Re: How to prevent a terminal user from running applications
From: Fred Blum (h.f.blum_at_marketconnectnospam.nl)
Date: Wed, 20 Oct 2004 17:36:54 +0200
As we had to reinstall our servers and abandon the old Active Directory, I
had to set this up myself, and I'll post my steps.
To set up security on a terminal server you have the following tools: W2K
domain accounts, Group Policies, profiles and NTFS permissions.
In our situation we have:
Basic TS users with an almost blank desktop and program list
TS Internet users, as above plus Internet Explorer
TS Office users, as above plus MS Office.
Active Directory Users and Groups.
Create the corresponding groups TS users, TS Internet users and TS Office
users, settings Global and Security, no Exchange mailbox. Divide the TS
users accordingly and add them to their group.
Right-click your domain and select the Group Policy tab. Create the new
corresponding policies, named TS policy, TS Internet policy and TS Office.
Click Properties, go to Security and untick Apply Group Policy for Authenticated
Users! Add your created user group to the policy and tick Apply Group Policy.
Make sure it only applies to this group! Set the
order correctly: lowest TS users, then TS Internet, then TS Office, and above
Basically all you have done is create a division without consequences yet.
We'll start limiting now. On the Group Policy tab click Edit, starting with
the TS users policy. Limit as needed. Switch with a Remote Desktop or TS client
to your terminal server and log on
with a user account in the TS users group to view your settings.
Disable Internet Connection wizard - Enabled
Disable changing connection settings -Enabled
Disable changing proxy settings - Enabled
Disable AutoComplete for forms - Enabled
Disable changing Messaging settings - Enabled
Identity Manager: Prevent users from using identities - Enabled
Disable adding channels - Enabled
Enable Classic Shell - Enabled
Remove Folder Options - Enabled
Remove Map and Disconnect Network Drive - Enabled
Hide manage from context menu - Enabled
Only allow approved Shell extensions- Enabled
Hide specified drives - Enabled
Prevent access to drives - Enabled
Hide Hardware tab - Enabled
No "Computers Near Me" in My Network Places - Enabled
No "Entire Network" in My Network Places - Enabled
Start Menu & Taskbar
Remove user's documents - Enabled
Remove Windows Update - Enabled
Remove Documents menu - Enabled
Disable programs on Settings menu - Enabled
Remove Network from Start - Enabled
Remove Favorites from Start - Enabled
Remove Search from Start - Enabled
Remove Help from Start - Enabled
Remove Run from Start - Enabled
Disable drag-and-drop context menu - Enabled
Add Logoff to the Start Menu - Enabled
Disable and remove the Shut Down command - Enabled
Disable changes to Taskbar and Start Menu Settings - Enabled
Disable context menu for Start Menu - Enabled
Disable personalized menus - Enabled
Hide My Documents on Desktop - Enabled
Hide My Documents from Start - Enabled
Remove Properties from My Computer - Enabled
Hide My Network Places - Enabled
Hide IE on desktop - Enabled
Disable adding toolbar items - Enabled
Disable changing toolbar - Enabled
Disable Active Directory - Enabled
Allow only bitmapped wallpaper - Enabled
Disable Control Panel--Enabled
Disable Add/Remove Programs - Enabled
Activate screen saver - Disabled
Disable deletion of printers - Enabled
Disable addition of printers - Enabled
Browse network to find printers - Disabled
Network and Dial-up Connections
Enable Connecting and disconnecting a LAN
Enable access to properties of components of a LAN
Security - is missing in the MMC. I want to disable that as well. KB 186618
allows manually removing this by editing the registry. Needs a reboot of the
Don't display welcome screen - Enabled
Disable the command prompt - Enabled
Run only allowed Windows applications - specify or leave as is.
Don't run specified Windows applications - specify or leave as is.
Disable Task Manager - Enabled
Disable Lock Computer - Enabled
For the other policy groups, TS Internet and TS Office, make the policies less
restrictive as needed.
Go through your users' Documents and Settings folders, starting at All Users, and
review the available programs and desktop items. Before deleting them, copy
them to the individual users who need them. After that, go through the individual
users' profiles and delete unneeded desktop and program items. This will be
an ongoing task after every change made to your server.
Basically we have restricted access. W2K will only set NTFS rights for the
directories that Microsoft feels should be protected, such as Documents and
Settings and WINNT. Review and change your NTFS rights if necessary. Make
sure at least the Administrators group has all rights!
Additional study material: check out Run: mmc /s, upper right Console > Add/Remove
Snap-in, select Security Configuration and Analysis and Security Templates.
A follow-up post with stringent NTFS rights and permissions settings on a TS is
Just my 0,02.
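The step "log on with a user account in the TS users group to view your settings" can be made repeatable: User Configuration policies are written into HKCU, so reading those values back in the user's session shows whether the policy applied, and Get-Acl covers the NTFS review at the end of the post. The following is an added example, not code from the post or its author. It needs PowerShell 3 or later (so a current Windows host rather than the Windows 2000 box the post describes; the value names are the same ones the W2K ADM templates write). The registry paths are the documented locations of the listed policies; the Expect values and the C:\Program Files root are this example's assumptions and should be adjusted to your own TS users policy. One caveat worth knowing: the "Run only allowed Windows applications" policy, by its own description, only covers programs started by the Explorer shell and matches on file name, which is why the NTFS review in the post matters rather than being optional polish.

```powershell
# Added example, not part of the original post. Run in a Terminal Services
# session while logged on as a member of the "TS users" group.

$explorer  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$uninstall = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall'
$cmdPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\System'

# Policy name as shown in the Group Policy editor -> registry value it sets.
# Expect = $null means "report only" (bitmask or list-driven settings).
# The Expect values are assumptions for this example.
$script:PolicyChecks = @(
    @{ Name = 'Disable Task Manager';                     Path = $system;    Value = 'DisableTaskMgr';         Expect = 1 }
    @{ Name = 'Disable Lock Computer';                    Path = $system;    Value = 'DisableLockWorkstation'; Expect = 1 }
    @{ Name = 'Disable the command prompt';               Path = $cmdPolicy; Value = 'DisableCMD';             Expect = $null } # 1 also blocks .bat/.cmd scripts, 2 leaves scripts alone
    @{ Name = 'Remove Run from Start';                    Path = $explorer;  Value = 'NoRun';                  Expect = 1 }
    @{ Name = 'Disable and remove the Shut Down command'; Path = $explorer;  Value = 'NoClose';                Expect = 1 }
    @{ Name = 'Remove Windows Update';                    Path = $explorer;  Value = 'NoWindowsUpdate';        Expect = 1 }
    @{ Name = 'Disable Control Panel';                    Path = $explorer;  Value = 'NoControlPanel';         Expect = 1 }
    @{ Name = 'Disable Add/Remove Programs';              Path = $uninstall; Value = 'NoAddRemovePrograms';    Expect = 1 }
    @{ Name = 'Remove Map and Disconnect Network Drive';  Path = $explorer;  Value = 'NoNetConnectDisconnect'; Expect = 1 }
    @{ Name = 'Remove Folder Options';                    Path = $explorer;  Value = 'NoFolderOptions';        Expect = 1 }
    @{ Name = 'Hide specified drives';                    Path = $explorer;  Value = 'NoDrives';               Expect = $null } # bitmask: bit 0 = A:, bit 2 = C:
    @{ Name = 'Prevent access to drives';                 Path = $explorer;  Value = 'NoViewOnDrive';          Expect = $null }
    @{ Name = 'Run only allowed Windows applications';    Path = $explorer;  Value = 'RestrictRun';            Expect = 1 }
    @{ Name = "Don't run specified Windows applications"; Path = $explorer;  Value = 'DisallowRun';            Expect = $null }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Missing key or missing value both come back as $null.
    $props = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

function Test-TsUserPolicy {
    foreach ($c in $script:PolicyChecks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Value
        $status = if ($null -eq $actual)        { 'NOT SET' }
                  elseif ($null -eq $c.Expect)   { 'INFO' }
                  elseif ($actual -eq $c.Expect) { 'OK' }
                  else                           { 'MISMATCH' }
        [pscustomobject]@{ Policy = $c.Name; Value = $c.Value; Actual = $actual; Expected = $c.Expect; Status = $status }
    }
}

# Program names listed under the RestrictRun / DisallowRun subkeys
# (values named "1", "2", ... holding e.g. "winword.exe"). RestrictRun only
# affects programs started by Explorer and matches on file name, so it does
# not replace NTFS permissions on the executables themselves.
function Get-PolicyAppList {
    param([ValidateSet('RestrictRun', 'DisallowRun')][string]$Kind)
    $key = "$explorer\$Kind"
    if (-not (Test-Path -Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { $_.Value }
}

# NTFS review: folders under $Root where Everyone, Users, Authenticated Users
# or INTERACTIVE may create, change or delete files. Profile folders show up
# legitimately; application directories should not.
function Find-UserWritableFolders {
    param([string]$Root)
    $lowPriv   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $folder = $_.FullName
        $acl = Get-Acl -Path $folder -ErrorAction SilentlyContinue
        if ($null -eq $acl) { return }   # access denied: skip this folder
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights) -band $writeBits) -ne 0) {
                [pscustomobject]@{ Folder = $folder; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

Test-TsUserPolicy | Format-Table -AutoSize
'Allowed via RestrictRun: ' + ((Get-PolicyAppList -Kind 'RestrictRun') -join ', ')
Find-UserWritableFolders -Root 'C:\Program Files' | Format-Table -AutoSize
```

Any policy reported as NOT SET or MISMATCH means the GPO did not reach this user, which is usually the security filtering step (Apply Group Policy removed from Authenticated Users but not granted to the TS group) or a higher-priority policy in the link order overriding it. The NTFS listing is the quicker way to do the "review and change your NTFS rights" step: every hit outside Documents and Settings is a place where a restricted user could drop or replace an executable.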