Re: Prevent users from launching tsadmin.exe?

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: "Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 20 Mar 2008 13:02:00 -0700

I wouldn't add a "Deny" ACL, I would add an ACL which ensures that
you can continue to use tsadmin.exe, something like
computername\Administrators or maybe domain\Domain Admins with Full
Control and then remove the Authenticated Users ACL.

As long as you make sure that there is an ACL which allows you Full
Control (and there is no rule which denies you access), you can
always undo your changes. Keep in mind that a "Deny" rule overrides
other rules, so be extremely careful (or better: avoid) Deny rules.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RGVubmlzX1M=?= <DennisS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
on 20 mar 2008 in microsoft.public.windows.terminal_services:

Thanks for the reply Vera. I considered that option, but I
don't want to select Deny for the Users (computername\Users).
If I delete this group, is there a way to replace it if needed?

Much appreciated.

Dennis

"Vera Noest [MVP]" wrote:

You can always change the NTFS permissions on tsadmin.exe
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RGVubmlzX1M=?= <DennisS@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 19 mar 2008 in
microsoft.public.windows.terminal_services:

What is the best practice to prevent users from being able to
launch tsadmin.exe?

Thanks.

Follow-Ups:
- Re: Prevent users from launching tsadmin.exe?
  - From: Soo Kuan Teo [MSFT]

References:
- Re: Prevent users from launching tsadmin.exe?
  - From: Vera Noest [MVP]

Prev by Date: Re: RDP timeout with DNS enabled
Next by Date: Re: an extra empty print job for each print job
Previous by thread: Re: Prevent users from launching tsadmin.exe?
Next by thread: Re: Prevent users from launching tsadmin.exe?
Index(es):
- Date
- Thread

Relevant Pages

Re: [Full-disclosure] RE: Example firewall script
... > of every ACL. ... > DENY ANY ANY at the end of their ACL's ... > should have a deny statement at the end, ... situations where large numbers of disparate hosts ...
(Full-Disclosure)
Re: Loopback Processing and Deny Apply in ACL
... The actual group policy is being applied to the user logon, ... If you Apply the policy to a user then Deny ... >> for the terminal server (which is in it's own OU, ... >> setting the deny apply gpo setting in the acl to the user account of this ...
(microsoft.public.win2000.group_policy)
Transparent Proxy using Squid and PF
... I need a little help on setting up transparent proxy with Squid and PF in FreeBSD 5.4-RELEASE. ... rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128 ... acl QUERY urlpath_regex cgi-bin \? ... no_cache deny QUERY ...
(freebsd-questions)
Re: deny access
... > is the correct syntax, but the information he didn't get was: ... > line ACL to block one host would effectively block all hosts. ... > If there are no ACLs now, make it a two liner, the deny line, and: ...
(Security-Basics)
Transparent Proxy using Squid and PF
... I need a little help on setting up transparent proxy with Squid and PF in FreeBSD 5.4-RELEASE. ... rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128 ... acl QUERY urlpath_regex cgi-bin \? ... no_cache deny QUERY ...
(freebsd-questions)