Re: how to secure terminal server, no software installation, and etc
- From: "Jeff Pitsch [MVP]" <jeff@xxxxxxxxxxxxxxxxx>
- Date: Sun, 29 Jan 2006 18:40:06 -0500
By default, computer policies are applied to them without any additional
filtering.
Jeff Pitsch
Microsoft MVP - Terminal Services
http://www.sbcgatekeeper.com
Your Terminal Services Security Website
"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:Xns975AAD2415178veranoesthemutforsse@xxxxxxxxxxxxxxxx
> As far as I know, the "Computer Configuration" part of the policy
> is not applied if you don't add the machine account of the TS to
> the security filtering.
>
> From:
> 260370 - How to Apply Group Policy Objects to Terminal Services
> Servers
> http://support.microsoft.com/?kbid=260370
>
> The computer account of the terminal server should be added to the
> security properties of the GPO being created for the loopback. To
> do this, follow these steps:
> 1. Select the GPO that is created for the loopback, and then click
> Properties.
> 2. Click the Security tab, and then click Add.
> 3. In the Select Users, Computers, or Groups box, select the
> computer account, and then click OK.
> 4. Click the computer account from the Group or user names box.
> 5. In the Permissions for computer name box, click to select the
> Read and Apply Group Policy check boxes in the Allow column.
> 6. Click OK two times to close and save the policy settings.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> SQL troubleshooting: http://sql.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "Gregg Hill" <bogus@xxxxxxxxxxx> wrote on 28 jan 2006 in
> microsoft.public.windows.terminal_services:
>
>> Vera,
>>
>> What is the purpose of step 5 you mention? "5. add the Terminal
>> Server machine account to the security list of the GPO (keep the
>> default entry for "Authenticated Users")"
>>
>> I have never done that and everything is locked down properly.
>> What am I missing by not doing step 5?
>>
>> Gregg Hill
>>
>>
>>
>> "Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
>> in message
>> news:Xns9758D830BFBF6veranoesthemutforsse@xxxxxxxxxxxxxxxx
>>> I assume that the TS runs 2003? If so, the default NTFS permissions
>>> on the file system should be OK.
>>> I also assume that you installed Terminal Services in "Full
>>> Security" mode, *not* "Relaxed Security"?
>>>
>>> The basic steps to lock down a Terminal Server:
>>>
>>> 1. place the Terminal Server (not the users!) in a separate OU
>>> 2. create a restrictive GPO (see KB 278295)
>>> 3. configure the GPO to use "loopback processing" with the
>>> "Replace" option (see KB 231287)
>>> 4. link the GPO to the OU which contains the Terminal Server
>>> machine account
>>> 5. add the Terminal Server machine account to the security list
>>> of the GPO (keep the default entry for "Authenticated Users")
>>> 6. modify the rights for Administrators on the GPO: select "Deny"
>>> for the right to "Apply this policy" (see KB 816100)
>>>
>>> More info:
>>>
>>> Windows Server 2003 Terminal Server Security White Paper
>>> http://www.microsoft.com/downloads/details.aspx?FamilyID=402A0CD1-9E4D-4007-8EAF-C30623E71250&displaylang=en
>>>
>>> 278295 - How to lock down a Windows Server 2003 or Windows 2000
>>> Terminal Server session
>>> http://support.microsoft.com/?kbid=278295
>>>
>>> 816100 - How To Prevent Domain Group Policies from Applying to
>>> Administrator Accounts and Selected Users in Windows Server
>>> 2003
>>> http://support.microsoft.com/?kbid=816100
>>>
>>> 231287 - Loopback Processing of Group Policy
>>> http://support.microsoft.com/?kbid=231287
>>>
>>> _________________________________________________________
>>> Vera Noest
>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>> TS troubleshooting: http://ts.veranoest.net
>>> SQL troubleshooting: http://sql.veranoest.net
>>> ___ please respond in newsgroup, NOT by private email ___
>>>
>>> "Johnny Chow" <jchow10@xxxxxxxxx> wrote on 27 jan 2006 in
>>> microsoft.public.windows.terminal_services:
>>>
>>>> Hi,
>>>> I am new to terminal server. I just set up terminal server
>>>> with Office and other applications. I added the selected users
>>>> to the remote desktop group for them to access the server.
>>>> However, how do I restrict them from installing software or
>>>> accessing the C drive (system partition)? Any tips or
>>>> information will be appreciated.
>>>>
>>>> Thank you in advance,
>>>>
>>>> Johnny Chow
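
An added example, not part of the original thread: a PowerShell audit of the lockdown GPO's security filtering and loopback mode, the two settings the steps above depend on. It assumes the GroupPolicy module (GPMC/RSAT) that ships with later Windows versions than the Server 2003 discussed here; `TS Lockdown` and `TS01` are hypothetical names.

```powershell
# Added example: audit a Terminal Server lockdown GPO.
# 'TS Lockdown' and 'TS01' are hypothetical; substitute your own names.
Import-Module GroupPolicy

function Get-TsGpoAudit {
    param(
        [Parameter(Mandatory = $true)] [string] $GpoName,
        [Parameter(Mandatory = $true)] [string] $ComputerName
    )

    # Every trustee on the GPO's security list with its permission level.
    $perms = Get-GPPermission -Name $GpoName -All

    # Trustees allowed to apply the policy (the security filtering).
    $apply = @($perms | Where-Object {
        $_.Permission -eq 'GpoApply' -and -not $_.Denied
    })

    # Entries carrying a Deny, e.g. the step 6 entry for Administrators.
    $denied = @($perms | Where-Object { $_.Denied })

    # Loopback mode is stored as UserPolicyMode: 1 = Merge, 2 = Replace.
    $loop = Get-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
    $mode = 'Not configured'
    if ($loop) {
        switch ($loop.Value) {
            1 { $mode = 'Merge' }
            2 { $mode = 'Replace' }
            default { $mode = "Unknown ($($loop.Value))" }
        }
    }

    [pscustomobject]@{
        GpoName                 = $GpoName
        LoopbackMode            = $mode
        # S-1-5-11 is the well-known SID of Authenticated Users.
        AuthenticatedUsersApply = [bool]($apply | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' })
        # Computer accounts appear with a trailing '$'.
        ComputerAccountApply    = [bool]($apply | Where-Object { $_.Trustee.Name -eq "$ComputerName`$" })
        ApplyTrustees           = $apply.Trustee.Name -join ', '
        DeniedTrustees          = $denied.Trustee.Name -join ', '
    }
}

Get-TsGpoAudit -GpoName 'TS Lockdown' -ComputerName 'TS01'
```

Running `gpresult /r /scope computer` on the terminal server then shows which GPOs were actually applied to the machine and which were filtered out.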