Re: how to secure terminal server, no software installation, and etc



I assume that the TS runs 2003? If so, the default NTFS permissions
on the file system should be OK.
I also assume that you installed Terminal Services in "Full
Security" mode, *not* "Relaxed Security"?

The basic steps to lock down a Terminal Server:

1. place the Terminal Server (not the users!) in a separate OU
2. create a restrictive GPO (see KB 278295)
3. configure the GPO to use "loopback processing" with the
"Replace" option (see KB 231287)
4. link the GPO to the OU which contains the Terminal Server
machine account
5. add the Terminal Server machine account to the security list
of the GPO (keep the default entry for "Authenticated Users")
6. modify the rights for Administrators on the GPO: select "Deny"
for the right to "Apply this policy" (see KB 816100)

More info:

Windows Server 2003 Terminal Server Security White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyID=402A0CD1-9E4D-4007-8EAF-C30623E71250&displaylang=en

278295 - How to lock down a Windows Server 2003 or Windows 2000
Terminal Server session
http://support.microsoft.com/?kbid=278295

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
SQL troubleshooting: http://sql.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Johnny Chow" <jchow10@xxxxxxxxx> wrote on 27 jan 2006 in
microsoft.public.windows.terminal_services:

> Hi,
> I am new to terminal server. I just set up terminal server with
> Office and other applications. I added the selected users to the
> remote desktop group for them to access the server. However,
> how do I restrict them from installing software or accessing the
> C drive (system partition)? Any tips or information will be
> appreciated.
>
> Thank you in advance,
>
> Johnny Chow
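
A way to check steps 3 and 6 of the list above on the Terminal Server itself, as an added example that is not part of the original post or the KB articles. It assumes PowerShell is installed on the server; the GPO name TS-Lockdown is a hypothetical placeholder.

```powershell
# Added example (not from the original post). Run on the Terminal Server.
# 'TS-Lockdown' is a hypothetical GPO name; substitute the name of your GPO.
param([string]$GpoName = 'TS-Lockdown')

# Loopback processing is stored in this policy value: 1 = Merge, 2 = Replace.
function Get-LoopbackMode {
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.UserPolicyMode) { return 'NotConfigured' }
    switch ([int]$item.UserPolicyMode) {
        1       { return 'Merge' }
        2       { return 'Replace' }
        default { return "Unknown($($item.UserPolicyMode))" }
    }
}

# gpresult prints each section as a title line followed by a line of dashes.
# Return the section titles under which the GPO name is listed.
function Find-GpoSections {
    param([string[]]$Lines, [string]$Name)
    $section = ''
    $hits = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i].Trim()
        if ($line -match '^-{3,}$' -and $i -gt 0) { $section = $Lines[$i - 1].Trim(); continue }
        if ($line -eq $Name -and ($hits -notcontains $section)) { $hits += $section }
    }
    return $hits
}

"Loopback mode: $(Get-LoopbackMode)   (step 3 expects Replace)"

# User-scope result for the account running this script. Run it once as a
# normal user (the GPO should be under the applied GPOs) and once as an
# administrator (step 6: it should be under the filtered-out GPOs).
$report = @(gpresult /scope user /v)
$found  = @(Find-GpoSections -Lines $report -Name $GpoName)
if ($found.Count -eq 0) { "GPO '$GpoName' does not appear in the user-scope gpresult output" }
else { $found | ForEach-Object { "GPO '$GpoName' listed under: $_" } }
```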