Re: Lock down a Terminal Service server

From: David Everett [MSFT] (deverett_at_online.microsoft.com)
Date: 03/18/04


Date: Thu, 18 Mar 2004 17:11:12 -0600

You can prevent Loopback processing from applying to Admins or anyone else
so long as you give Deny "Apply Group Policy" on the ACL of the policy. The
policy will not get applied because Deny wins over all.

I think this describes your situation.

Normal users will be logging onto a Terminal Server in its own OU. You want
the system completely locked down for the normal users with no ability to
view mapped drives, etc.... Then you have two users who you want to get the
lockdown policy, only these two users need to have access to mapped drives,
etc.... Also, you do not want these two users to have this policy apply to
their user account other than when they logon to the Terminal Server.
Finally, you do not want the Administrators to have policy restrictions at
all on the Terminal Server. If this is correct then the following should
work:

Try this in the lab:
1. Make a Group called TSBypass or whatever and make these two users a
member of this group.
2. Make a TermServ OU and move the Terminal Server into that OU.
3. Leave your users in the Users container if you wish, just don't place
them in the TermServ OU.
4. Make a TSLockdown policy linked to the TermServ OU and configure both the
User and Computer Configuration settings as tight as you wish for the
average user.
5. Make sure to configure the Loopback in the TSLockdown policy under
Computer Configuration\Administrative Templates\System\Group Policy and
choose Replace mode.
6. In the Group Policy tab of Active Directory Users and Computers highlight
the TSLockdown GPO and click the Properties button > Security tab and
highlight Domain Admins. Place a check in the Deny box next to "Apply Group
Policy".
7. While still in the Security tab Add the TSBypass group and give them an
explicit Deny for "Apply Group Policy" as well.
8. Next, create a second GPO called TSBypass policy and link it to the
TermServ OU as well. Don't configure anything in the Computer Configuration
portion of the policy. Under the User Configuration portion of this policy
leave access permitted to view mapped drives, etc...
9. On the Group Policy tab highlight the TSBypass policy > click the
Properties button > Security tab and highlight Domain Admins. Place a check
in the Deny box next to "Apply Group Policy".
10. Highlight Authenticated Users and Delete it from the list.
11. Add the Terminal Server machine account and grant Allow on "Apply Group
Policy".
12. Finally, Add the TSBypass group with Allow for "Apply Group Policy".
13. After this policy has replicated to all DCs, reboot the Terminal Server
and the normal user will get the full lockdown policy applied. The two
users in the TSBypass group will get the less restrictive Loopback policy
applied and any member of the Domain Admins will not get either policy
applied.

NOTE: Any policy differences should only be in the User portion of the
policy and the Computer Configuration portion of the second policy should
remain untouched.
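The thirteen steps above, as an added PowerShell example (not code from the original post or from Microsoft). It assumes the ActiveDirectory and GroupPolicy modules are available on a management host, a Terminal Server named TS01, and two accounts named user1 and user2; those names are placeholders. Step 10 is implemented as "Read only" rather than deleting Authenticated Users, because on domain members patched with MS16-072 (June 2016) the computer must still be able to read a GPO for it to apply; the filtering effect is the same since Apply is removed.

```powershell
# Added example: scripted version of the two-GPO loopback lockdown design.
# Assumptions (not from the original post): modules present, TS01 is the
# Terminal Server, user1/user2 are the two bypass users. Run in a lab first.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn     = (Get-ADDomain).DistinguishedName
$tsName       = 'TS01'            # assumed Terminal Server computer name
$tsOuName     = 'TermServ'
$bypassGroup  = 'TSBypass'
$lockdownGpo  = 'TSLockdown'
$bypassGpo    = 'TSBypass policy'
# Well-known GUID of the "Apply Group Policy" extended right in the AD schema
$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# Deny "Apply Group Policy" to a group on a GPO. Set-GPPermission only writes
# Allow ACEs, so the Deny ACE is added to the GPO container in CN=Policies.
function Deny-GpoApply {
    param([string]$GpoName, [string]$Trustee)
    $gpo    = Get-GPO -Name $GpoName
    $path   = "AD:\$($gpo.Path)"
    $sid    = (Get-ADGroup -Identity $Trustee).SID
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $deny   = [System.Security.AccessControl.AccessControlType]::Deny
    $ace    = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                         -ArgumentList $sid, $rights, $deny, $applyGpRight
    $acl    = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Step 1: group holding the two users who keep mapped drives
New-ADGroup -Name $bypassGroup -GroupScope Global -Path "CN=Users,$domainDn"
Add-ADGroupMember -Identity $bypassGroup -Members 'user1', 'user2'   # assumed names

# Steps 2-3: OU that contains only the Terminal Server; users stay where they are
New-ADOrganizationalUnit -Name $tsOuName -Path $domainDn
$tsOuDn = "OU=$tsOuName,$domainDn"
Move-ADObject -Identity (Get-ADComputer -Identity $tsName).DistinguishedName -TargetPath $tsOuDn

# Step 4: lockdown GPO linked to the OU (the restrictive settings themselves
# are configured in the Group Policy editor as tightly as you wish)
New-GPO -Name $lockdownGpo | New-GPLink -Target $tsOuDn -LinkEnabled Yes | Out-Null

# Step 5: loopback processing in Replace mode (UserPolicyMode: 2 = Replace, 1 = Merge)
Set-GPRegistryValue -Name $lockdownGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Steps 6-7: admins and the bypass group never receive the lockdown user settings
Deny-GpoApply -GpoName $lockdownGpo -Trustee 'Domain Admins'
Deny-GpoApply -GpoName $lockdownGpo -Trustee $bypassGroup

# Step 8: second, less restrictive GPO; leave its Computer Configuration empty
New-GPO -Name $bypassGpo | New-GPLink -Target $tsOuDn -LinkEnabled Yes | Out-Null

# Step 9: Domain Admins get neither policy
Deny-GpoApply -GpoName $bypassGpo -Trustee 'Domain Admins'

# Step 10: strip Apply from Authenticated Users (Read is kept so the computer can
# still read the GPO on hosts patched with MS16-072)
Set-GPPermission -Name $bypassGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# Step 11: the Terminal Server's machine account may apply the bypass policy
Set-GPPermission -Name $bypassGpo -TargetName $tsName -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null

# Step 12: the bypass group may apply it too
Set-GPPermission -Name $bypassGpo -TargetName $bypassGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 13 (check): after replication and a reboot, model the result for one
# bypass user and one normal user before trusting the design.
Get-GPResultantSetOfPolicy -Computer $tsName -User 'user1' -ReportType Html -Path "$env:TEMP\rsop-user1.html"
```

Read the two RSoP reports side by side: the bypass user should show the TSBypass policy in the user section and TSLockdown only in the computer section, while a normal user should show TSLockdown in both; a Domain Admin should show no user-side GPO at all, which is what Replace mode plus the Deny ACEs produces.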

-- 
David Everett
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"pdx" <anonymous@discussions.microsoft.com> wrote in message
news:6497C6B3-4F3B-4810-9664-A747EC781073@microsoft.com...
> Thanks for the reply and the clarification. However, if I can't filter out
> a loopback processing GPO from applying to administrative accounts it seems
> to me that I still have my original problem in that I can't lock down the
> Terminal Service session for two users on the Terminal Services machine
> without affecting their logons to all other machines such as their
> workstations.
> If I add the two users to an OU and apply a restrictive group policy to
> that OU then it'll affect them on all machines. If I add the Terminal
> Services machine to an OU and apply a GPO to that OU, all I can lock down
> are computer specific settings which aren't that effective in locking down
> the user experience. For instance, I can't lock down Windows Explorer/System
> drive access like I am able with user specific settings. If I implement
> loopback processing on the Terminal Services machine then administrative
> accounts won't have full functionality.
> To flesh out my earlier question about Appsec functionality: If I want
> these two users to have access to say Goldmine, Outlook/Office and some
> network drives mapped by their logon scripts, is that doable? Would Appsec
> somehow let me enable access to the mapped drives but restrict access to
> navigating the system drives?