Re: Remove shutdown in remote desktop
- From: "Matthew X. Economou" <xenophon+usenet@xxxxxxxxxx>
- Date: 28 Jun 2007 16:28:13 -0400
Lots of hand waving follows. I haven't actually tried any of this,
but it sounds plausible and might even work.
"leo" == leo <leo@xxxxxxxxxxxxxxxxxxxxxxxxx> writes:
leo> I have a need to allow 2 users to connect remotely via remote
leo> desktop in SBS I'd like to be able to remove the shutdown
leo> button on remote desktop sessions for these guys without
leo> affecting their normal login profiles.
OK, so you got the usual yadda-yadda about not allowing regular users
to RDP into your SBS server. If you don't know what you're doing,
everyone is absolutely right in saying that you shouldn't do this - it
can be dangerous if you aren't careful. But if you know what you're
doing, you can implement a suitably restricted environment that should
make this whole operation pretty safe. (I'm a strong believer that
security tools should empower a business, not hamper it.) The key
ideas are:
1. These RDP users MUST NOT be administrators or power users on the
SBS server, as these security groups can make configuration changes
or install software.
2. Restrict which applications can be run. It's difficult to
completely restrict access to the server (e.g., you can do Windows
Explorer-ish things from File/Open dialogs), but you can get close
by only allowing your users to run a few key applications. You
mentioned something about access to largish files/databases, so you
should limit these users to just the programs that manipulate these
files/databases.
3. Do not allow the users to access email from the server. Remote
access to email is easy enough with OWA and the RPC-HTTP proxy, so
set them up in cached Exchange mode, enable "Download headers and
then full items" and "On slow connections only download headers",
and configure the RPC-HTTP proxy. (You can enable NTLM
authentication for the RPC-HTTP proxy, too, so your users won't get
prompted for a password if they've already logged into the domain.)
4. Do not allow the users to browse the web from the server, or if you
must, force higher security settings (the Internet zone should be
set to "High", and the Trusted Sites list should be hard-coded and
set to "Medium-High").
All of these restrictions can be managed via a Group Policy object (an
exercise I'll leave to the reader). The trick is in getting the GPO
to apply to the user accounts in question ONLY when they log into the
SBS server. To accomplish this, you need a second GPO that applies
only to the SBS server and enables loopback processing in "append"
mode, and you need to put the first GPO (with all of the user
restrictions) into the same OU as the SBS server so that it doesn't
apply to your end users.
You might be able to use a WMI filter similar to the following in
order to target the application of these GPOs:
root\CIMv2: select * from win32_computersystem where name = 'sbsserver'
See also the kiosk scenario outlined on the following page:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpfeat.mspx
Also of interest is "Implementing Common Desktop Management Scenarios
with the Group Policy Management Console":
http://technet2.microsoft.com/windowsserver/en/library/73907fc3-0390-4264-911e-2b374d90b6041033.mspx
Good Luck!
Best wishes,
Matthew
P.S. For those who claim that using Remote Administration mode in this
manner is a license violation, I'd like to see an authoritative
response from Microsoft that quotes the appropriate lines of the SBS
EULA. (I glanced through my copy of the EULA, and the only
potentially relevant section was 2c.)
--
"Rogues are very keen in their profession, and know already much more
than we can teach them respecting their several kinds of roguery."
- A. C. Hobbs in _Locks and Safes_ (1853)
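The loopback/WMI-filter procedure sketched in the post, as an added example (not Matthew's code, and not something SBS 2003 shipped with): it uses the GroupPolicy PowerShell module from RSAT or Windows Server 2008 R2 and later, so it illustrates the same design on a current domain rather than the 2007 tooling. The OU path, server name, user name and allowed-application list are hypothetical placeholders. What the post calls loopback "append" mode is the setting labelled "Merge" in the policy editor (UserPolicyMode = 1; "Replace" is 2).

```powershell
# Added example, not from the original post. Requires the GroupPolicy module
# (RSAT / Windows Server 2008 R2 or later). OU, host name, user name and the
# application list are hypothetical placeholders.
Import-Module GroupPolicy

$ServerOU    = 'OU=SBSServer,DC=example,DC=local'   # OU that contains ONLY the SBS server
$ServerName  = 'sbsserver'                          # host name used in the post's WMI filter
$AllowedApps = @('app.exe', 'reportviewer.exe')     # the only programs these users may launch
$RdpUser     = 'EXAMPLE\rdpuser1'                   # one of the two RDP users

# 1. Computer-side GPO: enable loopback processing in Merge mode so the user
#    settings of GPOs linked to the server's OU apply on top of the users' own
#    GPOs, but only when they log on to this server.
$loop = New-GPO -Name 'SBS RDP - Loopback (Merge)'
Set-GPRegistryValue -Name $loop.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $loop.DisplayName -Target $ServerOU -LinkEnabled Yes | Out-Null

# 2. User-side GPO with the restrictions, linked to the SAME OU. Because the
#    users' own accounts live elsewhere, these settings never reach their
#    normal workstation logons; loopback is the only path by which they apply.
$user     = New-GPO -Name 'SBS RDP - Restricted users'
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# "Remove and prevent access to the Shut Down command" (Start menu / security dialog)
Set-GPRegistryValue -Name $user.DisplayName -Key $explorer `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null

# "Run only specified Windows applications": RestrictRun=1 plus a numbered
# list of executable names under the RestrictRun subkey.
Set-GPRegistryValue -Name $user.DisplayName -Key $explorer `
    -ValueName 'RestrictRun' -Type DWord -Value 1 | Out-Null
$index = 1
foreach ($app in $AllowedApps) {
    Set-GPRegistryValue -Name $user.DisplayName -Key "$explorer\RestrictRun" `
        -ValueName ([string]$index) -Type String -Value $app | Out-Null
    $index++
}
New-GPLink -Name $user.DisplayName -Target $ServerOU -LinkEnabled Yes | Out-Null

# 3. Sanity-check the WMI filter from the post on the server itself: if this
#    query returns nothing, a GPO filtered on it will silently not apply.
$match = Get-CimInstance -Namespace 'root\CIMv2' `
    -Query "SELECT * FROM Win32_ComputerSystem WHERE Name = '$ServerName'"
if (-not $match) {
    Write-Warning "WMI filter does not match this host; filtered GPOs will not apply here."
}

# 4. Confirm what one RDP user actually gets on the server (RSoP), and that
#    the account is not in the local Administrators group (key idea #1).
Get-GPResultantSetOfPolicy -Computer $ServerName -User $RdpUser `
    -ReportType Html -Path "$env:TEMP\rsop-rdpuser1.html"
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains $RdpUser) {
    Write-Warning "$RdpUser is a local administrator; the restrictions above are cosmetic for that account."
}
```

Two caveats worth keeping in mind when using this. NoClose and RestrictRun are Explorer shell policies: they remove the button and block launches from the shell, but the privilege that actually permits a shutdown is the "Shut down the system" user right (SeShutdownPrivilege), so check `whoami /priv` inside one of the restricted sessions and remove the right from those users if it is present. Likewise RestrictRun is only as strong as the shell that enforces it; for a hard allow-list use Software Restriction Policies or AppLocker in the same user-side GPO. The Internet Explorer zone settings from point 4 are left to the GPO editor here, since they are a large set of per-zone values rather than a single registry entry.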