and go to Environment. Check the "Override settings from user....." option. Then, in "Program path and file name", specify the path to the executable of the application you want to auto-launch (with the name of the executable, e.g. C:\winnt\system32\notepad.exe). For the "Start in" option, I would put in the path to the executable (without the name of the executable, e.g. C:\winnt\system32).
 
Forget what I said earlier about "logon locally". If you still need to see the screen shot, email me offline at deji at akomolafe dot com
 
HTH
 
Sincerely,

Dèjì Akómoláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon
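The Environment-tab steps above, expressed as a script so the setting can be applied and audited without the GUI. This is an added example, not code from the thread or from Microsoft: it assumes the listener is named RDP-Tcp and that the values fInheritInitialProgram, InitialProgram and WorkDirectory under the WinStations key are the ones the "Override settings from user profile" choice writes (fInheritInitialProgram = 0 means the listener overrides the per-user setting). The program and start-in paths are the constructed defaults; run it elevated on the terminal server.

```powershell
# Added example (not from the original message). Configures the initial
# program on a Terminal Services listener and prints the effective setting.
# Assumption: the RDP-Tcp WinStation registry values below carry what the
# Environment tab of Terminal Services Configuration sets.
param(
    [string]$Connection = 'RDP-Tcp',
    [string]$Program    = 'C:\Windows\System32\notepad.exe',   # constructed default
    [string]$StartIn    = 'C:\Windows\System32'                # constructed default
)

$key = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$Connection"

if (-not (Test-Path $key))     { throw "Listener '$Connection' not found at $key" }
if (-not (Test-Path $Program)) { throw "Program '$Program' does not exist on this host" }

# fInheritInitialProgram = 1 takes the initial program from the user account;
# 0 makes the listener override it with InitialProgram / WorkDirectory.
Set-ItemProperty -Path $key -Name fInheritInitialProgram -Value 0        -Type DWord
Set-ItemProperty -Path $key -Name InitialProgram         -Value $Program -Type String
Set-ItemProperty -Path $key -Name WorkDirectory          -Value $StartIn -Type String

# Read the values back so the change is visible in the console and can be
# compared against the GUI or a build document.
$cfg = Get-ItemProperty -Path $key
[pscustomobject]@{
    Connection     = $Connection
    OverridesUser  = ($cfg.fInheritInitialProgram -eq 0)
    InitialProgram = $cfg.InitialProgram
    WorkDirectory  = $cfg.WorkDirectory
} | Format-List
```

The setting applies to sessions opened after the change. Note that an initial program only replaces the shell for the session; it does not by itself stop the user from reaching other programs through dialogs the application opens, which is exactly the Help / browser path described further down in this thread, so the file-permission and policy lockdown still matters.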


From: Charlie Kaiser
Sent: Tue 11/4/2003 5:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GP and TS lockdown

Hi Deji. I'm not sure I'm following you here.
TS is installed in application mode. When a non-admin user logs on, they get a desktop with only the app shortcut on it. Never having worked with TS before, I haven't figured out how to have just the application run instead of the desktop. Tried using CCM to create a connection and run the app, but it still gave me a desktop.
I tried denying logon locally rights to the test user and that account couldn't connect at all. Nothing I've read shows me that I can run just an app instead of a windowed desktop (as in citrix).
The app ties to a SQL instance and requires SQL client connectivity, and we don't want to make those connections across WAN links from the client PCs. So the app runs on the TS box local to the SQL box. If you've got a way that will allow me to run (on the TS) just the app at the client without a desktop session, I'd love to use it. Enlighten me... :-)
 

**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**********************

-----Original Message-----
From: deji Agba [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 04, 2003 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP and TS lockdown

Is there a good reason you don't just install TS in application mode on this server? If I were doing this (and there is no political/technical/budget reason against it), I'd do it that way and then deny logon locally rights to everyone but Admins. You can then configure TS to auto-launch the specific application that users need to use on the server.
 
 
Sincerely,

Dèjì Akómoláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon


From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Tue 11/4/2003 1:57 PM
To: ([EMAIL PROTECTED])
Subject: [ActiveDir] GP and TS lockdown

I just spent the morning looking around at resources and doing some things to lock down a new W2K TS. This box is a member server in a W3K domain, and is hosting an app that end users hit. We needed to make it so that that was the only thing they could do on the box, but we still needed admin access. So here's what I did. I'm looking for any gotchas on this before it swings into production...

New OU, termservers.

2 GPs for that OU. 1 is a lockdown, strips everything except that app. 2 is an Admin access, which disables everything in the lockdown for those times that we need to do something to the box.

Set Admin GP at top w/no override, lockdown second. Appropriate rights assignments.

Seems to work pretty well. Any glaring issues?

Found a couple of interesting nasties while trying to lock down the box, though. Why the heck is it SO difficult to prevent IE from running? We don't want a browser to open on this box for users at all. Couldn't find any way to lock it down within the policy, and didn't want to get involved with IEAK at this point. So, I put it on the list of apps that you can't run. Also added the one app we want to the list of apps you can run (along with all the other lockdown tweaks in the policy). That should do it, right? Wrong.

Picture this. Locked down desktop, with a log off command and one icon for the app we want to run. Can't do much, except hit F1. Hit F1, up comes a help box. On the top bar is "Web Help". Click on that, a browser opens. Nice. Lets you do anything at that point. Even though it's on the prohibited list, it still runs. OK, lock down NTFS on iexplore.exe. Removed users, etc., left admins, system. Still the same problem. Cute. IE runs in the system context when launched from help. Removed perms for system account and that finally did it. Nasty. Not exactly the context I want a web browser running from...


**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**********************
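A check for the NTFS part of the lockdown described in the post above: it lists every ACE on a binary (iexplore.exe by default), works out which ones grant execute, and flags allow entries for broad identities, including SYSTEM, since the post reports the browser being launched in that context from Help. This is an added example, not the poster's script: the file path is the default on this host, and the list of "broad" principals is a constructed set you should adjust to your environment. It only reports; it changes no permissions.

```powershell
# Added example (not from the original message). Audits execute access on a
# binary that a locked-down Terminal Server should not let users launch.
# Assumption: the path is where the browser lives on this host; the principal
# list is constructed for the example.
param(
    [string]$Path = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
)

if (-not (Test-Path $Path)) { throw "File not found: $Path" }

# Identities whose execute access defeats the lockdown. SYSTEM is included
# because Help launched the browser under that account in the post above.
$broadPrincipals = @(
    'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\SYSTEM'
)

$ExecuteFile    = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile  # 0x20
$GenericExecAll = 0x30000000   # GENERIC_EXECUTE | GENERIC_ALL, seen on some ACEs as raw bits

$acl = Get-Acl -Path $Path
$findings = foreach ($ace in $acl.Access) {
    $rights = [int]$ace.FileSystemRights
    # ReadAndExecute, Modify and FullControl all contain the ExecuteFile bit,
    # so one bit test covers the named right sets; generic bits are checked too.
    $canExecute = (($rights -band $ExecuteFile) -ne 0) -or (($rights -band $GenericExecAll) -ne 0)
    $identity   = $ace.IdentityReference.Value
    [pscustomobject]@{
        Identity  = $identity
        Type      = $ace.AccessControlType        # Allow or Deny
        Execute   = $canExecute
        Inherited = $ace.IsInherited
        Flagged   = ($ace.AccessControlType -eq 'Allow') -and $canExecute -and
                    ($broadPrincipals -contains $identity)
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { $_.Flagged }) {
    Write-Warning "Broad execute access is still present on $Path; the lockdown is incomplete."
}
```

Deny ACEs are listed but not flagged, so a deny for Users sitting above an inherited allow shows up as one Deny row and one flagged Allow row; that is expected, and the deny wins. Running this after each policy change gives a repeatable record of what the NTFS lockdown actually left in place, which is easier to review than re-opening the Security tab.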
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
